[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

VPN problems isakmpd vs. ssh sentinel



Hi,

I have set up isakmpd and SSH sentinel as proposed on
http://www.allard.nu/openbsd/sentinel/ and
have run into problem with the x509 certificate exchange:

Starting "isakmpd -4 -DA=70" on OpenBSD 3.6 / GENERIC shows:

---

Feb 20 10:57:24 legolas isakmpd[31324]: monitor_init: pid 11877 my fd 6
Feb 20 10:57:24 legolas isakmpd[11877]: monitor_init: pid 0 my fd 5
Feb 20 10:57:24 legolas isakmpd[11877]: monitor_init: privileges dropped 
for child process
Feb 20 10:57:24 legolas isakmpd[11877]: connection_record_passive: 
passive connection "IPsec-gbf-roadwarrior" added
Feb 20 10:57:24 legolas isakmpd[11877]: policy_init: initializing
Feb 20 10:57:24 legolas isakmpd[11877]: x509_read_from_dir: reading 
certs from /etc/isakmpd/ca/
Feb 20 10:57:24 legolas isakmpd[11877]: x509_read_from_dir: reading 
certificate ca.crt
Feb 20 10:57:24 legolas isakmpd[11877]: x509_read_from_dir: reading 
certs from /etc/isakmpd/certs/
Feb 20 10:57:24 legolas isakmpd[11877]: x509_read_from_dir: reading 
certificate legolas.gbf.de.crt
Feb 20 10:57:24 legolas isakmpd[11877]: x509_hash_enter: cert 0x3c06b500 
added to bucket 12
Feb 20 10:57:24 legolas isakmpd[11877]: x509_hash_enter: cert 0x3c06b500 
added to bucket 55
Feb 20 10:57:24 legolas isakmpd[11877]: x509_read_crls_from_dir: reading 
CRLs from /etc/isakmpd/crls/
Feb 20 10:57:24 legolas isakmpd[11877]: virtual_listen_lookup: no match
Feb 20 10:57:24 legolas last message repeated 2 times
Feb 20 10:57:24 legolas isakmpd[11877]: udp_make: transport 0x3c1ecd80 
socket 9 ip 193.175.244.183 port 500
Feb 20 10:57:24 legolas isakmpd[11877]: transport_setup: added 
0x3c1ecd80 to transport list
Feb 20 10:57:24 legolas isakmpd[11877]: udp_encap_make: transport 
0x3c1ecdc0 socket 10 ip 193.175.244.183 port 4500
Feb 20 10:57:24 legolas isakmpd[11877]: transport_setup: added 
0x3c1ecdc0 to transport list
Feb 20 10:57:24 legolas isakmpd[11877]: transport_setup: virtual 
transport 0x3c1eccc0
Feb 20 10:57:24 legolas isakmpd[11877]: virtual_init: not binding ISAKMP 
port(s) to ADDR_ANY
Feb 20 10:57:47 legolas isakmpd[11877]: transport_setup: added 
0x3c1ece40 to transport list
Feb 20 10:57:47 legolas isakmpd[11877]: transport_setup: added 
0x3c1ece80 to transport list
Feb 20 10:57:47 legolas isakmpd[11877]: virtual_clone: old 0x3c1eccc0 
new 0x3c1ece00 (main is 0x3c1ece40)
Feb 20 10:57:47 legolas isakmpd[11877]: transport_setup: virtual 
transport 0x3c1ece00
Feb 20 10:57:47 legolas isakmpd[11877]: message_recv: message 0x3c06b600

----

When the sentinel client tries to connect, this is what gets logged:

