On 11/21/2011 08:16 PM, Kevin VPN wrote:
> On 11/18/2011 05:40 PM, A. J. Clark wrote:
>> Hi there,
>>
>> I've been trying for the past few days to get a cert-based VPN set up
>> between the Shrew soft client in Win 7 Enterprise and a Juniper SSG5.
>>
> <snip>
>>
>> Unfortunately on the Shrew side, as it's going through the process, the
>> key daemon stops and there's no log, no matter how verbose, as to the
>> problem. The key daemon logs look similar to this when it stops:
>>
>> 11/11/17 15:44:19 DB : phase1 resend event canceled ( ref count = 1 )
>> 11/11/17 15:44:19 -> : send IKE packet 10.250.0.242:500 -> 10.250.0.241:500 ( 1304 bytes )
>> 11/11/17 15:44:19 ii : added ca.crt to x509 store
>> 11/11/17 15:44:19 ii : unable to get certificate CRL(3) at depth:0
>> 11/11/17 15:44:19 ii : subject :/ST=British Columbia/L=Kamloops/O=SuperTest/OU=IPSec VPN/CN=0162072007000231/CN=(250) 434-8700/CN=ecdsa-key/CN=testcertvpn.testing.com/CN=Bob Smith
>> 11/11/17 15:44:19 ii : unable to get certificate CRL(3) at depth:1
>> 11/11/17 15:44:19 ii : subject :/C=CA/ST=BC/L=Kamloops/O=SuperTesting/OU=Staff VPN/CN=SuperTesting CA/[email protected]
>>
>> I've attached a window shot of what the Access Manager connect window
>> looks like.
>>
>> Again, Phase1 completes successfully - I set up a whole new batch of keys
>> & certs today to re-do the tests from scratch and I have exactly the
>> same results - here's what the screenOS side says:
>>
>> 2011-11-18 14:07:52 info IKE 10.250.0.242 Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
>> 2011-11-18 14:07:52 info IKE 10.250.0.242 Phase 1: Completed for user User1.
>> 2011-11-18 14:07:51 notif PKI: No revocation check, per config, for cert with subject name [email protected],CN=User1,.
>> 2011-11-18 14:07:51 info IKE 10.250.0.242 phase 1:The symmetric crypto key has been generated successfully.
>> 2011-11-18 14:07:51 info IKE 10.250.0.242 Phase 1: Responder starts AGGRESSIVE mode negotiations.
>>
>
> Hi Adam,
>
> I don't know much about certificates, having never worked with them, but
> I can try to help.
>
> First, I think you have a subject name mismatch, but maybe that's
> because your log outputs are from different days with different
> keys/certs. And it's probably intentional, but in case not, your
> ScreenOS log shows 'testZing.com' as the domain.
>
> When you generated your certificates, did you specify a CRL? If so, is
> the CRL server you specified accessible to the Shrew client over the
> plain Internet?
>
> If it's not available, can you try generating some certificates that do
> not specify a CRL?
Hi Kevin,

Yes, the subject mismatch you see comes from different CA/cert setups on
different days. I wanted to try things the way I knew how with openvpn's
easy-rsa scripts, and then I tried it following the ShrewVPN wiki
documentation to the letter. In both cases, I could get Phase 1 to
complete, so I'm pretty sure the contents of the certificates and xauth
information (I tested with and without xauth) were all meshing
appropriately.

For the CRL - I believe that's generally a function of the VPN "server"
device, not the client end. I have disabled CRL checking for this setup on
the ScreenOS device side of things - I think it's interesting that the
Shrewsoft side complains about it, but I suspect it complains about it for
everyone as I don't see anywhere the client can be configured with a CRL,
nor would I expect the client end to handle the CRL.

Also, I don't believe the certificates specify a CRL - I haven't seen any
information anywhere on the certificates specifying that information at
all. I've only ever seen it specified as something on the 'server' end of
these types of connections.

Thanks,

_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
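Kevin asks whether the certificates themselves specify a CRL, and the Shrew log's "unable to get certificate CRL" lines turn on the same question: a CRL location, when present, lives in the certificate's CRL Distribution Points extension, so it can be checked directly. The following is an added shell example, not code from the thread or from Shrew Soft; it assumes the openssl CLI is installed, builds two constructed self-signed test certificates (one with a constructed CRL URI, one without), and shows how to tell which kind a given .crt is.

```shell
#!/bin/sh
# Added example: does an X.509 certificate carry a CRL Distribution Points
# extension? Two constructed self-signed test certs are generated, one with
# and one without the extension. Assumes the openssl CLI is available.
set -e
WORK="${WORK:-$(mktemp -d)}"

# make_cert NAME [CRL_URI]: self-signed RSA cert for CN=NAME; when a URI is
# given, it is embedded as the crlDistributionPoints extension.
make_cert() {
    cfg="$WORK/$1.cnf"
    printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
        'x509_extensions = ext' '[dn]' "CN = $1" '[ext]' \
        'basicConstraints = CA:FALSE' > "$cfg"
    if [ -n "$2" ]; then
        printf 'crlDistributionPoints = URI:%s\n' "$2" >> "$cfg"
    fi
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# has_crl_dp CERT: exit 0 if the cert names a CRL Distribution Point,
# 1 otherwise. A cert without one gives a verifier no CRL URL to fetch.
has_crl_dp() {
    openssl x509 -in "$1" -noout -text | grep -q 'CRL Distribution Points'
}

# crl_dp_uris CERT: print the URI(s) the extension names, one per line.
crl_dp_uris() {
    openssl x509 -in "$1" -noout -text \
        | grep -A 4 'CRL Distribution Points' | grep -o 'URI:[^[:space:]]*'
}

# Demo run. The "nocrl" cert is the shape Kevin asks about: no CRL at all.
make_cert withcrl 'http://crl.example.test/ca.crl'   # constructed URI
make_cert nocrl
for c in withcrl nocrl; do
    if has_crl_dp "$WORK/$c.crt"; then
        echo "$c.crt: CRL DP present -> $(crl_dp_uris "$WORK/$c.crt")"
    else
        echo "$c.crt: no CRL Distribution Points extension"
    fi
done
```

Run `has_crl_dp` against the real client and CA certificates to confirm whether any CRL location is embedded; `openssl x509 -in ca.crt -noout -text` shows the full extension list if you want to read it by eye.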
