On 11/18/2011 05:40 PM, A. J. Clark wrote:
Hi there,
I've been trying for the past few days to get a cert-based VPN setup
between the Shrew soft client in Win 7 Enterprise and a Juniper SSG5.
<snip>
Unfortunately on the Shrew side, as it's going through the process, the
key daemon stops and there's no log, no matter how verbose, as to the
problem. The key daemon logs look similar to this when it stops:
11/11/17 15:44:19 DB : phase1 resend event canceled ( ref count = 1 )
11/11/17 15:44:19 -> : send IKE packet 10.250.0.242:500 -> 10.250.0.241:500 ( 1304 bytes )
11/11/17 15:44:19 ii : added ca.crt to x509 store
11/11/17 15:44:19 ii : unable to get certificate CRL(3) at depth:0
11/11/17 15:44:19 ii : subject :/ST=British Columbia/L=Kamloops/O=SuperTest/OU=IPSec VPN/CN=0162072007000231/CN=(250) 434-8700/CN=ecdsa-key/CN=testcertvpn.testing.com/CN=Bob Smith
11/11/17 15:44:19 ii : unable to get certificate CRL(3) at depth:1
11/11/17 15:44:19 ii : subject :/C=CA/ST=BC/L=Kamloops/O=SuperTesting/OU=Staff VPN/CN=SuperTesting CA/[email protected]
I've attached a window shot of what the Access Manager connect window
looks like.
Again, Phase1 completes successfully - I set up a whole new batch of keys
& certs today to re-do the tests from scratch and I have exactly the
same results - here's what the ScreenOS side says:
2011-11-18 14:07:52 info IKE 10.250.0.242 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2011-11-18 14:07:52 info IKE 10.250.0.242 Phase 1: Completed for user User1.
2011-11-18 14:07:51 notif PKI: No revocation check, per config, for cert with subject name [email protected],CN=User1,.
2011-11-18 14:07:51 info IKE 10.250.0.242 phase 1:The symmetric crypto key has been generated successfully.
2011-11-18 14:07:51 info IKE 10.250.0.242 Phase 1: Responder starts AGGRESSIVE mode negotiations.
Hi Adam,
I don't know much about certificates, having never worked with them, but
I can try to help.
First, I think you have a subject name mismatch, but maybe that's
because your log outputs are from different days with different
keys/certs. And it's probably intentional, but in case not, your
ScreenOS log shows 'testZing.com' as the domain.
When you generated your certificates, did you specify a CRL? If so, is
the CRL server you specified accessible to the Shrew client over the
plain Internet?
If it's not available, can you try generating some certificates that do
not specify a CRL?
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
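As an added illustration of the CRL question raised in the reply (an example shell session written for this page, not code from either poster or from Shrew Soft): it builds a throwaway CA and client cert whose CRL Distribution Point names a made-up, unreachable host, shows how to read that URL back out of the cert, and reproduces the "unable to get certificate CRL" error 3 at depth 0 that the Shrew key daemon log reports. It assumes only the openssl CLI; the subject names and the CRL URL are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the CRL lookup failure the
# Shrew iked log reports ("unable to get certificate CRL(3)") with a
# throwaway CA and client cert, and show how to read the CRL Distribution
# Point URL out of a cert. Assumes the openssl CLI; names and URL are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed CA and a client cert whose CRL DP points at a host
# that does not exist (constructed value), mirroring a CRL server the
# client cannot reach over the Internet.
make_certs() {
  cat > "$WORK/ext.cnf" <<'EOF'
[v3_leaf]
crlDistributionPoints=URI:http://crl.example.invalid/supertesting.crl
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=SuperTesting CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=User1" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -extfile "$WORK/ext.cnf" -extensions v3_leaf -out "$WORK/user.crt" 2>/dev/null
}

# Print every CRL Distribution Point URI embedded in a certificate; this is
# the server the client must be able to reach when revocation checking is on.
crl_dp_uris() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI://p'
}

# Verify the client cert with CRL checking enabled; with no CRL available
# this yields "error 3 at 0 depth lookup: unable to get certificate CRL",
# the same error code and depth the Shrew log shows.
verify_with_crl_check() {
  openssl verify -crl_check -CAfile "$WORK/ca.crt" "$1" 2>&1 || true
}

make_certs
echo "CRL DP in user cert: $(crl_dp_uris "$WORK/user.crt")"
verify_with_crl_check "$WORK/user.crt"
```

Running the same `crl_dp_uris` check against the real client and CA certs, then fetching the printed URL from the client's network, tells you whether the CRL server is the missing piece.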