VPN between MacOSX and OpenBSD



Hi,

I have some trouble setting up a VPN between my laptop (Mac OS X) and an OpenBSD gateway
(OpenBSD 3.5, isakmpd) based on X.509 certificates.


The gateway has IP address 10.0.2.1 and the client 10.0.2.2.
Files on gateway:
isakmpd.conf
[General]
Listen-on=              10.0.2.1

[Phase 1]
Default=                SECUREWLAN-1

[SECUREWLAN-1]
Phase=                  1
Transport=              udp
Configuration=          Default-main-mode
ID=                     WLAN

[WLAN]
ID-type=                FQDN
Name=                   vpngw.wackes.netz

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA-GRP2-RSA_SIG,BLF-SHA-GRP2-RSA_SIG

[Phase 2]
Passive-connections=    SECUREWLAN-2

[SECUREWLAN-2]
Phase=                  2
ISAKMP-peer=            SECUREWLAN-1
Configuration=          Default-quick-mode
Local-ID=               All-networks

[All-networks]
ID-type=                IPV4_ADDR_SUBNET
Network=                0.0.0.0
Netmask=                0.0.0.0

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-GRP2-SUITE,QM-ESP-3DES-SHA-PFS-GRP2-SUITE


isakmpd.policy
KeyNote-Version: 2
Comment: Authentication based on CA Certificates
Authorizer: "POLICY"
Licensees: "CA"

Authorizer: "CA"
Licensees: "DN:/C=DE/O=wacke.org/CN=wacke.org CA"
Conditions: app_domain == "IPsec policy" && esp_present == "yes" -> "true";


Files on client:
racoon.conf

path certificate "/etc/certs" ;
log notify;

remote anonymous
{
exchange_mode main;
doi ipsec_doi;
certificate_type x509 "ibook.wackes.netz.crt" "ibook.wackes.netz.key";
my_identifier fqdn "ibook.wackes.netz";
peers_identifier fqdn "vpngw.wacke.org";
initial_contact on;
situation identity_only;
proposal_check strict;
nonce_size 16;
support_mip6 on;


    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group 2;
    }
}
sainfo anonymous
{
    pfs_group 2;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate ;
}

and
ipsec.conf
spdadd 10.0.2.2/32 0.0.0.0/0 any -P out ipsec
 esp/tunnel/10.0.2.2-10.0.2.1/require;
spdadd 0.0.0.0/0 10.0.2.2/32 any -P in ipsec
 esp/tunnel/10.0.2.1-10.0.2.2/require;

So, when I start isakmpd with isakmpd -d -DA=70 everything is OK. Then I run
setkey -f ipsec.conf and then racoon -f racoon.conf -d -F;
after some messages I get the following one on my client:
2004-09-07 22:30:12: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 10.0.2.1->10.0.2.2
2004-09-07 22:30:12: INFO: isakmp.c:2050:isakmp_chkph1there(): delete phase 2 handler.
On the gateway machine (isakmpd) I can't see anything that looks suspicious.
What is wrong in my configuration? I just don't get it, because it's an example from the IPsec tutorial on
openbsd.de.


Please CC me, I'm not on this list.
TIA,
schamil
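An added consistency check, not part of the original post and not isakmpd's or racoon's own code: it follows the [Phase 1] Default= chain in isakmpd.conf to the identity the gateway will present, reads the peers_identifier racoon requires, and lists where the two disagree. On the files posted above it reports that the gateway is configured with vpngw.wackes.netz while racoon expects vpngw.wacke.org; such disagreements are the first thing to rule out when a main-mode Phase 1 never completes. The two parsers are assumptions covering only the syntax shown in the post, and the embedded configs are trimmed copies of it.

```python
import re
# Trimmed copies of the two posted files: isakmpd.conf (OpenBSD gateway)
# and racoon.conf (Mac OS X client), used as constructed sample input.
ISAKMPD_CONF = """\
[Phase 1]
Default=                SECUREWLAN-1
[SECUREWLAN-1]
Phase=                  1
ID=                     WLAN
[WLAN]
ID-type=                FQDN
Name=                   vpngw.wackes.netz
"""
RACOON_CONF = """\
remote anonymous {
my_identifier fqdn "ibook.wackes.netz";
peers_identifier fqdn "vpngw.wacke.org";
}
"""

def parse_isakmpd(text):
    """Parse isakmpd.conf's INI-like [Section] / Key= Value layout."""
    sections, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            sections[cur] = {}
        elif "=" in line and cur is not None:
            key, _, val = line.partition("=")
            sections[cur][key.strip()] = val.strip()
    return sections

def gateway_phase1_identity(sections):
    """Follow [Phase 1] Default= -> that section's ID= -> ID-type/Name."""
    peer = sections["Phase 1"]["Default"]
    ident = sections[sections[peer]["ID"]]
    return ident["ID-type"], ident["Name"]

def client_peer_identity(text):
    """ID type and name racoon's peers_identifier requires the peer to present."""
    m = re.search(r'peers_identifier\s+(\w+)\s+"([^"]+)"', text)
    return m.group(1).upper(), m.group(2)

def identity_mismatches(isakmpd_text, racoon_text):
    """Disagreements between what the gateway sends and what racoon expects."""
    gw = gateway_phase1_identity(parse_isakmpd(isakmpd_text))
    cl = client_peer_identity(racoon_text)
    return [f"gateway {k} {a!r} != client expects {b!r}"
            for k, a, b in zip(("ID-type", "name"), gw, cl) if a != b]
```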