Re: ipsec lan: IKE: no private key found, ideas?

From: Mark Swift [MSFT] (mswift@online.microsoft.com)
Date: 04/16/03


From: "Mark Swift [MSFT]" <mswift@online.microsoft.com>
Date: Wed, 16 Apr 2003 12:05:07 -0700


I'll reply in English, and hopefully you will understand :)

According to the portions of oakley.log you have in your email, Peer 1
can't find a valid machine certificate for use with IPSec. Peer 2 can find a
valid certificate.

IPSec defines a valid machine certificate as:
1. A certificate in the local machine store - not the user store
2. A certificate with a private key
3. A certificate with a Key Usage of "Digital Signature"

So make sure Peer 1 has a certificate meeting these requirements from the CA
that is specified in the IPSec policy and it should work.

As a side comment, IPSec also checks the Extended Key Usage (EKU) for "IP
Security IKE Intermediate (1.3.6.1.5.5.8.2.2)" and will use a certificate
with this EKU before any other certificates in the Machine Store.

--
Mark Swift
Microsoft/Windows/Networking/Secure Network Services/IP Security
Software Test Engineer
-------------------------------------------------------------------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
-------------------------------------------------------------------------------------------------------------------
"flipper" <flipper@gmx.de> wrote in message
news:b7im0o$rve$02$1@news.t-online.com...
> Oh dear, with certificates in use it doesn't work at all,
> PLEASE EVERYONE HELP:
>
> This is what the debug log oakley.log looks like (config per the MS guide, which is
> also available in German).
> I've tried it with every possible certificate source, always the same:
>
> peer1:
>
> 4-16: 04:57:25:805:9c4 Receive: (get) SA = 0x000fb490 from 192.168.2.101
> 4-16: 04:57:25:805:9c4 ISAKMP Header: (V1.0), len = 1556
> 4-16: 04:57:25:805:9c4 I-COOKIE 3ccdc554cc3dc04d
> 4-16: 04:57:25:805:9c4 R-COOKIE 95cb0109e456387d
> 4-16: 04:57:25:805:9c4 exchange: Oakley Main Mode
> 4-16: 04:57:25:805:9c4 flags: 1 ( encrypted )
> 4-16: 04:57:25:805:9c4 next payload: ID
> 4-16: 04:57:25:805:9c4 message ID: 00000000
> 4-16: 04:57:25:805:9c4 processing payload ID
> 4-16: 04:57:25:805:9c4 processing payload CERT
> 4-16: 04:57:25:805:9c4 processing payload CRP
> 4-16: 04:57:25:805:9c4 C=DE, O=za, OU=za, CN=za
> 4-16: 04:57:25:805:9c4 processing payload SIG
> 4-16: 04:57:25:805:9c4 Verifying CertStore
> 4-16: 04:57:25:805:9c4 SubjectName: C=DE, O=za, OU=za, CN=z2
> 4-16: 04:57:25:805:9c4 Cert Serialnumber 0300000000000567b711
> 4-16: 04:57:25:805:9c4 Cert SHA Thumbprint
dfe07769ade3821f546afbaa5225bab0
> 4-16: 04:57:25:805:9c4 a9bee86d
> 4-16: 04:57:25:805:9c4 Cert Trustes. 0 100
> 4-16: 04:57:25:805:9c4 SubjectName: C=DE, O=za, OU=za, CN=z2
> 4-16: 04:57:25:805:9c4 Cert Serialnumber 0300000000000567b711
> 4-16: 04:57:25:805:9c4 Cert SHA Thumbprint
dfe07769ade3821f546afbaa5225bab0
> 4-16: 04:57:25:805:9c4 a9bee86d
> 4-16: 04:57:25:805:9c4 SubjectName: C=DE, O=za, OU=za, CN=za
> 4-16: 04:57:25:805:9c4 Cert Serialnumber 8f5c036b7419284c8ff4d2b070e12c49
> 4-16: 04:57:25:805:9c4
> 4-16: 04:57:25:805:9c4 Cert SHA Thumbprint
0269aeec2d0b6d52bb73c3e6bf919028
> 4-16: 04:57:25:805:9c4 b2b9eb19
> 4-16: 04:57:25:805:9c4 Cert SHA Thumbprint
dfe07769ade3821f546afbaa5225bab0
> 4-16: 04:57:25:805:9c4 a9bee86d
> 4-16: 04:57:25:805:9c4 Entered CRL check
> 4-16: 04:57:31:934:9c4 Left CRL check
> 4-16: 04:57:31:934:9c4 Signature validated
>
> 4-16: 04:57:31:934:9c4 constructing ISAKMP Header
> 4-16: 04:57:31:934:9c4 constructing ID
> 4-16: 04:57:31:934:9c4 Looking for IPSec only cert
> 4-16: 04:57:31:934:9c4 Cert Trustes. 0 100
> 4-16: 04:57:31:934:9c4 AcquireContext Sig Key error: -2146893802
>
> The key set does not exist. ???????
>
> 4-16: 04:57:31:934:9c4 Failed to get key for cert
> 4-16: 04:57:31:934:9c4 Looking for IPSec only cert
> 4-16: 04:57:31:934:9c4 failed to get chain 80092004
> 4-16: 04:57:31:934:9c4 Looking for any cert
> 4-16: 04:57:31:934:9c4 Cert Trustes. 0 100
> 4-16: 04:57:31:934:9c4 AcquireContext Sig Key error: -2146893802
>
> 4-16: 04:57:31:934:9c4 Failed to get key for cert
> 4-16: 04:57:31:934:9c4 Looking for any cert
> 4-16: 04:57:31:934:9c4 failed to get chain 80092004
>
> The object or property was not found. ????????
>
> 4-16: 04:57:31:934:9c4 ProcessFailure: sa:000FB490 centry:00000000
> status:35fc
> 4-16: 04:57:31:934:9c4 isadb_set_status sa:000FB490 centry:00000000 status
> 35fc
> 4-16: 04:57:31:934:9c4 Key exchange mode (Main Mode)
>
>
> 4-16: 04:57:31:934:9c4 Source IP address 192.168.2.100
>
> Source IP address mask 255.255.255.255
>
> Destination IP address 192.168.2.101
>
> Destination IP address mask 255.255.255.255
>
> Protocol 0
>
> Source port 0
>
> Destination port 0
>
> Local IKE address
>
> Peer IKE address
>
>
> 4-16: 04:57:31:934:9c4 Certificate-based identity.
>
> Peer subject C=DE, O=za, OU=za, CN=z2
>
> Peer SHA thumbprint dfe07769ade3821f546afbaa5225bab0a9bee86d
>
> Peer issuing certificate authority: C=DE, O=za, OU=za, CN=za
>
> Root certificate authority
>
> My subject
>
> My SHA thumbprint 0000000000000000000000000000000000000000
>
> Peer IP address: 192.168.2.101
>
>
> 4-16: 04:57:31:934:9c4 User
>
>
> 4-16: 04:57:31:934:9c4 No private key is associated with the
> computer certificate.
>
>
> 4-16: 04:57:31:934:9c4 0x80092004 0x0
> 4-16: 04:57:31:934:9c4 ProcessFailure: sa:000FB490 centry:00000000
> status:35fc
> 4-16: 04:57:31:934:9c4 Not creating notify.
>
> peer2:
>
> 4-15: 04:57:16:1fc *****************Queueing work for worker. 6
> 4-15: 04:57:16:128
> 4-15: 04:57:16:128 Resume: (get) SA = 0x00237a18 from 192.168.2.100
> 4-15: 04:57:16:128 ISAKMP Header: (V1.0), len = 243
> 4-15: 04:57:16:128 I-COOKIE 3ccdc554cc3dc04d
> 4-15: 04:57:16:128 R-COOKIE 95cb0109e456387d
> 4-15: 04:57:16:128 exchange: Oakley Main Mode
> 4-15: 04:57:16:128 flags: 0
> 4-15: 04:57:16:128 next payload: KE
> 4-15: 04:57:16:128 message ID: 00000000
> 4-15: 04:57:16:128 Stopping RetransTimer sa:00237A18 centry:00000000
> handle:0009A1F0
> 4-15: 04:57:16:128 processing payload KE
> 4-15: 04:57:16:128 Generated 128 byte Shared Secret
> 4-15: 04:57:16:128 KE processed; DH shared secret computed
> 4-15: 04:57:16:128 processing payload NONCE
> 4-15: 04:57:16:128 processing payload CR
> 4-15: 04:57:16:128 Processing Cert request
> 4-15: 04:57:16:128 In state OAK_MM_Key_EXCH
> 4-15: 04:57:16:128 skeyid generated; crypto enabled (initiator)
> 4-15: 04:57:16:128 constructing ISAKMP Header
> 4-15: 04:57:16:128 constructing ID
> 4-15: 04:57:16:128 Cert Trustes. 0 0
> 4-15: 04:57:16:128 Key Contained Name
> 4-15: 04:57:16:128
> b53799241ca9cc0b251c811b2862f9b5_3ab5e203-31bc-4d7b-a784-bdae77975100
> 4-15: 04:57:16:128 Found try 1
> 4-15: 04:57:16:128 constructing CERT
> 4-15: 04:57:16:128 constructing SIG
> 4-15: 04:57:16:128 Construct SIG
> 4-15: 04:57:16:128 Hash algo 2
> 4-15: 04:57:16:128 Initiator ID 090000003034310b3009060355040613
> 4-15: 04:57:16:128 024445310b3009060355040a13027a61
> 4-15: 04:57:16:128 310b3009060355040b13027a61310b30
> 4-15: 04:57:16:128 09060355040313027a32
> 4-15: 04:57:16:128 Error 80090016 during CryptSignHash1!
>
> The key set does not exist. ????????????
> THAT CAN'T BE, THEY'RE ALL THERE, WITH PRIVATE KEYS !!!!!!!!!
>
> 4-15: 04:57:16:128 Trying KE key
> 4-15: 04:57:16:128 Signature Created Successfully
> 4-15: 04:57:16:128 Sig LE: 23008a3510138947ad9badf54b5af5dd
> 4-15: 04:57:16:128 145f7dc9eb69a9d3f1f67a087a88c155
> 4-15: 04:57:16:128 19f27a0d8c2906879139417440391bf8
> 4-15: 04:57:16:128 0592ca96c96b641983b544b8e212be1c
> 4-15: 04:57:16:128 b75216f4e15acc4d617b2a1343c4ac77
> 4-15: 04:57:16:128 8b3c63b70ecc6a39ad80b93feb4d9912
> 4-15: 04:57:16:128 cbac3bcc022a3d9710217e0537c4bd69
> 4-15: 04:57:16:128 012789978177da76935b0ea21511b08c
> 4-15: 04:57:16:128 3030dd05be447d4117f31ae05e1531fd
> 4-15: 04:57:16:128 a3f74ff5be4af678707579a8ef1a599f
> 4-15: 04:57:16:128 4179b42b354c8c0db26d1055f7440d29
> 4-15: 04:57:16:128 ef45b12fb11e381dc87c0b197eb9e00f
> 4-15: 04:57:16:128 408492a40efa53c7524017d1aa37d3a7
> 4-15: 04:57:16:128 5cbf24b3fc6a552a6346ec9a59522d6b
> 4-15: 04:57:16:128 1606ce4ef1aac1edbf3f446fabe24027
> 4-15: 04:57:16:128 a93a91c41a8f5adc675eab4ba9327b37
> 4-15: 04:57:16:128
> 4-15: 04:57:16:128 SIG BE: 377b32a94bab5e67dc5a8f1ac4913aa9
> 4-15: 04:57:16:128 2740e2ab6f443fbfedc1aaf14ece0616
> 4-15: 04:57:16:128 6b2d52599aec46632a556afcb324bf5c
> 4-15: 04:57:16:128 a7d337aad1174052c753fa0ea4928440
> 4-15: 04:57:16:128 0fe0b97e190b7cc81d381eb12fb145ef
> 4-15: 04:57:16:128 290d44f755106db20d8c4c352bb47941
> 4-15: 04:57:16:128 9f591aefa879757078f64abef54ff7a3
> 4-15: 04:57:16:128 fd31155ee01af317417d44be05dd3030
> 4-15: 04:57:16:128 8cb01115a20e5b9376da778197892701
> 4-15: 04:57:16:128 69bdc437057e2110973d2a02cc3baccb
> 4-15: 04:57:16:128 12994deb3fb980ad396acc0eb7633c8b
> 4-15: 04:57:16:128 77acc443132a7b614dcc5ae1f41652b7
> 4-15: 04:57:16:128 1cbe12e2b844b58319646bc996ca9205
> 4-15: 04:57:16:128 f81b3940744139918706298c0d7af219
> 4-15: 04:57:16:128 55c1887a087af6f1d3a969ebc97d5f14
> 4-15: 04:57:16:128 ddf55a4bf5ad9bad47891310358a0023
> 4-15: 04:57:16:128
> 4-15: 04:57:16:128 AuthCount 1
> 4-15: 04:57:16:128 Constructing Cert Request
> 4-15: 04:57:16:128 Setting CertReq type
> 4-15: 04:57:16:128 Throw: State mask=111f
> 4-15: 04:57:16:128 Doing tripleDES
> 4-15: 04:57:16:128
> 4-15: 04:57:16:128 Sending: SA = 0x00237A18 to 192.168.2.100
> 4-15: 04:57:16:128 ISAKMP Header: (V1.0), len = 1556
> 4-15: 04:57:16:128 I-COOKIE 3ccdc554cc3dc04d
> 4-15: 04:57:16:128 R-COOKIE 95cb0109e456387d
> 4-15: 04:57:16:128 exchange: Oakley Main Mode
> 4-15: 04:57:16:128 flags: 1 ( encrypted )
> 4-15: 04:57:16:128 next payload: ID
> 4-15: 04:57:16:128 message ID: 00000000
> 4-15: 04:57:17:128 Handling Retransmit: sa 237a18 handle 9a1f0 context
> 2348b8 arg 2348b8
> 4-15: 04:57:17:128 retransmit: sa = 00237A18 centry 00000000 , count = 0
> 4-15: 04:57:17:128
>
> thx
>
>
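As an added example (not part of the original thread, and not Microsoft's code), the following PowerShell script checks every certificate in the local machine Personal store against the requirements Mark lists above: machine store, private key present, Key Usage includes Digital Signature, issued by the CA named in the IPSec policy, and (as the preferred case) carrying the IP Security IKE Intermediate EKU. It also decodes the signed-decimal error from the quoted log, "AcquireContext Sig Key error: -2146893802", which is HRESULT 0x80090016 (NTE_BAD_KEYSET, "Keyset does not exist"), the same condition the German event text reports as no private key being associated with the computer certificate. The issuer name `CN=za` is an assumption taken from the quoted log; replace it with the CA configured in your IPSec policy.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# on the IPsec peer that fails (Peer 1 in the thread).

$IssuerCN           = 'CN=za'             # assumption: the CA named in the IPsec policy
$IkeIntermediateOid = '1.3.6.1.5.5.8.2.2' # "IP security IKE intermediate" EKU from the reply

# Oakley logs CryptoAPI errors as signed decimal; show them as HRESULTs with their text.
function ConvertTo-HResultText([int]$Signed) {
    $hr  = '0x{0:X8}' -f $Signed                                   # -2146893802 -> 0x80090016
    $msg = [System.Runtime.InteropServices.Marshal]::GetExceptionForHR($Signed).Message
    "$hr ($msg)"
}

function Test-IpsecMachineCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    # Requirement 2: a private key must be associated with the certificate. A cert
    # imported from a .cer file, or whose PFX went into the user store, fails here,
    # and IKE then logs NTE_BAD_KEYSET exactly as in the quoted oakley.log.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key associated' }

    # Requirement 3: Key Usage must include Digital Signature (IKE signs the SIG payload).
    $ku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku -and -not $ku.KeyUsages.HasFlag(
            [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)) {
        $problems += 'Key Usage lacks Digital Signature'
    }

    # The certificate must come from the CA specified in the IPsec policy.
    if ($Cert.Issuer -notmatch [regex]::Escape($IssuerCN)) {
        $problems += "issuer is '$($Cert.Issuer)', not $IssuerCN"
    }

    # IKE builds the chain and does a CRL check ("Entered CRL check" in the log),
    # so the chain must build with revocation checking enabled.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain build failed: $status"
    }

    # Side point from the reply: a cert with the IKE Intermediate EKU is chosen first.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasIkeEku = $false
    if ($eku) {
        $hasIkeEku = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $IkeIntermediateOid })
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        IkeEku     = $hasIkeEku
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Requirement 1: only Cert:\LocalMachine\My counts; IKE never looks in Cert:\CurrentUser\My.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-IpsecMachineCert $_ } |
    Sort-Object -Property IkeEku -Descending |
    Format-Table -AutoSize

# Decode the two errors from the quoted log.
ConvertTo-HResultText -2146893802   # 0x80090016 (Keyset does not exist)
ConvertTo-HResultText 0x80092004    # CRYPT_E_NOT_FOUND, "failed to get chain 80092004"
```

A certificate whose row shows `Usable` = False with "no private key associated" is the situation in Peer 1's log: the public certificate is in the machine store, but the key pair is not (typically because the request was enrolled under a user account, or the certificate was imported from a .cer rather than a PFX). Re-enroll or re-import as the machine, including the private key, and re-run the script until the certificate from the policy's CA shows `Usable` = True.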

