problem with isakmpd with certs
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: problem with isakmpd with certs
- From: Andreas Schuldei <andreas_(_at_)_schuldei_(_dot_)_org>
- Date: Fri, 5 Jan 2001 19:10:35 +0100
Now I created a script which generates certificate-based isakmpd config files.
An example of such a generated conf and policy file is here:
[General]
Retransmits= 5
Exchange-max-time= 120
Listen-on= 195.84.105.112
[my-ID]
ID-type= IPV4_ADDR
Address= 195.84.105.112
[Phase 1]
195.84.181.91= utilator
[Phase 2]
Connections=incoming-from-utilator-net,incoming-from-utilator-host
[utilator]
Phase= 1
Transport= udp
Address= 195.84.181.91
Configuration= Default-main-mode
ID= my-ID
[incoming-from-utilator-net]
Phase= 2
ISAKMP-peer= utilator
Configuration= Default-quick-mode
Local-ID= schuldei-net
Remote-ID= utilator-net
[incoming-from-utilator-host]
Phase= 2
ISAKMP-peer= utilator
Configuration= Default-quick-mode
Local-ID= schuldei-host
Remote-ID= utilator-host
[utilator-net]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.1.0
Netmask= 255.255.255.0
[utilator-host]
ID-type= IPV4_ADDR
Address= 195.84.181.91
[schuldei-net]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.1.0
Netmask= 255.255.255.0
[schuldei-host]
ID-type= IPV4_ADDR
Address= 195.84.105.112
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-MD5
[X509-certificates]
CA-directory= /etc/isakmpd/ca/
Cert-directory= /etc/isakmpd/certs/
Private-key= /etc/isakmpd/private/local.key
[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= RSA_SIG
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_60_SECS,LIFE_1000_KB
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-MD5-PFS-SUITE
[QM-ESP-3DES-MD5-PFS-SUITE]
Protocols= QM-ESP-3DES-MD5-PFS
[QM-ESP-3DES-MD5-PFS]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-MD5-PFS-XF
[QM-ESP-3DES-MD5-PFS-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_MD5
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_60_SECS
[LIFE_60_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 60,45:72
[LIFE_1000_KB]
LIFE_TYPE= KILOBYTES
LIFE_DURATION= 1000,768:1536
and here comes the policy file:
keynote-version: 2
Authorizer: "POLICY"
licensees: "DN:\ORG=Frontyard"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";
So far, so good. When I start isakmpd -d -DA=10 I am told:
173351.104824 Default keynote_cert_obtain: failed to stat "/etc/isakmpd/keynote//195.84.105.112/credentials"
173358.439092 Mesg 00 ipsec_validate_id_information: proto 0 port 0 type 1
173358.442331 Default rsa_sig_decode_hash: received CERT can't be validated
173358.442659 Default rsa_sig_decode_hash: no public key found
173358.442987 Default dropped message from 195.84.181.91 port 500 due to notification type INVALID_ID_INFORMATION
The first line tells me that it does not have any credentials yet. Do I need
to create the directory or is this done once the credentials are transmitted?
In the mailing list archive I read that they are automatically generated by
isakmpd. Is that correct?
But what does the 'received CERT can't be validated' mean? My script generated
all the certs in one go and I would guess that they must fit.
How can I make sure that all certs are correct? Could it be that some old
certificates in /etc/openssl/ get in the way?
Why would it not find the public key? It is sitting in
/etc/isakmpd/private/lokal.key, as specified in the config file.
Please help.
Which file was not found? Does it need any special permissions (like rw-------)?
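A small sanity check for a generated isakmpd.conf like the one quoted above, added here as an example (it is not code from the post or from isakmpd): it parses the file with Python's configparser (assumed to be close enough to isakmpd's section/key syntax), reports every section name referenced by a key such as Configuration, Transforms or ISAKMP-peer that has no matching section, and lists the paths under [X509-certificates] that do not exist on the host. The REF_KEYS set is an assumption drawn from the keys used in the quoted config, and the embedded excerpt is a constructed subset of it.

```python
import configparser
import os

# Constructed excerpt of the isakmpd.conf quoted in the post (not the whole file).
SAMPLE_CONF = """\
[Phase 1]
195.84.181.91= utilator
[Phase 2]
Connections=incoming-from-utilator-net
[utilator]
Configuration= Default-main-mode
[incoming-from-utilator-net]
ISAKMP-peer= utilator
Configuration= Default-quick-mode
[Default-main-mode]
Transforms= 3DES-MD5
[3DES-MD5]
AUTHENTICATION_METHOD= RSA_SIG
[Default-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
[X509-certificates]
Cert-directory= /etc/isakmpd/certs/
Private-key= /etc/isakmpd/private/local.key
"""

# Keys whose values name other sections (assumption: drawn from the post's config).
REF_KEYS = {"Connections", "ISAKMP-peer", "Configuration", "ID", "Local-ID",
            "Remote-ID", "Transforms", "Suites", "Protocols", "Life"}

def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep case: isakmpd section names are case-sensitive
    cp.read_string(text)
    return cp

def dangling_references(text):
    """(section, key, name) for every referenced name that has no section."""
    cp, missing = load_conf(text), []
    for section in cp.sections():
        for key, value in cp.items(section):
            if section == "Phase 1" or key in REF_KEYS:  # [Phase 1] maps address -> peer
                for name in filter(None, (n.strip() for n in value.split(","))):
                    if not cp.has_section(name):
                        missing.append((section, key, name))
    return missing

def missing_x509_paths(text, exists=os.path.exists):
    """Keys in [X509-certificates] whose path does not exist on this host."""
    cp = load_conf(text)
    return [k for k, p in cp.items("X509-certificates") if not exists(p)]
```

Run it against the real /etc/isakmpd/isakmpd.conf to spot a mistyped section name or a Private-key path that does not match the file actually on disk.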