Re: ipsec lan: IKE: no private key found, ideas?
From: Steve Cartwright [MSFT] (scart@online.microsoft.com)
Date: 04/22/03
- Next message: Keith: "Scheduled Tasks Problem"
- Previous message: Wei Wang [MS]: "Re: Logging In"
- In reply to: flipper: "Re: ipsec lan: IKE: no private key found, ideas?"
- Next in thread: Steve Cartwright [MSFT]: "Re: ipsec lan: IKE: no private key found, ideas?"
- Reply: Steve Cartwright [MSFT]: "Re: ipsec lan: IKE: no private key found, ideas?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Steve Cartwright [MSFT]" <scart@online.microsoft.com> Date: Tue, 22 Apr 2003 14:00:21 -0700
Hi Flipper,
Cool, I'll try American seeing as I'm British anyway :)
Yes, certs are preferred; PSK was just to establish that at least L2TP was
working.
Have you got the certificates in the right stores [sounds like you have,
though], and do you have only the ones you need in the local machine
personal store, so it's not cluttered up with others? Sorry, I realise
troubleshooting cert issues is a problem, so bear with me if my
questions/suggestions have been tried already.
For the certs you have (computer personal store and corresponding trusted
root CA), check the certificate details and verify that all machines have the
same details. Pay attention to the public keys, that they are the same for
the certificates in each store, and that the certification paths are correct too:
the personal cert should see its certification path up to the one in the
trusted root CA [really stretching my cert knowledge here].
With perhaps so much troubleshooting, maybe you need to request new
certificates with new private keys, having cleared out the certs you
presently have [save the existing certs for later reference perhaps], and
reboot the boxes.
I have tried to repro the conditions you have to no avail :(
T'chuss
--
Stephen Cartwright [MSFT]
Microsoft Corporation
----------------------------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights
---------------------------------------------------------

"flipper" <flipper@gmx.de> wrote in message news:b7n88m$14i$01$1@news.t-online.com...
> Dear Mr. Cartwright
>
> Sorry for posting in German, YOU MAY ANSWER IN AMERICAN :))
> I've read the papers on support.ms.com and met all requirements specified.
> Pre-shared keys does it respectively.
> But I need it running with certs.
> I'll not be able to go to market with my new app if I can't ensure IPsec will do.
>
> At this time I got 3 hosts, xphomesp1, xpprosp1, w2kserversp3.
> State: The calling host times out on IKE exchange, all called hosts notify error "no associated private key found." in oakley log.
> All certs are from the w2kserver cert services, I tried "server" and individual minimum policy.
> The full keypairs are in the machine stores respectively and the root cert is installed on all machines.
> Keylength of all certs is 2048 Bytes, sha1RSA, IPsec types, also tried 512, 1024, md5RSA.
> I've also tried certs from thawte CA.
>
> Maybe the issue is with incomplete key index specification in the RSA certs.
>
> I just posted here and wait what the guys in here are saying, before getting opened a highest priority case at microsoft premier support ;-)
>
> CYa
>
> "Steve Cartwright [MSFT]" <scart@online.microsoft.com> wrote in message news:#u2$xdRBDHA.1604@TK2MSFTNGP10.phx.gbl...
> > Excuse me, my German is not that good.
> > peer1 does not have a certificate to negotiate a secure communication with peer2 [peer 2 though does have a certificate]; you will need to install the same certificate to peer1 that peer2 has.
> > As a troubleshooting aid, if you are having certificate issues you could try using Pre-shared-key to ensure that at least you can successfully complete negotiations.
> >
> > T'chuss
> >
> > --
> > Stephen Cartwright [MSFT]
> >
> > Microsoft Corporation
> >
> > ----------------------------------------------------------------------------
> > This posting is provided "AS IS" with no warranties, and confers no rights
> >
> > ---------------------------------------------------------
> >
> > "flipper" <flipper@gmx.de> wrote in message news:b7im0o$rve$02$1@news.t-online.com...
> > > oh dear, with certificates in use it doesn't work at all,
> > > PLEASE EVERYONE HELP:
> > >
> > > this is what the debug log oakley.log looks like (config: see the MS guide, also available in German)
> > > I've tried it with every possible certificate source, always the same:
> > >
> > > peer1:
> > >
> > > 4-16: 04:57:25:805:9c4 Receive: (get) SA = 0x000fb490 from 192.168.2.101
> > > 4-16: 04:57:25:805:9c4 ISAKMP Header: (V1.0), len = 1556
> > > 4-16: 04:57:25:805:9c4 I-COOKIE 3ccdc554cc3dc04d
> > > 4-16: 04:57:25:805:9c4 R-COOKIE 95cb0109e456387d
> > > 4-16: 04:57:25:805:9c4 exchange: Oakley Main Mode
> > > 4-16: 04:57:25:805:9c4 flags: 1 ( encrypted )
> > > 4-16: 04:57:25:805:9c4 next payload: ID
> > > 4-16: 04:57:25:805:9c4 message ID: 00000000
> > > 4-16: 04:57:25:805:9c4 processing payload ID
> > > 4-16: 04:57:25:805:9c4 processing payload CERT
> > > 4-16: 04:57:25:805:9c4 processing payload CRP
> > > 4-16: 04:57:25:805:9c4 C=DE, O=za, OU=za, CN=za
> > > 4-16: 04:57:25:805:9c4 processing payload SIG
> > > 4-16: 04:57:25:805:9c4 Verifying CertStore
> > > 4-16: 04:57:25:805:9c4 SubjectName: C=DE, O=za, OU=za, CN=z2
> > > 4-16: 04:57:25:805:9c4 Cert Serialnumber 0300000000000567b711
> > > 4-16: 04:57:25:805:9c4 Cert SHA Thumbprint dfe07769ade3821f546afbaa5225bab0
> > > 4-16: 04:57:25:805:9c4 a9bee86d
> > > 4-16: 04:57:25:805:9c4 Cert Trustes. 0 100
> > > 4-16: 04:57:25:805:9c4 SubjectName: C=DE, O=za, OU=za, CN=z2
> > > 4-16: 04:57:25:805:9c4 Cert Serialnumber 0300000000000567b711
> > > 4-16: 04:57:25:805:9c4 Cert SHA Thumbprint dfe07769ade3821f546afbaa5225bab0
> > > 4-16: 04:57:25:805:9c4 a9bee86d
> > > 4-16: 04:57:25:805:9c4 SubjectName: C=DE, O=za, OU=za, CN=za
> > > 4-16: 04:57:25:805:9c4 Cert Serialnumber 8f5c036b7419284c8ff4d2b070e12c49
> > > 4-16: 04:57:25:805:9c4
> > > 4-16: 04:57:25:805:9c4 Cert SHA Thumbprint 0269aeec2d0b6d52bb73c3e6bf919028
> > > 4-16: 04:57:25:805:9c4 b2b9eb19
> > > 4-16: 04:57:25:805:9c4 Cert SHA Thumbprint dfe07769ade3821f546afbaa5225bab0
> > > 4-16: 04:57:25:805:9c4 a9bee86d
> > > 4-16: 04:57:25:805:9c4 Entered CRL check
> > > 4-16: 04:57:31:934:9c4 Left CRL check
> > > 4-16: 04:57:31:934:9c4 Signature validated
> > >
> > > 4-16: 04:57:31:934:9c4 constructing ISAKMP Header
> > > 4-16: 04:57:31:934:9c4 constructing ID
> > > 4-16: 04:57:31:934:9c4 Looking for IPSec only cert
> > > 4-16: 04:57:31:934:9c4 Cert Trustes. 0 100
> > > 4-16: 04:57:31:934:9c4 AcquireContext Sig Key error: -2146893802
> > >
> > > The keyset does not exist. ???????
> > >
> > > 4-16: 04:57:31:934:9c4 Failed to get key for cert
> > > 4-16: 04:57:31:934:9c4 Looking for IPSec only cert
> > > 4-16: 04:57:31:934:9c4 failed to get chain 80092004
> > > 4-16: 04:57:31:934:9c4 Looking for any cert
> > > 4-16: 04:57:31:934:9c4 Cert Trustes. 0 100
> > > 4-16: 04:57:31:934:9c4 AcquireContext Sig Key error: -2146893802
> > >
> > > 4-16: 04:57:31:934:9c4 Failed to get key for cert
> > > 4-16: 04:57:31:934:9c4 Looking for any cert
> > > 4-16: 04:57:31:934:9c4 failed to get chain 80092004
> > >
> > > The object or property was not found. ????????
> > >
> > > 4-16: 04:57:31:934:9c4 ProcessFailure: sa:000FB490 centry:00000000 status:35fc
> > > 4-16: 04:57:31:934:9c4 isadb_set_status sa:000FB490 centry:00000000 status 35fc
> > > 4-16: 04:57:31:934:9c4 Key exchange mode (Main Mode)
> > >
> > > 4-16: 04:57:31:934:9c4 Source IP address 192.168.2.100
> > > Source IP address mask 255.255.255.255
> > > Destination IP address 192.168.2.101
> > > Destination IP address mask 255.255.255.255
> > > Protocol 0
> > > Source port 0
> > > Destination port 0
> > > Local IKE address
> > > Peer IKE address
> > >
> > > 4-16: 04:57:31:934:9c4 Certificate-based identity.
> > > Peer subject C=DE, O=za, OU=za, CN=z2
> > > Peer SHA thumbprint dfe07769ade3821f546afbaa5225bab0a9bee86d
> > > Peer issuing certification authority: C=DE, O=za, OU=za, CN=za
> > > Root certification authority
> > > My subject
> > > My SHA thumbprint 0000000000000000000000000000000000000000
> > > Peer IP address: 192.168.2.101
> > >
> > > 4-16: 04:57:31:934:9c4 User
> > >
> > > 4-16: 04:57:31:934:9c4 No private key is associated with the computer certificate.
> > >
> > > 4-16: 04:57:31:934:9c4 0x80092004 0x0
> > > 4-16: 04:57:31:934:9c4 ProcessFailure: sa:000FB490 centry:00000000 status:35fc
> > > 4-16: 04:57:31:934:9c4 Not creating notify.
> > >
> > > peer2:
> > >
> > > 4-15: 04:57:16:1fc *****************Queueing work for worker. 6
> > > 4-15: 04:57:16:128
> > > 4-15: 04:57:16:128 Resume: (get) SA = 0x00237a18 from 192.168.2.100
> > > 4-15: 04:57:16:128 ISAKMP Header: (V1.0), len = 243
> > > 4-15: 04:57:16:128 I-COOKIE 3ccdc554cc3dc04d
> > > 4-15: 04:57:16:128 R-COOKIE 95cb0109e456387d
> > > 4-15: 04:57:16:128 exchange: Oakley Main Mode
> > > 4-15: 04:57:16:128 flags: 0
> > > 4-15: 04:57:16:128 next payload: KE
> > > 4-15: 04:57:16:128 message ID: 00000000
> > > 4-15: 04:57:16:128 Stopping RetransTimer sa:00237A18 centry:00000000 handle:0009A1F0
> > > 4-15: 04:57:16:128 processing payload KE
> > > 4-15: 04:57:16:128 Generated 128 byte Shared Secret
> > > 4-15: 04:57:16:128 KE processed; DH shared secret computed
> > > 4-15: 04:57:16:128 processing payload NONCE
> > > 4-15: 04:57:16:128 processing payload CR
> > > 4-15: 04:57:16:128 Processing Cert request
> > > 4-15: 04:57:16:128 In state OAK_MM_Key_EXCH
> > > 4-15: 04:57:16:128 skeyid generated; crypto enabled (initiator)
> > > 4-15: 04:57:16:128 constructing ISAKMP Header
> > > 4-15: 04:57:16:128 constructing ID
> > > 4-15: 04:57:16:128 Cert Trustes. 0 0
> > > 4-15: 04:57:16:128 Key Contained Name
> > > 4-15: 04:57:16:128 b53799241ca9cc0b251c811b2862f9b5_3ab5e203-31bc-4d7b-a784-bdae77975100
> > > 4-15: 04:57:16:128 Found try 1
> > > 4-15: 04:57:16:128 constructing CERT
> > > 4-15: 04:57:16:128 constructing SIG
> > > 4-15: 04:57:16:128 Construct SIG
> > > 4-15: 04:57:16:128 Hash algo 2
> > > 4-15: 04:57:16:128 Initiator ID 090000003034310b3009060355040613
> > > 4-15: 04:57:16:128 024445310b3009060355040a13027a61
> > > 4-15: 04:57:16:128 310b3009060355040b13027a61310b30
> > > 4-15: 04:57:16:128 09060355040313027a32
> > > 4-15: 04:57:16:128 Error 80090016 during CryptSignHash1!
> > >
> > > The keyset does not exist. ????????????
> > > THAT CAN'T BE, THEY'RE ALL THERE, WITH PRIVATE KEYS !!!!!!!!!
> > >
> > > 4-15: 04:57:16:128 Trying KE key
> > > 4-15: 04:57:16:128 Signature Created Successfully
> > > 4-15: 04:57:16:128 Sig LE: 23008a3510138947ad9badf54b5af5dd
> > > 4-15: 04:57:16:128 145f7dc9eb69a9d3f1f67a087a88c155
> > > 4-15: 04:57:16:128 19f27a0d8c2906879139417440391bf8
> > > 4-15: 04:57:16:128 0592ca96c96b641983b544b8e212be1c
> > > 4-15: 04:57:16:128 b75216f4e15acc4d617b2a1343c4ac77
> > > 4-15: 04:57:16:128 8b3c63b70ecc6a39ad80b93feb4d9912
> > > 4-15: 04:57:16:128 cbac3bcc022a3d9710217e0537c4bd69
> > > 4-15: 04:57:16:128 012789978177da76935b0ea21511b08c
> > > 4-15: 04:57:16:128 3030dd05be447d4117f31ae05e1531fd
> > > 4-15: 04:57:16:128 a3f74ff5be4af678707579a8ef1a599f
> > > 4-15: 04:57:16:128 4179b42b354c8c0db26d1055f7440d29
> > > 4-15: 04:57:16:128 ef45b12fb11e381dc87c0b197eb9e00f
> > > 4-15: 04:57:16:128 408492a40efa53c7524017d1aa37d3a7
> > > 4-15: 04:57:16:128 5cbf24b3fc6a552a6346ec9a59522d6b
> > > 4-15: 04:57:16:128 1606ce4ef1aac1edbf3f446fabe24027
> > > 4-15: 04:57:16:128 a93a91c41a8f5adc675eab4ba9327b37
> > > 4-15: 04:57:16:128
> > > 4-15: 04:57:16:128 SIG BE: 377b32a94bab5e67dc5a8f1ac4913aa9
> > > 4-15: 04:57:16:128 2740e2ab6f443fbfedc1aaf14ece0616
> > > 4-15: 04:57:16:128 6b2d52599aec46632a556afcb324bf5c
> > > 4-15: 04:57:16:128 a7d337aad1174052c753fa0ea4928440
> > > 4-15: 04:57:16:128 0fe0b97e190b7cc81d381eb12fb145ef
> > > 4-15: 04:57:16:128 290d44f755106db20d8c4c352bb47941
> > > 4-15: 04:57:16:128 9f591aefa879757078f64abef54ff7a3
> > > 4-15: 04:57:16:128 fd31155ee01af317417d44be05dd3030
> > > 4-15: 04:57:16:128 8cb01115a20e5b9376da778197892701
> > > 4-15: 04:57:16:128 69bdc437057e2110973d2a02cc3baccb
> > > 4-15: 04:57:16:128 12994deb3fb980ad396acc0eb7633c8b
> > > 4-15: 04:57:16:128 77acc443132a7b614dcc5ae1f41652b7
> > > 4-15: 04:57:16:128 1cbe12e2b844b58319646bc996ca9205
> > > 4-15: 04:57:16:128 f81b3940744139918706298c0d7af219
> > > 4-15: 04:57:16:128 55c1887a087af6f1d3a969ebc97d5f14
> > > 4-15: 04:57:16:128 ddf55a4bf5ad9bad47891310358a0023
> > > 4-15: 04:57:16:128
> > > 4-15: 04:57:16:128 AuthCount 1
> > > 4-15: 04:57:16:128 Constructing Cert Request
> > > 4-15: 04:57:16:128 Setting CertReq type
> > > 4-15: 04:57:16:128 Throw: State mask=111f
> > > 4-15: 04:57:16:128 Doing tripleDES
> > > 4-15: 04:57:16:128
> > > 4-15: 04:57:16:128 Sending: SA = 0x00237A18 to 192.168.2.100
> > > 4-15: 04:57:16:128 ISAKMP Header: (V1.0), len = 1556
> > > 4-15: 04:57:16:128 I-COOKIE 3ccdc554cc3dc04d
> > > 4-15: 04:57:16:128 R-COOKIE 95cb0109e456387d
> > > 4-15: 04:57:16:128 exchange: Oakley Main Mode
> > > 4-15: 04:57:16:128 flags: 1 ( encrypted )
> > > 4-15: 04:57:16:128 next payload: ID
> > > 4-15: 04:57:16:128 message ID: 00000000
> > > 4-15: 04:57:17:128 Handling Retransmit: sa 237a18 handle 9a1f0 context 2348b8 arg 2348b8
> > > 4-15: 04:57:17:128 retransmit: sa = 00237A18 centry 00000000 , count = 0
> > > 4-15: 04:57:17:128
> > >
> > > thx
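Editor's note, added to this archived thread and not part of any post in it: the checks Steve asks for (right store, matching details, chain up to the trusted root, a private key that really belongs to the machine cert) can be scripted. The two error values in the quoted oakley.log are the same code, -2146893802 is 0x80090016 (NTE_BAD_KEYSET, "keyset does not exist"), which is what CryptoAPI returns when the certificate carries a key-container name but the container behind it cannot be opened by the caller; 0x80092004 is CRYPT_E_NOT_FOUND. The script below is example code written for this page; it assumes PowerShell 5.1 or later on Windows, an elevated prompt, and that 1.3.6.1.5.5.8.2.2 ("IP security IKE intermediate") is the EKU the Windows IKE service looks for. It does not reproduce the original poster's environment.

```powershell
# Added example (not from the thread): audit Cert:\LocalMachine\My for a
# certificate that the Windows IKE service could actually sign with.
# Assumes PowerShell 5.1+ on Windows, run elevated.

# EKU that the Windows IKE implementation looks for ("IP security IKE intermediate").
$IkeIntermediateEku = '1.3.6.1.5.5.8.2.2'

function Test-IkeCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $r = [ordered]@{
        Subject     = $Cert.Subject
        Thumbprint  = $Cert.Thumbprint
        IkeEku      = $false   # usable for IKE by EKU
        ChainBuilds = $false   # chain builds to a trusted root on this box
        RootInStore = $false   # that root is present in LocalMachine\Root
        MachineKey  = $null    # CSP key lives in the machine key store (not a user profile)
        KeyUsable   = $false   # a real signature could be made and verified with the key
        Problem     = $null
    }

    # 1. EKU: accept the IKE intermediate OID, or a certificate with no EKU at all (any purpose).
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($null -eq $eku) {
        $r.IkeEku = $true
    } else {
        $r.IkeEku = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $IkeIntermediateEku })
    }

    # 2. Chain: build it the way a peer would. Revocation is left out here;
    #    the quoted log shows IKE doing its own CRL check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $r.ChainBuilds = $chain.Build($Cert)
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $r.RootInStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object { $_.Thumbprint -eq $root.Thumbprint })
    }

    # 3. Key container: IKE runs as LocalSystem, so a CSP key must sit in the
    #    machine key store, not in the profile of whoever enrolled the cert.
    #    (The PrivateKey accessor throws for CNG keys; that case is simply skipped.)
    try {
        $csp = $Cert.PrivateKey
        if ($csp -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $r.MachineKey = $csp.CspKeyContainerInfo.MachineKeyStore
        }
    } catch { }

    # 4. Prove the key. HasPrivateKey only says a container name is attached to the
    #    certificate; opening the key and signing is what CryptSignHash does during
    #    IKE, and NTE_BAD_KEYSET (0x80090016) surfaces here when the container is gone.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $rsa) { throw 'no private key is linked to this certificate' }
        $data    = [System.Text.Encoding]::ASCII.GetBytes('ike-key-probe')   # constructed probe input
        $hash    = [System.Security.Cryptography.HashAlgorithmName]::SHA256
        $padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
        $sig = $rsa.SignData($data, $hash, $padding)
        $r.KeyUsable = $rsa.VerifyData($data, $sig, $hash, $padding)
    } catch {
        $r.Problem = $_.Exception.Message
    }

    [pscustomobject]$r
}

# Run over the machine Personal store. Compare Thumbprint and RootInStore across
# peers: each side must trust the root that issued the other side's certificate.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-IkeCertificate -Cert $_ } |
    Format-Table Subject, Thumbprint, IkeEku, ChainBuilds, RootInStore, MachineKey, KeyUsable, Problem -AutoSize
```

A row with KeyUsable false and a Problem mentioning the keyset, or MachineKey false, is the condition the quoted log describes: the certificate is present and chains correctly (peer1 even validated peer2's signature), but the service cannot get at the key behind it. Re-enrolling into the machine store with a fresh key pair, as the reply suggests, is the fix for that row; a row with IkeEku false points at the template instead.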