ipcop support

community support forum

All times are UTC [ DST ]




Posted: Tue Aug 30, 2005 3:40 pm
New User

Joined: Mon Jul 18, 2005 7:24 pm
Posts: 6
Good day,

I have two 1.4.8 boxes with net<->net vpn working correctly between them using pre-shared keys.

I also have roadwarrior vpn on a macintosh OSX laptop working correctly to both boxes with certificates and IPSecuritas ... thank you to:
http://dividedsky.net/%7Eequate/vpn/

I would like to move to certificates for the net<->net vpn, and I have followed the Draft VPN Documentation at:
http://freespace.virgin.net/christiaan.theron1/

I'm getting stuck on:
----------
2.7.3.4.2 X.509 Certificates
Net-to-Net
Upload the first IPCop hostcert.pem files to the secondary IPCop. Then upload the secondary IPCop hostcert.pem files to the first IPCop.
----------

I'm confused by the plural "files", and in addition am getting an error. Each IPCop has a hostcert.pem file and a cacert.pem file. The hostcert.pem files work fine for the host<->net connections. I did not need to use the cacert.pem files for those.

I have tried uploading both hostcert.pem and cacert.pem (when the former did not work) saved from the "left" box to the "right" box, and vice versa. On all four "save" attempts I get a red outlined screen with the error:
"Certificate does not have a valid CA associated with it"

In generating the root/host certificates for the left and right boxes, I was prompted to enter "CA or email address", so I entered my email address. Clicking the "info" icon on the root and host certificates of both boxes, all four show:
"CA/emailAddress=admin@u47.k12.me.us"

Searching this forum revealed a couple posts with a similar issue, but I could not find a post with a resolution. As always, any guidance, help, or "look here" would be greatly appreciated.


Posted: Tue Aug 30, 2005 5:02 pm
New User

Joined: Tue Aug 09, 2005 9:43 pm
Posts: 8
Have you added the cert.perm file to your accepted certificates on your web browser?


Posted: Thu Sep 01, 2005 10:36 am
New User

Joined: Thu Sep 01, 2005 10:22 am
Posts: 3
Not that I can help, but I am also having the same problem.

One IPCOP box will not accept the certificates generated on the other box.

I see others have had a similar problem before, and no one has been able to help.

I can get PSK connection working, but I need cert based connections.


I have wiped and restarted the VPN setup so many times, I am getting close to trying another firewall solution.

I have trawled the official support mailing list, and I have found the following which has helped someone else with the exact same problem, so maybe this is the solution:-

"Make sure that the time is correct on both machines otherwise, the
certificate will not be valid on the machine that is out of synch."

I am off to try that now, and will report back.


Posted: Thu Sep 01, 2005 11:15 am
New User

Joined: Thu Sep 01, 2005 10:22 am
Posts: 3
OK, well that cured the "Certificate does not have a valid CA associated with it" problem.


Just update the time on the 2 ipcop machines.

I enabled the time server autoupdate while I was at it, must be off by default.

My VPN isn't working tho, but at least _I_ can work on that :)


Cheers, Des.


Posted: Thu Sep 29, 2005 6:52 pm
New User

Joined: Mon Jul 18, 2005 7:24 pm
Posts: 6
In the VPN draft documentation it has the part about uploading the hostcert.pem files to the vpn connection a few pages before the part about uploading the cacert.pem files. The cacert.pem files must be added to the Certificate Authorities section at the bottom of the page BEFORE you try to create a connection at the top of the page using the hostcert.pem file.


 Post subject: Update to VPN draft
Posted: Fri Sep 30, 2005 10:43 am
User

Joined: Thu Apr 28, 2005 9:32 am
Posts: 102
I would draw your attention to section 2.7.2 Certificate Authorities, in the very last paragraph:

"Upload the first IPCop cacert.pem files to the secondary IPCop. Then upload the secondary IPCop cacert.pem files to the first IPCop and then return to global settings to configure the VPN connection".

After which it goes on to state that you create the VPN connection BEFORE you upload the host.pem files.

However you have highlighted an important point that it is confusing. I had tried to make it easier by writing the draft to encourage new users to config a pre-shared key VPN first in order to familiarise themselves with the process. However I wonder what would be the best way to structure the draft in order that it is less confusing?
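
The two causes reported in this thread (a clock that is wrong on one box, and a hostcert.pem checked against a CA list that does not contain its issuer's cacert.pem) can be told apart from a shell before anything is uploaded. The script below is an added example, not part of the posts above and not IPCop code; it assumes OpenSSL 1.0.2 or later (for `verify -attime`), and the function names and the demo certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of a peer's certificates (hypothetical helper).

# check_peer_cert CACERT HOSTCERT [EPOCH]
# Prints OK, NOT_YET_VALID, EXPIRED or NO_VALID_CA. EPOCH defaults to the
# local clock; pass another value to see what a box with a wrong clock sees.
check_peer_cert() {
    ca=$1 host=$2 at=${3:-$(date +%s)}
    out=$(openssl verify -attime "$at" -CAfile "$ca" "$host" 2>&1) || :
    # Time errors are matched first: old OpenSSL builds print OK after them.
    case $out in
        *"not yet valid"*) echo NOT_YET_VALID ;;  # check time before notBefore
        *"has expired"*)   echo EXPIRED ;;        # check time after notAfter
        *": OK"*)          echo OK ;;
        *)                 echo NO_VALID_CA ;;    # e.g. issuer not in CACERT
    esac
}

# make_demo_pki DIR: constructed test data standing in for two boxes.
# left-ca.pem issues left-host.pem; right-ca.pem is an unrelated CA.
make_demo_pki() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3ca' \
        '[dn]' '[v3ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
    for side in left right; do
        openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
            -days 30 -subj "/CN=$side demo CA" -keyout "$d/$side-ca.key" \
            -out "$d/$side-ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=left demo host" -keyout "$d/left-host.key" \
        -out "$d/left-host.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/left-host.csr" -CA "$d/left-ca.pem" \
        -CAkey "$d/left-ca.key" -CAcreateserial -days 30 \
        -out "$d/left-host.pem" 2>/dev/null
}

# Stand-alone use: sh precheck.sh cacert.pem hostcert.pem
if [ $# -eq 2 ]; then check_peer_cert "$1" "$2"; fi
```

Run on the receiving box with the peer's cacert.pem and hostcert.pem, a NOT_YET_VALID result points at the clock and a NO_VALID_CA result points at the missing or wrong CA certificate.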

