Hi

I am trying to use VPN Tracker on a Mac and I am close to having it working, but I
think I must have done something wrong. I used their doc to create a
request and then had it signed via iManager. I have a user called
Vpnuser. It looks like the server does not see that the cert is for that
user. The user is vpnuser.mke. Am I just missing that part, as the cert
request was for vpnuser?

Here is the error from the client side:
Resolving connection "test new cert":
Router: 10.33.1.1 (00:50:8b:f4:bb:40)
Local Endpoint: 10.33.1.61
Remote Endpoint: 69.3.224.59
Local Network: none
Remote Network: 10.1.1.0/24
Starting IKE daemon...
2006-04-02 16:56:14: INFO: main.c:177:main(): @(#)package version
VPN-Tracker-4.6(1B98)
2006-04-02 16:56:14: INFO: main.c:179:main(): @(#)internal version
20001216 sakane@kame.net
2006-04-02 16:56:14: INFO: main.c:180:main(): @(#)This product linked
OpenSSL 0.9.6l 04 Nov 2003 (http://www.openssl.org/)
2006-04-02 16:56:15: INFO: licensing: Unlicensed demo valid for 5 days.
2006-04-02 16:56:16: INFO: isakmp.c:2083:isakmp_post_acquire(): IPsec-SA
request for 69.3.224.59 queued due to no phase1 found. Starting phase1...
2006-04-02 16:56:16: INFO: isakmp.c:1038:isakmp_ph1begin_i(): initiate
new phase 1 negotiation: 10.33.1.61[500]<=>69.3.224.59[500]
2006-04-02 16:56:16: INFO: isakmp.c:1043:isakmp_ph1begin_i(): begin Main
mode.
2006-04-02 16:56:17: WARNING: isakmp.c:583:isakmp_main(): remote address
mismatched. db=69.3.224.59[500], act=69.3.224.58[500]
2006-04-02 16:56:17: INFO: isakmp_ident.c:525:ident_i3recv(): detected
NAT, switching to port 4500 for 69.3.224.59[500]
2006-04-02 16:56:17: WARNING: isakmp.c:583:isakmp_main(): remote address
mismatched. db=69.3.224.59[4500], act=69.3.224.58[4500]
2006-04-02 16:56:17: WARNING: isakmp_inf.c:756:isakmp_info_recv_n():
message authentication failed.
2006-04-02 16:56:17: WARNING: isakmp_inf.c:916:isakmp_info_recv_n():
notification payload 31 is not protected, ignored.
2006-04-02 16:56:17: WARNING: isakmp.c:583:isakmp_main(): remote address
mismatched. db=69.3.224.59[4500], act=69.3.224.58[4500]
2006-04-02 16:56:17: WARNING: isakmp_inf.c:756:isakmp_info_recv_n():
message authentication failed.
2006-04-02 16:56:17: WARNING: isakmp_inf.c:916:isakmp_info_recv_n():
notification payload 65535 is not protected, ignored.
2006-04-02 16:56:47: ERROR: isakmp.c:2187:isakmp_chkph1there(): phase2
negotiation failed due to time up waiting for phase1. ESP
69.3.224.59->10.33.1.61 (10.33.1.61/32 10.1.1.0/24)
2006-04-02 16:56:47: INFO: isakmp.c:2192:isakmp_chkph1there(): delete
phase 2 handler.
2006-04-02 16:58:17: ERROR: isakmp.c:1789:isakmp_ph1resend(): phase1
negotiation with 69.3.224.59[4500] failed
(aaf09b1a3417836e:556e76841d425120)
2006-04-02 16:59:15: INFO: licensing: Unlicensed demo. IPsec will be
stopped now.
2006-04-02 16:59:15: INFO: session.c:335:check_sigreq(): caught signal 15
2006-04-02 16:59:17: INFO: session.c:204:close_session(): version 46030
shutdown


And here is the error from the server side.

