Hi all,

I'm trying to set up an IPSec tunnel with a remote peer (HamWAN) who are helping
me announce an IPv4 allocation. We are having some trouble authenticating with
isakmpd. We got it to connect with a PSK, but can't get certificates or public
key auth working (they don't do secrets as a matter of policy).

They normally use a certificate setup, but it looks like isakmpd requires
subjectaltname to be filled. Using certs without subjectaltname did not
work.

One thing I noticed is that looking at an ultra-verbose log, and using ktrace,
isakmpd loads local.key, but never seems to load anything in the pubkeys
directory.

Before I dump my config files and debug info, I want to give some immense thanks
to EO_ from HamWAN, who has gone way above the call of duty in helping me get
connected.

Here is a link to their instructions page for Mikrotik/RouterOS routers:
https://hamwan.org/Labs/Open%20Peering%20Policy.html#setup-on-mikrotik-routeros-edge-router

This is my ipsec.conf:
ike active ah tunnel from 44.24.246.18/31 to 44.24.246.0/31 peer 44.24.221.2 main auth hmac-sha1 enc aes-128 group modp1024 lifetime 30m quick auth hmac-md5 group modp1024 lifetime 30m

My /etc/isakmpd/:
/etc/isakmpd/
|-- ca
|-- certs
|-- crls
|-- keynote
|-- local.pub
|-- private
|   `-- local.key
`-- pubkeys
    |-- fqdn
    |-- ipv4
    |   `-- 44.24.221.2
    |-- ipv6
    `-- ufqdn

local.key is a 2048-bit RSA private key generated by me, and local.pub is the
corresponding public key. pubkeys/ipv4/44.24.221.2 is the public key extracted
from their certificate. All of these are in PEM format.

Any isakmpd experts know how I might make this work? They can give me a client
cert with an arbitrary subjectaltname if that would fix it. Would they need to
add a subjectaltname field to their server cert?

Thanks,
Simon

For understanding the below config, my IP address is 71.32.246.199.
Output of isakmpd -K -d -T -v -D A=39:
---------------------------------------------
135329.733775 Default log_debug_cmd: log level changed from 0 to 39 for class 0 
[priv]
135329.734769 Default log_debug_cmd: log level changed from 0 to 39 for class 1 
[priv]
135329.734788 Default log_debug_cmd: log level changed from 0 to 39 for class 2 
[priv]
135329.734804 Default log_debug_cmd: log level changed from 0 to 39 for class 3 
[priv]
135329.734820 Default log_debug_cmd: log level changed from 0 to 39 for class 4 
[priv]
135329.734835 Default log_debug_cmd: log level changed from 0 to 39 for class 5 
[priv]
135329.734850 Default log_debug_cmd: log level changed from 0 to 39 for class 6 
[priv]
135329.734865 Default log_debug_cmd: log level changed from 0 to 39 for class 7 
[priv]
135329.734880 Default log_debug_cmd: log level changed from 0 to 39 for class 8 
[priv]
135329.734896 Default log_debug_cmd: log level changed from 0 to 39 for class 9 
[priv]
135329.734939 Default log_debug_cmd: log level changed from 0 to 39 for class 
10 [priv]
135329.734954 Default isakmpd: starting [priv]
135329.737177 Misc 10 monitor_init: privileges dropped for child process
135330.101234 Plcy 30 policy_init: initializing
135330.103973 Misc 20 udp_make: transport 0x4d1d7733400 socket 8 ip ::1 port 500
135330.104497 Misc 20 udp_make: transport 0x4d1bc508b80 socket 9 ip fe80:5::1 
port 500
135330.105066 Misc 20 udp_make: transport 0x4d1d7733680 socket 10 ip 127.0.0.1 
port 500
135330.105565 Misc 20 udp_make: transport 0x4d1d7733700 socket 11 ip 
192.168.0.1 port 500
135330.106023 Misc 20 udp_make: transport 0x4d16df1f480 socket 12 ip 
fe80:7::20d:b9ff:fe41:e7fc port 500
135330.106637 Misc 20 udp_make: transport 0x4d12e3ae980 socket 13 ip 
71.32.246.199 port 500
135330.107060 Misc 20 udp_make: transport 0x4d1d7733c00 socket 14 ip 0.0.0.0 
port 500
135330.107490 Misc 20 udp_make: transport 0x4d16df1fd80 socket 15 ip :: port 500
135336.262336 UI   30 ui_config: "C set [Phase 1]:44.24.221.2=peer-44.24.221.2 
force"
135336.262557 UI   30 ui_config: "C set [peer-44.24.221.2]:Phase=1 force"
135336.262773 UI   30 ui_config: "C set [peer-44.24.221.2]:Address=44.24.221.2 
force"
135336.262852 UI   30 ui_config: "C set 
[peer-44.24.221.2]:Configuration=phase1-peer-44.24.221.2 force"
135336.262953 UI   30 ui_config: "C set 
[phase1-peer-44.24.221.2]:EXCHANGE_TYPE=ID_PROT force"
135336.263286 UI   30 ui_config: "C add 
[phase1-peer-44.24.221.2]:Transforms=phase1-transform-peer-44.24.221.2-RSA_SIG-SHA-AES128-MODP_1024
 force"
135336.263376 UI   30 ui_config: "C set 
[phase1-transform-peer-44.24.221.2-RSA_SIG-SHA-AES128-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG
 force"
135336.263478 UI   30 ui_config: "C set 
[phase1-transform-peer-44.24.221.2-RSA_SIG-SHA-AES128-MODP_1024]:HASH_ALGORITHM=SHA
 force"
135336.263580 UI   30 ui_config: "C set 
[phase1-transform-peer-44.24.221.2-RSA_SIG-SHA-AES128-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC
 force"
135336.263651 UI   30 ui_config: "C set 
[phase1-transform-peer-44.24.221.2-RSA_SIG-SHA-AES128-MODP_1024]:KEY_LENGTH=128,128:128
 force"
135336.263747 UI   30 ui_config: "C set 
[phase1-transform-peer-44.24.221.2-RSA_SIG-SHA-AES128-MODP_1024]:GROUP_DESCRIPTION=MODP_1024
 force"
135336.263819 UI   30 ui_config: "C set 
[phase1-transform-peer-44.24.221.2-RSA_SIG-SHA-AES128-MODP_1024]:Life=phase1-transform-peer-44.24.221.2-RSA_SIG-SHA-AES128-MODP_1024-life
 force"
135336.263901 UI   30 ui_config: "C set 
[phase1-transform-peer-44.24.221.2-RSA_SIG-SHA-AES128-MODP_1024-life]:LIFE_TYPE=SECONDS
 force"
135336.263976 UI   30 ui_config: "C set 
[phase1-transform-peer-44.24.221.2-RSA_SIG-SHA-AES128-MODP_1024-life]:LIFE_DURATION=1800
 force"
135336.264057 UI   30 ui_config: "C set 
[from-44.24.246.18/31-to-44.24.246.0/31]:Phase=2 force"
135336.264155 UI   30 ui_config: "C set 
[from-44.24.246.18/31-to-44.24.246.0/31]:ISAKMP-peer=peer-44.24.221.2 force"
135336.264239 UI   30 ui_config: "C set 
[from-44.24.246.18/31-to-44.24.246.0/31]:Configuration=phase2-from-44.24.246.18/31-to-44.24.246.0/31
 force"
135336.264289 UI   30 ui_config: "C set 
[from-44.24.246.18/31-to-44.24.246.0/31]:Local-ID=from-44.24.246.18/31 force"
135336.264326 UI   30 ui_config: "C set 
[from-44.24.246.18/31-to-44.24.246.0/31]:Remote-ID=to-44.24.246.0/31 force"
135336.264396 UI   30 ui_config: "C set 
[phase2-from-44.24.246.18/31-to-44.24.246.0/31]:EXCHANGE_TYPE=QUICK_MODE force"
135336.264499 UI   30 ui_config: "C set 
[phase2-from-44.24.246.18/31-to-44.24.246.0/31]:Suites=phase2-suite-from-44.24.246.18/31-to-44.24.246.0/31
 force"
135336.264538 UI   30 ui_config: "C set 
[phase2-suite-from-44.24.246.18/31-to-44.24.246.0/31]:Protocols=phase2-protocol-from-44.24.246.18/31-to-44.24.246.0/31
 force"
135336.264621 UI   30 ui_config: "C set 
[phase2-protocol-from-44.24.246.18/31-to-44.24.246.0/31]:PROTOCOL_ID=IPSEC_AH 
force"
135336.264707 UI   30 ui_config: "C set 
[phase2-protocol-from-44.24.246.18/31-to-44.24.246.0/31]:Transforms=phase2-transform-from-44.24.246.18/31-to-44.24.246.0/31-NONE-MD5-MODP_1024-TUNNEL
 force"
135336.264788 UI   30 ui_config: "C set 
[phase2-transform-from-44.24.246.18/31-to-44.24.246.0/31-NONE-MD5-MODP_1024-TUNNEL]:TRANSFORM_ID=MD5
 force"
135336.264909 UI   30 ui_config: "C set 
[phase2-transform-from-44.24.246.18/31-to-44.24.246.0/31-NONE-MD5-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL
 force"
135336.265032 UI   30 ui_config: "C set 
[phase2-transform-from-44.24.246.18/31-to-44.24.246.0/31-NONE-MD5-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_MD5
 force"
135336.265131 UI   30 ui_config: "C set 
[phase2-transform-from-44.24.246.18/31-to-44.24.246.0/31-NONE-MD5-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024
 force"
135336.265243 UI   30 ui_config: "C set 
[phase2-transform-from-44.24.246.18/31-to-44.24.246.0/31-NONE-MD5-MODP_1024-TUNNEL]:Life=phase2-transform-from-44.24.246.18/31-to-44.24.246.0/31-NONE-MD5-MODP_1024-TUNNEL-life
 force
135336.265300 UI   30 ui_config: "C set 
[phase2-transform-from-44.24.246.18/31-to-44.24.246.0/31-NONE-MD5-MODP_1024-TUNNEL-life]:LIFE_TYPE=SECONDS
 force"
135336.265371 UI   30 ui_config: "C set 
[phase2-transform-from-44.24.246.18/31-to-44.24.246.0/31-NONE-MD5-MODP_1024-TUNNEL-life]:LIFE_DURATION=1800
 force"
135336.265425 UI   30 ui_config: "C set 
[from-44.24.246.18/31]:ID-type=IPV4_ADDR_SUBNET force"
135336.265531 UI   30 ui_config: "C set 
[from-44.24.246.18/31]:Network=44.24.246.18 force"
135336.265613 UI   30 ui_config: "C set 
[from-44.24.246.18/31]:Netmask=255.255.255.254 force"
135336.265662 UI   30 ui_config: "C set 
[to-44.24.246.0/31]:ID-type=IPV4_ADDR_SUBNET force"
135336.265751 UI   30 ui_config: "C set [to-44.24.246.0/31]:Network=44.24.246.0 
force"
135336.265789 UI   30 ui_config: "C set 
[to-44.24.246.0/31]:Netmask=255.255.255.254 force"
135336.265861 Timr 10 timer_add_event: event ui_conn_reinit(0x0) added last, 
expiration in 5s
135336.265880 UI   30 ui_config: "C add [Phase 
2]:Connections=from-44.24.246.18/31-to-44.24.246.0/31"
135341.271924 Timr 10 timer_handle_expirations: event ui_conn_reinit(0x0)
135341.271996 Misc 30 connection_reinit: reinitializing connection list
135341.272042 Timr 10 timer_add_event: event connection_checker(0x4d1dca9b000) 
added last, expiration in 0s
135341.272572 Timr 10 timer_handle_expirations: event 
connection_checker(0x4d1dca9b000)
135341.272670 Timr 10 timer_add_event: event connection_checker(0x4d1dca9b000) 
added last, expiration in 60s
135341.273075 Timr 10 timer_add_event: event exchange_free_aux(0x4d207e15a00) 
added last, expiration in 120s
135341.273153 Exch 10 exchange_establish_p1: 0x4d207e15a00 peer-44.24.221.2 
phase1-peer-44.24.221.2 policy initiator phase 1 doi 1 exchange 2 step 0
135341.273174 Exch 10 exchange_establish_p1: icookie cefe98ef23d00ea7 rcookie 
0000000000000000
135341.273189 Exch 10 exchange_establish_p1: msgid 00000000 
135341.273756 Trpt 30 transport_send_messages: message 0x4d15a66be00 scheduled 
for retransmission 1 in 7 secs
135341.273809 Timr 10 timer_add_event: event message_send_expire(0x4d15a66be00) 
added before connection_checker(0x4d1dca9b000), expiration in 7s
135341.279266 Mesg 20 message_free: freeing 0x4d15a66be00
135341.279302 Timr 10 timer_remove_event: removing event 
message_send_expire(0x4d15a66be00)
135341.279414 Exch 10 dpd_check_vendor_payload: DPD capable peer detected
135341.279471 Negt 30 message_negotiate_sa: transform 0 proto 1 proposal 1 ok
135341.279636 Negt 20 ike_phase_1_validate_prop: success
135341.279686 Negt 30 message_negotiate_sa: proposal 1 succeeded
135341.279702 Misc 20 ipsec_decode_transform: transform 0 chosen
135341.284636 Trpt 30 transport_send_messages: message 0x4d141433600 scheduled 
for retransmission 1 in 7 secs
135341.284661 Timr 10 timer_add_event: event message_send_expire(0x4d141433600) 
added before connection_checker(0x4d1dca9b000), expiration in 7s
135341.301433 Mesg 20 message_free: freeing 0x4d141433600
135341.301477 Timr 10 timer_remove_event: removing event 
message_send_expire(0x4d141433600)
135341.305925 Mesg 20 message_free: freeing 0x4d13c879300
135341.306270 Plcy 30 keynote_cert_obtain: failed to open 
"/etc/isakmpd/keynote//71.32.246.199/credentials"
135341.306311 Misc 10 rsa_sig_encode_hash: no certificate to send for id 
ipv4/71.32.246.199
135341.320741 Trpt 30 transport_send_messages: message 0x4d13c879e00 scheduled 
for retransmission 1 in 7 secs
135341.320796 Timr 10 timer_add_event: event message_send_expire(0x4d13c879e00) 
added before connection_checker(0x4d1dca9b000), expiration in 7s
135341.333423 Default ipsec_get_keystate: no keystate in ISAKMP SA 0x4d1db4c0800
135341.333450 Mesg 20 message_free: freeing 0x4d141433a00
135348.333912 Timr 10 timer_handle_expirations: event 
message_send_expire(0x4d13c879e00)
135348.334583 Trpt 30 transport_send_messages: message 0x4d13c879e00 scheduled 
for retransmission 2 in 9 secs
135348.334609 Timr 10 timer_add_event: event message_send_expire(0x4d13c879e00) 
added before connection_checker(0x4d1dca9b000), expiration in 9s
135348.340632 Default ipsec_get_keystate: no keystate in ISAKMP SA 0x4d1db4c0800
135348.340660 Mesg 20 message_free: freeing 0x4d161c36e00
135351.304464 Mesg 20 message_free: freeing 0x4d13c879100
135357.346543 Timr 10 timer_handle_expirations: event 
message_send_expire(0x4d13c879e00)
135357.347090 Trpt 30 transport_send_messages: message 0x4d13c879e00 scheduled 
for retransmission 3 in 11 secs
135357.347158 Timr 10 timer_add_event: event message_send_expire(0x4d13c879e00) 
added before connection_checker(0x4d1dca9b000), expiration in 11s
135357.353110 Default ipsec_get_keystate: no keystate in ISAKMP SA 0x4d1db4c0800
135357.353139 Mesg 20 message_free: freeing 0x4d161c36300
135401.301590 Mesg 20 message_free: freeing 0x4d15a66b400
135408.359643 Timr 10 timer_handle_expirations: event 
message_send_expire(0x4d13c879e00)
135408.360293 Default transport_send_messages: giving up on exchange 
peer-44.24.221.2, no response from peer 44.24.221.2:500
135408.360314 Mesg 20 message_free: freeing 0x4d13c879e00
135408.367511 Default ipsec_get_keystate: no keystate in ISAKMP SA 0x4d1db4c0800
135408.367556 Mesg 20 message_free: freeing 0x4d13c879f00
135411.302047 Mesg 20 message_free: freeing 0x4d13c879b00
135419.285081 Default isakmpd: shutting down...
135419.285370 Default isakmpd: exit
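Added example (not from Simon's post, nor isakmpd's or HamWAN's own code): a stdlib-only Python script that lists the subjectAltName identities in a DER X.509 certificate and maps each to the /etc/isakmpd/pubkeys/<type>/<id> file name isakmpd looks for, so you can check whether a peer cert carries an IP-type SAN matching 44.24.221.2. The sample DER, hostname and e-mail address are constructed for the demonstration; a PEM file must be base64-decoded first.

```python
# Stdlib-only SAN inspection for a DER certificate, mapped to isakmpd's pubkeys/{fqdn,ufqdn,ipv4,ipv6}/<id> naming.
import ipaddress

SAN_OID = bytes.fromhex("551d11")  # id-ce-subjectAltName, OID 2.5.29.17

def _tlv(buf, pos):  # decode one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length (real certificates need this; the sample below does not)
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(buf):  # direct (tag, value) children of a constructed value
    pos = 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        yield tag, val

def _walk(buf):  # every TLV, descending into constructed types (tag bit 0x20)
    for tag, val in _children(buf):
        yield tag, val
        if tag & 0x20:
            yield from _walk(val)

def _general_name(tag, val):  # one GeneralName -> (pubkeys/ subdirectory isakmpd uses, id string)
    if tag in (0x81, 0x82):  # rfc822Name -> ufqdn/, dNSName -> fqdn/
        return ("ufqdn" if tag == 0x81 else "fqdn", val.decode("ascii"))
    if tag == 0x87:  # iPAddress: 4 or 16 raw bytes
        ip = ipaddress.ip_address(val)
        return ("ipv4" if ip.version == 4 else "ipv6", str(ip))
    return ("other", val.hex())

def san_entries(der):  # [(pubkeys_subdir, name), ...] from the SAN extension, [] if the cert has none
    for tag, val in _walk(der):  # Extension ::= SEQUENCE { OID, [critical BOOLEAN], OCTET STRING }
        if tag != 0x30 or not val or _tlv(val, 0)[:2] != (0x06, SAN_OID):
            continue
        t, body, p = _tlv(val, _tlv(val, 0)[2])
        if t == 0x01:  # skip the optional 'critical' flag
            t, body, p = _tlv(val, p)
        return [_general_name(tg, v) for tg, v in _children(_tlv(body, 0)[1])]
    return []

def pubkey_path_for_peer(der, peer_ip):  # pubkeys/ file an IP-type SAN equal to peer_ip maps to, else None
    for subdir, name in san_entries(der):
        if subdir in ("ipv4", "ipv6") and name == peer_ip:
            return f"/etc/isakmpd/pubkeys/{subdir}/{name}"
    return None

def _enc(tag, body):  # short-form DER encoder, used only to build the constructed sample below
    return bytes([tag, len(body)]) + body

# Constructed sample (not a real, signed cert): cert-shaped DER whose [3] extensions carry basicConstraints
# plus a SAN with a dNSName, the peer's iPAddress 44.24.221.2 and an rfc822Name.
SAMPLE_DER = _enc(0x30, _enc(0x30, _enc(0xA3, _enc(0x30,
    _enc(0x30, _enc(0x06, bytes.fromhex("551d13")) + _enc(0x01, b"\xff") + _enc(0x04, _enc(0x30, b""))) +
    _enc(0x30, _enc(0x06, SAN_OID) + _enc(0x04, _enc(0x30,
        _enc(0x82, b"edge.hamwan.example") + _enc(0x87, bytes([44, 24, 221, 2])) +
        _enc(0x81, b"noc@hamwan.example"))))))))
```

Run it against the DER of the peer's certificate (openssl x509 -outform DER) and compare the returned path with the file name actually present under pubkeys/.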
