Firewall Wizards mailing list archives

Gauntlet GVPN 4.1 with ISAKMP: "cert parse failure"


From: Chris Shenton <cshenton () uucom com>
Date: 16 Jul 1998 15:27:38 -0400

Message-ID: <864swrkjth.fsf () samizdat uucom com>

We're trying to use Gauntlet VPN 4.1 between two BSDI boxes. We were
able to establish the VPN using IPSec Static keys but have not been
able to make it work with ISAKMP-generated keys; ikmpd complains it
can't parse some part of the cert [IP addrs changed to protect the guilty]:

  Jul  8 16:14:57 fw2e ikmpd: sendto ccb2bb02[551ae272] MM  sa nbytes=80
  Jul  8 16:14:57 fw2e ikmpd: caught ccb2bb02[551ae272] MM  sa nbytes=80
  Jul  8 16:14:57 fw2e ikmpd: sendto ccb2bb02[551ae272] MM  ke nbytes=184
  Jul  8 16:14:57 fw2e ikmpd: caught ccb2bb02[551ae272] MM  ke nbytes=184
  Jul  8 16:14:57 fw2e ikmpd: status ccb2bb02[3407fdcb] construct_sig FW cert parse failure
  Jul  8 16:14:57 fw2e ikmpd:        local 10.67.214.192:255.255.255.192 remote 10.254.35.0:255.255.255.0
  Jul  8 16:14:57 fw2e ikmpd: sendto ccb2bb02[551ae272] MM *id nbytes=44
  Jul  8 16:14:57 fw2e ikmpd: caught ccb2bb02[551ae272] MM  ke nbytes=184
  Jul  8 16:14:57 fw2e ikmpd: status ccb2bb02[3407fdcb] Got a repeat message - resending
  [...]
  Jul  8 16:14:57 fw2e ikmpd:        local 10.67.214.192:255.255.255.192 remote 10.254.35.0:255.255.255.0
  Jul  8 16:14:57 fw2e ikmpd: sendto ccb2bb02[551ae272] MM *id nbytes=44
  Jul  8 16:14:57 fw2e ikmpd: caught ccb2bb02[551ae272] MM  ke nbytes=184
  Jul  8 16:14:57 fw2e ikmpd: status ccb2bb02[3407fdcb] Deleting SA - too many errors
  Jul  8 16:14:57 fw2e ikmpd:        local 10.67.214.192:255.255.255.192 remote 10.254.35.0:255.255.255.0
  Jul  8 16:14:57 fw2e ikmpd: sendto ccb2bb02[3041f676] IE *hash nbytes=84
  Jul  8 16:14:57 fw2e ikmpd: Can't find ISAKMP SA from ccb2bb02
  Jul  8 16:14:57 fw2e ikmpd: status ccb2bb02[00000000] Sending notify INVALID_COOKIE
  Jul  8 16:14:57 fw2e ikmpd:        local 0.0.0.0:0.0.0.0 remote 0.0.0.0:0.0.0.0
  Jul  8 16:14:57 fw2e ikmpd: sendto ccb2bb02[00000000] IE  notify nbytes=84


We did the cert-request on the firewalls, had the Gauntlet CA grant
the cert, and installed these and the CA root cert on the firewalls.
The docs don't say I need to, but should I have had the CA "sign" them
too?  How can I diagnose and fix the problem?

Thanks.
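As an added example (my own code, not part of the original post and not a Gauntlet/TIS tool), a small Python triage script for the ikmpd log format quoted above: it groups events by initiator cookie and reports, for each ISAKMP SA, the last Main Mode payload exchanged before the first error status, the retransmit count and whether the SA was torn down. The sample log is a constructed copy of the lines in the post, and the field layout the regexes assume is inferred from those lines.

```python
import re
from collections import defaultdict
# Constructed sample: a copy of the ikmpd lines quoted in the post above.
SAMPLE_LOG = """\
Jul  8 16:14:57 fw2e ikmpd: sendto ccb2bb02[551ae272] MM  sa nbytes=80
Jul  8 16:14:57 fw2e ikmpd: caught ccb2bb02[551ae272] MM  sa nbytes=80
Jul  8 16:14:57 fw2e ikmpd: sendto ccb2bb02[551ae272] MM  ke nbytes=184
Jul  8 16:14:57 fw2e ikmpd: caught ccb2bb02[551ae272] MM  ke nbytes=184
Jul  8 16:14:57 fw2e ikmpd: status ccb2bb02[3407fdcb] construct_sig FW cert parse failure
Jul  8 16:14:57 fw2e ikmpd:        local 10.67.214.192:255.255.255.192 remote 10.254.35.0:255.255.255.0
Jul  8 16:14:57 fw2e ikmpd: sendto ccb2bb02[551ae272] MM *id nbytes=44
Jul  8 16:14:57 fw2e ikmpd: caught ccb2bb02[551ae272] MM  ke nbytes=184
Jul  8 16:14:57 fw2e ikmpd: status ccb2bb02[3407fdcb] Got a repeat message - resending
Jul  8 16:14:57 fw2e ikmpd: status ccb2bb02[3407fdcb] Deleting SA - too many errors
Jul  8 16:14:57 fw2e ikmpd: status ccb2bb02[00000000] Sending notify INVALID_COOKIE
"""

# Field layout is an assumption inferred from the quoted lines.
LINE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ ikmpd: (?P<rest>.*)$")
EVENT = re.compile(r"^(?P<kind>sendto|caught|status) (?P<cookie>[0-9a-f]{8})"
                   r"\[(?P<msgid>[0-9a-f]{8})\] (?P<detail>.*)$")
# "MM  sa", "MM *id", "IE *hash": exchange mode, optional '*', payload name, size.
EXCH = re.compile(r"^(?P<mode>MM|IE)\s+\*?(?P<payload>\w+) nbytes=\d+$")

def triage(log):
    """Per initiator cookie: payloads seen, first error, stall point, repeats, teardown."""
    sas = defaultdict(lambda: {"payloads": [], "first_error": None,
                               "stalled_after": None, "repeats": 0, "deleted": False})
    for line in log.splitlines():
        m = LINE.match(line)
        ev = EVENT.match(m.group("rest")) if m else None
        if not ev:
            continue          # 'local ... remote ...' continuation lines and the like
        sa, detail = sas[ev.group("cookie")], ev.group("detail")
        if ev.group("kind") != "status":
            x = EXCH.match(detail)
            if x:
                sa["payloads"].append(f"{ev.group('kind')}:{x.group('mode')}:{x.group('payload')}")
        elif detail.startswith("Got a repeat message"):
            sa["repeats"] += 1
        elif detail.startswith("Deleting SA"):
            sa["deleted"] = True
        elif sa["first_error"] is None:
            sa["first_error"] = detail   # e.g. construct_sig FW cert parse failure
            sa["stalled_after"] = sa["payloads"][-1] if sa["payloads"] else None
    return dict(sas)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, the SA stalls after the Main Mode KE exchange completes, i.e. at the point where the local side builds its signature payload, which is the cert-handling step to look at first.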
