On Sat, 17 Feb 2001, Christian Bahls wrote:
[snap]
> Authorizer: "POLICY"
> Licensees: "DN:/C=DE/ST=Sachsen/L=Leipzig/O=iT-NetService
> GmbH/OU=Network Security/CN=west.vpn.my/Email=c.bahls@it-netservice.de"
If you want to authorize using the CA certificate, the previous line
should read:
.../OU=Network Security/CN=ca.vpn.my/Email=...
and the CA certificate should be in /etc/isakmpd/ca/ (unless you
changed the location, which you didn't if I recall correctly). If you want
to authorize just west.vpn.my, the line above is correct, I think
(assuming that this line is from the policy file on east.vpn.my).
[snap]
> 233936.511550 Cryp 60 x509_read_from_dir: reading certificate
> west.vpn.my.crt
[snap]
> 233936.617308 Cryp 80 x509_generate_kn: added policy:
> Authorizer: "DN:/C=DE/ST=Sachsen/L=Leipzig/O=iT-NetService
> GmbH/OU=Network Security/CN=ca.vpn.my/Email=c.bahls@it-netservice.de"
> Licensees: "DN:/C=DE/ST=Sachsen/L=Leip
> 233936.617391 Cryp 60 x509_read_from_dir: reading certificate
> east.vpn.my.crt
[snap]
> 233936.631492 Cryp 80 x509_generate_kn: added policy:
> Authorizer: "DN:/C=DE/ST=Sachsen/L=Leipzig/O=iT-NetService
> GmbH/OU=Network Security/CN=ca.vpn.my/Email=c.bahls@it-netservice.de"
> Licensees: "DN:/C=DE/ST=Sachsen/L=Leip
> Look for the Licensees: field... the second '"' is really missing!!
>
> Could that be my problem?
Well, I just had a quick glimpse at the sources of isakmpd from -current,
and the logging mechanism appears to truncate messages at 200 bytes, so
the message above appears to be normal to me. Also, both the east and west
certificates appear to be read and entered correctly (incidentally, if you
are using the CA certificate for authorization, you only need the
certificate of the local system to be in /etc/isakmpd/certs/).
If phase 1 is still failing, I can only think of the following
potential problems:
(1) the clock is set incorrectly on one or both systems so that the
system(s) think that the certificates are not yet valid, or not valid
anymore
(2) /etc/isakmpd/private/local.key is missing
(3) the ID for phase 1 on one of the systems is incorrect (but this wasn't
the case if I recall your isakmpd.conf files correctly)
(4) the policy file on one of the systems is not correct. If you are using
the CA certificate to authorize, see my comment above. Otherwise, on
east.vpn.my you should have:
Licensees: "DN:/.../CN=west.vpn.my/..."
and on west.vpn.my you should have:
Licensees: "DN:/.../CN=east.vpn.my/..."
Unless my understanding is not correct, or I overlooked something, of
course... Anybody got any other suggestions?
Regards,
Daniel
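The two checks discussed in the reply above, as an added example that is not part of the mail or of isakmpd: whether the cut-off Licensees line is just the 200-byte log truncation, and whether a policy's Licensees DN names the peer or the CA. The 200-byte limit is taken from the mail, and the sample log lines are re-typed from the quoted output.

```python
"""Checks for the two isakmpd/KeyNote symptoms discussed in the mail above.
Added example, not code from the mail or from isakmpd itself; it assumes the
200-byte log limit stated in the mail and re-types the quoted log lines."""
import re

LOG_SIZE = 200                                  # limit stated in the mail (assumed)
LOG_PREFIX = re.compile(r"^\d+\.\d+ \w+ \d+ ")  # "233936.617308 Cryp 80 "

def reassemble_message(lines):
    """Join one multi-line debug message, dropping the timestamp/class/level
    prefix that the logger puts in front of the first line only."""
    first = LOG_PREFIX.sub("", lines[0], count=1)
    return "\n".join([first] + list(lines[1:]))

def diagnose_policy_log(lines):
    """Explain an 'added policy' message whose quotes look unbalanced."""
    msg = reassemble_message(lines)
    if msg.count('"') % 2 == 0:
        return "ok"
    if len(msg.encode()) >= LOG_SIZE - 1:   # 199 chars + NUL fill the buffer
        return "truncated"                  # cosmetic: the policy itself is fine
    return "malformed"                      # short yet unbalanced: check the file

def dn_cn(dn):
    """Return the CN attribute of a slash-separated DN like /C=DE/.../CN=x."""
    for part in dn.split("/"):
        if part.startswith("CN="):
            return part[3:]
    return None

def check_licensees(policy_text, peer_cn, ca_cn):
    """Classify a policy's Licensees field: it should name the peer's own
    certificate ('peer') or the CA ('ca'); anything else fails phase 1."""
    m = re.search(r'^Licensees:\s*"DN:([^"]*)"', policy_text, re.M)
    if not m:
        return "missing"
    cn = dn_cn(m.group(1))
    if cn == ca_cn:
        return "ca"
    return "peer" if cn == peer_cn else "mismatch:%s" % cn

# Constructed sample: the quoted excerpt, with the mail's line wrapping undone.
SAMPLE_LOG = [
    "233936.617308 Cryp 80 x509_generate_kn: added policy:",
    'Authorizer: "DN:/C=DE/ST=Sachsen/L=Leipzig/O=iT-NetService GmbH'
    '/OU=Network Security/CN=ca.vpn.my/Email=c.bahls@it-netservice.de"',
    'Licensees: "DN:/C=DE/ST=Sachsen/L=Leip',
]
```

Running diagnose_policy_log(SAMPLE_LOG) classifies the quoted message as "truncated", matching the reply's explanation; check_licensees run against each host's policy file with the other host's CN flags a Licensees line that names the wrong certificate.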