Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

ISAKMPD errors with aggressive mode and certificates

64 views
Skip to first unread message

Juha Luoma

unread,
Sep 10, 2002, 5:08:52 PM9/10/02
to
Hello,

I'm trying to set up a IPSec VPN with ISAKMPD. I first set it up with
preshared secrets authentication and it worked fine.

Now I'm trying to set it up using certificates and RSA_SIG as an
authentication method. I have CA cert, local cert and local private key
in correct directories. In phase 1 I'm using aggressive mode, USER_FQDN
as local ID and the remote ID is IPV4_ADDR. These ID's are correctly in
respective certificates in subject alternative name extension.

My OpenBSD 3.1 box initiates aggressive mode correctly and remote
gateway responds to it correctly. With Ethereal I have verified that IKE
packets seem to contain correct ID payloads.

However, I'm getting following error when my box receives aggressive
mode responce from remote peer:

144537.146663 Misc 95 conf_get_str: [Outlaw-eunet]:Remote-ID->Outlaw-ID
144537.146772 Misc 95 conf_get_str: [Outlaw-ID]:ID-type->IPV4_ADDR
144537.146876 Misc 95 conf_get_str: [Outlaw-ID]:Address->XXX.XXX.XXX.XXX
144537.147044 Negt 40 ike_phase_1_recv_ID: IPV4_ADDR:
144537.147139 Negt 40 XXXXXXXX
144537.147278 Cryp 70 x509_hash_find: no certificate matched query
144537.161336 Default x509_cert_subjectaltname: subjectaltname invalid length
144537.161575 Default rsa_sig_decode_hash: can not get subject from CERT
144537.161705 Misc 95 conf_get_str: configuration value not found [General]:Pubkey-directory
144537.161987 Negt 50 get_raw_key_from_file: file /etc/isakmpd/pubkeys/ipv4/XXX.XXX.XXX.XXX not found
144537.181102 Default rsa_sig_decode_hash: no public key found
144537.181275 Default dropped message from XXX.XXX.XXX.XXX port 500 due
to notification type INVALID_ID_INFORMATION

Remote end sent certificate and certificate request payloads in it's
response. What does above errors really mean? Can't isakmpd decode
remote certificate from the certificate payload? It seems to look for
the remote certificate (or public key) locally, but I don't want to do
that.

Any glue anyone?

- Juha

Hakan Olsson

unread,
Sep 10, 2002, 7:32:33 PM9/10/02
to
On Wed, 11 Sep 2002, Juha Luoma wrote:
...

>
> 144537.146663 Misc 95 conf_get_str: [Outlaw-eunet]:Remote-ID->Outlaw-ID
> 144537.146772 Misc 95 conf_get_str: [Outlaw-ID]:ID-type->IPV4_ADDR
> 144537.146876 Misc 95 conf_get_str: [Outlaw-ID]:Address->XXX.XXX.XXX.XXX
> 144537.147044 Negt 40 ike_phase_1_recv_ID: IPV4_ADDR:
> 144537.147139 Negt 40 XXXXXXXX
> 144537.147278 Cryp 70 x509_hash_find: no certificate matched query
> 144537.161336 Default x509_cert_subjectaltname: subjectaltname invalid length

The received certificate seems bogus. Does 'openssl x509 -in foo.crt
-noout -text' produce good results? (I've actually never seen a
certificate that produces that error...)

And because this fails...

> 144537.161575 Default rsa_sig_decode_hash: can not get subject from CERT

we cannot use the certificate, meaning we are unable to get a public key
from it, so instead we fallback to ...

> 144537.161705 Misc 95 conf_get_str: configuration value not found [General]:Pubkey-directory
> 144537.161987 Negt 50 get_raw_key_from_file: file /etc/isakmpd/pubkeys/ipv4/XXX.XXX.XXX.XXX not found

try some additional methods to find a trusted public key to use (see
isakmpd(8) for more info), but when all of them fail, we give up ...

> 144537.181102 Default rsa_sig_decode_hash: no public key found
> 144537.181275 Default dropped message from XXX.XXX.XXX.XXX port 500 due
> to notification type INVALID_ID_INFORMATION

and tell the other peer that we cannot verify it's ID. Authentication
failed. Negotiation failed.

/H

--
Håkan Olsson <h...@crt.se> (+46) 708 437 337 Carlstedt Research
Unix, Networking, Security (+46) 31 701 4264 & Technology AB

Juha Luoma

unread,
Sep 11, 2002, 1:49:55 AM9/11/02
to
Many thanks for the log message explanations!

On Wed, 11 Sep 2002, Hakan Olsson wrote:

> On Wed, 11 Sep 2002, Juha Luoma wrote:
> ...
> >
> > 144537.146663 Misc 95 conf_get_str: [Outlaw-eunet]:Remote-ID->Outlaw-ID
> > 144537.146772 Misc 95 conf_get_str: [Outlaw-ID]:ID-type->IPV4_ADDR
> > 144537.146876 Misc 95 conf_get_str: [Outlaw-ID]:Address->XXX.XXX.XXX.XXX
> > 144537.147044 Negt 40 ike_phase_1_recv_ID: IPV4_ADDR:
> > 144537.147139 Negt 40 XXXXXXXX
> > 144537.147278 Cryp 70 x509_hash_find: no certificate matched query
> > 144537.161336 Default x509_cert_subjectaltname: subjectaltname invalid length
>
> The received certificate seems bogus. Does 'openssl x509 -in foo.crt
> -noout -text' produce good results? (I've actually never seen a
> certificate that produces that error...)

Yes. For the local certificate (USER_FQDN as ID):
...
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Alternative Name:
email:tes...@xxx.xxx.xxx
Signature Algorithm: md5WithRSAEncryption
50:d7:f9:94:bf:f4:8a:4c:cf:b2:83:fe:22:e8:76:a7:c1:bd:
...

For the remote certificate (IPV4_ADDR as ID):
...
X509v3 Subject Alternative Name:
IP Address:10.0.23.254, IP Address:xxx.xxx.xxx.xxx, IP
Address:xxx.xxx.xxx.xxx, IP Address:192.168.23.254
Signature Algorithm: md5WithRSAEncryption
69:b0:99:96:98:c2:36:a2:56:03:20:f0:5d:8e:9d:89:7a:a2:
...

Could the problem be that remote gateway certificate has several subject
alternative names? One of them is what I have configured as remote ID.
Remote gateway is not OpenBSD, and I'm not able to configure it with a
certificate that has only one subject alternative name (the gateway really
has more than one ipsec endpoint, so that's a requirement).

- Juha

0 new messages