4-4-2006 8:22:25 am Start IKE-SA 4392A220 -
Responder,src=69.3.224.58,dst=24.123.84.238,TotSA= 2
4-4-2006 8:22:25 am AUTH ALG IS 3
4-4-2006 8:22:25 am IKE SA NEGOTIATION: Peer lifetime = 28800 My
lifetime=28800
4-4-2006 8:22:25 am ****DH private exponent size is 1016****
4-4-2006 8:22:25 am Local server's interfaces : 69.3.224.58
4-4-2006 8:22:25 am Local server's interfaces : 10.1.1.254
4-4-2006 8:22:25 am Recieved UnSupported Vendor id from 24.123.84.238
Ignore
4-4-2006 8:22:25 am Recieved Supported Vendor id
draft-ietf-ipsec-nat-t-ike-03 from 24.123.84.238
4-4-2006 8:22:25 am Recieved Supported Vendor id
draft-ietf-ipsec-nat-t-ike-02 from 24.123.84.238
4-4-2006 8:22:25 am ***Send Main Mode message to 24.123.84.238
4-4-2006 8:22:25 am
I-COOKIE=D71F38F0C6E2F3C5,R-COOKIE=4B552B0C507CB8F0,MsgID=0,1stPL=SA-PAYLOAD,state=1212148524
4-4-2006 8:22:25 am ***Receive Main Mode message from 24.123.84.238
4-4-2006 8:22:25 am
I-COOKIE=D71F38F0C6E2F3C5,R-COOKIE=4B552B0C507CB8F0,MsgID=0,1stPL=KEY-PAYLOAD,state=1212148576
4-4-2006 8:22:25 am There is NAT in between server and client
4-4-2006 8:22:25 am info: sending certificate request payload is disabled
4-4-2006 8:22:25 am ***Send Main Mode message to 24.123.84.238
4-4-2006 8:22:25 am
I-COOKIE=D71F38F0C6E2F3C5,R-COOKIE=4B552B0C507CB8F0,MsgID=0,1stPL=KEY-PAYLOAD,state=1212148576
4-4-2006 8:22:25 am ***Receive Main Mode message from 24.123.84.238
4-4-2006 8:22:25 am
I-COOKIE=D71F38F0C6E2F3C5,R-COOKIE=4B552B0C507CB8F0,MsgID=0,1stPL=ID-PAYLOAD,state=1212148588
4-4-2006 8:22:25 am Recieved MM ID payload type 9 protocol 0 portnum 0
length 108
4-4-2006 8:22:25 am Could not verify certificate with a corresponding
eDirectory user.
4-4-2006 8:22:25 am sending notify message type 31 to 24.123.84.238
4-4-2006 8:22:25 am ***Send Unacknowledge Informational message to
24.123.84.238
4-4-2006 8:22:25 am
I-COOKIE=D71F38F0C6E2F3C5,R-COOKIE=4B552B0C507CB8F0,MsgID=24159905,1stPL=HASH-PAYLOAD,state=1212148636
4-4-2006 8:22:25 am sending notify message type 65535 to 24.123.84.238
4-4-2006 8:22:25 am ***Send Unacknowledge Informational message to
24.123.84.238
4-4-2006 8:22:25 am
I-COOKIE=D71F38F0C6E2F3C5,R-COOKIE=4B552B0C507CB8F0,MsgID=2E817FAF,1stPL=HASH-PAYLOAD,state=1212148636
4-4-2006 8:22:25 am Failed to create IKE-SA - Unknown error , dst =
24.123.84.238
4-4-2006 8:22:30 am IKE-SA 4392A220 is
Deleted,I-COOKIE=D71F38F0,R-COOKIE=4B552B0C,dst=24.123.84.238
4-4-2006 8:22:30 am State:2 Cond:4 TimerEvent:1
4-4-2006 8:22:30 am lifetime :28800 sec Rekey Time :0 sec
4-4-2006 8:22:30 am Created at :0 sec Remaining life time :-1776746
sec Current time 1805546
4-4-2006 8:22:30 am The client 24.123.84.238 removed from vpninf

4-4-2006 8:22:46 am ***Receive Main Mode message from 24.123.84.238
4-4-2006 8:22:46 am
I-COOKIE=D71F38F0C6E2F3C5,R-COOKIE=4B552B0C507CB8F0,MsgID=0,1stPL=ID-PAYLOAD,state=1212148588
4-4-2006 8:22:46 am The first payload of the message #1 is not the SA
Payload!
4-4-2006 8:22:46 am sending notify message type: 4 to 24.123.84.238
4-4-2006 8:22:46 am ***Send Unacknowledge Informational message to
24.123.84.238
4-4-2006 8:22:46 am
I-COOKIE=D71F38F0C6E2F3C5,R-COOKIE=4B552B0C507CB8F0,MsgID=5C7F0D7F,1stPL=NOTIFY-PAYLOAD,state=1212148688
4-4-2006 8:23:06 am ***Receive Main Mode message from 24.123.84.238
4-4-2006 8:23:06 am
I-COOKIE=D71F38F0C6E2F3C5,R-COOKIE=4B552B0C507CB8F0,MsgID=0,1stPL=ID-PAYLOAD,state=1212148588
4-4-2006 8:23:06 am The first payload of the message #1 is not the SA
Payload!
4-4-2006 8:23:06 am sending notify message type: 4 to 24.123.84.238
4-4-2006 8:23:06 am ***Send Unacknowledge Informational message to
24.123.84.238
4-4-2006 8:23:06 am
I-COOKIE=D71F38F0C6E2F3C5,R-COOKIE=4B552B0C507CB8F0,MsgID=703FA64F,1stPL=NOTIFY-PAYLOAD,state=1212148688
4-4-2006 8:23:26 am ***Receive Main Mode message from 24.123.84.238
4-4-2006 8:23:26 am
I-COOKIE=D71F38F0C6E2F3C5,R-COOKIE=4B552B0C507CB8F0,MsgID=0,1stPL=ID-PAYLOAD,state=1212148588
4-4-2006 8:23:26 am The first payload of the message #1 is not the SA
Payload!
4-4-2006 8:23:26 am sending notify message type: 4 to 24.123.84.238
4-4-2006 8:23:26 am ***Send Unacknowledge Informational message to
24.123.84.238
4-4-2006 8:23:26 am
I-COOKIE=D71F38F0C6E2F3C5,R-COOKIE=4B552B0C507CB8F0,MsgID=33F00A8D,1stPL=NOTIFY-PAYLOAD,state=1212148688
4-4-2006 8:23:46 am ***Receive Main Mode message from 24.123.84.238
4-4-2006 8:23:46 am
I-COOKIE=D71F38F0C6E2F3C5,R-COOKIE=4B552B0C507CB8F0,MsgID=0,1stPL=ID-PAYLOAD,state=1212148588
4-4-2006 8:23:46 am The first payload of the message #1 is not the SA
Payload!
4-4-2006 8:23:46 am sending notify message type: 4 to 24.123.84.238
4-4-2006 8:23:46 am ***Send Unacknowledge Informational message to
24.123.84.238