VPN with own CA - CryptVerifySignature error: 80090006
    Hi,

    I had a working SSG with certificates from my own CA.
    The client certificates had a valid lifetime of 1 year, so I had to renew them.

    So I recreated new certificates for the SSG and for the clients.
    When I check the certificates with the openssl tools it says everything is ok.
    I compared the entries of the certificates with the old ones (CN, State, … - everything exactly right).

    But after successfully importing the PKCS#12 files on the Windows client I now get the error named in the topic.
    It tells me:

    4-25: 21:59:37.137 NetScreen-Remote Version 10.8.5 (Build 2).
    4-25: 21:59:40.406 Filter table loaded (2 entries).
    4-25: 21:59:40.448 This is a GA version of NetScreen-Remote.
    4-25: 21:59:41.605 No smart card readers detected.
    4-25: 22:00:12.109 Interface added: 192.168.0.26/255.255.255.0 on LAN “Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller”.
    4-25: 22:00:12.156 Clearing arp for adapter 9
    4-25: 22:00:12.234 Filter table loaded (2 entries).
    4-25: 22:04:31.256
    4-25: 22:04:31.256 My Connections\VPN-Remote - Initiating IKE Phase 1 (IP ADDR=xxx.xxx.xxx.xxx)
    4-25: 22:04:31.768 My Connections\VPN-Remote - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, CERT_REQ 7x, VID 6x)
    4-25: 22:04:32.323 My Connections\VPN-Remote - RECEIVED<<< ISAKMP OAK AG (SA, VID 4x, KE, NON, ID, CERT, CERT_REQ, VID, NAT-D 2x, SIG)
    4-25: 22:04:32.323 My Connections\VPN-Remote - Peer supports Dead Peer Detection Version 1.0
    4-25: 22:04:32.323 My Connections\VPN-Remote - Dead Peer Detection enabled
    4-25: 22:04:32.323 My Connections\VPN-Remote - Received certificate “ID + rsa-key + FW-JNP-Proxy.xxx.local + FW-JNP-Proxy’scompany IT ID”.
    4-25: 22:04:32.338 My Connections\VPN-Remote - Peer is NAT-T draft-02 capable
    4-25: 22:04:32.338 My Connections\VPN-Remote - Dead Peer Detection enabled
    4-25: 22:04:32.338 My Connections\VPN-Remote - NAT is detected for Client and Peer
    4-25: 22:04:32.338 My Connections\VPN-Remote - Floating to IKE non-500 port
    4-25: 22:04:32.411 CryptVerifySignature error: 80090006
    4-25: 22:04:32.411 Signature verification failed
    4-25: 22:04:32.411 My Connections\VPN-Remote - SENDING>>>> ISAKMP OAK INFO (HASH, NOTIFY:INVALID_SIGNATURE)

    4-25: 22:04:32.440 My Connections\VPN-Remote - Discarding IKE SA negotiation
    4-25: 22:04:32.440 My Connections\VPN-Remote -   MY COOKIE 12 b4 bb 49 16 aa 50 e4
    4-25: 22:04:32.440 My Connections\VPN-Remote -   HIS COOKIE f9 64 e6 ac 26 e5 2c 7c
    4-25: 22:04:35.650 My Connections\VPN-Remote - RECEIVED<<< ISAKMP OAK AG (SA, VID 4x, KE, NON, ID, CERT, CERT_REQ, VID, NAT-D 2x, SIG)
    4-25: 22:04:35.650 My Connections\VPN-Remote - Received message for non-active SA
    4-25: 22:04:39.406 My Connections\VPN-Remote - RECEIVED<<< ISAKMP OAK AG (SA, VID 4x, KE, NON, ID, CERT, CERT_REQ, VID, NAT-D 2x, SIG)
    4-25: 22:04:39.406 My Connections\VPN-Remote - Received message for non-active SA
    4-25: 22:04:43.178 My Connections\VPN-Remote - RECEIVED<<< ISAKMP OAK AG (SA, VID 4x, KE, NON, ID, CERT, CERT_REQ, VID, NAT-D 2x, SIG)
    4-25: 22:04:43.178 My Connections\VPN-Remote - Received message for non-active SA

    ??? got no idea. Anyone?

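An added shell diagnostic for the situation described above (not from the original post): a renewed gateway certificate that openssl reports as valid but whose IKE signature the peer rejects. It assumes only the openssl CLI; the CA/cert/key file names are placeholders, and make_demo_pki constructs a throwaway PKI so the script runs stand-alone. It checks that the certificate chains to the CA file the peer trusts and that the certificate's public key matches the private key deployed with it, which "openssl x509 -text" alone does not confirm.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Two checks that the openssl
# CLI will not do for you implicitly when "everything looks ok":
#  1) the certificate chains to the CA file the *peer* has been given;
#  2) the public key in the certificate equals the private key deployed with it.
# Any cert/key/CA paths are placeholders; make_demo_pki builds a throwaway CA.
set -eu

# check_chain CAFILE CERT  -> 0 if CERT verifies (issuer, signature, validity)
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_cert_key_match CERT KEY -> 0 if both carry the same public key
# (compares SHA-256 of the DER SubjectPublicKeyInfo from each side)
check_cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey |
               openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed demo PKI: a CA, a gateway cert signed by it, and an unrelated key
# (simulating a renewed cert installed next to the old, now mismatched, key).
make_demo_pki() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=gateway.example" \
        -keyout "$dir/gw.key" -out "$dir/gw.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$dir/gw.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/gw.crt" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/wrong.key" >/dev/null 2>&1
    echo "$dir"
}

if [ $# -eq 3 ]; then            # usage: script CAFILE CERT KEY
    check_chain "$1" "$2" && echo "chain: OK" || echo "chain: FAILED"
    check_cert_key_match "$2" "$3" && echo "cert/key: match" || echo "cert/key: MISMATCH"
else                             # no args: run the constructed demo
    d=$(make_demo_pki)
    check_chain "$d/ca.crt" "$d/gw.crt" && echo "demo chain: OK"
    check_cert_key_match "$d/gw.crt" "$d/gw.key" && echo "demo right key: match"
    check_cert_key_match "$d/gw.crt" "$d/wrong.key" || echo "demo wrong key: MISMATCH"
    rm -rf "$d"
fi
```

A mismatch on the second check is the classic cause of a peer-side "Signature verification failed" after a renewal, since the gateway then signs the IKE hash with a key that does not belong to the certificate it sends; a chain failure instead points at the client not trusting the CA that issued the new certificate.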