
problems about isakmpd with x509 certificate
Hi,

I want to set up a VPN with isakmpd and an X.509 certificate between one
FreeBSD box (bigbox.qobra.com) and one WinNT box (ire.qobra.com). I followed the steps in
README.pki and faq13. After creating the CA and certificates on OpenBSD 2.8, I
copied bigbox.qobra.com.crt to /etc/isakmpd/certs/, bigbox.qobra.com.key to
/etc/isakmpd/private/ and ca.crt to /etc/isakmpd/ca on FreeBSD. I moved
ire.qobra.com.p12 and ca.crt onto the IRE client.

When I run isakmpd on FreeBSD and ping from WinNT, the following errors appear.

Default rsa_sig_decode_hash: no CERT subject match the ID
Default rsa_sig_decode_hash: no public key found
Default dropped message from 216.95.234.92 port 500 due to notification type
INVALID_ID_INFORMATION

After I copied ire.qobra.com.crt to /etc/isakmpd/certs/, there is no error,
but the VPN still isn't set up. Can anyone help? Thanks!!!

Jack Xiao

My x509.conf and x509.policy on FreeBSD are as follows:

x509.conf

[General]
Policy-file=  /etc/isakmpd/x509.policy
Retransmits=  3
Exchange-max-time= 60
Listen-on=  216.95.234.162

[Phase 1]
Default=  test

[Phase 2]
Passive-connections= test-tcserver

#[Keynote]
#Credential-directory= /etc/isakmpd/keynote

[X509-certificates]
CA-directory=  /etc/isakmpd/ca/
Cert-directory=  /etc/isakmpd/certs/
Private-key=  /etc/isakmpd/private/bigbox.qobra.com.key

[test]
Phase=   1
Transport=  udp
Local-address=  216.95.234.162
Configuration=  Default-main-mode
ID=   my-ID

[my-ID]
ID-type=  FQDN
Name=   bigbox.qobra.com

[test-tcserver]
Phase=   2
ISAKMP-peer=  test
Configuration=  Default-quick-mode
Local-ID=  Net-local

[Net-local]
ID-type=  IPV4_ADDR
Address=  216.95.234.162

[Default-main-mode]
DOI=   IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms=  3DES-SHA

[Default-aggressive-mode]
DOI=   IPSEC
EXCHANGE_TYPE=  AGGRESSIVE
Transforms=  3DES-SHA

[3DES-SHA]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM=  SHA
AUTHENTICATION_METHOD= RSA_SIG
GROUP_DESCRIPTION= MODP_1024
Life=   LIFE_3600_SECS

[Default-quick-mode]
DOI=   IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites=   QM-ESP-3DES-SHA-PFS-SUITE

[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols=  QM-ESP-3DES-SHA-PFS

[QM-ESP-3DES-SHA-PFS]
PROTOCOL_ID=  IPSEC_ESP
Transforms=  QM-ESP-3DES-SHA-PFS-XF

[QM-ESP-3DES-SHA-PFS-XF]
TRANSFORM_ID=  3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA
GROUP_DESCRIPTION= MODP_1024
Life=   LIFE_3600_SECS,LIFE_6000_KB

[LIFE_3600_SECS]
LIFE_TYPE=  SECONDS
LIFE_DURATION=  3600,2700:4320

[LIFE_6000_KB]
LIFE_TYPE=  KILOBYTES
LIFE_DURATION=  6000,4608:9316


x509.policy

KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right
password
Authorizer: "POLICY"
Licensees: "DN:/CN=key.qobra.com"
Conditions: app_domain == "IPsec policy" &&
     esp_present == "yes" &&
     esp_enc_alg != "null" -> "true";
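The two errors above come from isakmpd failing to find a certificate whose subject data matches the ID the peer sent, and the KeyNote policy separately names, as its licensee, the DN of the certificate a peer must authenticate with. The following script is an added example, not code from the post or from isakmpd: it parses the post's isakmpd.conf syntax and policy file (trimmed, constructed copies are embedded) and cross-checks the Phase 1 ID and the policy licensee CN against the names the operator has read out of the certificates on disk (the `local_cert_names` and `peer_cert_cns` lists are the caller's input; the example does not parse certificates itself). Run against the post's files, it reports that the licensee CN key.qobra.com matches neither certificate named in the post.

```python
import re

# Constructed, trimmed copies of the post's x509.conf and x509.policy, embedded so this runs offline.
X509_CONF = """\
[Phase 1]
Default= test
[test]
Phase= 1
ID= my-ID
[my-ID]
ID-type= FQDN
Name= bigbox.qobra.com
"""
X509_POLICY = 'Licensees: "DN:/CN=key.qobra.com"\n'

def parse_conf(text):
    """Parse isakmpd.conf syntax: [Section] headers, Key= Value lines, '#' comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        m = re.match(r'\[(.+)\]$', line)
        if m:
            section = conf.setdefault(m.group(1), {})
        elif '=' in line and section is not None:
            key, val = (s.strip() for s in line.split('=', 1))
            section[key] = val
    return conf

def local_id(conf):
    """Follow [Phase 1] Default -> peer section -> ID section -> (ID-type, Name)."""
    peer = conf['Phase 1']['Default']
    ident = conf[conf[peer]['ID']]
    return ident['ID-type'], ident['Name']

def policy_cns(policy_text):
    """CNs of the KeyNote licensees written in the 'DN:/...CN=host' form."""
    return re.findall(r'"DN:[^"]*?/CN=([^/"]+)', policy_text)

def check(conf, policy_text, local_cert_names, peer_cert_cns):
    """Cross-check config and policy against names read from the certificates
    (the caller extracts those, e.g. with openssl x509 -noout -subject)."""
    findings = []
    id_type, name = local_id(conf)
    if id_type == 'FQDN' and name not in local_cert_names:
        findings.append(f'Phase 1 ID {name} is not carried by the local certificate')
    for cn in policy_cns(policy_text):
        if cn not in peer_cert_cns:
            findings.append(f'policy licensee CN={cn} matches no peer certificate')
    return findings
```

An empty list from `check` means the three files agree on names; any finding points at the file to correct before re-running isakmpd.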