VPN between MacOSX and OpenBSD
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: VPN between MacOSX and OpenBSD
- From: Schamil Wackenhut <sw_(_at_)_wacke_(_dot_)_org>
- Date: Tue, 07 Sep 2004 22:52:11 +0200
- Reply-to: Schamil Wackenhut <sw_(_at_)_wacke_(_dot_)_org>
Hi,
I have some trouble setting up a VPN between my laptop (Mac OS X) and
an OpenBSD gateway (OpenBSD 3.5, isakmpd) based on X.509 certificates.
The gateway has the IP address 10.0.2.1 and the client 10.0.2.2.
Files on gateway:
isakmpd.conf
[General]
Listen-on= 10.0.2.1
[Phase 1]
Default= SECUREWLAN-1
[SECUREWLAN-1]
Phase= 1
Transport= udp
Configuration= Default-main-mode
ID= WLAN
[WLAN]
ID-type= FQDN
Name= vpngw.wackes.netz
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-GRP2-RSA_SIG,BLF-SHA-GRP2-RSA_SIG
[Phase 2]
Passive-connections= SECUREWLAN-2
[SECUREWLAN-2]
Phase= 2
ISAKMP-peer= SECUREWLAN-1
Configuration= Default-quick-mode
Local-ID= All-networks
[All-networks]
ID-type= IPV4_ADDR_SUBNET
Network= 0.0.0.0
Netmask= 0.0.0.0
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-GRP2-SUITE,QM-ESP-3DES-SHA-PFS-GRP2-SUITE
isakmpd.policy
KeyNote-Version: 2
Comment: Authentication based on CA Certificates
Authorizer: "POLICY"
Licensees: "CA"
Authorizer: "CA"
Licensees: "DN:/C=DE/O=wacke.org/CN=wacke.org CA"
Conditions: app_domain == "IPsec policy" && esp_present == "yes" ->
"true";
Files on client:
racoon.conf
path certificate "/etc/certs" ;
log notify;
remote anonymous
{
exchange_mode main;
doi ipsec_doi;
certificate_type x509 "ibook.wackes.netz.crt" "ibook.wackes.netz.key";
my_identifier fqdn "ibook.wackes.netz";
peers_identifier fqdn "vpngw.wacke.org";
initial_contact on;
situation identity_only;
proposal_check strict;
nonce_size 16;
support_mip6 on;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}
sainfo anonymous
{
pfs_group 2;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}
and
ipsec.conf
spdadd 10.0.2.2/32 0.0.0.0/0 any -P out ipsec esp/tunnel/10.0.2.2-10.0.2.1/require;
spdadd 0.0.0.0/0 10.0.2.2/32 any -P in ipsec esp/tunnel/10.0.2.1-10.0.2.2/require;
So, when I start isakmpd with isakmpd -d -DA=70 everything is ok; then
I run setkey -f ipsec.conf and then racoon -f racoon.conf -d -F.
After some messages I get the following one on my client:
2004-09-07 22:30:12: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 10.0.2.1->10.0.2.2
2004-09-07 22:30:12: INFO: isakmp.c:2050:isakmp_chkph1there(): delete phase 2 handler.
On the gateway machine (isakmpd) I can't see anything that looks
suspicious.
What is wrong in my configuration? I just don't get it, cause it's an
example from the IPsec tutorial on openbsd.de.
Please CC me, I'm not on this list.
tia,
schamil
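One check worth running before reading debug output on a setup like the one above: confirm that the identity and the proposals each side is configured to send are what the other side is configured to accept, since a Phase 1 that never completes is exactly what racoon reports here. The script below is an added example, not from the post, from isakmpd or from racoon. It embeds trimmed copies of the two posted files as constructed input; the regex-based racoon.conf reader, the keyword-to-token tables and the function names are my own hypothetical helpers, and the transform and suite naming follows the isakmpd.conf(5) conventions. On the posted files it reports that the gateway's Phase 1 identity (Name= vpngw.wackes.netz) is not the peers_identifier the client is told to expect (vpngw.wacke.org), while the Phase 1 transform and the Phase 2 suite do line up.

```python
"""Cross-check the gateway's isakmpd.conf against the client's racoon.conf for
the identity, Phase 1 transform and Phase 2 suite each side expects.  Added
example, not from the post: parsers cover only the keys the posted files use."""
import re
from configparser import ConfigParser

# Constructed input: the posted isakmpd.conf trimmed to the keys read below
# (Suites joined back onto one line, as it is written in the actual file).
ISAKMPD_CONF = """[Phase 1]
Default= SECUREWLAN-1
[SECUREWLAN-1]
Configuration= Default-main-mode
ID= WLAN
[WLAN]
ID-type= FQDN
Name= vpngw.wackes.netz
[Default-main-mode]
Transforms= 3DES-SHA-GRP2-RSA_SIG,BLF-SHA-GRP2-RSA_SIG
[Phase 2]
Passive-connections= SECUREWLAN-2
[SECUREWLAN-2]
Configuration= Default-quick-mode
[Default-quick-mode]
Suites= QM-ESP-AES-SHA-PFS-GRP2-SUITE,QM-ESP-3DES-SHA-PFS-GRP2-SUITE
"""
# Constructed input: the posted racoon.conf, trimmed the same way.
RACOON_CONF = """remote anonymous {
my_identifier fqdn "ibook.wackes.netz";
peers_identifier fqdn "vpngw.wacke.org";
proposal_check strict;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}
sainfo anonymous { pfs_group 2; encryption_algorithm aes; authentication_algorithm hmac_sha1; }
"""
# racoon keywords -> tokens in isakmpd transform/suite names (isakmpd.conf(5))
ENC = {"3des": "3DES", "aes": "AES", "blowfish": "BLF", "des": "DES"}
HASH = {"sha1": "SHA", "md5": "MD5", "hmac_sha1": "SHA", "hmac_md5": "MD5"}
AUTH = {"rsasig": "RSA_SIG", "pre_shared_key": ""}  # PSK transforms have no suffix


def parse_isakmpd(text):
    cp = ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case, e.g. 'ID-type'
    cp.read_string(text)
    return cp


def _setting(block, key):
    m = re.search(rf"\b{key}\s+(\S+)\s*;", block)
    return m.group(1) if m else None


def parse_racoon(text):
    r = {}
    for key in ("my_identifier", "peers_identifier"):
        m = re.search(rf'{key}\s+(\w+)\s+"([^"]+)"', text)
        r[key] = (m.group(1), m.group(2))
    p1 = re.search(r"proposal\s*\{(.*?)\}", text, re.S).group(1)  # skips proposal_check
    r["phase1"] = {k: _setting(p1, k) for k in
                   ("encryption_algorithm", "hash_algorithm", "authentication_method", "dh_group")}
    p2 = re.search(r"sainfo\s+anonymous\s*\{(.*?)\}", text, re.S).group(1)
    r["phase2"] = {k: _setting(p2, k) for k in
                   ("pfs_group", "encryption_algorithm", "authentication_algorithm")}
    return r


def racoon_phase1_transform(r):
    p = r["phase1"]
    auth = AUTH[p["authentication_method"]]
    return f"{ENC[p['encryption_algorithm']]}-{HASH[p['hash_algorithm']]}-GRP{p['dh_group']}" + (f"-{auth}" if auth else "")


def racoon_phase2_suite(r):
    p = r["phase2"]
    pfs = f"-PFS-GRP{p['pfs_group']}" if p["pfs_group"] else ""
    return f"QM-ESP-{ENC[p['encryption_algorithm']]}-{HASH[p['authentication_algorithm']]}{pfs}-SUITE"


def cross_check(gw, cl):
    """Return a list of findings; empty means both sides agree on what is compared."""
    csv = lambda v: [x.strip() for x in v.split(",") if x.strip()]
    findings = []
    peer = gw["Phase 1"]["Default"]
    ident = gw[peer]["ID"]
    gw_id = (gw[ident]["ID-type"], gw[ident]["Name"])
    cl_type, cl_name = cl["peers_identifier"]
    if gw_id != (cl_type.upper(), cl_name):  # ID payload sent vs. ID expected
        findings.append(f"phase1 identity: gateway sends {gw_id[0]} '{gw_id[1]}', "
                        f"client expects {cl_type} '{cl_name}'")
    transforms = csv(gw[gw[peer]["Configuration"]]["Transforms"])
    if (want := racoon_phase1_transform(cl)) not in transforms:
        findings.append(f"phase1 proposal: client offers {want}, gateway accepts {transforms}")
    qm = gw[csv(gw["Phase 2"]["Passive-connections"])[0]]["Configuration"]
    suites = csv(gw[qm]["Suites"])
    if (want := racoon_phase2_suite(cl)) not in suites:
        findings.append(f"phase2 suite: client wants {want}, gateway offers {suites}")
    return findings
```

cross_check(parse_isakmpd(ISAKMPD_CONF), parse_racoon(RACOON_CONF)) returns one finding for the posted files, the identity line. The script compares configuration only; it says nothing about certificates, so a clean result still leaves the CA and subjectAltName checks to the daemons themselves.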