I have 1 of 2 Win10 clients complaining about an expired server certificate; the Android phone does not have any issues connecting. I did recently update the server certificate, but 1 client is still complaining about it being expired (I assume Windows is returning an incorrect cause).
I am comparing here two logs of the VPN side by side and it looks like significant changes are after these lines. Where the good one is asking for an IP after "authentication of 'vpn.example.net' (myself)", and the error one

Anyone have an idea what this could be?

expired error
=============
serverip 1.1.1.1
clientip: 8.8.8.8

Nov 4 14:53:40 xxxxxxxxxxxxxxx: 07[IKE] authentication of 'vpn.example.net' (myself) with RSA signature successful
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 07[IKE] sending end entity cert "C=xxxxxxxxxxxxxxxxxxxxxxxxxx CN=vpn.example.net"
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 07[ENC] splitting IKE message (1836 bytes) into 2 fragments
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 07[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 07[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 07[NET] sending packet: from 1.1.1.1[4500] to 8.8.8.8[4500] (1248 bytes)
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 07[NET] sending packet: from 1.1.1.1[4500] to 8.8.8.8[4500] (656 bytes)
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 15[NET] received packet: from 8.8.8.8[4500] to 1.1.1.1[4500] (108 bytes)
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 15[IKE] received EAP identity 'user1.org.example.com'
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 15[IKE] initiating EAP_TLS method (id 0xE0)
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 15[ENC] generating IKE_AUTH response 2 [ EAP/REQ/TLS ]
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 15[NET] sending packet: from 1.1.1.1[4500] to 8.8.8.8[4500] (76 bytes)
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 05[NET] received packet: from 8.8.8.8[4500] to 1.1.1.1[4500] (252 bytes)
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 05[ENC] parsed IKE_AUTH request 3 [ EAP/RES/TLS ]
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 05[TLS] using key of type RSA
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 05[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 05[TLS] sending TLS server certificate 'C=xxxxxxxxxxxxxxxxxxxxxxxxxx CN=vpn.example.net'
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 05[TLS] created signature with RSA_PSS_RSAE_SHA256
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 05[TLS] sending TLS cert request for 'CN=Example CA, O=Example'
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 05[ENC] generating IKE_AUTH response 3 [ EAP/REQ/TLS ]
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 05[NET] sending packet: from 1.1.1.1[4500] to 8.8.8.8[4500] (1100 bytes)
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 11[NET] received packet: from 8.8.8.8[4500] to 1.1.1.1[4500] (76 bytes)
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 11[ENC] parsed IKE_AUTH request 4 [ EAP/RES/TLS ]
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 11[ENC] generating IKE_AUTH response 4 [ EAP/REQ/TLS ]
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 11[NET] sending packet: from 1.1.1.1[4500] to 8.8.8.8[4500] (1100 bytes)
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 09[NET] received packet: from 8.8.8.8[4500] to 1.1.1.1[4500] (76 bytes)
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 09[ENC] parsed IKE_AUTH request 5 [ EAP/RES/TLS ]
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 09[ENC] generating IKE_AUTH response 5 [ EAP/REQ/TLS ]
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 09[NET] sending packet: from 1.1.1.1[4500] to 8.8.8.8[4500] (92 bytes)
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 10[NET] received packet: from 8.8.8.8[4500] to 1.1.1.1[4500] (76 bytes)
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 10[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TLS ]
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 10[IKE] EAP method EAP_TLS failed for peer 192.168.0.102
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 10[ENC] generating IKE_AUTH response 6 [ EAP/FAIL ]
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 10[NET] sending packet: from 1.1.1.1[4500] to 8.8.8.8[4500] (76 bytes)

ok client
=========
serverip 1.1.1.1
clientip: 8.8.8.8

Nov 4 15:11:58 xxxxxxxxxxxxxxx: 11[IKE] authentication of 'CN=user2.org.example.com' with RSA signature successful
Nov 4 15:11:58 xxxxxxxxxxxxxxx: 11[IKE] peer supports MOBIKE
Nov 4 15:11:58 xxxxxxxxxxxxxxx: 11[IKE] authentication of 'vpn.example.net' (myself) with RSA signature successful
Nov 4 15:11:58 xxxxxxxxxxxxxxx: 11[IKE] sending end entity cert "C=xxxxxxxxxxxxxxxxxxxxxxxxxx CN=vpn.example.net"
Nov 4 15:11:58 xxxxxxxxxxxxxxx: 11[IKE] peer requested virtual IP %any
Nov 4 15:11:58 xxxxxxxxxxxxxxx: 11[CFG] sending DHCP DISCOVER for 7a:a7:3c:45:d6:f9 to 255.255.255.255
Nov 4 15:11:58 xxxxxxxxxxxxxxx: 11[CFG] received DHCP OFFER
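
The side-by-side comparison described in the post, as an added example that is not part of the original message: a Python script that reduces each charon log to a few fields and reports where two sessions differ. The field names and the choice of which messages to extract are assumptions of this example; the sample lines are abridged from the two logs above.

```python
import re

# Patterns for charon (strongSwan) messages that appear in the two posted logs.
# The peer pattern deliberately does not match the server's own "(myself)" line.
RULES = [
    ("client_auth", re.compile(r"authentication of '([^']+)' with (.+) successful")),
    ("eap_identity", re.compile(r"received EAP identity '([^']+)'")),
    ("eap_method", re.compile(r"initiating (EAP_\w+) method")),
    ("tls", re.compile(r"negotiated (TLS [\d.]+) using suite (\S+)")),
    ("eap_failed", re.compile(r"EAP method (\S+) failed for peer (\S+)")),
    ("virtual_ip", re.compile(r"peer requested virtual IP (\S+)")),
]
EAP_TLS_REPLY = re.compile(r"parsed IKE_AUTH request (\d+) \[ EAP/RES/TLS \]")

def summarize(log_text):
    """Reduce one session's log to the fields worth comparing."""
    out = {name: None for name, _ in RULES}
    out["last_eap_tls_request"] = None  # last IKE_AUTH request carrying an EAP-TLS reply
    for line in log_text.splitlines():
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                out[name] = m.groups() if len(m.groups()) > 1 else m.group(1)
        m = EAP_TLS_REPLY.search(line)
        if m:
            out["last_eap_tls_request"] = int(m.group(1))
    return out

def differences(a, b):
    """Fields whose values differ between two summaries, as (a, b) pairs."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

# Lines abridged from the two logs in the post above.
FAILING = """\
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 07[IKE] authentication of 'vpn.example.net' (myself) with RSA signature successful
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 15[IKE] received EAP identity 'user1.org.example.com'
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 15[IKE] initiating EAP_TLS method (id 0xE0)
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 05[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 10[ENC] parsed IKE_AUTH request 6 [ EAP/RES/TLS ]
Nov 4 14:53:40 xxxxxxxxxxxxxxx: 10[IKE] EAP method EAP_TLS failed for peer 192.168.0.102
"""
WORKING = """\
Nov 4 15:11:58 xxxxxxxxxxxxxxx: 11[IKE] authentication of 'CN=user2.org.example.com' with RSA signature successful
Nov 4 15:11:58 xxxxxxxxxxxxxxx: 11[IKE] authentication of 'vpn.example.net' (myself) with RSA signature successful
Nov 4 15:11:58 xxxxxxxxxxxxxxx: 11[IKE] peer requested virtual IP %any
"""

if __name__ == "__main__":
    for field, (bad, ok) in differences(summarize(FAILING), summarize(WORKING)).items():
        print(f"{field:22} failing={bad!r}  working={ok!r}")
```

On the posted lines this shows the failing session going through EAP-TLS and stopping after IKE_AUTH request 6, while the working session authenticates the client with an RSA signature in IKE_AUTH and never starts an EAP method.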
