On 2017-03-11, Simon McFarlane <s...@desu.ne.jp> wrote:
> Hi all,
>
> I'm trying to set up an IPSec tunnel with a remote peer (HamWAN) who are helping
> me announce an IPv4 allocation. We are having some trouble authenticating with
> isakmpd. We got it to connect with a PSK, but can't get certificates or public
> key auth working (they don't do secrets as a matter of policy).
>
> They normally use a certificate setup, but it looks like isakmpd requires
> subjectaltname to be filled. Using certs without subjectaltname did not work.
>
> One thing I noticed is that looking at an ultra-verbose log, and using ktrace,
> isakmpd loads local.key, but never seems to load anything in the pubkeys
> directory.
>
> Before I dump my config files and debug info, I want to give some immense thanks
> to EO_ from HamWAN, who has gone way above the call of duty in helping me get
> connected.
>
> Here is a link to their instructions page for Mikrotik/RouterOS routers:
> https://hamwan.org/Labs/Open%20Peering%20Policy.html#setup-on-mikrotik-routeros-edge-router
>
> This is my ipsec.conf:
> ike active ah tunnel from 44.24.246.18/31 to 44.24.246.0/31 peer 44.24.221.2
> main auth hmac-sha1 enc aes-128 group modp1024 lifetime 30m quick auth
> hmac-md5 group modp1024 lifetime 30m
>
> My /etc/isakmpd/:
> /etc/isakmpd/
> |-- ca
> |-- certs
> |-- crls
> |-- keynote
> |-- local.pub
> |-- private
> |   `-- local.key
> `-- pubkeys
>     |-- fqdn
>     |-- ipv4
>     |   `-- 44.24.221.2
>     |-- ipv6
>     `-- ufqdn
>
> local.key is a 2048-bit RSA private key generated by me, and local.pub is the
> corresponding public key. pubkeys/ipv4/44.24.221.2 is the public key extracted
> from their certificate. All of these are in PEM format.
>
> Any isakmpd experts know how I might make this work? They can give me a client cert
> with an arbitrary subjectaltname if that would fix it. Would they need to add a
> subjectaltname field to their server cert?
ipv4/* is for host key auth, not X509. Put the signed cert in certs/<whatever_is_in_subjectaltname>.crt, and the CA cert in ca/ca.crt. subjectAltName needs to be either "IP:10.0.0.1" or "DNS:fqdn.example.com" and the cert must have extendedKeyUsage=serverAuth,clientAuth. isakmpd must use the IP or DNS mentioned in the cert as an identifier, easiest to set this with "srcid".
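As an added example that is not part of the thread, the following shell script builds a certificate meeting the requirements the reply lists (DNS-type subjectAltName, extendedKeyUsage=serverAuth,clientAuth), places it in an isakmpd-style directory as certs/<subjectAltName>.crt with the CA in ca/ca.crt, and checks the result. The identifier fqdn.example.com, the throw-away CA and the work directory are constructed values; the ipsec.conf it writes is the question's rule with srcid appended.

```shell
#!/bin/sh
# Added example, not code from the thread. fqdn.example.com, the CA and the
# work directory are constructed; a real cert would be issued by the peer's CA.
set -eu

SAN_ID="fqdn.example.com"   # must match srcid in ipsec.conf and the certs/ file name

make_isakmpd_pki() {
    root="$1"
    mkdir -p "$root/ca" "$root/certs" "$root/private"
    # Throw-away CA standing in for the peer's CA; its cert goes in ca/ca.crt.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Peering CA" \
        -keyout "$root/ca.key" -out "$root/ca/ca.crt" 2>/dev/null
    # Our key (private/local.key, where isakmpd looks for it) and a CSR for it.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$SAN_ID" \
        -keyout "$root/private/local.key" -out "$root/local.csr" 2>/dev/null
    # The two extensions isakmpd needs, applied at signing time.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$SAN_ID" \
        > "$root/ext.cnf"
    # Signed cert is stored as certs/<subjectAltName>.crt.
    openssl x509 -req -days 365 -in "$root/local.csr" -CA "$root/ca/ca.crt" \
        -CAkey "$root/ca.key" -CAcreateserial -extfile "$root/ext.cnf" \
        -out "$root/certs/$SAN_ID.crt" 2>/dev/null
    # The question's ipsec.conf with srcid added, so isakmpd presents the
    # identifier carried in the certificate.
    cat > "$root/ipsec.conf" <<EOF
ike active ah tunnel from 44.24.246.18/31 to 44.24.246.0/31 peer 44.24.221.2 \\
    main auth hmac-sha1 enc aes-128 group modp1024 lifetime 30m \\
    quick auth hmac-md5 group modp1024 lifetime 30m \\
    srcid $SAN_ID
EOF
}

# Prints "ok" when certs/<id>.crt carries the DNS SAN and both EKU purposes and
# chains to ca/ca.crt; otherwise prints what is missing and returns 1.
check_isakmpd_cert() {
    root="$1"
    cert="$root/certs/$SAN_ID.crt"
    text=$(openssl x509 -in "$cert" -noout -text)
    echo "$text" | grep -q "DNS:$SAN_ID" \
        || { echo "missing subjectAltName"; return 1; }
    echo "$text" | grep -q "TLS Web Server Authentication, TLS Web Client Authentication" \
        || { echo "missing extendedKeyUsage serverAuth,clientAuth"; return 1; }
    openssl verify -CAfile "$root/ca/ca.crt" "$cert" >/dev/null 2>&1 \
        || { echo "does not chain to ca/ca.crt"; return 1; }
    echo ok
}
```

Run `make_isakmpd_pki /tmp/isakmpd-test && check_isakmpd_cert /tmp/isakmpd-test` to see the layout; the same check applied to a cert lacking the SAN or the EKU reports which requirement is unmet.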