Almir Karic wrote:
pf is probably the problem, 'keep state' is assumed unless
explicitly stated otherwise.

On 7/6/07, Heinrich Rebehn <[EMAIL PROTECTED]> wrote:
Hello list,

after using ipsec for some years now, I never experienced an upgrade
breaking it. But after moving to 4.1 (new install) I cannot get
it to work anymore. I have copied the complete /etc/isakmpd directory
from the 4.0 installation to the new one and also copied
/etc/imakmpd/private/local.pub to /etc/isakmpd

Below is a snippet from the output of "isakmpd -d -DA=70" on my gateway:

The peer antbook3 is trying to establish a connection, but the local
isakmpd cannot validate antbook3's cert. antbook3's installation has not
changed at all.
I have never seen the message "unable to get local issuer certificate"
before.

111621.667743 Mesg 50 message_parse_payloads: offset 28 payload ID
111621.667812 Mesg 50 message_parse_payloads: offset 62 payload CERT
111621.667852 Mesg 50 message_parse_payloads: offset 799 payload SIG
111621.667924 Mesg 60 message_validate_payloads: payload ID at
0x8810241c of message 0x88f39500
111621.668011 Mesg 70 TYPE: 2
111621.668052 Mesg 70 DOI_DATA: 000000
111621.668128 Mesg 70 DATA:
111621.668210 Mesg 40 ipsec_validate_id_information: proto 0 port 0 type 2
111621.668251 Mesg 60 message_validate_payloads: payload CERT at
0x8810243e of message 0x88f39500
111621.668313 Mesg 70 ENCODING: X509_SIG
111621.668348 Mesg 70 DATA:
111621.668431 Mesg 60 message_validate_payloads: payload SIG at
0x8810271f of message 0x88f39500
111621.668503 Mesg 70 DATA:
111621.668542 Trpt 70 transport_release: freeing 0x813c5c40
111621.668617 Misc 30 ipsec_responder: phase 1 exchange 2 step 4
111621.668707 Negt 40 ike_phase_1_recv_ID: FQDN:
111621.668755 Negt 40 616e7462 6f6f6b33 2e616e74 2e756e69 2d627265
6d656e2e 6465
111621.668827 Cryp 70 x509_hash_find: no certificate matched query
111621.669061 Default x509_cert_validate: unable to get local issuer
certificate
111621.669224 Default rsa_sig_decode_hash: received CERT can't be validated
111621.672638 Negt 50 get_raw_key_from_file: file
/etc/isakmpd/pubkeys//fqdn/antbook3.ant.uni-bremen.de not found
111621.672685 Default rsa_sig_decode_hash: no public key found
111621.672731 Default dropped message from 172.21.113.59 port 500 due to
notification type INVALID_ID_INFORMATION


Verifying the cert by hand:

[EMAIL PROTECTED] [/etc/isakmpd/certs] # openssl verify -CAfile ../ca/ca.crt
antbook3.crt
antbook3.crt: OK
[EMAIL PROTECTED] [/etc/isakmpd/certs] # md5 ../ca/ca.crt
MD5 (../ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00

Making sure that the gateway uses the same ca crt:
[EMAIL PROTECTED] [~] # md5 /etc/isakmpd/ca/ca.crt
MD5 (/etc/isakmpd/ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00

I will happily post more information if needed, but I am unsure if I can
post the output of "openssl x509 -text ..." of a cert. Would this enable
someone else to use it?

Thanks for any hints

        Heinrich
--

Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :            -3341

But how should "keep state" be harmful for ipsec?
Why would it cause verification of the certs to fail?

Just tried passing port 500 and 4500 with "no state". Does not help.

--Heinrich
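As an added illustration (not part of the thread), a small parser for the `isakmpd -d -DA=70` output quoted above: it rejoins the wrapped log lines, decodes the hex-encoded FQDN ID payload the peer sent, and reports which step of the certificate validation failed. The sample log is constructed from the lines in the post; the reason strings are my own summaries of what each isakmpd message indicates.

```python
import re

# Constructed sample, copied from the isakmpd debug lines quoted in the thread.
SAMPLE_LOG = """\
111621.668707 Negt 40 ike_phase_1_recv_ID: FQDN:
111621.668755 Negt 40 616e7462 6f6f6b33 2e616e74 2e756e69 2d627265
6d656e2e 6465
111621.668827 Cryp 70 x509_hash_find: no certificate matched query
111621.669061 Default x509_cert_validate: unable to get local issuer
certificate
111621.669224 Default rsa_sig_decode_hash: received CERT can't be validated
111621.672638 Negt 50 get_raw_key_from_file: file
/etc/isakmpd/pubkeys//fqdn/antbook3.ant.uni-bremen.de not found
111621.672685 Default rsa_sig_decode_hash: no public key found
111621.672731 Default dropped message from 172.21.113.59 port 500 due to
notification type INVALID_ID_INFORMATION
"""

TS_RE = re.compile(r"^\d{6}\.\d{6} ")  # HHMMSS.usec prefix of every isakmpd record

def join_wrapped(text):
    """A line without a timestamp is the continuation of the previous record
    (the mail client wrapped it); glue it back on."""
    records = []
    for line in text.splitlines():
        if TS_RE.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records

def analyze(text):
    """Extract peer ID, peer address, the IKE notification and the failure chain."""
    recs = join_wrapped(text)
    out = {"peer_id": None, "peer_ip": None, "notification": None, "reasons": []}
    for i, rec in enumerate(recs):
        if rec.endswith("ike_phase_1_recv_ID: FQDN:") and i + 1 < len(recs):
            # Next record carries the ID as space-separated hex; strip "ts Negt 40 ".
            hexdata = re.sub(r"^\S+ \S+ \d+ ", "", recs[i + 1]).replace(" ", "")
            out["peer_id"] = bytes.fromhex(hexdata).decode("ascii")
        elif "x509_cert_validate: unable to get local issuer certificate" in rec:
            out["reasons"].append("no CA cert matching the peer cert's issuer was found")
        elif "get_raw_key_from_file" in rec and "not found" in rec:
            out["reasons"].append("no raw public key fallback under /etc/isakmpd/pubkeys")
        m = re.search(r"dropped message from (\S+) port \d+ due to notification type (\S+)", rec)
        if m:
            out["peer_ip"], out["notification"] = m.group(1), m.group(2)
    return out

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```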
