
Mac 4.6 VPN client + MS X.509 certs

aduerr
Level 1

Hi,

On a Macintosh PowerBook machine I got some problems with using MS X.509 certificates.

Although I could manually verify the certificate chain successfully, the client states that it could not load the private key:

1 10:13:13.045 02/08/2005 Sev=Info/4 CERT/0x43600014

Cert (...) verification succeeded.

2 10:13:13.097 02/08/2005 Sev=Info/4 CM/0x43100002

Begin connection process

3 10:13:13.100 02/08/2005 Sev=Info/4 CM/0x43100004

Establish secure connection using Ethernet

4 10:13:13.100 02/08/2005 Sev=Info/4 CM/0x43100024

Attempt connection with server "IP"

5 10:13:13.100 02/08/2005 Sev=Info/4 CVPND/0x43400019

Privilege Separation: binding to port: (500).

6 10:13:13.174 02/08/2005 Sev=Info/4 CVPND/0x43400019

Privilege Separation: binding to port: (4500).

7 10:13:13.211 02/08/2005 Sev=Info/6 IKE/0x4300003B

Attempting to establish a connection with "IP".

8 10:13:13.423 02/08/2005 Sev=Info/4 CERT/0x43600015

Could not load private key for certificate "cert"from store Cisco User Certificate.

9 10:13:13.423 02/08/2005 Sev=Warning/2 IKE/0xC3000007

Unable to open certificate "cert".

If you are using a smartcard or token containing a certificate, verify the correct one is plugged in and try again.

10 10:13:13.423 02/08/2005 Sev=Warning/2 IKE/0xC3000099

Failed to open my certificate (Connection:235)

11 10:13:13.423 02/08/2005 Sev=Warning/2 IKE/0xC3000098

Failed to set up connection data

12 10:13:13.423 02/08/2005 Sev=Info/4 CM/0x4310001C

Unable to contact server "IP"

13 10:13:13.423 02/08/2005 Sev=Info/5 CM/0x43100025

Initializing CVPNDrv

14 10:13:13.424 02/08/2005 Sev=Info/4 CVPND/0x4340001F

Privilege Separation: restoring MTU on primary interface.

15 10:13:13.424 02/08/2005 Sev=Info/4 IKE/0x43000001

IKE received signal to terminate VPN connection

16 10:13:13.425 02/08/2005 Sev=Info/4 IPSEC/0x43700008

IPSec driver successfully started

17 10:13:13.425 02/08/2005 Sev=Info/4 IPSEC/0x43700014

Deleted all keys

18 10:13:13.425 02/08/2005 Sev=Info/4 IPSEC/0x43700014

Deleted all keys

19 10:13:13.426 02/08/2005 Sev=Info/4 IPSEC/0x43700014

Deleted all keys

20 10:13:13.426 02/08/2005 Sev=Info/4 IPSEC/0x43700014

Deleted all keys

21 10:13:13.426 02/08/2005 Sev=Info/4 IPSEC/0x4370000A

IPSec driver successfully stopped

All certificates could be correctly imported in p7b format. Any ideas?

Thank you!

Regards,

Arne

7 Replies

steve.busby
Level 5

Found this in the release notes, could this be the problem?

"Verisign works fine with the Macintosh version of the VPN Client. But the "browsers" available on the Macintosh don't export certificates (Verisign or others) in the proper format for the VPN Client to receive them, or they don't allow the export of certificates at all (IE). This is because IE is a Windows product and doesn't support on the Macintosh platform everything the normal Windows IE does (CSCdz23397)."

http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/4_6/relnt/46clnt.htm#wp1299226

HTH

Steve

Hi Steve,

thanks, but I'm sorry, I don't agree with you concerning this bug.

The certificates got exported on a Windows machine directly from MS Certificate Services as p7b, downloaded via IE.

Now I imported them from a mail attachment directly into the Cisco Certificate Store on a Mac.

The client validates the certificates, but while trying to open a connection it can't access the private key.

Somewhere on the Internet I came across an installation procedure for a university VPN infrastructure where you should explicitly install the certs into IE and export them in p12b (compressed) format. Afterwards you should import the p12b into the Cisco VPN client on the Mac.

But I can't see the difference between these two formats concerning the usability of the private key!?

Regards,

Arne
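Background to the p7b versus PKCS #12 question in the reply above, as an added example that is not part of the thread or of Cisco's tooling: a PKCS #7 bundle has no field for a private key, while a PKCS #12 (PFX) file can carry the certificate and its key together, and the two can be told apart from the outer DER structure. The function names and the sample bytes are constructed for illustration.

```python
import base64
import re

# DER bytes of OID 1.2.840.113549.1.7.2 (PKCS #7 signedData), the content
# type used by a certificates-only .p7b bundle.
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        return tag, pos, pos + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4:                   # indefinite or oversized: not handled
        raise ValueError("unsupported length encoding")
    return tag, pos + n, pos + n + int.from_bytes(buf[pos:pos + n], "big")

def to_der(data):
    """Accept raw DER or a PEM/Base64-armoured file and return DER bytes."""
    m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def classify_bundle(data):
    """Return 'pkcs7', 'pkcs12' or 'unknown' from the outer DER structure."""
    try:
        der = to_der(data)
        tag, start, _ = read_tlv(der, 0)
        if tag != 0x30:                   # both formats start with a SEQUENCE
            return "unknown"
        inner_tag, v_start, v_end = read_tlv(der, start)
    except (IndexError, ValueError):
        return "unknown"
    value = der[v_start:v_end]
    if inner_tag == 0x06 and value == OID_SIGNED_DATA:
        return "pkcs7"                    # ContentInfo: certificates, never a private key
    if inner_tag == 0x02 and value == b"\x03":
        return "pkcs12"                   # PFX v3: can hold certificate and private key
    return "unknown"

# Constructed samples: only the leading bytes of each structure, not real files.
P7B_HEAD = bytes.fromhex("3082052a06092a864886f70d010702a082051b")
PFX_HEAD = bytes.fromhex("30820a0002010330820996")
P7B_PEM = (b"-----BEGIN PKCS7-----\n" + base64.encodebytes(P7B_HEAD)
           + b"-----END PKCS7-----\n")

if __name__ == "__main__":
    for name, blob in (("p7b", P7B_HEAD), ("pfx", PFX_HEAD), ("pem", P7B_PEM)):
        print(name, classify_bundle(blob))
```

A result of `pkcs12` only says the container is able to hold a key; whether one is actually inside depends on how the file was exported.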

michael.portz
Level 1

Same here: I upgraded from the perfectly working release 4.0.5 to 4.6, and the certificate-based connections ceased to work with exactly the same log messages. I redefined the connections, removed and re-imported the certs, and the bug persists.

As we do have customers who apparently have no problems with 4.6 and certificates whatsoever, I am presuming it has something to do with the update process.

My question: Did you have an older version installed on your Mac before, too? Did you remove this version including all dirs before? I will try this next here, but your answer might help :)

Thanks

Michael

Hi Michael,

No, we did not upgrade - it's a fresh install of version 4.6.

But well, next we try to downgrade to see if that helps ;)

Thanks,

Arne

michael.portz
Level 1

Well... bugtool is your friend... finally I came around to checking it: Compare your problem to Bug CSCeh11214!

Regards

Michael

Thanks Michael!

It could really be that bug, but the workaround is currently not an option. Thus we need to wait until it's fixed. Maybe clients lower than 4.6 are working.

Regards,

Arne

The later lower versioned clients do work just fine with certificates for us. So I am confident downgrading is the way to go for you, too :)