Re: ipsec lan: IKE: no private key found, ideas?
From: Steve Cartwright [MSFT] (scart@online.microsoft.com)
Date: 04/22/03
- Next message: Steve Cartwright [MSFT]: "Re: SOLVED! cause: cut&paste of certs in the mmc certs snap in does not include private keys!"
- Previous message: David Kon: "Stand alone 2000 workstation lockdown"
- In reply to: Steve Cartwright [MSFT]: "Re: ipsec lan: IKE: no private key found, ideas?"
- Next in thread: flipper: "SOLVED! cause: cut&paste of certs in the mmc certs snap in does not include private keys!"
From: "Steve Cartwright [MSFT]" <scart@online.microsoft.com>
Date: Tue, 22 Apr 2003 14:47:36 -0700
Sorry, just saw your other post that you fixed this [that's good]. Am trying
to find out from the Certificates team if c&p allows you to complete an
operation when in fact it stripped data off and you don't know about it -
hence really export/import should be the way to go, but c&p is just so easy
to do :)
--
Stephen Cartwright [MSFT]
Microsoft Corporation
----------------------------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights
---------------------------------------------------------

"Steve Cartwright [MSFT]" <scart@online.microsoft.com> wrote in message news:eCflxIRCDHA.3040@TK2MSFTNGP11.phx.gbl...
>
> Hi Flipper,
>
> Cool, I'll try American seeing as I'm British anyway :)
>
> Yes, certs is preferred; PSK was just to establish that at least L2TP was working.
>
> Have you got the certificates in the right stores [sounds like you have though], and do you have only the ones you need in the local machine personal store and it's not cluttered up with others? Sorry, I realise troubleshooting cert issues is a problem, so bear with me if my questions/suggestions have been tried already.
>
> For the certs you have, computer personal store and corresponding trusted root CA, check the certificate details and verify that all machines have the same details; pay attention to the public keys, that they are the same for the certificates in each store, and that the certification paths are correct too; the personal cert should see its certification path up to the one in the trusted root CA [really stretching my cert knowledge here].
>
> With perhaps so much troubleshooting, maybe you need to request new certificates with new private keys, having cleared out [save the existing certs for later reference perhaps] the certs you presently have, and reboot the boxes.
>
> I have tried to repro the conditions you have to no avail :(
>
> T'chuss
> --
> Stephen Cartwright [MSFT]
>
> Microsoft Corporation
>
> ----------------------------------------------------------------------------
> This posting is provided "AS IS" with no warranties, and confers no rights
>
> ---------------------------------------------------------
>
>
> "flipper" <flipper@gmx.de> wrote in message news:b7n88m$14i$01$1@news.t-online.com...
> > Dear Mr. Cartwright
> >
> > Sorry for posting in German, YOU MAY ANSWER IN AMERICAN :))
> > I've read the papers on support.ms.com and met all requirements specified.
> > Pre-shared keys does it respectively.
> > But I need it running with certs.
> > I'll not be able to go to market with my new app if I can't ensure IPsec will do.
> >
> > At this time I've got 3 hosts: xphomesp1, xpprosp1, w2kserversp3.
> > State: The calling host times out on IKE exchange; all called hosts notify error "no associated private key found." in oakley log.
> > All certs are from the w2kserver cert services; I tried "server" and individual minimum policy.
> > The full keypairs are in the machine stores respectively and the root cert is installed on all machines.
> > Keylength of all certs is 2048 Bytes, sha1RSA, IPsec types; also tried 512, 1024, md5RSA.
> > I've also tried certs from thawte CA.
> >
> > Maybe the issue is with incomplete key index specification in the RSA certs.
> >
> > I just posted here and will wait to see what the guys in here are saying, before opening a highest priority case at Microsoft premier support ;-)
> >
> > CYa
> >
> >
> > "Steve Cartwright [MSFT]" <scart@online.microsoft.com> wrote in message news:#u2$xdRBDHA.1604@TK2MSFTNGP10.phx.gbl...
> > > Excuse me, as my German is not very good.
> > > peer1 does not have a certificate to negotiate a secure communication with peer2 [peer 2 though does have a certificate]; you will need to install the same certificate to peer1 that peer2 has.
> > > As a troubleshooting aid, if you are having certificate issues you could try using Pre-shared-key to ensure that at least you can successfully complete negotiations.
> > >
> > > T'chuss
> > >
> > > --
> > > Stephen Cartwright [MSFT]
> > >
> > > Microsoft Corporation
> > >
> > > ----------------------------------------------------------------------------
> > > This posting is provided "AS IS" with no warranties, and confers no rights
> > >
> > > ---------------------------------------------------------
> > >
> > >
> > > "flipper" <flipper@gmx.de> wrote in message news:b7im0o$rve$02$1@news.t-online.com...
> > > > Oh dear, with certificates it doesn't work at all.
> > > > PLEASE EVERYONE HELP:
> > > >
> > > > This is what the debug log oakley.log looks like (config: see the MS guide, also available in German).
> > > > I've tried it with every possible certificate source, always the same:
> > > >
> > > > peer1:
> > > >
> > > > 4-16: 04:57:25:805:9c4 Receive: (get) SA = 0x000fb490 from 192.168.2.101
> > > > 4-16: 04:57:25:805:9c4 ISAKMP Header: (V1.0), len = 1556
> > > > 4-16: 04:57:25:805:9c4 I-COOKIE 3ccdc554cc3dc04d
> > > > 4-16: 04:57:25:805:9c4 R-COOKIE 95cb0109e456387d
> > > > 4-16: 04:57:25:805:9c4 exchange: Oakley Main Mode
> > > > 4-16: 04:57:25:805:9c4 flags: 1 ( encrypted )
> > > > 4-16: 04:57:25:805:9c4 next payload: ID
> > > > 4-16: 04:57:25:805:9c4 message ID: 00000000
> > > > 4-16: 04:57:25:805:9c4 processing payload ID
> > > > 4-16: 04:57:25:805:9c4 processing payload CERT
> > > > 4-16: 04:57:25:805:9c4 processing payload CRP
> > > > 4-16: 04:57:25:805:9c4 C=DE, O=za, OU=za, CN=za
> > > > 4-16: 04:57:25:805:9c4 processing payload SIG
> > > > 4-16: 04:57:25:805:9c4 Verifying CertStore
> > > > 4-16: 04:57:25:805:9c4 SubjectName: C=DE, O=za, OU=za, CN=z2
> > > > 4-16: 04:57:25:805:9c4 Cert Serialnumber 0300000000000567b711
> > > > 4-16: 04:57:25:805:9c4 Cert SHA Thumbprint dfe07769ade3821f546afbaa5225bab0
> > > > 4-16: 04:57:25:805:9c4 a9bee86d
> > > > 4-16: 04:57:25:805:9c4 Cert Trustes. 0 100
> > > > 4-16: 04:57:25:805:9c4 SubjectName: C=DE, O=za, OU=za, CN=z2
> > > > 4-16: 04:57:25:805:9c4 Cert Serialnumber 0300000000000567b711
> > > > 4-16: 04:57:25:805:9c4 Cert SHA Thumbprint dfe07769ade3821f546afbaa5225bab0
> > > > 4-16: 04:57:25:805:9c4 a9bee86d
> > > > 4-16: 04:57:25:805:9c4 SubjectName: C=DE, O=za, OU=za, CN=za
> > > > 4-16: 04:57:25:805:9c4 Cert Serialnumber 8f5c036b7419284c8ff4d2b070e12c49
> > > > 4-16: 04:57:25:805:9c4
> > > > 4-16: 04:57:25:805:9c4 Cert SHA Thumbprint 0269aeec2d0b6d52bb73c3e6bf919028
> > > > 4-16: 04:57:25:805:9c4 b2b9eb19
> > > > 4-16: 04:57:25:805:9c4 Cert SHA Thumbprint dfe07769ade3821f546afbaa5225bab0
> > > > 4-16: 04:57:25:805:9c4 a9bee86d
> > > > 4-16: 04:57:25:805:9c4 Entered CRL check
> > > > 4-16: 04:57:31:934:9c4 Left CRL check
> > > > 4-16: 04:57:31:934:9c4 Signature validated
> > > >
> > > > 4-16: 04:57:31:934:9c4 constructing ISAKMP Header
> > > > 4-16: 04:57:31:934:9c4 constructing ID
> > > > 4-16: 04:57:31:934:9c4 Looking for IPSec only cert
> > > > 4-16: 04:57:31:934:9c4 Cert Trustes. 0 100
> > > > 4-16: 04:57:31:934:9c4 AcquireContext Sig Key error: -2146893802
> > > >
> > > > Keyset does not exist. ???????
> > > >
> > > > 4-16: 04:57:31:934:9c4 Failed to get key for cert
> > > > 4-16: 04:57:31:934:9c4 Looking for IPSec only cert
> > > > 4-16: 04:57:31:934:9c4 failed to get chain 80092004
> > > > 4-16: 04:57:31:934:9c4 Looking for any cert
> > > > 4-16: 04:57:31:934:9c4 Cert Trustes. 0 100
> > > > 4-16: 04:57:31:934:9c4 AcquireContext Sig Key error: -2146893802
> > > >
> > > > 4-16: 04:57:31:934:9c4 Failed to get key for cert
> > > > 4-16: 04:57:31:934:9c4 Looking for any cert
> > > > 4-16: 04:57:31:934:9c4 failed to get chain 80092004
> > > >
> > > > Cannot find object or property. ????????
> > > >
> > > > 4-16: 04:57:31:934:9c4 ProcessFailure: sa:000FB490 centry:00000000 status:35fc
> > > > 4-16: 04:57:31:934:9c4 isadb_set_status sa:000FB490 centry:00000000 status 35fc
> > > > 4-16: 04:57:31:934:9c4 Schlüsselaustauschmodus (Hauptmodus)
> > > >
> > > > 4-16: 04:57:31:934:9c4 Quell-IP-Adresse 192.168.2.100
> > > > Quell-IP-Adressmaske 255.255.255.255
> > > > Ziel-IP-Adresse 192.168.2.101
> > > > Ziel-IP-Adressmaske 255.255.255.255
> > > > Protokoll 0
> > > > Quellport 0
> > > > Zielport 0
> > > > Lokale IKE-Adresse
> > > > Peer-IKE-Adresse
> > > >
> > > > 4-16: 04:57:31:934:9c4 Zertifikatsbasierte Identität.
> > > > Peerantragsteller C=DE, O=za, OU=za, CN=z2
> > > > Peer-SHA-Fingerabdruck dfe07769ade3821f546afbaa5225bab0a9bee86d
> > > > Peer, der die Zertifizierungsstelle ausstellt: C=DE, O=za, OU=za, CN=za
> > > > Stammzertifizierungsstelle
> > > > Eigener Antragsteller
> > > > Eigener SHA-Fingerabdruck 0000000000000000000000000000000000000000
> > > > Peer-IP-Adresse: 192.168.2.101
> > > >
> > > > 4-16: 04:57:31:934:9c4 Benutzer
> > > >
> > > > 4-16: 04:57:31:934:9c4 Es ist kein privater Schlüssel mit dem Computerzertifikat verknüpft.
> > > >
> > > > 4-16: 04:57:31:934:9c4 0x80092004 0x0
> > > > 4-16: 04:57:31:934:9c4 ProcessFailure: sa:000FB490 centry:00000000 status:35fc
> > > > 4-16: 04:57:31:934:9c4 Not creating notify.
> > > >
> > > > peer2:
> > > >
> > > > 4-15: 04:57:16:1fc *****************Queueing work for worker. 6
> > > > 4-15: 04:57:16:128
> > > > 4-15: 04:57:16:128 Resume: (get) SA = 0x00237a18 from 192.168.2.100
> > > > 4-15: 04:57:16:128 ISAKMP Header: (V1.0), len = 243
> > > > 4-15: 04:57:16:128 I-COOKIE 3ccdc554cc3dc04d
> > > > 4-15: 04:57:16:128 R-COOKIE 95cb0109e456387d
> > > > 4-15: 04:57:16:128 exchange: Oakley Main Mode
> > > > 4-15: 04:57:16:128 flags: 0
> > > > 4-15: 04:57:16:128 next payload: KE
> > > > 4-15: 04:57:16:128 message ID: 00000000
> > > > 4-15: 04:57:16:128 Stopping RetransTimer sa:00237A18 centry:00000000 handle:0009A1F0
> > > > 4-15: 04:57:16:128 processing payload KE
> > > > 4-15: 04:57:16:128 Generated 128 byte Shared Secret
> > > > 4-15: 04:57:16:128 KE processed; DH shared secret computed
> > > > 4-15: 04:57:16:128 processing payload NONCE
> > > > 4-15: 04:57:16:128 processing payload CR
> > > > 4-15: 04:57:16:128 Processing Cert request
> > > > 4-15: 04:57:16:128 In state OAK_MM_Key_EXCH
> > > > 4-15: 04:57:16:128 skeyid generated; crypto enabled (initiator)
> > > > 4-15: 04:57:16:128 constructing ISAKMP Header
> > > > 4-15: 04:57:16:128 constructing ID
> > > > 4-15: 04:57:16:128 Cert Trustes. 0 0
> > > > 4-15: 04:57:16:128 Key Contained Name
> > > > 4-15: 04:57:16:128 b53799241ca9cc0b251c811b2862f9b5_3ab5e203-31bc-4d7b-a784-bdae77975100
> > > > 4-15: 04:57:16:128 Found try 1
> > > > 4-15: 04:57:16:128 constructing CERT
> > > > 4-15: 04:57:16:128 constructing SIG
> > > > 4-15: 04:57:16:128 Construct SIG
> > > > 4-15: 04:57:16:128 Hash algo 2
> > > > 4-15: 04:57:16:128 Initiator ID 090000003034310b3009060355040613
> > > > 4-15: 04:57:16:128 024445310b3009060355040a13027a61
> > > > 4-15: 04:57:16:128 310b3009060355040b13027a61310b30
> > > > 4-15: 04:57:16:128 09060355040313027a32
> > > > 4-15: 04:57:16:128 Error 80090016 during CryptSignHash1!
> > > >
> > > > Keyset does not exist. ????????????
> > > > THAT CAN'T BE, THEY'RE ALL THERE, WITH PRIVATE KEYS !!!!!!!!!
> > > >
> > > > 4-15: 04:57:16:128 Trying KE key
> > > > 4-15: 04:57:16:128 Signature Created Successfully
> > > > 4-15: 04:57:16:128 AuthCount 1
> > > > 4-15: 04:57:16:128 Constructing Cert Request
> > > > 4-15: 04:57:16:128 Setting CertReq type
> > > > 4-15: 04:57:16:128 Throw: State mask=111f
> > > > 4-15: 04:57:16:128 Doing tripleDES
> > > > 4-15: 04:57:16:128
> > > > 4-15: 04:57:16:128 Sending: SA = 0x00237A18 to 192.168.2.100
> > > > 4-15: 04:57:16:128 ISAKMP Header: (V1.0), len = 1556
> > > > 4-15: 04:57:16:128 I-COOKIE 3ccdc554cc3dc04d
> > > > 4-15: 04:57:16:128 R-COOKIE 95cb0109e456387d
> > > > 4-15: 04:57:16:128 exchange: Oakley Main Mode
> > > > 4-15: 04:57:16:128 flags: 1 ( encrypted )
> > > > 4-15: 04:57:16:128 next payload: ID
> > > > 4-15: 04:57:16:128 message ID: 00000000
> > > > 4-15: 04:57:17:128 Handling Retransmit: sa 237a18 handle 9a1f0 context 2348b8 arg 2348b8
> > > > 4-15: 04:57:17:128 retransmit: sa = 00237A18 centry 00000000 , count = 0
> > > > 4-15: 04:57:17:128
> > > >
> > > > thx
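The two oakley.log excerpts quoted above carry the signature of this failure: the peer's signature validates, but signing with the local certificate fails with AcquireContext Sig Key error -2146893802 (the signed form of HRESULT 0x80090016, NTE_BAD_KEYSET, "Keyset does not exist"), after which chain lookup fails with 80092004 (CRYPT_E_NOT_FOUND); that is exactly what a certificate in the machine store with no private key attached looks like. The Python script below is an added example, not code from the thread, that triages such an excerpt; its sample lines are lifted from the excerpts above and the error-name table is assumed from the public Windows HRESULT values.

```python
import re

# Windows HRESULTs seen in the oakley.log excerpts above, keyed by unsigned value.
KNOWN_ERRORS = {
    0x80090016: "NTE_BAD_KEYSET: keyset does not exist (certificate has no private key)",
    0x80092004: "CRYPT_E_NOT_FOUND: cannot find object or property (no usable chain)",
}

# "4-16: 04:57:31:934:9c4 <message>"; the trailing thread id is absent on some lines.
LINE_RE = re.compile(r"^\d+-\d+: \d+:\d+:\d+:\d+(?::[0-9a-f]+)? (.*)$")
SIGNED_RE = re.compile(r"Sig Key error: (-?\d+)")                        # signed decimal
HEX_RE = re.compile(r"(?:Error |failed to get chain )([0-9a-fA-F]{8})")  # bare hex

def triage(log_text):
    """Summarise an oakley.log excerpt: subjects seen, distinct error codes decoded,
    whether the peer's signature verified, and whether the local cert lacks a key."""
    subjects, errors, peer_ok, key_missing = [], [], False, False
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # event text, annotations and blank lines carry no timestamp
        msg = m.group(1)
        if msg.startswith("SubjectName: ") and msg[13:] not in subjects:
            subjects.append(msg[13:])
        peer_ok = peer_ok or "Signature validated" in msg
        key_missing = key_missing or "Failed to get key for cert" in msg
        codes = [int(c) for c in SIGNED_RE.findall(msg)]
        codes += [int(h, 16) for h in HEX_RE.findall(msg)]
        for code in codes:
            hr = code & 0xFFFFFFFF  # -2146893802 -> 0x80090016
            if hr not in errors:
                errors.append(hr)
    key_missing = key_missing or 0x80090016 in errors  # CryptSignHash path (peer2)
    return {
        "subjects": subjects,
        "errors": [(f"0x{hr:08x}", KNOWN_ERRORS.get(hr, "unknown")) for hr in errors],
        "peer_signature_validated": peer_ok,
        "local_key_missing": key_missing,
    }

# Constructed sample: lines lifted from the peer1 and peer2 excerpts above.
SAMPLE_LOG = """\
4-16: 04:57:25:805:9c4 SubjectName: C=DE, O=za, OU=za, CN=z2
4-16: 04:57:31:934:9c4 Signature validated
4-16: 04:57:31:934:9c4 AcquireContext Sig Key error: -2146893802
4-16: 04:57:31:934:9c4 Failed to get key for cert
4-16: 04:57:31:934:9c4 failed to get chain 80092004
4-15: 04:57:16:128 Error 80090016 during CryptSignHash1!
"""
```

Run triage() over a full oakley.log; on the constructed sample it reports both HRESULTs and local_key_missing True, which points at re-importing the certificate with its private key (export/import) rather than cut&paste between stores.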