...
Feb 20 10:57:47 legolas isakmpd[11877]: MSG_TYPE: INITIAL_CONTACT
Feb 20 10:57:47 legolas isakmpd[11877]: ipsec_responder: phase 1 
exchange 2 step 4
Feb 20 10:57:47 legolas isakmpd[11877]: ike_phase_1_recv_ID: USER_FQDN:
Feb 20 10:57:47 legolas isakmpd[11877]: 6178656c 2e776167 6e657240 
6762662e 6465
Feb 20 10:57:47 legolas isakmpd[11877]: x509_hash_find: no certificate 
matched query
Feb 20 10:57:47 legolas isakmpd[11877]: x509_generate_kn: added credential
Feb 20 10:57:47 legolas isakmpd[11877]: x509_hash_enter: cert 0x3c06bc00 
added to bucket 61
Feb 20 10:57:47 legolas isakmpd[11877]: x509_hash_enter: cert 0x3c06bc00 
added to bucket 2
Feb 20 10:57:47 legolas isakmpd[11877]: hash_get: requested algorithm 1
Feb 20 10:57:47 legolas isakmpd[11877]: message_free: freeing 0x3c06b780
Feb 20 10:57:47 legolas isakmpd[11877]: transport_release: freeing 
0x3c06c580
Feb 20 10:57:47 legolas isakmpd[11877]: crypto_update_iv: updated IV:
Feb 20 10:57:47 legolas isakmpd[11877]: a3d4230d 7c0e7940
Feb 20 10:57:47 legolas isakmpd[11877]: exchange_run: exchange 
0x3c067f00 finished step 4, advancing...
Feb 20 10:57:47 legolas isakmpd[11877]: ipsec_responder: phase 1 
exchange 2 step 5
Feb 20 10:57:47 legolas isakmpd[11877]: ike_phase_1_send_ID: IPV4_ADDR:
Feb 20 10:57:47 legolas isakmpd[11877]: c1aff4b7
Feb 20 10:57:47 legolas isakmpd[11877]: keynote_cert_obtain: failed to 
open "/etc/isakmpd/keynote//193.175.244.183/credentials"
Feb 20 10:57:47 legolas isakmpd[11877]: x509_hash_find: no certificate 
matched query
Feb 20 10:57:47 legolas isakmpd[11877]: rsa_sig_encode_hash: no 
certificate to send
...

I have stripped away lines due to massive output - hopefully not lines 
containing necessary information. Of course, I can
provide the whole output.


My isakmpd.conf:

[General]
Listen-on=              193.175.244.183

[Phase 1]
Default=                ISAKMP-peer-roadwarrior

[Phase 2]
Passive-connections=    IPsec-gbf-roadwarrior

[ISAKMP-peer-raodwarrior]
Phase=                  1
Transport=              udp
Configuration=          Default-rsa-main-mode
ID=                     Legolas

[IPsec-gbf-roadwarrior]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-roadwarrior
Configuration=          Default-rsa-quick-mode
Local-ID=               Net-gbf
Remote-ID=              dummy-remote

[Legolas]
ID-type=                FQDN
Name=                   legolas.gbf.de

[dummy-remote]
ID-type=                IPV4_ADDR
Address=                0.0.0.0

[Net-gbf]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.50.0
Netmask=                255.255.255.0

[Default-rsa-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             
3DES-SHA-RSA_SIG,3DES-MD5-RSA_SIG,AES-SHA-RSA_SIG,AES-MD5-RSA_SIG

[Default-rsa-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 
QM-ESP-AES-MD5-PFS-SUITE,QM-ESP-AES-SHA-PFS-SUITE,QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-3DES-MD5-PFS-SUITE

---

My isakmpd.policy:

KeyNote-Version: 2
Authorizer: "POLICY"
Licensees:      "CA"

KeyNote-Version: 2
Authorizer:     "CA"
Licensees: "DN:/C=DE/ST=Niedersachsen/L=Braunschweig/O=GBF GmbH/OU=RZ"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";


---

Certificates and Keys:

./ca:
total 2
-rw-r--r--  1 root  wheel  985 Feb 20 10:34 ca.crt

./certs:
total 2
-rw-r--r--  1 root  wheel  1017 Feb 20 10:56 legolas.gbf.de.crt

./crls:

./keynote:

