i'd like to know if i'm parsing this right:

-[ isakmpd.policy(5) ]--------
     When X509-based authentication is performed in Main Mode, any X509
     certificates received from the remote IKE daemon are converted to very
     simple KeyNote credentials.  The conversion is straightforward: the issuer
     of the X509 certificate becomes the Authorizer of the KeyNote credential,
     the subject becomes the only Licensees entry, while the Conditions field
     simply asserts that the credential is only valid for "IPsec policy" use
     (see the app_domain action attribute below).
<...>
     app_domain
              Always set to IPsec policy.
------------------------------

  so if isakmpd on '[EMAIL PROTECTED]' shows me the following (-dD9=95):

------------------------------
220746.579540 Plcy 40 check_policy: kn_do_query returned 1
220747.231701 Plcy 30 keynote_cert_obtain: failed to open "/etc/isakmpd/keynote//[EMAIL PROTECTED]/credentials"
220747.916508 Plcy 40 check_policy: adding authorizer [rsa-hex:30818902818100acc3f1207cf63cade898032f5d1ab704a948a3450b1d5ec181e25fad29f9162ef29e32193a59354dab37ceec29797a022296fe726dbd286faba07da6f4b4b2fce2db1b28fe3952e9
220747.917162 Plcy 40 check_policy: adding authorizer [DN:/C=US/ST=NewYork/L=Rochester/O=vpn.sanitized.net/OU=p54c/[EMAIL PROTECTED]/[EMAIL PROTECTED]
220747.918147 Plcy 80 Policy context (action attributes):
220747.918539 Plcy 80 esp_present == yes
220747.918983 Plcy 80 ah_present == no
220747.919353 Plcy 80 comp_present == no
220747.919713 Plcy 80 ah_hash_alg ==
220747.920171 Plcy 80 esp_enc_alg == aes
220747.920511 Plcy 80 comp_alg ==
220747.920872 Plcy 80 ah_auth_alg ==
220747.921328 Plcy 80 esp_auth_alg == hmac-sha
220747.921698 Plcy 80 ah_life_seconds ==
220747.922121 Plcy 80 ah_life_kbytes ==
220747.922496 Plcy 80 esp_life_seconds == 1200
220747.922871 Plcy 80 esp_life_kbytes ==
220747.923324 Plcy 80 comp_life_seconds ==
220747.923689 Plcy 80 comp_life_kbytes ==
220747.924047 Plcy 80 ah_encapsulation ==
220747.924503 Plcy 80 esp_encapsulation == tunnel
220747.924874 Plcy 80 comp_encapsulation ==
220747.925373 Plcy 80 comp_dict_size ==
220747.925712 Plcy 80 comp_private_alg ==
220747.926078 Plcy 80 ah_key_length ==
220747.926534 Plcy 80 ah_key_rounds ==
220747.926876 Plcy 80 esp_key_length == 256
220747.927243 Plcy 80 esp_key_rounds ==
220747.927688 Plcy 80 ah_group_desc ==
220747.928050 Plcy 80 esp_group_desc == 14
220747.928500 Plcy 80 comp_group_desc ==
220747.928838 Plcy 80 ah_ecn == no
220747.929209 Plcy 80 esp_ecn == no
220747.929658 Plcy 80 comp_ecn == no
220747.930029 Plcy 80 remote_filter_type == IPv4 address
220747.930450 Plcy 80 remote_filter_addr_upper == 172.016.004.001
220747.930823 Plcy 80 remote_filter_addr_lower == 172.016.004.001
220747.931194 Plcy 80 remote_filter == 172.016.004.001
220747.931670 Plcy 80 remote_filter_port == 0
220747.932016 Plcy 80 remote_filter_proto == 0
220747.932409 Plcy 80 local_filter_type == IPv4 address
220747.932863 Plcy 80 local_filter_addr_upper == 172.016.007.017
220747.933238 Plcy 80 local_filter_addr_lower == 172.016.007.017
220747.933688 Plcy 80 local_filter == 172.016.007.017
220747.934032 Plcy 80 local_filter_port == 0
220747.934399 Plcy 80 local_filter_proto == 0
220747.934855 Plcy 80 remote_id_type == User FQDN
220747.935343 Plcy 80 remote_id_addr_upper ==
220747.935683 Plcy 80 remote_id_addr_lower ==
220747.936055 Plcy 80 remote_id == [EMAIL PROTECTED]
220747.936425 Plcy 80 remote_id_port == 0
220747.936847 Plcy 80 remote_id_proto == 0
220747.937218 Plcy 80 remote_negotiation_address == 067.050.143.054
220747.937591 Plcy 80 local_negotiation_address == 067.139.090.084
220747.938034 Plcy 80 pfs == yes
220747.938405 Plcy 80 initiator == yes
220747.938773 Plcy 80 phase1_group_desc == 14
220747.939446 Plcy 40 check_policy: kn_do_query returned 1
220748.642877 Plcy 30 keynote_cert_obtain: failed to open "/etc/isakmpd/keynote//[EMAIL PROTECTED]/credentials"
-------------------------------------

  for the UFQDN peer "[EMAIL PROTECTED]", who has the following
  output of 'openssl x509 -text < [EMAIL PROTECTED]':

-----------------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=Colorado, L=Boulder, O=vpn.sanitized.net, OU=CA, [EMAIL PROTECTED]/[EMAIL PROTECTED]
        Validity
            Not Before: May 14 12:36:37 2005 GMT
            Not After : May 14 12:36:37 2006 GMT
        Subject: C=US, ST=NewYork, L=Rochester, O=vpn.sanitized.net, OU=p54c, [EMAIL PROTECTED]/[EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ac:c3:f1:20:7c:f6:3c:ad:e8:98:03:2f:5d:1a:
                    b7:04:a9:48:a3:45:0b:1d:5e:c1:81:e2:5f:ad:29:
                    f9:16:2e:f2:9e:32:19:3a:59:35:4d:ab:37:ce:ec:
                    29:79:7a:02:22:96:fe:72:6d:bd:28:6f:ab:a0:7d:
                    a6:f4:b4:b2:fc:e2:db:1b:28:fe:39:52:e9:d6:7e:
                    8b:e1:cf:73:bb:51:ff:9d:71:f4:44:ec:8c:8a:e8:
                    42:aa:4a:5d:e2:93:49:c1:51:c0:5c:1e:10:26:e1:
                    e1:a9:d1:86:e0:2b:4e:26:d3:61:1c:b9:04:55:ba:
                    0d:06:a8:17:4b:7f:a4:33:bb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: critical
                email:[EMAIL PROTECTED]
    Signature Algorithm: md5WithRSAEncryption
        54:e8:c7:55:81:be:c2:68:a0:b6:1c:c0:ed:66:0b:d0:dc:da:
        3e:52:b9:ae:53:80:2d:c6:8a:00:d1:bb:fd:e5:63:99:3e:aa:
        17:59:2d:11:65:4f:af:61:04:bd:17:f4:35:29:48:df:b7:69:
        75:c5:cf:2e:8c:07:84:1f:a9:07:c1:a7:3a:be:28:06:96:d1:
        b9:d4:62:50:6d:1c:36:71:e9:a0:a1:db:2f:d4:82:6c:0b:a1:
        57:5c:31:b1:6a:36:28:72:ab:43:c4:31:00:bf:81:0d:5d:6a:
        da:3c:43:ab:b3:47:b4:45:60:44:06:cd:e1:b4:2c:39:8d:05:
        1e:bf
-----BEGIN CERTIFICATE----
<snip>
----------------------------------

  does that manpage snippet mean that all of those policy 
  thingers (Plcy 80) are not going to be useful to me in 
  the context of a 'conditions: blahblah && blahblah' section
  in the isakmpd.policy?

  i'm trying to enforce some policy action, instead of just
  being a punk and using the 2 line 'default accept' type of
  policy that i bet lots of ppl are still using <G>, but
  for instance, if that p54c@ host tries to make an IPsec
  connection to gateway@, where p54c@ uses IPV4_ADDR in its
  local-id/remote-id for the peer of '192.168.4.1' and '192.168.7.17'
  respectively, i still get an encap flow on gateway@ for those
  192.168 IPs (didn't paste that Plcy 80 string, but it's identical
  except for the {local,remote}_filter{,_addr_{lower,upper}} lines)
  despite the policy on gateway@ being:

------------------------
authorizer: "POLICY"
licensees: "DN:/C=US/ST=Colorado/L=Boulder/O=vpn.sanitized.net/OU=CA/[EMAIL PROTECTED]/[EMAIL PROTECTED]"

authorizer: "DN:/C=US/ST=Colorado/L=Boulder/O=vpn.sanitized.net/OU=CA/[EMAIL PROTECTED]/[EMAIL PROTECTED]"
local-constraints:
p54c="DN:/C=US/ST=NewYork/L=Rochester/O=vpn.sanitized.net/OU=p54c/[EMAIL PROTECTED]/[EMAIL PROTECTED]"
licensees:      p54c
conditions:     ((esp_present == "yes") &&
                 (esp_encapsulation == "tunnel") &&
                 (remote_id_type == "User FQDN") &&
                 (remote_id == "[EMAIL PROTECTED]"));

# p54c
authorizer:"DN:/C=US/ST=NewYork/L=Rochester/O=vpn.sanitized.net/OU=p54c/[EMAIL 
PROTECTED]/[EMAIL PROTECTED]
net"
conditions:     ((remote_filter_addr_upper == "172.016.004.001") &&
                 (remote_filter_addr_lower == "172.016.004.001") &&
                 (local_filter_addr_upper == "172.016.007.017") &&
                 (local_filter_addr_lower == "172.016.007.017"));
------------------------

  in other words, should i be able to enforce conditions
  such as what the remote/local filter addrs are, while using
  X509 certificates, based on isakmpd.policy declarations, 
  and i'm being dense, or does the manpage snippet essentially 
  render out to mean that the only 'Condition:' that i can 
  check against using isakmpd.policy is: "app_domain == "IPsec policy"" ?

  please let me know if this is insufficient info;

  thank you !,

  jared

-- 

[ openbsd 3.7 GENERIC ( may 17 ) // i386 ]
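A small model of the delegation the quoted manpage paragraph describes, added here as an example (it is not isakmpd's or libkeynote's code). It replaces KeyNote's condition language with Python predicates, uses placeholder DNs instead of the ones in the post, and evaluates the same three-assertion shape (POLICY -> CA -> peer) against a constructed subset of the "Plcy 80" action attributes, both with and without the credential that isakmpd derives from the peer's X509 certificate.

```python
from typing import Callable, Dict, List, NamedTuple

class Assertion(NamedTuple):
    authorizer: str
    licensees: List[str]   # any one listed principal satisfies (no k-of-n here)
    conditions: Callable[[Dict[str, str]], bool]

def x509_to_keynote(issuer_dn: str, subject_dn: str) -> Assertion:
    """The conversion isakmpd.policy(5) describes: the issuer becomes the
    Authorizer, the subject the only Licensee, and the Conditions field
    only asserts app_domain == "IPsec policy"."""
    return Assertion(issuer_dn, [subject_dn],
                     lambda env: env.get("app_domain") == "IPsec policy")

def query(assertions: List[Assertion], env: Dict[str, str], requester: str) -> bool:
    """Rough stand-in for kn_do_query: True if some chain POLICY -> ... ->
    requester exists in which every assertion's conditions hold for env."""
    def trusted(principal: str, seen: frozenset) -> bool:
        if principal == requester:
            return True            # the peer proved possession of this key
        if principal in seen:
            return False           # cycle guard
        return any(a.conditions(env) and trusted(lic, seen | {principal})
                   for a in assertions if a.authorizer == principal
                   for lic in a.licensees)
    return trusted("POLICY", frozenset())

CA = "DN:/C=US/O=placeholder-ca"          # placeholder for the CA's DN
P54C = "DN:/C=US/O=placeholder/OU=p54c"   # placeholder for the peer's DN

# The post's policy reduced to its assertions that have licensees: POLICY
# trusts the CA, and the CA's word for p54c is accepted only under conditions.
local_policy = [
    Assertion("POLICY", [CA], lambda env: True),
    Assertion(CA, [P54C], lambda env: env.get("esp_encapsulation") == "tunnel"
              and env.get("local_filter") == "172.016.007.017"),
]
# What isakmpd derives from the peer's X509 certificate in Main Mode.
from_cert = [x509_to_keynote(CA, P54C)]
# Action attributes: a constructed subset of the "Plcy 80" dump in the post.
good_flow = {"app_domain": "IPsec policy", "esp_encapsulation": "tunnel",
             "local_filter": "172.016.007.017"}
bad_flow = dict(good_flow, local_filter="192.168.007.017")

def local_only(env): return query(local_policy, env, P54C)          # no cert
def with_cert(env): return query(local_policy + from_cert, env, P54C)
# Same conditions attached to the POLICY assertion instead: the certificate
# can then only supply the CA -> p54c link, not a second, unconditioned one.
fixed_policy = [Assertion("POLICY", [CA], local_policy[1].conditions)]
def fixed(env): return query(fixed_policy + from_cert, env, P54C)
```

In this model `with_cert(bad_flow)` is true because the certificate-derived assertion is a second CA -> p54c assertion whose only condition is app_domain, so the conditions on the local CA -> p54c assertion never have to hold; `fixed(bad_flow)` is false because the filter checks sit on the POLICY assertion, which no received credential can duplicate.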
