
Re: isakmpd: unknown id type user_fqdn



On Sat, 8 Jun 2002, Hanspeter Roth wrote:
...
> > It's ok to use a USER_FQDN ID when referring to a certificate etc, but not
> > as you do here as the Local-ID in phase 2 (Quick-Mode).  A phase 2 ID is
> > usually an address or a network, i.e IP-addresses.
>
> It should now be treated as a Default-phase-1-ID.

Ok, but note that Default-phase-1-ID is used for X509 certificate
authentication, while you are using shared-key auth (the Authentication=
field).

...
> > >
> > > [IPsec-east-west]
> > > Phase=			2
> > > ISAKMP-peer=		ISAKMP-peer-west
> > > Configuration=		Default-quick-mode
> > > Local-ID=		Road-Warrior-east
> > > Remote-ID=		Net-west
> >
> > Local-ID is wrong. Remote-ID is ok.
>
> I have removed the Local-ID. But now I get:
>
> 195642.982189 Default connection_record_passive: "Local-ID" is missing from section [IPsec-east-west]
> 195642.982215 Default connection_init: could not record connection "IPsec-east-west"

Yes, you still need a local ID for the VPN. Think "what's the local IP/net
on this side of the tunnel".

If you plan to go to a setup where the "Road-Warrior" uses a dynamic
address, your entire config file can probably look just like this
eventually:

###################################################

[Phase 1]
Default=                roadwarriors

[roadwarriors]
Phase=                  1
Configuration=          Default-main-mode
Authentication=         somesecret

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA,BLF-SHA

###################################################

With this simple config file, isakmpd will accept any incoming
negotiation as long as it uses 3DES-SHA or BLF-SHA and authenticates with
the shared key 'somesecret'.

All "VPN" data will be supplied by the client. As this side does not know
what IP the other side has, it cannot start negotiations itself. Thus, all
such data is not relevant here.

With this setup it is recommended to add relevant data into isakmpd.policy
and perhaps start using certificate authentication instead (if the shared
key is compromised/lost, all participants need to change it...).

/H

--
Håkan Olsson <ho_(_at_)_crt_(_dot_)_se>        (+46) 708 437 337     Carlstedt Research
Unix, Networking, Security      (+46) 31 701 4264        & Technology AB
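The message above recommends putting "relevant data into isakmpd.policy" alongside the shared-key Phase 1 config. The following isakmpd.policy fragment is an added example (not from the original mail or from the OpenBSD project) showing what that would look like for the [roadwarriors] section quoted above; the policy is a KeyNote assertion as described in isakmpd.policy(5), and the passphrase 'somesecret' is the one the mail uses as a placeholder.

```keynote
KeyNote-Version: 2
Comment: Added example, not part of the original mail. With shared-key
    (Authentication=) Phase 1, the peer is identified to the policy engine
    as "passphrase:<shared key>", so only peers that proved knowledge of
    'somesecret' are licensees of this assertion.
Authorizer: "POLICY"
Licensees: "passphrase:somesecret"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";
```

Without such a policy, a peer that knows the shared key could propose an SA with no ESP or with NULL encryption; the Conditions line is what ties the accepted Phase 2 proposals to the data this side actually wants to see (and, as the mail notes, a leaked shared key still means every road warrior has to change it, which is the argument for moving to certificates).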