./private:
total 2
-rw-------  1 root  wheel  887 Feb 20 10:35 local.key

---

CA x509:

root_(_at_)_legolas:/etc/isakmpd# openssl x509 -in ca/ca.crt  -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=DE, ST=Niedersachsen, L=Braunschweig, O=GBF GmbH, 
OU=RZ, CN=RootCA/emailAddress=aw_(_at_)_gbf_(_dot_)_de
        Validity
            Not Before: Feb 20 09:34:23 2005 GMT
            Not After : Feb 20 09:34:23 2007 GMT
        Subject: C=DE, ST=Niedersachsen, L=Braunschweig, O=GBF GmbH, 
OU=RZ, CN=RootCA/emailAddress=aw_(_at_)_gbf_(_dot_)_de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:be:33:71:37:00:fb:5f:11:c5:b3:1a:d0:87:9b:
                    56:1d:d2:c2:31:28:db:a9:52:62:6f:f0:a8:a6:83:
                    c5:bd:36:ba:52:44:d9:9d:f0:b8:b6:43:59:e6:3a:
                    05:b6:49:27:a1:44:ec:69:0c:c4:f9:01:57:3a:20:
                    ec:6d:ad:57:93:0a:92:a4:33:4e:92:28:86:11:fc:
                    44:54:c1:d6:76:45:a8:18:89:ae:5d:00:a8:36:f5:
                    7c:03:ed:6f:4e:58:ad:ca:df:81:0c:6e:95:2c:0a:
                    4a:01:55:07:c9:a1:98:c8:2f:cf:ee:75:99:20:61:
                    64:21:f8:28:e5:58:66:35:57
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Key Usage:
                Digital Signature, Certificate Sign
    Signature Algorithm: md5WithRSAEncryption
        44:5f:01:b8:b4:cf:e4:8d:8f:06:b1:d4:45:c2:19:46:05:f2:
        c3:b5:45:54:46:27:c5:45:d7:8e:2d:1d:82:fb:2e:e9:66:87:
        88:45:91:be:93:ca:1c:6e:d6:bb:5b:ac:b2:b3:eb:dc:21:77:
        a2:b3:ee:d5:ff:f8:b2:05:18:b6:95:26:a3:03:b6:93:d9:61:
        d5:39:9b:82:2a:c5:29:b1:9a:50:c7:64:c2:5d:b4:c3:be:9c:
        e5:d8:b7:e3:65:be:12:9f:62:05:51:24:1c:42:ed:aa:e5:8b:
        7e:4b:23:12:1a:bb:5b:40:b4:01:e4:be:2a:43:ff:5a:cf:b4:
        c4:98
---

GATEWAY x509:

root_(_at_)_legolas:/etc/isakmpd# openssl x509 -in certs/legolas.gbf.de.crt 
-noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=DE, ST=Niedersachsen, L=Braunschweig, O=GBF GmbH, 
OU=RZ, CN=RootCA/emailAddress=aw_(_at_)_gbf_(_dot_)_de
        Validity
            Not Before: Feb 20 09:37:11 2005 GMT
            Not After : Feb 20 09:37:11 2006 GMT
        Subject: C=DE, ST=Niedersachsen, L=Braunschweig, O=GBF GmbH, 
OU=RZ, CN=legolas.gbf.de/emailAddress=aw_(_at_)_gbf_(_dot_)_de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ab:12:44:92:42:de:cc:70:59:67:de:43:76:69:
                    f7:db:7e:0c:69:fb:1c:cb:b7:d3:36:2f:9a:aa:f0:
                    5e:2a:07:58:89:9f:cd:38:cb:da:65:26:42:2f:8c:
                    68:71:2a:e0:c3:9a:be:a4:a3:e6:f5:94:0e:89:e2:
                    80:fb:3a:0f:60:e6:00:f6:78:9e:a6:d6:a7:5b:34:
                    3a:b0:f6:34:f4:cf:ec:4b:6d:2f:b2:0a:9b:54:03:
                    48:31:f8:50:64:a0:b7:9f:bf:68:d6:9c:eb:a8:70:
                    8b:17:aa:db:2b:c7:2c:c4:75:5d:39:ab:b2:1f:a8:
                    b2:7a:20:b3:89:ae:48:7c:a7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: critical
                DNS:legolas.gbf.de
            X509v3 Subject Alternative Name: critical
                IP Address:193.175.244.183
    Signature Algorithm: md5WithRSAEncryption
        a2:72:27:ce:39:33:76:11:db:38:74:ac:91:74:79:7f:5a:24:
        ec:ff:5e:9a:80:8f:a7:fc:52:6f:b3:5e:cb:9f:5e:dc:f1:d3:
        e5:10:99:09:3a:d0:b6:94:84:66:ce:76:48:d4:be:19:66:fd:
        bb:23:cd:07:e1:c1:39:f1:77:bb:13:6e:c5:61:49:07:e7:89:
        72:10:6d:56:8b:a2:3a:46:1e:1a:3b:7c:74:dd:c4:e3:d5:81:
        85:de:9d:27:46:9d:cc:38:bb:6e:b1:aa:85:ec:91:3f:49:1d:
        ca:bd:1a:1b:2e:ac:12:3f:d7:76:e2:e7:f7:4f:29:fd:84:7b:
        c2:b2

