i've been trying to write an isakmpd.conf for two peers to establish IPsec after using x509 certs for Phase 1. each peer has a copy of the CA cert in /etc/isakmpd/ca, has their own public cert in /etc/isakmpd/certs, and their private key in /etc/isakmpd/private. i used the procedure documented in 3.5's isakmpd(8) because i'm not sure how to get a subjectAltName of a user_fqdn without certpatch yet. all x509s were made by me recently, and there are no other x509 certs/keys in the above dirs other than mentioned.
both hosts are current from sep.1 snapshots/i386. isakmpd.policy is just 'authorizer: "POLICY"' on both. basically everything works great if i put my <Phase 1 ID> in a 'default-phase-1-id' line under "[general]", but if i do not use the 'default-phase-1-id', and instead, put reference my <Phase 1 ID> via 'ID=' in the <ISAKMP-peer> section, both peers use their own IP address as their phase 1 ID instead of their user_fqdn certificate. here are the full configs: -[peer a]---------------------------------------- [general] #default-phase-1-id= id1hklocal [phase 2] connections= cx [id1p54c] id-type= user_fqdn name= [EMAIL PROTECTED] [id1hklocal] id-type= user_fqdn name= [EMAIL PROTECTED] [cx] phase= 2 isakmp-peer= peerp54c configuration= poo local-id= id2hklocal remote-id= id2p54c [peerp54c] phase= 1 address= 67.50.143.54 id= id1hklocal remote-id= id1p54c [id2p54c] id-type= ipv4_addr address= 172.16.4.1 [id2hklocal] id-type= ipv4_addr address= 172.16.7.30 [poo] exchange_type= quick_mode suites= qm-esp-aes-sha2-512-pfs-grp14-suite [general] #default-phase-1-id= id1p54c [phase 2] Connections= cx [id1p54c] id-type= user_fqdn Name= [EMAIL PROTECTED] [id1hklocal] id-type= user_fqdn name= [EMAIL PROTECTED] [cx] phase= 2 isakmp-peer= peerhklocal configuration= poo local-id= id2p54c remote-id= id2hklocal [peerhklocal] phase= 1 address= 67.139.90.84 id= id1p54c remote-id= id1hklocal [id2p54c] id-type= ipv4_addr address= 172.16.4.1 [id2hklocal] id-type= ipv4_addr address= 172.16.7.30 [poo] exchange_type= quick_mode suites= qm-esp-aes-sha2-512-pfs-grp14-suite ------------------------------------------------- on one of the hosts, it reports "received remote ID other than expected", and the other reports having the remote peer using user_fqdn, but itself using IP_ADDR. this is the case if peer-a is the initator or if peer-b is the intiator. ----------- 073427.151804 Mesg 70 MSG_TYPE: INITIAL_CONTACT 073427.152991 Exch 90 exchange_validate: checking for required ID 073427.154109 Exch 90 exchange_validate: checking for required AUTH 073427.155461 Default ike_phase_1_recv_ID: received remote ID other than expected [EMAIL PROTECTED] 073427.156619 Mesg 20 message_free: freeing 0x8b64aa80 ----------- ----------- 063405.054306 Exch 40 exchange_run: exchange 0x88748300 finished step 5, advancing... 063405.065988 Exch 10 exchange_finalize: 0x88748300 Default-phase-1 Default-phase-1-configuration policy responder phase 1 doi 1 exchange 2 step 6 063405.072617 Exch 10 exchange_finalize: icookie 966027ecedf981b6 rcookie f4b41b4b452b46f0 063405.079576 Exch 10 exchange_finalize: msgid 00000000 063405.084959 SA 90 sa_find: no SA matched query 063405.097162 Exch 10 exchange_finalize: phase 1 done: initiator id [EMAIL PROTECTED], responder id 438b5a54: 67.139.90.84, src: 67.139.90.84 dst: 67.50.143.54 ----------- i put full -dDA=99 -D0=90 up at: http://www.ice-nine.org/jrrs/isakmpd ----- [ ] output.hklocal 08-Sep-2005 05:47 252k [ ] output.hklocal.works 08-Sep-2005 06:36 552k [ ] output.p54c 08-Sep-2005 05:51 162k [ ] output.p54c.works 08-Sep-2005 06:25 443k ----- the ones with '*.works' are using the 'default-phase-1-id' in [general], other two are with using 'id=' in the <ISAKMP-peer> instead. looks like the output is the same, per host, except on the ".works" one, you can see it say: --[output.hklocal.works]-- 072112.524384 Misc 30 ipsec_responder: phase 1 exchange 2 step 5 072112.524755 Negt 40 ike_phase_1_send_ID: USER_FQDN: 072112.525196 Negt 40 686b6c6f 63616c40 76706e2e 6e6f6465 6c657373 2e6e6574 072112.530235 Plcy 30 keynote_cert_obtain: failed to open "/etc/isakmpd/keynote//[EMAIL PROTECTED]/credentials" 072112.533600 Cryp 70 cert_cmp: --------------------------- as opposed to : --[output.hklocal]-- 064155.710215 Misc 30 ipsec_responder: phase 1 exchange 2 step 5 064155.712450 Negt 40 ike_phase_1_send_ID: IPV4_ADDR: 064155.714199 Negt 40 438b5a54 064155.717882 Plcy 30 keynote_cert_obtain: failed to open "/etc/isakmpd/keynote//67.139.90.84/credentials" 064155.719676 Cryp 70 x509_hash_find: no certificate matched query 064155.721740 Misc 10 rsa_sig_encode_hash: no certificate to send 064155.746668 Cryp 60 hash_get: requested algorithm 1 --------------------- i might be misunderstanding the scenario, but the manpage (isakmpd.conf(5)) seems to say that "id" in the <isakmpd-peer> section is "i send this id to the remote peer", and "default-phase-1-id" to mean "use this ID info if the isakmpd-peer section doesn't otherwise reference a specific 'id' section": --- [General] Default-phase-1-ID Optional default phase 1 ID name. <...> <ISAKMP-peer> ID If existent, the name of the section that describes the local client ID that we should present to our peer. If not present, it defaults to the address of the local in- terface we are sending packets over to the remote daemon. Look at <Phase1-ID> below. --- is it possible to setup an <ISAKMP-peer> section using an "ID" subsection who references a user_fqdn x509 certificate, and not have to otherwise rely on 'default-phase-1-id' to provide that x509 ID ? please yell at me if i didn't provide the right details. jared -- [ openbsd 3.8 GENERIC ( sep 1 ) // i386 ]
