x509 with isakmpd
Hi All,
I want to set up a VPN with isakmpd and x509 certificates between one
host (bigbox.qobra.com) and a SafeNet client (ire.qobra.com). I followed
the steps in Readme.pki. After creating the CA and certificates on OpenBSD 2.8, I
copied bigbox.qobra.com.crt to /etc/isakmpd/certs/, bigbox.qobra.com.key to
/etc/isakmpd/private/ and ca.crt to /etc/isakmpd/ca/ on the host. I moved
ire.qobra.com.p12 and ca.crt to the SafeNet client.
When I run isakmpd on the host and ping from the client, the following errors come:
Default rsa_sig_decode_hash: no CERT subject match the ID
Default rsa_sig_decode_hash: no public key found
Default dropped message from 216.95.234.92 port 500 due to notification type
INVALID_ID_INFORMATION
After I copied ire.qobra.com.crt to /etc/isakmpd/certs/ on bigbox.qobra.com,
there is no error, but the VPN doesn't get set up. I tried, tried and tried, but I can't
get it to work. Who can give me help or some hint? Thanks a lot!!!
By the way, without x509 certificates, the VPN can be set up successfully with a
preshared key.
My configuration file and policy file on the host are as follows:
x509.conf
[General]
Policy-file= /etc/isakmpd/x509.policy
Retransmits= 3
Exchange-max-time= 60
Listen-on= 216.95.234.162
[Phase 1]
Default= test
[Phase 2]
Passive-connections= test-tcserver
#[Keynote]
#Credential-directory= /etc/isakmpd/keynote
[X509-certificates]
CA-directory= /etc/isakmpd/ca/
Cert-directory= /etc/isakmpd/certs/
Private-key= /etc/isakmpd/private/bigbox.qobra.com.key
[test]
Phase= 1
Transport= udp
Local-address= 216.95.234.162
Configuration= Default-main-mode
ID= my-ID
[my-ID]
ID-type= FQDN
Name= bigbox.qobra.com
[test-tcserver]
Phase= 2
ISAKMP-peer= test
Configuration= Default-quick-mode
Local-ID= Net-local
[Net-local]
ID-type= IPV4_ADDR
Address= 216.95.234.162
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA
[Default-aggressive-mode]
DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= 3DES-SHA
[3DES-SHA]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= RSA_SIG
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE
[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols= QM-ESP-3DES-SHA-PFS
[QM-ESP-3DES-SHA-PFS]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-SHA-PFS-XF
[QM-ESP-3DES-SHA-PFS-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS,LIFE_6000_KB
[LIFE_3600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,2700:4320
[LIFE_6000_KB]
LIFE_TYPE= KILOBYTES
LIFE_DURATION= 6000,4608:9316
x509.policy
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right
password
Authorizer: "POLICY"
Licensees: "DN:/CN=key.qobra.com"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";
Jack Xiao
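As an added example, not code from the original post: a small POSIX shell checker for the kind of mismatch that "rsa_sig_decode_hash: no CERT subject match the ID" reports. isakmpd looks up the public key for an IKE ID by comparing it with the subjectAltName extension of the certificates it holds, so a certificate whose subjectAltName does not carry the FQDN or address that was sent as ID cannot authenticate that ID. The paths and names are the poster's; the function names and the parsing of "openssl x509 -text" output are my assumptions.

```shell
#!/bin/sh
# Check that an isakmpd certificate's subjectAltName matches an ID section
# such as [my-ID] (ID-type= FQDN, Name= bigbox.qobra.com).

# san_matches_id SAN_LINE ID_TYPE NAME
# SAN_LINE is the line printed under "X509v3 Subject Alternative Name:" by
# "openssl x509 -noout -text", e.g. "DNS:bigbox.qobra.com, IP Address:1.2.3.4".
# Returns 0 when an entry of the requested ID type and value is present.
san_matches_id() {
    san_line=$1; id_type=$2; name=$3
    case $id_type in
        FQDN)      want="DNS:$name" ;;          # isakmpd ID-type FQDN
        IPV4_ADDR) want="IP Address:$name" ;;   # isakmpd ID-type IPV4_ADDR
        USER_FQDN) want="email:$name" ;;        # isakmpd ID-type USER_FQDN
        *) echo "unsupported ID-type: $id_type" >&2; return 2 ;;
    esac
    # entries are comma separated; compare each one as a whole fixed string
    echo "$san_line" | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "$want"
}

# cert_san CERTFILE: print the subjectAltName line of a PEM certificate
# (empty output when the extension is absent).
cert_san() {
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}'
}

# check_cert CERTFILE ID_TYPE NAME: 0 when the certificate can back that ID.
check_cert() {
    san=$(cert_san "$1")
    if [ -z "$san" ]; then
        echo "$1: no subjectAltName extension, isakmpd cannot match it to any ID" >&2
        return 1
    fi
    if san_matches_id "$san" "$2" "$3"; then
        echo "$1: subjectAltName matches $2 $3"
    else
        echo "$1: subjectAltName ($san) does not contain $2 $3" >&2
        return 1
    fi
}

# Usage with the poster's values (check both the local certificate and the
# peer's certificate against the ID each side sends):
# check_cert /etc/isakmpd/certs/bigbox.qobra.com.crt FQDN bigbox.qobra.com
# check_cert /etc/isakmpd/certs/ire.qobra.com.crt FQDN ire.qobra.com
```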