Firewall Wizards mailing list archives

CRL problem with VPN-1 4.1 and iPlanet CMS 4.2


From: Tamas FORJAN <tamas () 2fkft com>
Date: Tue, 04 Dec 2001 16:37:00 +0100

Dear Wizards,

We have run into serious problems with VPN-1 + iPlanet CMS 4.2.

We would like to use the iPlanet CMS to issue user certificates to
SecuRemote users, and have VPN-1 authenticate them from a Netscape Directory
Server via LDAP.

There seems to be some problem related to the CMS, though. SecuRemote
clients can log on to the network using IPSec and userid/password as the
authentication scheme. Usernames and passwords can be taken from the LDAP
server - so far so good. When we switch to using certificates, though, it
does not work anymore. We see two errors:
1. In the firewall log, there is an IKE log entry saying: "Certificate xxx
cannot be validated. No valid CRL." xxx is the name of the firewall module's
certificate issued by the CMS.

2. At the SecuRemote client, when trying to add the site to SecuRemote, we
get an error "Communication with server failed". This does not happen if we
use password authentication instead of certificates.

(We exported the CA key and imported it into VPN-1, generated a certificate for
the gw and certified it with the CA, and did all the steps that were
documented to make CA+LDAP work.)

We feel there is some problem with the CRL processing, but cannot determine
what. Does anyone have any ideas to help us?

Thank you,

--
FORJAN Tamas
Technical Support
2F 2000 Szamitastechnikai es Szolgaltato Kft.
http://www.2f.hu/
