[strongSwan] scepclient and cisco

Germano Veit Michel germanovmichel at aim.com
Mon Apr 2 20:12:05 CEST 2012

Hi Tobias, 

Thanks for the reply.

Looks like the cisco box wasn't able to decrypt the request. I've compared a few versions of the draft and found out that they changed a few things, including md5 to sha stuff. Do you think that might be the cause? I might have some more time to work on it later this month.

Thank you,

Germano Veit Michel
germanovmichel at aim.com

-----Original Message-----
From: Tobias Brunner <tobias at strongswan.org>
To: Germano Veit Michel <germanovmichel at aim.com>
Cc: users <users at lists.strongswan.org>
Sent: Mon, Apr 2, 2012 2:59 pm
Subject: Re: [strongSwan] scepclient and cisco

Hi Germano,

> I've been trying to get scepclient to work with CISCO (IOS 15) for a
> week, turned all debugging on and still no success.
> CISCO fails with "unable to open signed data" when I request a
> certificate (get ca cert works).
> This is what I'm doing:
> ipsec scepclient --out cert=mycert.der --dn "CN=myname" -k 1024 --url
> --in cacert-enc=CISCO.der --in
> cacert-sig=CISCO.der
> The wiki documentation for scepclient is extremely poor. I could improve
> it with some cisco examples if I get this to work...
> Are there any special options/compile options? Opinions on what could be
> wrong?

Well, scepclient is quite old.  It was written 7 years ago and did not
get much attention since then.  Development was based on version 10/11
of the SCEP draft [1], which is currently published in version 23.  So
it's very well possible that there are incompatibilities with more
recent implementations (which the one in IOS 15 presumably is).  And
updating scepclient does not have a very high priority for us at the moment.

The question really is what the Cisco box means by "unable to open
signed data" (Was it not able to parse the request?  Was it not able to
decrypt it? ...).  The only thing that might be wrong with your command
line is that you don't specify '--out pkcs1', but I don't see how that
could cause the above error on the Cisco side.


[1] http://tools.ietf.org/html/draft-nourse-scep
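One way to narrow down the "unable to open signed data" question is to look at which algorithm identifiers the request actually carries before the Cisco side ever sees it. The script below is an added example and not code from scepclient or strongSwan: it walks the DER of a PKCS#7 PKIOperation message, collects the digest and cipher OIDs, and classifies them against the early-draft defaults (MD5 digest, DES-CBC) versus the later ones (SHA-1/SHA-256, 3DES or AES). The mapping of draft generations to algorithms is my reading of the SCEP draft history, not something the thread states, and the two request skeletons it inspects are constructed inline with only the algorithm-bearing fields filled in.

```python
# Added example, not scepclient code: list the digest/cipher algorithm OIDs in a
# SCEP PKCS#7 request and say whether they match early-draft (MD5/DES) defaults.

ALG_NAMES = {
    "1.2.840.113549.2.5": "md5",
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "1.3.14.3.2.7": "des-cbc",
    "1.2.840.113549.3.7": "des-ede3-cbc",
    "2.16.840.1.101.3.4.1.2": "aes128-cbc",
    "1.2.840.113549.1.1.1": "rsaEncryption",
}
OLD_DRAFT_ALGS = {"md5", "des-cbc"}            # assumption: early-draft defaults
NEW_DRAFT_ALGS = {"sha1", "sha256", "des-ede3-cbc", "aes128-cbc"}

# --- minimal DER encoder, only used to build the constructed sample requests ---
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                      # base-128, high bit on all but last
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def seq(*items): return tlv(0x30, b"".join(items))
def set_(*items): return tlv(0x31, b"".join(items))
def ctx0(*items): return tlv(0xA0, b"".join(items))   # [0] EXPLICIT
def integer(v): return tlv(0x02, bytes([v]))          # small non-negative only
def octets(b): return tlv(0x04, b)
def alg_id(oid): return seq(encode_oid(oid), tlv(0x05, b""))

def build_sample_request(digest_oid, cipher_oid):
    """Constructed skeleton of a SCEP PKIOperation: SignedData whose signed
    content is an OCTET STRING holding an EnvelopedData. Key/IV/ciphertext
    fields are zero filler; only the algorithm identifiers matter here."""
    enveloped = seq(
        encode_oid("1.2.840.113549.1.7.3"),                       # envelopedData
        ctx0(seq(integer(0),
                 set_(seq(integer(0), seq(seq(), integer(1)),      # RecipientInfo
                          alg_id("1.2.840.113549.1.1.1"), octets(b"\x00" * 16))),
                 seq(encode_oid("1.2.840.113549.1.7.1"),          # EncryptedContentInfo
                     seq(encode_oid(cipher_oid), octets(b"\x00" * 8)),   # cipher + IV
                     tlv(0x80, b"\x00" * 16)))))                   # [0] encryptedContent
    return seq(
        encode_oid("1.2.840.113549.1.7.2"),                       # signedData
        ctx0(seq(integer(1),
                 set_(alg_id(digest_oid)),                        # digestAlgorithms
                 seq(encode_oid("1.2.840.113549.1.7.1"), ctx0(octets(enveloped))),
                 set_(seq(integer(1), seq(seq(), integer(1)),      # SignerInfo
                          alg_id(digest_oid), alg_id("1.2.840.113549.1.1.1"),
                          octets(b"\x00" * 16))))))

# --- DER walker ---------------------------------------------------------------
def _parse(data):
    """Split one DER layer into (tag, content) pairs; single-byte tags only."""
    items, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated header")
        tag, first = data[i], data[i + 1]
        i += 2
        if first & 0x80:
            n = first & 0x7F
            if n == 0 or i + n > len(data):
                raise ValueError("bad length")
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        else:
            length = first
        if i + length > len(data):
            raise ValueError("truncated content")
        items.append((tag, data[i:i + length]))
        i += length
    return items

def decode_oid(content):
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    lead = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
    return ".".join(str(a) for a in lead + arcs[1:])

def oids_in(data):
    """Every OBJECT IDENTIFIER in document order, descending into constructed
    types and into OCTET STRINGs that start with a SEQUENCE (nested DER)."""
    for tag, content in _parse(data):
        if tag == 0x06:
            yield decode_oid(content)
        elif tag & 0x20:
            yield from oids_in(content)
        elif tag == 0x04 and content[:1] == b"\x30":
            try:
                inner = _parse(content)
            except ValueError:
                continue
            yield from oids_in(content)

def algorithms_in(data):
    """Known algorithm names found in the blob, in order, without repeats."""
    seen = []
    for oid in oids_in(data):
        name = ALG_NAMES.get(oid)
        if name and name not in seen:
            seen.append(name)
    return seen

def draft_generation(names):
    old, new = OLD_DRAFT_ALGS.intersection(names), NEW_DRAFT_ALGS.intersection(names)
    if old and not new:
        return "early draft (MD5/DES)"
    if new and not old:
        return "later draft (SHA/3DES or AES)"
    return "mixed" if old and new else "unknown"

if __name__ == "__main__":
    samples = (("md5/des request", build_sample_request("1.2.840.113549.2.5", "1.3.14.3.2.7")),
               ("sha1/3des request", build_sample_request("1.3.14.3.2.26", "1.2.840.113549.3.7")))
    for label, req in samples:
        names = algorithms_in(req)
        print(f"{label}: {names} -> {draft_generation(names)}")
```

To use it on a real run, save the PKIOperation body scepclient sends (or the DER it writes) and pass the bytes to `algorithms_in`; `openssl asn1parse -inform DER -in request.der` shows the same OIDs by hand. If the request is all MD5 and DES while the CA expects the newer set, that is a concrete mismatch to report, whereas a SHA/3DES request that still fails points at something other than the digest change.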
