Author Topic: [SOLVED] GateWay Certificate  (Read 12126 times)

juanjo

  • Level 2 Member
  • **
  • Posts: 52
[SOLVED] GateWay Certificate
« on: September 07, 2010, 02:05:00 AM »

Hi to all people:

I would like to implement certificates in an IPsec LAN-to-LAN VPN. I have followed the instructions in the document "How_to_create_Certification_Authority_and_import_into_firewall_v1.1".

When I try to activate the changes, the following error is displayed:

Error E4814/IPSEC in "ipsec-vpn-tunnel.IPsecTunnel", property "GatewayCertificate":
  - Unable to get alternative names for gateway certificate

Does anybody know what this error is?
How can I fix this error?

Thanks in advance
« Last Edit: September 11, 2010, 02:04:30 AM by juanjo »
Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: GateWay Certificate
« Reply #1 on: September 07, 2010, 11:12:52 AM »

Did you specify an email when you issued the certificates?
Logged
BR, Alexandr Danilov

juanjo

  • Level 2 Member
  • **
  • Posts: 52
Re: GateWay Certificate
« Reply #2 on: September 07, 2010, 12:55:41 PM »

Did you specify an email when you issued the certificates?

Yes, all fields are filled.

Could it be something related to LDAP or HTTP used to look up the Certificate Revocation List (CRL)?

I don't know what to do. I don't know.

Who are the DFL-210 flash programmers?
Logged

juanjo

  • Level 2 Member
  • **
  • Posts: 52
Re: GateWay Certificate
« Reply #3 on: September 07, 2010, 02:40:48 PM »

Did you specify an email when you issued the certificates?

Hi danilovav:

Investigating that problem, I found that although I specified the e-mail address and it is displayed in the issuer, the e-mail address is not filled in the "e-mail" field of the DFL-210, and Windows 2003 Server doesn't have another field in which to fill this data.

I will investigate more.

Thank you
Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: GateWay Certificate
« Reply #4 on: September 07, 2010, 07:20:41 PM »

Try to generate the certificate with OpenSSL.
Logged
BR, Alexandr Danilov

juanjo

  • Level 2 Member
  • **
  • Posts: 52
Re: GateWay Certificate
« Reply #5 on: September 08, 2010, 07:02:01 AM »

Try to generate the certificate with OpenSSL.

Thanks danilovav

I'm using ELDOS instead of OpenSSL; now the certificates are installed, but the DFL-210 displays this error when it tries to connect:

2010-09-08
15:51:56 Warning IPSEC
1802022   
 
ike_sa_failed
no_ike_sa
statusmsg="Invalid signature" local_peer="172.16.0.200:4500 ID usr@fqdn(any:0,[0..20]=naredt2340rty@msn." remote_peer="xx.yy.zz.kk:4500 ID No Id" initiator_spi="ESP=0x7328ec3d, AH=0x1afe1271, IPComp=0xf15089ed" 


What can this error be?
Logged

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: GateWay Certificate
« Reply #6 on: September 08, 2010, 11:00:28 AM »

I hope you had two self-signed certificates (not one)?
Please show the commands you used.
Logged
BR, Alexandr Danilov

juanjo

  • Level 2 Member
  • **
  • Posts: 52
Re: GateWay Certificate
« Reply #7 on: September 09, 2010, 02:25:13 AM »

I hope you had two self-signed certificates (not one)?
Please show the commands you used.

Hi danilovav and the whole world:

I tried to do it with OpenSSL and it does not work. The steps are the following:

1.- Create one root CA
2.- Create a new certificate request (for the gateway) based on the CA key
3.- Sign the certificate
4.- Get the RSA private key (needed by the DFL-210), because in the file newreq.pem it is encrypted.
5.- Repeat steps 2 to 4 for the other DFL-210 (the other end of the tunnel)

I uploaded the CA certificate to both firewalls, gateway certificate A to firewall A and gateway certificate B to firewall B.

The first error is

2010-09-09
15:43:32 Warning IPSEC
1802715   
event_on_ike_sa
side=Initiator msg="failed" int_severity=6 

and the next error is

2010-09-09
15:43:32 Warning IPSEC
1802715   

ike_sa_failed
no_ike_sa
statusmsg="Invalid signature" local_peer="172.16.0.200:4500 ID usr@fqdn(any:0,[0..20]=naredt2340rty@msn." remote_peer="xx.yy.zz.kk:4500 ID No Id" initiator_spi="ESP=0x7328ec3d, AH=0x1afe1271, IPComp=0xf15089ed" 


I have exactly the same error with ELDOS and OPENSSL.

Any ideas??
« Last Edit: September 09, 2010, 06:48:40 AM by juanjo »
Logged

juanjo

  • Level 2 Member
  • **
  • Posts: 52
Re: [SOLVED] GateWay Certificate
« Reply #8 on: September 11, 2010, 02:08:21 AM »

Hi to everybody:

At last, this problem has been solved.

The problems are:

1.- The exported key for each certificate was not valid.
2.- Certificate signing was not right.
3.- Duplicate fields in all certificates.

Thanks for your help, and thanks to this forum.

Best regards

Juanjo
« Last Edit: September 11, 2010, 02:10:10 AM by juanjo »
Logged

sav0808

  • Level 1 Member
  • *
  • Posts: 2
Re: [SOLVED] GateWay Certificate
« Reply #9 on: March 15, 2012, 02:46:16 AM »

Hi everybody! Hi Juanjo!
Can you write here how you solved all 3 problems? Something like a "How to...". I have the same problem; the instructions on D-Link resources are not working. Many people, I think, need help from you!
Thank you!
Logged

juanjo

  • Level 2 Member
  • **
  • Posts: 52
Re: [SOLVED] GateWay Certificate
« Reply #10 on: March 16, 2012, 03:42:27 AM »

Hi everybody! Hi Juanjo!
Can you write here how you solved all 3 problems? Something like a "How to...". I have the same problem; the instructions on D-Link resources are not working. Many people, I think, need help from you!
Thank you!

Hi sav0808:

I'm afraid that a tutorial such as a How To could be a bit long, but I will give you some instructions.

Windows certificates don't work on D-Link firewalls. I don't know the reason, but it sounds like some required fields are empty and the firewalls require them.

The first thing is to select the tool to generate the certificates. I chose OpenSSL, which is available for Linux and Windows and is free, but there are others.

The key is to study this tool, but only the commands that you need, and to test the certificates in the firewall. There is a lot of documentation about this tool on the internet.

I remember that first you need to generate the CA certificate; the next step is to generate the gateway certificate based on the CA certificate with its own key, and the final step is to sign the gateway certificate. I don't remember exactly, but I think that the policy of the gateway certificate must be "policy_anything".

After many frustrating tests, in the end it works.

The firewall needs 3 files: the CA certificate, the gateway certificate and the key of the gateway certificate. If you need IPsec with another firewall, the CA certificate must be the same, but the gateway certificate and key must be different, both based on the same CA.

And more or less that is all. But be careful with the exported key for each certificate and with how you sign them.

Upload the certificates to the firewall and check which fields are empty in the web UI of the firewall.

Be more explicit about your problem, please. What is the log of the firewall?
Regards
Logged
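As an added example that is not part of the thread (and not D-Link's or the OpenSSL project's own documentation), this POSIX shell script carries out the steps juanjo lists in Reply #7 and summarises in Reply #10, and goes a little further: it puts the e-mail ID into subjectAltName, which is what the E4814 "alternative names" message in the first post refers to, and adds a check for the three faults named in Reply #8. The directory, gateway names, e-mail addresses, CA name and the passphrase "export" are constructed; it assumes an OpenSSL 1.1.1 or later command line.

```shell
#!/bin/sh
# Added example (not the thread's or D-Link's code): the OpenSSL procedure
# from Reply #7 and Reply #10, with the e-mail ID also put in subjectAltName.
# All names, e-mail addresses and the passphrase "export" are constructed.
set -eu

# make_gateway_pki DIR NAME EMAIL: writes DIR/ca.crt (created once per DIR
# and reused, so every gateway shares one CA), DIR/NAME.crt and DIR/NAME.key.
make_gateway_pki() {
  dir=$1; name=$2; email=$3
  mkdir -p "$dir"
  # Minimal OpenSSL config: empty DN section (subject comes from -subj) plus two extension profiles.
  printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = req_dn' '[req_dn]' \
    '[v3_ca]' 'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' 'subjectKeyIdentifier = hash' \
    '[v3_gw]' 'basicConstraints = CA:FALSE' 'keyUsage = critical, digitalSignature' \
    'subjectKeyIdentifier = hash' 'authorityKeyIdentifier = keyid' \
    "subjectAltName = email:$email" > "$dir/$name.cnf"
  # Step 1: self-signed root CA, only on the first call.
  if [ ! -f "$dir/ca.crt" ]; then
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -config "$dir/$name.cnf" -key "$dir/ca.key" \
      -subj "/CN=Example Lab Root CA" -out "$dir/ca.csr"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
      -extfile "$dir/$name.cnf" -extensions v3_ca -out "$dir/ca.crt" 2>/dev/null
  fi
  # Step 2: gateway key and request; the key is passphrase-protected on
  # purpose, like the encrypted newreq.pem mentioned in Reply #7.
  openssl genrsa -aes128 -passout pass:export -out "$dir/$name.enc.key" 2048 2>/dev/null
  openssl req -new -config "$dir/$name.cnf" -key "$dir/$name.enc.key" \
    -passin pass:export -subj "/CN=$name/emailAddress=$email" -out "$dir/$name.csr"
  # Step 3: sign the request with the CA, applying the gateway profile.
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -extfile "$dir/$name.cnf" -extensions v3_gw \
    -out "$dir/$name.crt" 2>/dev/null
  # Step 4: export the plain RSA key, which is the form the firewall loads.
  openssl rsa -in "$dir/$name.enc.key" -passin pass:export -out "$dir/$name.key" 2>/dev/null
}

# check_gateway_pki DIR NAME EMAIL: returns 0, or the number of the first
# failing check: 1 chain, 2 e-mail SAN, 3 key still encrypted, 4 key/cert mismatch.
check_gateway_pki() {
  dir=$1; name=$2; email=$3
  openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/$name.crt" -noout -text | grep -q "email:$email" || return 2
  grep -q ENCRYPTED "$dir/$name.key" && return 3
  [ "$(openssl x509 -in "$dir/$name.crt" -noout -modulus)" = \
    "$(openssl rsa -in "$dir/$name.key" -noout -modulus 2>/dev/null)" ] || return 4
}
# Usage: sh make_gateway_pki.sh OUTDIR NAME EMAIL, once per gateway.
if [ $# -eq 3 ]; then make_gateway_pki "$@" && check_gateway_pki "$@"; fi
```

Run it once per gateway with the same output directory so both ends are issued by the one CA, then upload ca.crt, NAME.crt and NAME.key to the matching firewall.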