
Re: x509 with isakmpd



The telling problem is the "no CERT subject match the ID" message; all the
other messages follow from this one.

isakmpd tries to find subjectName and subjectAltName from the certificate
and then matches these against the expected value (for FQDNs, this is the
name, i.e "xyz.qobra.com").

Most likely this is due to the SafeNet client not encoding the certificate
in a way that isakmpd can properly decode (yet). We saw the same with
PGPnet.

The reason there is no error when you put the certificate manually into
certs/ is that the OpenSSL parts of isakmpd will then use it directly. I
guess you get some other errors in this case..? (Otherwise, the VPN should
really have been set up by this...)

It could be helpful to have some more information. For example, if you could
provide debug output from the isakmpd side ('isakmpd -d -DA=99 -D1=70' is
usually good), the interesting parts are, say, the two hundred or so lines
up to the "no CERT subject match the ID" and twenty or so lines
afterwards.

Another thing that would help is to use the '-l' flag to isakmpd to have
it capture the packets in the IKE session. They are captured un/de-crypted
so they can be read by tcpdump etc. The default capture file name is
/var/run/isakmpd.pcap, and this is only available with an isakmpd from the
2.9 tree or (since yesterday) 2.8-STABLE.

(If you capture the session, the "best" way to view it is with something
 like 'tcpdump -nvs1500 -r /var/run/isakmpd.pcap'.)

/H

PS. In your policy file, I'd make a slight modification while testing.
    (look below)

On Wed, 9 May 2001, Jack Xiao wrote:

> Hi All,
>
> I want to set up VPN with isakmpd and x509 certificates between one
> host (bigbox.qobra.com) and the other SafeNet client (ire.qobra.com). I followed
> the steps in Readme.pki. After creating the CA and certificates on OpenBSD 2.8, I
> copied bigbox.qobra.com.crt to /etc/isakmpd/certs/, bigbox.qobra.com.key to
> /etc/isakmpd/private/ and ca.crt to /etc/isakmpd/ca/ on the host. I moved
> ire.qobra.com.p12 and ca.crt onto the SafeNet client.
>
> When I run isakmpd on host and ping from client, the following error comes.
>
> Default rsa_sig_decode_hash: no CERT subject match the ID
> Default rsa_sig_decode_hash: no public key found
> Default dropped message from 216.95.234.92 port 500 due to notification type
> INVALID_ID_INFORMATION
>
> After I copied ire.qobra.com.crt to bigbox.qobra.com /etc/isakmpd/certs/,
> there is no error. But the VPN doesn't set up. I tried, tried and tried. But I can
> get it to work. Who can give me help or some hint? Thanks a lot!!!
>
> By the way, without x509 certificate, VPN can be set up successfully with
> preshared key.
>
...
> KeyNote-Version: 2
> Comment: This policy accepts ESP SAs from a remote that uses the right
> password
> Authorizer: "POLICY"

Try to leave this line out while you test the VPN functionality:
> Licensees: "DN:/CN=key.qobra.com"

> Conditions: app_domain == "IPsec policy" &&
>      esp_present == "yes" &&
>      esp_enc_alg != "null" -> "true";


--
Håkan Olsson <ho@crt.se>        (+46) 708 437 337     Carlstedt Research
Unix, Networking, Security      (+46) 31 701 4264        & Technology AB
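As an added check (not part of this mail, and not isakmpd's own code), the subjectAltName/subject-CN match that isakmpd performs against the FQDN ID can be reproduced with the openssl command line before a certificate is dropped into /etc/isakmpd/certs/. It assumes OpenSSL 1.1.1 or later on PATH (for -ext and -addext) and constructs a throwaway self-signed certificate as test data; the hostnames are placeholders taken from the thread.

```shell
#!/bin/sh
# Added example: does a certificate carry the FQDN that isakmpd will look
# for as the peer ID? isakmpd compares the ID against the certificate's
# subjectAltName (and the subject CN); this replicates that check with the
# openssl CLI. Assumes OpenSSL 1.1.1 or later.

# cert_matches_fqdn CERT.pem FQDN
#   exit 0 if FQDN appears as a DNS: subjectAltName or as the subject CN,
#   exit 1 otherwise (which is the "no CERT subject match the ID" case).
cert_matches_fqdn() {
    cert=$1
    fqdn=$2
    # subjectAltName DNS entries, one per line
    sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p')
    # subject CN, printed in RFC 2253 form so the field is unambiguous
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    for name in $sans $cn; do
        [ "$name" = "$fqdn" ] && return 0
    done
    return 1
}

# make_test_cert OUT.pem CN SAN-FQDN
#   self-signed throwaway certificate (constructed test data, not a real
#   qobra.com certificate); the key is written next to it as OUT.pem.key
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1" -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$3" >/dev/null 2>&1
}
```

Run it against the peer's .crt with the FQDN you configure as its ID; a mismatch here is exactly what produces the "no CERT subject match the ID" line in the isakmpd debug output.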