Firewall Wizards mailing list archives
Gauntlet GVPN 4.1 with ISAKMP: "cert parse failure"
From: Chris Shenton <cshenton () uucom com>
Date: 16 Jul 1998 15:27:38 -0400
Message-ID: <864swrkjth.fsf () samizdat uucom com>
X-Mailer: Gnus v5.4.37/XEmacs 19.16
Lines: 38
Xref: samizdat.uucom.com mail.1998-07:27
X-Gnus-Article-Number: 27 Thu Jul 9 13:36:42 1998

We're trying to use Gauntlet VPN 4.1 between two BSDI boxes. We were able to establish the VPN using IPSec Static keys but have not been able to make it work with ISAKMP-generated keys; ikmpd complains it can't parse some part of the cert [IP addrs changed to protect the guilty]:

Jul 8 16:14:57 fw2e ikmpd: sendto ccb2bb02[551ae272] MM sa nbytes=80
Jul 8 16:14:57 fw2e ikmpd: caught ccb2bb02[551ae272] MM sa nbytes=80
Jul 8 16:14:57 fw2e ikmpd: sendto ccb2bb02[551ae272] MM ke nbytes=184
Jul 8 16:14:57 fw2e ikmpd: caught ccb2bb02[551ae272] MM ke nbytes=184
Jul 8 16:14:57 fw2e ikmpd: status ccb2bb02[3407fdcb] construct_sig FW cert parse failure
Jul 8 16:14:57 fw2e ikmpd: local 10.67.214.192:255.255.255.192 remote 10.254.35.0:255.255.255.0
Jul 8 16:14:57 fw2e ikmpd: sendto ccb2bb02[551ae272] MM *id nbytes=44
Jul 8 16:14:57 fw2e ikmpd: caught ccb2bb02[551ae272] MM ke nbytes=184
Jul 8 16:14:57 fw2e ikmpd: status ccb2bb02[3407fdcb] Got a repeat message - resending
[...]
Jul 8 16:14:57 fw2e ikmpd: local 10.67.214.192:255.255.255.192 remote 10.254.35.0:255.255.255.0
Jul 8 16:14:57 fw2e ikmpd: sendto ccb2bb02[551ae272] MM *id nbytes=44
Jul 8 16:14:57 fw2e ikmpd: caught ccb2bb02[551ae272] MM ke nbytes=184
Jul 8 16:14:57 fw2e ikmpd: status ccb2bb02[3407fdcb] Deleting SA - too many errors
Jul 8 16:14:57 fw2e ikmpd: local 10.67.214.192:255.255.255.192 remote 10.254.35.0:255.255.255.0
Jul 8 16:14:57 fw2e ikmpd: sendto ccb2bb02[3041f676] IE *hash nbytes=84
Jul 8 16:14:57 fw2e ikmpd: Can't find ISAKMP SA from ccb2bb02
Jul 8 16:14:57 fw2e ikmpd: status ccb2bb02[00000000] Sending notify INVALID_COOKIE
Jul 8 16:14:57 fw2e ikmpd: local 0.0.0.0:0.0.0.0 remote 0.0.0.0:0.0.0.0
Jul 8 16:14:57 fw2e ikmpd: sendto ccb2bb02[00000000] IE notify nbytes=84

We did the cert-request on the firewalls, had the Gauntlet CA grant the cert, and installed these and the CA root cert on the firewalls. The docs don't say I need to, but should I have had the CA "sign" them too? How can I diagnose and fix the problem?

Thanks.
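
Added example, not part of the original post and not Gauntlet tooling: a Python triage of ikmpd lines like those quoted above, reporting the first status message, the packet logged just before it, and how many received packets repeat the previous one. The field names (peer, tag, exchange, payload) are assumptions inferred from the quoted lines only.

```python
import re

# Constructed sample: a subset of the ikmpd lines quoted in the post.
SAMPLE = """\
Jul 8 16:14:57 fw2e ikmpd: sendto ccb2bb02[551ae272] MM ke nbytes=184
Jul 8 16:14:57 fw2e ikmpd: caught ccb2bb02[551ae272] MM ke nbytes=184
Jul 8 16:14:57 fw2e ikmpd: status ccb2bb02[3407fdcb] construct_sig FW cert parse failure
Jul 8 16:14:57 fw2e ikmpd: sendto ccb2bb02[551ae272] MM *id nbytes=44
Jul 8 16:14:57 fw2e ikmpd: caught ccb2bb02[551ae272] MM ke nbytes=184
Jul 8 16:14:57 fw2e ikmpd: status ccb2bb02[3407fdcb] Got a repeat message - resending
Jul 8 16:14:57 fw2e ikmpd: status ccb2bb02[3407fdcb] Deleting SA - too many errors
Jul 8 16:14:57 fw2e ikmpd: Can't find ISAKMP SA from ccb2bb02
Jul 8 16:14:57 fw2e ikmpd: status ccb2bb02[00000000] Sending notify INVALID_COOKIE
"""

# Layout inferred from the quoted lines only (assumption, not Gauntlet docs):
#   <kind> <peer>[<tag>] <detail>; packet detail is "<exchange> <payload> nbytes=<n>"
LINE = re.compile(r"ikmpd: (sendto|caught|status) ([0-9a-f]{8})\[([0-9a-f]{8})\] (.+)$")
PACKET = re.compile(r"(\S+) (\S+) nbytes=(\d+)$")

def parse(log_text):
    """Return (kind, peer, tag, detail) for every structured ikmpd line."""
    return [m.groups() for m in map(LINE.search, log_text.splitlines()) if m]

def triage(log_text):
    """Find the first status message, the packet that preceded it, and how
    many received packets merely repeat the previous one from that peer."""
    first_status, before, last_packet = None, None, None
    last_caught, repeats, statuses = {}, 0, []
    for kind, peer, tag, detail in parse(log_text):
        if kind == "status":
            statuses.append(detail)
            if first_status is None:
                first_status, before = detail, last_packet
            continue
        pkt = PACKET.match(detail)
        if not pkt:
            continue  # structured line whose detail is not a packet summary
        last_packet = (kind, pkt.group(1), pkt.group(2))
        if kind == "caught":
            if last_caught.get((peer, tag)) == pkt.groups():
                repeats += 1  # same exchange/payload/size received again
            last_caught[(peer, tag)] = pkt.groups()
    return {"first_status": first_status, "before": before,
            "repeats": repeats, "statuses": statuses}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample, the first status message is the cert parse failure, logged right after the received `MM ke` packet; every later status message follows from it.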