Having trouble bringing up a tunnel.
I have followed these instructions
http://mirror.huxley.org.ar/ipsec/isakmpd.htm
and used the included script to generate my certs.

This seems to complete phase 1 (see snip 1).

Though it never seems to move on to phase 2 (see snip 2).
The Licensees line gives me some pause, as that is not the common name of the
cert, though that is what prints in the debug. The name in the subject field
on the cert is loanerxppc2.xxx.gov

Configs are included after the snips.


The client is an XP box running ipsec.exe from e.bootis behind a NAT on an OpenBSD
fw. This works with preshared keys through the fw.

isakmpd -dDA=50 
--------snip 1 --------
173611.209764 Exch 40 exchange_run: exchange 0x893c00 finished step 5, 
advancing...
173611.210067 Mesg 10 virtual_send_message: enabling NAT-T encapsulation for 
this exchange
173611.210410 Exch 10 exchange_finalize: 0x893c00 xpws Default-main-mode policy 
responder phase 1 doi 1 exchange 2 step 6
173611.210685 Exch 10 exchange_finalize: icookie 90d893da9f1f4816 rcookie 
83c51437d4efd48e
173611.210921 Exch 10 exchange_finalize: msgid 00000000 
173611.212348 Exch 10 exchange_finalize: phase 1 done: initiator id 
/C=US/ST=California/L=Martinez/O=ccchsd/OU=IS/CN=loanerxppc2.xxxx.gov, 
responder id [EMAIL PROTECTED], src: 172.16.5.241 dst: 172.16.4.230
17361


----------snip 2 ---------
5555ghri_fw:root:/etc/isakmpd #isakmpd -dD9=99         
173331.863667 Default log_debug_cmd: log level changed from 0 to 99 for class 9 
[priv]
173332.317663 Plcy 30 policy_init: initializing
173332.321123 Default x509_read_from_dir: PEM_read_X509 failed for ca.srl
173338.331292 Plcy 90 x509_generate_kn: generating KeyNote policy for 
certificate 0x88da00
173338.332119 Plcy 60 x509_generate_kn: added credential
173338.332481 Plcy 80 x509_generate_kn: added credential:
Authorizer: 
"DN:/C=US/ST=California/L=Martinez/O=ccchsd/OU=IS/CN=555ghrifw.xxxx.gov"
Licensees: "DN:/C=US/ST=California/L=Martinez/O=ccchsd/OU=IS/CN=loanerxppc2.
173338.335104 Plcy 30 keynote_cert_obtain: failed to open 
"/etc/isakmpd/keynote//[EMAIL PROTECTED]/credentials"
5555ghri_fw:root:/etc/isakmpd #cat isakmpd.conf 
[General]
Retransmits=            5
Exchange-max-time=      120
Listen-on=             172.16.5.241 

# X.509 certificate locations
[X509-certificates]
Accept-self-signed=     1
CA-directory=           /etc/isakmpd/ca/
Cert-directory=         /etc/isakmpd/certs/
Private-key=            /etc/isakmpd/private/[EMAIL PROTECTED]



[Phase 1]
172.16.4.230=          xpws

[xpws]
Phase=                  1
Transport=              udp
Local-address=          172.16.5.241 
Address=               0.0.0.0 
Configuration=          Default-main-mode 
ID=                     My-ID

[My-ID]
ID-type=                USER_FQDN
# this is the certificate for this gateway
Name=                   [EMAIL PROTECTED]
[Phase 2]
Connections=    winxp


[winxp]
Phase=                          2
ISAKMP-peer=        xpws 
Configuration=         Default-quick-mode 
Local-ID=             dmz 
Remote-ID=             Unknown-address 
[loanerxp]
ID-type=                IPV4_ADDR 
Address=                192.168.10.15

[dmz]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.12.0
Netmask=                255.255.255.0
[Unknown-address]
ID-Type=                IPV4_ADDR
Address=                0.0.0.0



[Default-quick-mode]
DOI=            IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites=         QM-ESP-3DES-SHA-SUITE

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA-RSA_SIG


# Encryption/Authentication suite definitions

[3DES-SHA-RSA_SIG]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  RSA_SIG
ENCAPSULATION_MODE=     TUNNEL
AUTHENTICATION_ALGORITHM=       HMAC_SHA
5555ghri_fw:root:/etc/isakmpd #cat isakmpd.policy
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
        $OpenBSD: policy,v 1.6 2001/06/20 16:36:19 angelos Exp $
        $EOM: policy,v 1.6 2000/10/09 22:08:30 angelos Exp $
Authorizer: "POLICY"
Licensees: 
"DN:/C=US/ST=California/L=Martinez/O=ccchsd/OU=IS/CN=555ghrifw.ccchsd.gov" ||  
"passphrase:1234" || "passphrase:0291ff014dccdd03874d9e8e4cdf3e6"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true"; 

# --- [EMAIL PROTECTED] ---
authorizer: "[EMAIL PROTECTED]"
licensees:"DN:"
conditions: remote_id_type =="ASN1 DN" &&
            remote_id =="" -> "true";

# --- [EMAIL PROTECTED] ---
authorizer: "[EMAIL PROTECTED]"
licensees:"DN:"
conditions: remote_id_type =="ASN1 DN" &&
            remote_id =="" -> "true";

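A small checker, added here as an example and not code from the post, the linked guide, or isakmpd itself, for the situation in the debug output above: isakmpd generates a KeyNote credential from the peer certificate (its Authorizer is the signing DN, its Licensees the cert subject DN), and that credential only counts if the POLICY assertion in isakmpd.policy lists the Authorizer DN as a licensee. The script parses a policy file and the "added credential:" debug lines and reports where the delegation chain is broken. The sample policy, the sample debug lines and all DNs are constructed placeholders modelled on the layout of the post, and the parser only understands the Authorizer/Licensees/Conditions layout shown there.

```python
import re

# Constructed sample isakmpd.policy, modelled on the layout in the post above.
# The DNs and e-mail style authorizer are placeholders, not the poster's values.
SAMPLE_POLICY = """\
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees:
"DN:/C=US/ST=California/O=example/CN=gateway.example.org" ||
"passphrase:1234"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

# --- gateway@example.org ---
authorizer: "gateway@example.org"
licensees:"DN:"
conditions: remote_id_type =="ASN1 DN" &&
            remote_id =="" -> "true";
"""

# Constructed debug lines in the shape of isakmpd's x509_generate_kn output.
SAMPLE_DEBUG = """\
173338.332481 Plcy 80 x509_generate_kn: added credential:
Authorizer: "DN:/C=US/ST=California/O=example/CN=gateway.example.org"
Licensees: "DN:/C=US/ST=California/O=example/CN=client.example.org"
"""

DN_RE = re.compile(r'"DN:([^"]*)"')
FIELD_RE = re.compile(r'^\s*(authorizer|licensees|conditions)\s*:\s*(.*)$', re.I)


def parse_policy(text):
    """Split a KeyNote policy file into assertions.

    Each assertion is a dict with 'authorizer' (unquoted string) and
    'licensees' (list of DN strings; an empty string means a bare "DN:").
    Only the Authorizer/Licensees/Conditions layout from the post is handled.
    """
    assertions = []
    current = None
    field = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.lower().startswith("keynote-version"):
            continue
        m = FIELD_RE.match(line)
        if m:
            field = m.group(1).lower()
            rest = m.group(2)
            if field == "authorizer":
                current = {"authorizer": rest.strip().strip('"'), "licensees": []}
                assertions.append(current)
                continue
        else:
            rest = line  # continuation of the previous field
        if field == "licensees" and current is not None:
            current["licensees"].extend(DN_RE.findall(rest))
    return assertions


def parse_credential(debug_text):
    """Pull the Authorizer and Licensees DNs out of 'added credential:' debug lines."""
    cred = {"authorizer": None, "licensees": None}
    for line in debug_text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        dns = DN_RE.findall(m.group(2))
        if dns:
            cred[m.group(1).lower()] = dns[0]
    return cred


def check_delegation(policy_text, debug_text):
    """Return a list of findings; an empty list means the credential chains to POLICY."""
    findings = []
    assertions = parse_policy(policy_text)
    cred = parse_credential(debug_text)
    root = [a for a in assertions if a["authorizer"] == "POLICY"]
    if not root:
        return ["no POLICY assertion found in policy file"]
    if cred["authorizer"] is None:
        return ["debug output contains no DN credential"]
    if cred["authorizer"] not in root[0]["licensees"]:
        findings.append("POLICY does not list credential authorizer DN: " + cred["authorizer"])
    for a in assertions:
        if "" in a["licensees"]:
            findings.append("assertion %r has an empty DN: licensee, which names no certificate subject"
                            % a["authorizer"])
    return findings


if __name__ == "__main__":
    for finding in check_delegation(SAMPLE_POLICY, SAMPLE_DEBUG) or ["no problems found"]:
        print(finding)
```

Running it against real files means reading /etc/isakmpd/isakmpd.policy and the captured `isakmpd -dD9=99` output in place of the two constructed strings; the first finding to look for is the POLICY licensee mismatch, since a credential whose Authorizer DN is not delegated to by POLICY is silently ignored when phase 2 is evaluated.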