---

USER x509:

root_(_at_)_legolas:/etc/isakmpd# openssl x509 -in ../ssl/users/AxelWagner.crt  
-noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=DE, ST=Niedersachsen, L=Braunschweig, O=GBF GmbH, 
OU=RZ, CN=RootCA/emailAddress=aw_(_at_)_gbf_(_dot_)_de
        Validity
            Not Before: Feb 20 09:38:43 2005 GMT
            Not After : Feb 20 09:38:43 2006 GMT
        Subject: C=DE, ST=Niedersachsen, L=Braunschweig, O=GBF GmbH, 
OU=RZ, CN=AxelWagner/emailAddress=aw_(_at_)_gbf_(_dot_)_de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:af:e4:e1:3b:66:1b:97:64:0c:ec:de:bf:a1:aa:
                    4c:28:92:99:72:08:7a:84:11:4b:2f:66:84:d1:36:
                    b8:4d:7c:1b:e3:78:af:80:b0:21:e7:b6:45:a7:6e:
                    1e:5f:cd:e8:47:26:f0:82:ef:fc:77:d9:41:da:8b:
                    ec:8d:3c:32:b2:98:d3:53:23:01:41:6f:45:86:a1:
                    04:10:ef:76:d1:fd:b5:17:dd:f4:7f:8c:1d:4b:73:
                    d5:c1:3d:96:2a:70:bd:27:1e:9b:39:e5:4d:b9:11:
                    60:6e:7e:36:6b:44:d3:01:b2:d4:96:dc:e7:6f:49:
                    2e:ab:5a:b1:07:19:dd:e5:21
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: critical
                email:axel_(_dot_)_wagner_(_at_)_gbf_(_dot_)_de
    Signature Algorithm: md5WithRSAEncryption
        b3:9d:64:b4:09:e0:6e:0d:ab:18:fd:45:f3:a1:23:20:b9:18:
        bd:28:b2:f5:14:3c:b8:47:88:bb:ab:c4:e9:e0:1b:7f:bc:18:
        67:1b:dc:ff:1a:83:3e:f1:bb:1e:8b:a8:e8:74:fe:0f:bf:a8:
        ab:52:6a:d7:10:e2:d1:be:09:f7:21:10:65:c8:4f:00:0d:fb:
        a1:a9:ed:19:43:26:41:00:2c:23:9a:56:04:e8:1c:69:d6:22:
        90:a8:65:fb:f3:89:18:d3:05:b3:03:20:5d:ef:93:3c:9c:88:
        41:43:24:4e:da:c9:46:d7:fc:6d:91:46:95:c1:c8:49:82:3b:
        8d:92

---

I have googled on the messages " x509_hash_find: no certificate matched 
query" and
"rsa_sig_encode_hash: no certificate to send", but haven't found 
anything helpful.

As far as I understand the logging messages, the gateway receives the 
user cert,
but does not send it's own cert in return.
That's why authentication failed in phase 1, right?

What does the line "x509_hash_find: no certificate matched query" mean?

How do I get to know which certificate was queried?

SSH sentinel tries to connect to "legolas.gbf.de" (using FQDN).
Why does isakmpd tries to send IPV4_ADDR?

Any kind of help would be very appreciated. Thanks!

Axel Wagner