This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

8.305 - Problems with second Thawte certificate

Hello

We have one Thawte certificate for WAF and it's working fine.
Now we want to use a second Thawte certificate for Remote Access / Cisco VPN Client.
If we choose this certificate at the VPN configuration we get this message:

"The certificate of the CA that issued the 'Thawte_certificate_name' certificate is needed."

If we try to upload the CAs from Thawte at Certificate Authority we get:

"Storage already holds a certificate with the same fingerprint."

What can we do to get this certificate working?

Thanks

This thread was automatically locked due to age.

0 chk over 13 years ago in reply to JonathanM

Hi there

If we use this certificate for the user portal, everything is working fine.
So i think we've imported the cert and CAs correct.

This is what we get when we try to connect through Cisco VPN:

2012:09:05-11:45:06 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: responding to Main Mode from unknown peer 178.X.X.X 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: NAT-Traversal: Result using RFC 3947: peer is NATed 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: ignoring informational payload, type IPSEC_INITIAL_CONTACT 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: Peer ID is ID_DER_ASN1_DN: 'C=de, L=City, O=Company, CN=Name, Firstname' 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: crl not found 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: certificate status unknown 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: we have a cert and are sending it 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X #8: Dead Peer Detection (RFC 3706) enabled 

2012:09:05-11:45:07 astaro-1 pluto[1549]: | NAT-T: new mapping 178.X.X.X:500/58961) 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X:58961 #8: sent MR3, ISAKMP SA established 

2012:09:05-11:45:07 astaro-1 pluto[1549]: "D_for vpn_username to DNS Forwarder (172.Y.Y.Y)"[2] 178.X.X.X:58961 #8: sending XAUTH request 

2012:09:05-11:45:10 astaro-1 pluto[1549]: packet from 178.X.X.X:58961: Main Mode message is part of an unknown exchange 

2012:09:05-11:45:13 astaro-1 pluto[1549]: packet from 178.X.X.X:58961: Main Mode message is part of an unknown exchange 

2012:09:05-11:45:16 astaro-1 pluto[1549]: packet from 178.X.X.X:58961: Main Mode message is part of an unknown exchange 

2012:09:05-11:45:29 astaro-1 pluto[1549]: packet from 178.X.X.X:58961: Main Mode message is part of an unknown exchange

0 BAlfson over 13 years ago

chk, please confirm on the 'Global' tab of the Astaro's 'Cisco VPN Client' setup that the 'Server certificate' selected there has the current hostname of your Astaro as VPNId, and that the hostname is an FQDN that resolves in public DNS to the IP of the interface selected above it.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel