
Re: x509 with isakmpd



The first thing is to be sure you have the latest version of isakmpd, with all
errata applied, using "cvs checkout -P -rOPENBSD_2_8".

The version of isakmpd that comes with the original 2.8 distro
is pretty broken when used with certificates and a conf file.

Cedric

Jack Xiao wrote:

> Hi All,
>
> I want to set up a VPN with isakmpd and x509 certificates between one
> host (bigbox.qobra.com) and a SafeNet client (ire.qobra.com). I followed
> the steps in Readme.pki. After creating the CA and certificates on OpenBSD 2.8, I
> copied bigbox.qobra.com.crt to /etc/isakmpd/certs/, bigbox.qobra.com.key to
> /etc/isakmpd/private/ and ca.crt to /etc/isakmpd/ca/ on the host. I moved
> ire.qobra.com.p12 and ca.crt to the SafeNet client.
>
> When I run isakmpd on the host and ping from the client, the following errors appear.
>
> Default rsa_sig_decode_hash: no CERT subject match the ID
> Default rsa_sig_decode_hash: no public key found
> Default dropped message from 216.95.234.92 port 500 due to notification type
> INVALID_ID_INFORMATION
>
> After I copied ire.qobra.com.crt to /etc/isakmpd/certs/ on bigbox.qobra.com,
> there is no error, but the VPN doesn't get set up. I tried, tried and tried, but I
> can't get it to work. Who can give me some help or a hint? Thanks a lot!!!
>
> By the way, without an x509 certificate, the VPN can be set up successfully with a
> preshared key.
>
> My configuration file and policy file on the host are as follows:
>
> x509.conf
>
> [General]
> Policy-file=  /etc/isakmpd/x509.policy
> Retransmits=  3
> Exchange-max-time= 60
> Listen-on=  216.95.234.162
>
> [Phase 1]
> Default=  test
>
> [Phase 2]
> Passive-connections= test-tcserver
>
> #[Keynote]
> #Credential-directory= /etc/isakmpd/keynote
>
> [X509-certificates]
> CA-directory=  /etc/isakmpd/ca/
> Cert-directory=  /etc/isakmpd/certs/
> Private-key=  /etc/isakmpd/private/bigbox.qobra.com.key
>
> [test]
> Phase=   1
> Transport=  udp
> Local-address=  216.95.234.162
> Configuration=  Default-main-mode
> ID=   my-ID
>
> [my-ID]
> ID-type=  FQDN
> Name=   bigbox.qobra.com
>
> [test-tcserver]
> Phase=   2
> ISAKMP-peer=  test
> Configuration=  Default-quick-mode
> Local-ID=  Net-local
>
> [Net-local]
> ID-type=  IPV4_ADDR
> Address=  216.95.234.162
>
> [Default-main-mode]
> DOI=   IPSEC
> EXCHANGE_TYPE=  ID_PROT
> Transforms=  3DES-SHA
>
> [Default-aggressive-mode]
> DOI=   IPSEC
> EXCHANGE_TYPE=  AGGRESSIVE
> Transforms=  3DES-SHA
>
> [3DES-SHA]
> ENCRYPTION_ALGORITHM= 3DES_CBC
> HASH_ALGORITHM=  SHA
> AUTHENTICATION_METHOD= RSA_SIG
> GROUP_DESCRIPTION= MODP_1024
> Life=   LIFE_3600_SECS
>
> [Default-quick-mode]
> DOI=   IPSEC
> EXCHANGE_TYPE=  QUICK_MODE
> Suites=   QM-ESP-3DES-SHA-PFS-SUITE
>
> [QM-ESP-3DES-SHA-PFS-SUITE]
> Protocols=  QM-ESP-3DES-SHA-PFS
>
> [QM-ESP-3DES-SHA-PFS]
> PROTOCOL_ID=  IPSEC_ESP
> Transforms=  QM-ESP-3DES-SHA-PFS-XF
>
> [QM-ESP-3DES-SHA-PFS-XF]
> TRANSFORM_ID=  3DES
> ENCAPSULATION_MODE= TUNNEL
> AUTHENTICATION_ALGORITHM= HMAC_SHA
> GROUP_DESCRIPTION= MODP_1024
> Life=   LIFE_3600_SECS,LIFE_6000_KB
>
> [LIFE_3600_SECS]
> LIFE_TYPE=  SECONDS
> LIFE_DURATION=  3600,2700:4320
>
> [LIFE_6000_KB]
> LIFE_TYPE=  KILOBYTES
> LIFE_DURATION=  6000,4608:9316
>
> x509.policy
>
> KeyNote-Version: 2
> Comment: This policy accepts ESP SAs from a remote that uses the right
> password
> Authorizer: "POLICY"
> Licensees: "DN:/CN=key.qobra.com"
> Conditions: app_domain == "IPsec policy" &&
>      esp_present == "yes" &&
>      esp_enc_alg != "null" -> "true";
>
> Jack Xiao
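To check, from the defender's side, the mismatch behind the quoted `no CERT subject match the ID` line, here is an added Python example (not from this thread and not isakmpd's own code): it reads the Phase 1 ID out of an isakmpd.conf fragment and tests whether a certificate, as printed by `openssl x509 -noout -text`, carries a subjectAltName entry of the matching kind. It assumes, as the certpatch step in Readme.pki implies, that isakmpd matches an FQDN ID against a DNS subjectAltName rather than the subject CN; the configuration and certificate texts are constructed samples.

```python
import configparser
import re

# Constructed sample: the Phase 1 and ID sections of the poster's x509.conf.
ISAKMPD_CONF = """\
[Phase 1]
Default=  test
[test]
Phase=   1
ID=   my-ID
[my-ID]
ID-type=  FQDN
Name=   bigbox.qobra.com
"""
# Constructed samples of `openssl x509 -noout -text` output, cut down to the relevant lines.
CERT_WITH_SAN = """\
        Subject: CN=bigbox.qobra.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:bigbox.qobra.com
"""
CERT_CN_ONLY = """\
        Subject: CN=bigbox.qobra.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
"""

def local_ids(conf_text):
    """Map each Phase 1 peer listed under [Phase 1] to its (ID-type, Name) pair."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # isakmpd keys are case-sensitive; keep them as written
    cp.read_string(conf_text)
    ids = {}
    for peer in cp["Phase 1"].values():
        id_sec = cp[peer]["ID"]
        ids[peer] = (cp[id_sec]["ID-type"], cp[id_sec]["Name"])
    return ids

def san_entries(x509_text):
    """Return the subjectAltName entries (e.g. 'DNS:host') from openssl -text output, or []."""
    m = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", x509_text)
    return [e.strip() for e in m.group(1).split(",")] if m else []

def cert_matches_id(x509_text, id_type, name):
    """True if the certificate carries the subjectAltName entry isakmpd needs for this ID."""
    prefix = {"FQDN": "DNS:", "IPV4_ADDR": "IP Address:", "USER_FQDN": "email:"}[id_type]
    return (prefix + name) in san_entries(x509_text)
```

For the error quoted in the thread, the certificate to feed in is the client's (ire.qobra.com.crt, once it sits in Cert-directory) and the ID is the one the SafeNet client presents; a certificate with only a CN and no subjectAltName, like CERT_CN_ONLY above, is exactly the case that yields no match.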