IkeStorePeerCert failed with Windows error 13804
I'm trying to make IPSec work in transport mode between Vista and Solaris 10. It is failing during Main mode (IKE). I use certificates for an identity check. Vista seems to choke on a received peer certificate (IkeStorePeerCert failed). Solaris seems to be ok. I wonder if Vista requires CRLDistributionPoints to be present in a peer certificate? Thanks.

This is a debug trace from WFPUtil (x64):

[3]03F8.0D0C::09/14/2008-11:26:48.752 [ikeext] 0|200.6.63.28|Construct SA
[3]03F8.0D0C::09/14/2008-11:26:48.752 [ikeext] 0|200.6.63.28|AUTHIP keying module is not enabled for traffic
[3]03F8.0D0C::09/14/2008-11:26:48.752 [ikeext] 0|200.6.63.28|IKE not sending co-existence Vendor ID
[3]03F8.0D0C::09/14/2008-11:26:48.752 [ikeext] 0|200.6.63.28|Construct VENDOR type MS NT5 ISAKMPOAKLEY
[3]03F8.0D0C::09/14/2008-11:26:48.752 [ikeext] 0|200.6.63.28|Construct VENDOR type RFC 3947
[3]03F8.0D0C::09/14/2008-11:26:48.752 [ikeext] 0|200.6.63.28|Construct VENDOR type draft-ietf-ipsec-nat-t-ike-02
[3]03F8.0D0C::09/14/2008-11:26:48.752 [ikeext] 0|200.6.63.28|Construct VENDOR type FRAGMENTATION
[3]03F8.0D0C::09/14/2008-11:26:48.752 [ikeext] 0|200.6.63.28|Construct VENDOR type MS-Negotiation Discovery Capable
[3]03F8.0D0C::09/14/2008-11:26:48.752 [ikeext] 0|200.6.63.28|Construct VENDOR type Vid-Initial-Contact
[3]03F8.0D0C::09/14/2008-11:26:48.752 [ikeext] 0|200.6.63.28|Construct VENDOR type IKE CGA version 1
[3]03F8.0D0C::09/14/2008-11:26:48.752 [ikeext] 0|200.6.63.28|
[3]03F8.0D0C::09/14/2008-11:26:48.752 [ikeext] 0|200.6.63.28|Sending Packet
[3]03F8.0D0C::09/14/2008-11:26:48.752 [ikeext] 0|200.6.63.28|iCookie b0608ead4dc08fac rCookie 0000000000000000
[3]03F8.0D0C::09/14/2008-11:26:48.752 [ikeext] 0|200.6.63.28|Exchange type: IKE Main Mode Length 228 NextPayload SA Flags 0 Messid 0x00000000
[3]03F8.0D0C::09/14/2008-11:26:48.752 [ikeext] 0|200.6.63.28|Local Address: 212.248.26.75.500 Protocol 0
[3]03F8.0D0C::09/14/2008-11:26:48.752 [ikeext] 0|200.6.63.28|Peer Address: 200.6.63.28.500 Protocol 0
[3]03F8.0D0C::09/14/2008-11:26:48.752 [ikeext] 0|200.6.63.28|Global IF index epoch (2) higher than cache epoch (0). Obtaining IF index from stack.
[1]03F8.0D0C::09/14/2008-11:26:48.755 [ikeext] 0|200.6.63.28|IF-Index: 8
[1]03F8.0D0C::09/14/2008-11:26:48.755 [ikeext] 0|200.6.63.28|Created new TimerContext 0000000002BDB000, type 0
[3]03F8.0D0C::09/14/2008-11:26:49.024 [ikeext] 0|200.6.63.28|
[3]03F8.0D0C::09/14/2008-11:26:49.024 [ikeext] 0|200.6.63.28|Received packet
[3]03F8.0D0C::09/14/2008-11:26:49.024 [ikeext] 0|200.6.63.28|Local Address: 212.248.26.75.500 Protocol 0
[3]03F8.0D0C::09/14/2008-11:26:49.024 [ikeext] 0|200.6.63.28|Peer Address: 200.6.63.28.500 Protocol 0
[3]03F8.0D0C::09/14/2008-11:26:49.024 [ikeext] 5|200.6.63.28|iCookie b0608ead4dc08fac rCookie 07f254c7ac5d3e23
[3]03F8.0D0C::09/14/2008-11:26:49.024 [ikeext] 5|200.6.63.28|Exchange type: IKE Main Mode Length 132 NextPayload SA Flags 0 Messid 0x00000000
[3]03F8.0D0C::09/14/2008-11:26:49.024 [ikeext] 5|200.6.63.28|mmSa: 0x0000000002FE0870
[3]03F8.0D0C::09/14/2008-11:26:49.024 [ikeext] 5|200.6.63.28|Process Payload VENDOR ID, SA 0000000002FE0870
[3]03F8.0D0C::09/14/2008-11:26:49.024 [ikeext] 5|200.6.63.28|Received Vendor ID type: RFC 3947
[3]03F8.0D0C::09/14/2008-11:26:49.024 [ikeext] 5|200.6.63.28|Process Payload VENDOR ID, SA 0000000002FE0870
[3]03F8.0D0C::09/14/2008-11:26:49.024 [ikeext] 5|200.6.63.28|Process Payload SA, SA 0000000002FE0870
[3]03F8.0D0C::09/14/2008-11:26:49.024 [ikeext] 5|200.6.63.28|MM transform num: 1
[3]03F8.0D0C::09/14/2008-11:26:49.024 [ikeext] 5|200.6.63.28|OAK_ENCR_ALG: 5
[3]03F8.0D0C::09/14/2008-11:26:49.024 [ikeext] 5|200.6.63.28|OAK_HASH_ALG: 2
[3]03F8.0D0C::09/14/2008-11:26:49.024 [ikeext] 5|200.6.63.28|OAK_GROUP_DESC: 2
[3]03F8.0D0C::09/14/2008-11:26:49.024 [ikeext] 5|200.6.63.28|OAK_AUTH_METHOD: 3
[3]03F8.0D0C::09/14/2008-11:26:49.024 [ikeext] 5|200.6.63.28|OAK_LIFE_TYPE: 1
[3]03F8.0D0C::09/14/2008-11:26:49.024 [ikeext] 5|200.6.63.28|OAK_LIFE_DUR: 28800
[3]03F8.0D0C::09/14/2008-11:26:49.024 [ikeext] 5|200.6.63.28|Accepted proposal. Trans: 1
[3]03F8.0D0C::09/14/2008-11:26:49.024 [ikeext] 5|200.6.63.28|Ignoring port float. Incoming packet not on 4500
[3]03F8.0D0C::09/14/2008-11:26:49.024 [ikeext] 5|200.6.63.28|Construct IKEHeader
[3]03F8.0D0C::09/14/2008-11:26:49.029 [ikeext] 5|200.6.63.28|Construct KE
[3]03F8.0D0C::09/14/2008-11:26:49.029 [ikeext] 5|200.6.63.28|Construct NONCE
[3]03F8.0D0C::09/14/2008-11:26:49.029 [ikeext] 5|200.6.63.28|Construct NatDisc
[3]03F8.0D0C::09/14/2008-11:26:49.029 [ikeext] 5|200.6.63.28|Construct NatDisc
[3]03F8.0D0C::09/14/2008-11:26:49.029 [ikeext] 5|200.6.63.28|
[3]03F8.0D0C::09/14/2008-11:26:49.029 [ikeext] 5|200.6.63.28|Sending Packet
[3]03F8.0D0C::09/14/2008-11:26:49.029 [ikeext] 5|200.6.63.28|iCookie b0608ead4dc08fac rCookie 07f254c7ac5d3e23
[3]03F8.0D0C::09/14/2008-11:26:49.029 [ikeext] 5|200.6.63.28|Exchange type: IKE Main Mode Length 260 NextPayload KE Flags 0 Messid 0x00000000
[3]03F8.0D0C::09/14/2008-11:26:49.029 [ikeext] 5|200.6.63.28|Local Address: 212.248.26.75.500 Protocol 0
[3]03F8.0D0C::09/14/2008-11:26:49.029 [ikeext] 5|200.6.63.28|Peer Address: 200.6.63.28.500 Protocol 0
[3]03F8.0D0C::09/14/2008-11:26:49.029 [ikeext] 5|200.6.63.28|IF-Index: 8
[3]03F8.0D0C::09/14/2008-11:26:49.029 [ikeext] 5|200.6.63.28|Updating TimerContext 0000000002BDB000
[3]03F8.0D0C::09/14/2008-11:26:49.255 [ikeext] 0|200.6.63.28|
[3]03F8.0D0C::09/14/2008-11:26:49.255 [ikeext] 0|200.6.63.28|Received packet
[3]03F8.0D0C::09/14/2008-11:26:49.255 [ikeext] 0|200.6.63.28|Local Address: 212.248.26.75.500 Protocol 0
[3]03F8.0D0C::09/14/2008-11:26:49.255 [ikeext] 0|200.6.63.28|Peer Address: 200.6.63.28.500 Protocol 0
[3]03F8.0D0C::09/14/2008-11:26:49.255 [ikeext] 5|200.6.63.28|iCookie b0608ead4dc08fac rCookie 07f254c7ac5d3e23
[3]03F8.0D0C::09/14/2008-11:26:49.255 [ikeext] 5|200.6.63.28|Exchange type: IKE Main Mode Length 342 NextPayload KE Flags 0 Messid 0x00000000
[3]03F8.0D0C::09/14/2008-11:26:49.255 [ikeext] 5|200.6.63.28|mmSa: 0x0000000002FE0870
[3]03F8.0D0C::09/14/2008-11:26:49.255 [ikeext] 5|200.6.63.28|Process Payload KE, SA 0000000002FE0870
[3]03F8.0D0C::09/14/2008-11:26:49.255 [ikeext] 5|200.6.63.28|Process Payload NONCE, SA 0000000002FE0870
[3]03F8.0D0C::09/14/2008-11:26:49.255 [ikeext] 5|200.6.63.28|Process Payload CERTREQ, SA 0000000002FE0870
[3]03F8.0D0C::09/14/2008-11:26:49.255 [ikeext] 5|200.6.63.28|Process Payload NATDISC, SA 0000000002FE0870
[3]03F8.0D0C::09/14/2008-11:26:49.256 [ikeext] 5|200.6.63.28|Process Payload NATDISC, SA 0000000002FE0870
[3]03F8.0D0C::09/14/2008-11:26:49.256 [ikeext] 5|200.6.63.28|Ignoring port float. Incoming packet not on 4500
[3]03F8.0D0C::09/14/2008-11:26:49.256 [ikeext] 5|200.6.63.28|Construct IKEHeader
[3]03F8.0D0C::09/14/2008-11:26:49.256 [ikeext] 5|200.6.63.28|Peer behind NAT
[3]03F8.0D0C::09/14/2008-11:26:49.258 [ikeext] 5|200.6.63.28|Constructing local cert chain
[3]03F8.0D0C::09/14/2008-11:26:49.258 [ikeext] 5|200.6.63.28|Taking into account CRPs
[3]03F8.0D0C::09/14/2008-11:26:49.258 [ikeext] 5|200.6.63.28|LOOKING FOR: a NAP cert chain
[1]03F8.0D0C::09/14/2008-11:26:49.259 [ikeext] 5|200.6.63.28|Dumping Chain:
[1]03F8.0D0C::09/14/2008-11:26:49.259 [ikeext] 5|200.6.63.28|cert name: s35.betline.ru
[1]03F8.0D0C::09/14/2008-11:26:49.259 [ikeext] 5|200.6.63.28|cert hash: 000867ea770e0229d9b95b2a3abbe9471ea82d59
[1]03F8.0D0C::09/14/2008-11:26:49.259 [ikeext] 5|200.6.63.28|cert name: ca.gamesys.an
[1]03F8.0D0C::09/14/2008-11:26:49.259 [ikeext] 5|200.6.63.28|cert hash: b1390caa81f6913f4128e89f46665783819c5061
[1]03F8.0D0C::09/14/2008-11:26:49.259 [ikeext] 5|200.6.63.28|Doing BASE CAPI verification
[1]03F8.0D0C::09/14/2008-11:26:49.259 [ikeext] 5|200.6.63.28|CertChain did not pass CertVerifyCertificateChainPolicy: -2146885614(CRYPT_E_NO_REVOCATION_CHECK)
[1]03F8.0D0C::09/14/2008-11:26:49.259 [ikeext] 5|200.6.63.28|But we are not failing because cert auth flags in policy is set to 0
[1]03F8.0D0C::09/14/2008-11:26:49.262 [ikeext] 5|200.6.63.28|Policy for chain root doesn't require NAP cert, rejecting chain
[1]03F8.0D0C::09/14/2008-11:26:49.262 [user] |200.6.63.28|IkeFindLocalCertChainHelper failed with Windows error 13806(ERROR_IPSEC_IKE_NO_CERT)
[1]03F8.0D0C::09/14/2008-11:26:49.262 [ikeext] 5|200.6.63.28|LOOKING FOR: an IPsec EKU cert chain
[1]03F8.0D0C::09/14/2008-11:26:49.262 [ikeext] 5|200.6.63.28|Dumping Chain:
[1]03F8.0D0C::09/14/2008-11:26:49.262 [ikeext] 5|200.6.63.28|cert name: s35.betline.ru
[1]03F8.0D0C::09/14/2008-11:26:49.262 [ikeext] 5|200.6.63.28|cert hash: 000867ea770e0229d9b95b2a3abbe9471ea82d59
[1]03F8.0D0C::09/14/2008-11:26:49.262 [ikeext] 5|200.6.63.28|cert name: ca.gamesys.an
[1]03F8.0D0C::09/14/2008-11:26:49.262 [ikeext] 5|200.6.63.28|cert hash: b1390caa81f6913f4128e89f46665783819c5061
[1]03F8.0D0C::09/14/2008-11:26:49.262 [ikeext] 5|200.6.63.28|Doing BASE CAPI verification
[1]03F8.0D0C::09/14/2008-11:26:49.262 [ikeext] 5|200.6.63.28|CertChain did not pass CertVerifyCertificateChainPolicy: -2146885614(CRYPT_E_NO_REVOCATION_CHECK)
[1]03F8.0D0C::09/14/2008-11:26:49.262 [ikeext] 5|200.6.63.28|But we are not failing because cert auth flags in policy is set to 0
[1]03F8.0D0C::09/14/2008-11:26:49.264 [ikeext] 5|200.6.63.28|Local cert chain passed validity checks
[1]03F8.0D0C::09/14/2008-11:26:49.266 [ikeext] 5|200.6.63.28|Cert lifetime in seconds low 31534550, high 0
[1]03F8.0D0C::09/14/2008-11:26:49.266 [ikeext] 5|200.6.63.28|Construct MM ID
[1]03F8.0D0C::09/14/2008-11:26:49.266 [ikeext] 5|200.6.63.28|Construct CERT
[1]03F8.0D0C::09/14/2008-11:26:49.267 [ikeext] 5|200.6.63.28|Construct SIG
[1]03F8.0D0C::09/14/2008-11:26:49.267 [ikeext] 5|200.6.63.28|Construct CERT REQUEST
[1]03F8.0D0C::09/14/2008-11:26:49.268 [ikeext] 5|200.6.63.28|
[1]03F8.0D0C::09/14/2008-11:26:49.268 [ikeext] 5|200.6.63.28|Sending Packet
[1]03F8.0D0C::09/14/2008-11:26:49.268 [ikeext] 5|200.6.63.28|iCookie b0608ead4dc08fac rCookie 07f254c7ac5d3e23
[1]03F8.0D0C::09/14/2008-11:26:49.268 [ikeext] 5|200.6.63.28|Exchange type: IKE Main Mode Length 1116 NextPayload ID Flags 1 Messid 0x00000000
[1]03F8.0D0C::09/14/2008-11:26:49.268 [ikeext] 5|200.6.63.28|Local Address: 212.248.26.75.4500 Protocol 0
[1]03F8.0D0C::09/14/2008-11:26:49.268 [ikeext] 5|200.6.63.28|Peer Address: 200.6.63.28.4500 Protocol 0
[1]03F8.0D0C::09/14/2008-11:26:49.268 [ikeext] 5|200.6.63.28|IF-Index: 8
[1]03F8.0D0C::09/14/2008-11:26:49.268 [ikeext] 5|200.6.63.28|Updating TimerContext 0000000002BDB000
[2]03F8.0D0C::09/14/2008-11:26:49.516 [ikeext] 0|200.6.63.28|
[3]03F8.0E94::09/14/2008-11:26:49.516 [ikeext] 0|200.6.63.28|
[2]03F8.0D0C::09/14/2008-11:26:49.516 [ikeext] 0|200.6.63.28|Received packet
[3]03F8.0E94::09/14/2008-11:26:49.516 [ikeext] 0|200.6.63.28|Received packet
[2]03F8.0D0C::09/14/2008-11:26:49.516 [ikeext] 0|200.6.63.28|Local Address: 212.248.26.75.4500 Protocol 0
[3]03F8.0E94::09/14/2008-11:26:49.516 [ikeext] 0|200.6.63.28|Local Address: 212.248.26.75.4500 Protocol 0
[2]03F8.0D0C::09/14/2008-11:26:49.516 [ikeext] 0|200.6.63.28|Peer Address: 200.6.63.28.4500 Protocol 0
[3]03F8.0E94::09/14/2008-11:26:49.516 [ikeext] 0|200.6.63.28|Peer Address: 200.6.63.28.4500 Protocol 0
[2]03F8.0D0C::09/14/2008-11:26:49.516 [ikeext] 5|200.6.63.28|iCookie b0608ead4dc08fac rCookie 07f254c7ac5d3e23
[3]03F8.0E94::09/14/2008-11:26:49.516 [ikeext] 5|200.6.63.28|Packet queued inside MM SA 0000000002FE0870, and will be processed later
[2]03F8.0D0C::09/14/2008-11:26:49.516 [ikeext] 5|200.6.63.28|Exchange type: IKE Main Mode Length 628 NextPayload ID Flags 1 Messid 0x00000000
[2]03F8.0D0C::09/14/2008-11:26:49.516 [ikeext] 5|200.6.63.28|mmSa: 0x0000000002FE0870
[2]03F8.0D0C::09/14/2008-11:26:49.516 [ikeext] 5|200.6.63.28|Process Payload MM ID, SA 0000000002FE0870
[2]03F8.0D0C::09/14/2008-11:26:49.516 [ikeext] 5|200.6.63.28|Process Payload CERT, SA 0000000002FE0870
[2]03F8.0D0C::09/14/2008-11:26:49.516 [user] |200.6.63.28|IkeStorePeerCert failed with Windows error 13804(ERROR_IPSEC_IKE_GENERAL_PROCESSING_ERROR)
[2]03F8.0D0C::09/14/2008-11:26:49.516 [user] |200.6.63.28|IkeStorePeerCert failed with HRESULT 0x800735ec(ERROR_IPSEC_IKE_GENERAL_PROCESSING_ERROR)
[2]03F8.0D0C::09/14/2008-11:26:49.516 [user] |200.6.63.28|IkePostPayloadProcessMMCert failed with HRESULT 0x800735ec(ERROR_IPSEC_IKE_GENERAL_PROCESSING_ERROR)
[2]03F8.0D0C::09/14/2008-11:26:49.516 [user] |200.6.63.28|IkeHandlePayloadMMCert failed with HRESULT 0x800735ec(ERROR_IPSEC_IKE_GENERAL_PROCESSING_ERROR)
[2]03F8.0D0C::09/14/2008-11:26:49.516 [user] |200.6.63.28|IkeProcessPayloadMM failed with HRESULT 0x800735ec(ERROR_IPSEC_IKE_GENERAL_PROCESSING_ERROR)
[2]03F8.0D0C::09/14/2008-11:26:49.516 [user] |200.6.63.28|IkeProcessOakPayloadGroup failed with HRESULT 0x800735ec(ERROR_IPSEC_IKE_GENERAL_PROCESSING_ERROR)
[2]03F8.0D0C::09/14/2008-11:26:49.516 [user] |200.6.63.28|IkeProcessOakPacket failed with HRESULT 0x800735ec(ERROR_IPSEC_IKE_GENERAL_PROCESSING_ERROR)

September 14th, 2008 2:55pm
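
For triaging a flattened trace like the one in this post, the following added example (not part of the original post and not a Microsoft tool) splits the entries apart and brings the three status notations the trace uses (Windows error number, hex HRESULT, signed decimal) into one form. The function names are made up for illustration and the sample string is constructed from four entries of the trace above.

```python
import re

# Constructed sample: four entries copied from the trace in the post, run
# together without line breaks the way a flattened paste shows them.
SAMPLE = (
    "[1]03F8.0D0C::09/14/2008-11:26:49.259 [ikeext] 5|200.6.63.28|CertChain did not pass "
    "CertVerifyCertificateChainPolicy: -2146885614(CRYPT_E_NO_REVOCATION_CHECK)"
    "[2]03F8.0D0C::09/14/2008-11:26:49.516 [ikeext] 5|200.6.63.28|Process Payload CERT, "
    "SA 0000000002FE0870"
    "[2]03F8.0D0C::09/14/2008-11:26:49.516 [user] |200.6.63.28|IkeStorePeerCert failed "
    "with Windows error 13804(ERROR_IPSEC_IKE_GENERAL_PROCESSING_ERROR)"
    "[2]03F8.0D0C::09/14/2008-11:26:49.516 [user] |200.6.63.28|IkeProcessPayloadMM failed "
    "with HRESULT 0x800735ec(ERROR_IPSEC_IKE_GENERAL_PROCESSING_ERROR)"
)

# Entry prefix as it appears in the trace: [n]XXXX.XXXX::date-time [component]
PREFIX = re.compile(r"\[\d+\][0-9A-F]{4}\.[0-9A-F]{4}::(\S+) \[(\w+)\] ")
# A numeric status followed by its symbolic name, e.g. 13804(ERROR_...)
STATUS = re.compile(r"(0x[0-9a-fA-F]+|-?\d+)\(([A-Z_0-9]+)\)")

def split_entries(text):
    """Split a flattened trace into one dict per entry."""
    text = text.replace("\n", "")  # undo wrapping that cut entries mid-line
    heads = list(PREFIX.finditer(text))
    entries = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        _level, _, rest = text[h.end():end].partition("|")
        peer, _, msg = rest.partition("|")
        entries.append({"time": h.group(1), "component": h.group(2),
                        "peer": peer, "msg": msg.strip()})
    return entries

def normalize(raw):
    """Return (hresult_hex, win32_code_or_None) for a status printed in the trace."""
    if 0 < raw <= 0xFFFF:                     # plain Win32 error code
        return "0x%08X" % (0x80070000 | raw), raw
    h = raw & 0xFFFFFFFF                      # signed decimal or hex HRESULT
    win32 = h & 0xFFFF if (h >> 16) & 0x7FF == 7 else None  # facility 7 = Win32
    return "0x%08X" % h, win32

def failures(entries):
    """List (time, symbolic_name, hresult_hex, win32_code) for entries with a status."""
    out = []
    for e in entries:
        m = STATUS.search(e["msg"])
        if m:
            out.append((e["time"], m.group(2)) + normalize(int(m.group(1), 0)))
    return out

if __name__ == "__main__":
    for row in failures(split_entries(SAMPLE)):
        print(row)
```

On the sample, "Windows error 13804" and "HRESULT 0x800735ec" normalize to the same value, while the CRYPT_E_NO_REVOCATION_CHECK entry is a separate status from a different facility.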

This topic is archived. No further replies will be accepted.
