SSH Sentinel?
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: SSH Sentinel?
- From: newsham_(_at_)_lava_(_dot_)_net (Tim Newsham)
- Date: Mon, 16 Apr 2001 12:53:50 -1000 (HST)
Hi,

I'm playing with the SSH Sentinel IPSEC implementation (available for
demo at www.ssh.com). The hurdles I passed so far are:

- They require x509v3 fields present in the CA (in particular,
  the CA:true tag). I had to adjust my openssl commands and
  generate new certs.

- They send out both SECONDS and KILOBYTES type lifetimes.
  I had to adjust isakmpd.conf to add a new suite which
  included both a lifetime of 3600 seconds and ANY kilobytes.

  I think isakmpd can be adjusted to make this easier in
  the future. All suites using time based lifetimes should be
  augmented to support any data lifetime, and similarly any
  suite using transfer based lifetimes should be augmented to
  support any seconds lifetime. For example:

      [3DES-SHA-RSA_SIG]
      ....
      Life=             LIFE_1HR,LIFE_ANY_DATA

      [LIFE_1HR]
      LIFE_TYPE=        SECONDS
      LIFE_DURATION=    3600,60:8640

      [LIFE_ANY_DATA]
      LIFE_TYPE=        KILOBYTES
      LIFE_DURATION=    ANY

  This won't affect functionality, except to make interop simpler,
  since you don't normally mind if the peer rekeys more often than
  you would.
The hurdle I'm on right now is this:

    Sentinel -> obsd     SA
    obsd -> Sentinel     SA
    Sentinel -> obsd     KE, NONCE, CertReq

CertReq is:

    next payload = 0
    length = 5
    cert type = 4 (x509)
    [no certificate authority data follows]

The openbsd box at this point complains about ID missing in
x509_cert_obtain, because it is trying to look up the
id from the exchange->id_i or exchange->id_r, which has not
yet been exchanged. No reply is ever sent and the protocol
grinds to a halt. I'm not sure what the openbsd box is supposed
to do at this point. Any ideas?
Tim N.
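The lifetime-matching idea from the mail, written out as an added example (this is not isakmpd's code and not part of the original post). It models a suite that lists a SECONDS lifetime with a preferred value and an acceptable range plus an ANY KILOBYTES lifetime, and checks a peer's offer against it. The assumptions are: LIFE_DURATION uses isakmpd.conf's "preferred,min:max" form as in the mail's 3600,60:8640; ANY means "accept whatever the peer offers for that type"; and a lifetime type the peer sends that the suite has no entry for is a mismatch. The config dictionary and the peer offers are constructed for the example.

```python
"""
Added example (not isakmpd code): a small model of the lifetime matching the
mail proposes.  A suite naming LIFE_1HR,LIFE_ANY_DATA accepts a peer that sends
both a SECONDS and a KILOBYTES lifetime; a suite naming only LIFE_1HR does not.
Assumptions: LIFE_DURATION is "preferred,min:max" (or a single exact value),
ANY accepts any offered value, and an offered type with no matching spec in
the suite is a mismatch.
"""
from typing import Dict, List, Optional


class LifeSpec:
    """One [LIFE_*] section: a lifetime type plus either a range or ANY."""

    def __init__(self, life_type: str, duration: str):
        self.life_type = life_type.upper()
        self.any = duration.strip().upper() == "ANY"
        self.preferred = self.minimum = self.maximum = None
        if not self.any:
            # "3600,60:8640" -> preferred 3600, acceptable 60..8640;
            # a bare "3600" means exactly 3600.
            pref, _, rng = duration.partition(",")
            self.preferred = int(pref)
            if rng:
                lo, hi = rng.split(":", 1)
                self.minimum, self.maximum = int(lo), int(hi)
            else:
                self.minimum = self.maximum = self.preferred
            if not (self.minimum <= self.preferred <= self.maximum):
                raise ValueError(f"preferred value outside range: {duration}")

    def accepts(self, offered: int) -> bool:
        """True when the peer's offered value fits this spec."""
        return self.any or self.minimum <= offered <= self.maximum


# Constructed config mirroring the mail's sections (plus one suite that
# lacks a data lifetime, to show the interop failure the mail hit).
CONFIG: Dict[str, Dict[str, str]] = {
    "3DES-SHA-RSA_SIG": {"Life": "LIFE_1HR,LIFE_ANY_DATA"},
    "3DES-SHA-RSA_SIG-OLD": {"Life": "LIFE_1HR"},
    "LIFE_1HR": {"LIFE_TYPE": "SECONDS", "LIFE_DURATION": "3600,60:8640"},
    "LIFE_ANY_DATA": {"LIFE_TYPE": "KILOBYTES", "LIFE_DURATION": "ANY"},
}


def suite_lifetimes(config: Dict[str, Dict[str, str]], suite: str) -> List[LifeSpec]:
    """Resolve a suite's Life= list into LifeSpec objects."""
    names = [n.strip() for n in config[suite]["Life"].split(",") if n.strip()]
    return [LifeSpec(config[n]["LIFE_TYPE"], config[n]["LIFE_DURATION"]) for n in names]


def negotiate(specs: List[LifeSpec], offered: Dict[str, int]) -> Optional[Dict[str, int]]:
    """Return the accepted lifetimes, or None if the peer's offer does not fit.

    Every lifetime type the peer sends must have a spec in the suite and the
    offered value must fall within that spec's range unless it is ANY.  A
    type the suite lists as ANY but the peer omits is simply not negotiated,
    so adding LIFE_ANY_DATA never breaks a peer that sends only SECONDS.
    """
    by_type = {s.life_type: s for s in specs}
    accepted: Dict[str, int] = {}
    for life_type, value in offered.items():
        spec = by_type.get(life_type.upper())
        if spec is None or not spec.accepts(value):
            return None
        accepted[spec.life_type] = value
    return accepted


if __name__ == "__main__":
    peer = {"SECONDS": 3600, "KILOBYTES": 102400}   # constructed peer offer
    print("new suite:", negotiate(suite_lifetimes(CONFIG, "3DES-SHA-RSA_SIG"), peer))
    print("old suite:", negotiate(suite_lifetimes(CONFIG, "3DES-SHA-RSA_SIG-OLD"), peer))
```

Running it shows the suite with LIFE_ANY_DATA accepting the two-lifetime offer while the SECONDS-only suite returns None, which is the mismatch the mail worked around by hand.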
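The KE, NONCE, CertReq chain from the mail, decoded as an added example (not isakmpd or SSH Sentinel code, and not part of the original post). It walks ISAKMP payloads using the RFC 2408 generic payload header (next payload, reserved, 16-bit length) and then decodes the Certificate Request body (one certificate-encoding byte followed by optional certificate authority data), so the case in the mail, length 5 and no CA data, comes out as an empty `ca` field rather than an error. The KE and NONCE bodies and the CA bytes are constructed filler; the helper names are this example's own.

```python
"""
Added example (not isakmpd or SSH Sentinel code): walk an ISAKMP payload
chain and decode Certificate Request payloads per RFC 2408.  The sample
bytes are constructed here to match the mail's exchange: KE, NONCE, then a
CertReq of length 5 (4-byte header + encoding byte 4 = X.509 signature)
with no certificate authority data.
"""
import struct
from typing import Dict, Iterator, List, Optional, Tuple

# RFC 2408 payload type numbers used in this example
KE, CERTREQ, NONCE = 4, 7, 10

# RFC 2408 section 3.9 certificate encoding values
CERT_ENCODING = {
    1: "PKCS #7 wrapped X.509", 2: "PGP", 3: "DNS signed key",
    4: "X.509 - signature", 5: "X.509 - key exchange", 6: "Kerberos tokens",
    7: "CRL", 8: "ARL", 9: "SPKI", 10: "X.509 - attribute",
}


def walk_payloads(buf: bytes, first_type: int) -> Iterator[Tuple[int, bytes]]:
    """Yield (payload_type, body) for each payload, following the next-payload links.

    first_type is the Next Payload value from the ISAKMP header; each generic
    payload header names the type of the payload that follows it, 0 meaning none.
    """
    ptype, off = first_type, 0
    while ptype != 0:
        if len(buf) - off < 4:
            raise ValueError(f"truncated payload header at offset {off}")
        next_type, _reserved, length = struct.unpack_from("!BBH", buf, off)
        if length < 4 or off + length > len(buf):
            raise ValueError(f"bad payload length {length} at offset {off}")
        yield ptype, buf[off + 4: off + length]
        ptype, off = next_type, off + length
    if off != len(buf):
        raise ValueError("trailing bytes after last payload")


def parse_certreq(body: bytes) -> Dict[str, object]:
    """Decode a Certificate Request body: encoding byte, then optional CA data."""
    if not body:
        raise ValueError("CertReq body missing certificate encoding byte")
    enc = body[0]
    return {"encoding": enc,
            "encoding_name": CERT_ENCODING.get(enc, "unknown"),
            "ca": body[1:]}   # b"" when the peer names no CA, as in the mail


def certreqs(buf: bytes, first_type: int) -> List[Dict[str, object]]:
    """Return all decoded CertReq payloads in the chain."""
    return [parse_certreq(body) for t, body in walk_payloads(buf, first_type) if t == CERTREQ]


def decode_error(buf: bytes, first_type: int) -> Optional[str]:
    """Return the error message for a malformed chain, or None if it decodes."""
    try:
        list(walk_payloads(buf, first_type))
        return None
    except ValueError as exc:
        return str(exc)


def build_payload(next_type: int, body: bytes) -> bytes:
    """Generic payload header (next, reserved=0, length) followed by the body."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


# Constructed sample: KE -> NONCE -> CertReq(x509, no CA).  Bodies are filler.
SAMPLE = (build_payload(NONCE, b"\x11" * 8)
          + build_payload(CERTREQ, b"\x22" * 8)
          + build_payload(0, b"\x04"))

# Same chain but the CertReq carries (constructed, non-DER) CA bytes.
SAMPLE_WITH_CA = SAMPLE[:-5] + build_payload(0, b"\x04" + b"CN=Example CA (constructed)")

if __name__ == "__main__":
    for t, body in walk_payloads(SAMPLE, KE):
        print(f"type {t:2d} body {body.hex()}")
    print(certreqs(SAMPLE, KE))
    print(certreqs(SAMPLE_WITH_CA, KE))
```

The empty `ca` result is the shape a responder sees in the mail's trace: the peer asks for an X.509 signature certificate without naming an issuer, so any certificate-selection logic keyed on the peer's CA or on an identity payload that has not arrived yet has nothing to go on.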