Heinrich Rebehn wrote:
Hello list,
after using ipsec for some years now, I never experienced an upgrade
breaking it. But after moving to 4.1 (new install) I cannot get
it to work anymore. I have copied the complete /etc/isakmpd directory
from the 4.0 installation to the new one and also copied
/etc/isakmpd/private/local.pub to /etc/isakmpd.
Below is a snippet from the output of "isakmpd -d -DA=70" on my gateway:
The peer antbook3 is trying to establish a connection, but the local
isakmpd cannot validate antbook3's cert. antbook3's installation has not
changed at all.
I have never seen the message "unable to get local issuer certificate"
before.
111621.667743 Mesg 50 message_parse_payloads: offset 28 payload ID
111621.667812 Mesg 50 message_parse_payloads: offset 62 payload CERT
111621.667852 Mesg 50 message_parse_payloads: offset 799 payload SIG
111621.667924 Mesg 60 message_validate_payloads: payload ID at
0x8810241c of message 0x88f39500
111621.668011 Mesg 70 TYPE: 2
111621.668052 Mesg 70 DOI_DATA: 000000
111621.668128 Mesg 70 DATA:
111621.668210 Mesg 40 ipsec_validate_id_information: proto 0 port 0 type 2
111621.668251 Mesg 60 message_validate_payloads: payload CERT at
0x8810243e of message 0x88f39500
111621.668313 Mesg 70 ENCODING: X509_SIG
111621.668348 Mesg 70 DATA:
111621.668431 Mesg 60 message_validate_payloads: payload SIG at
0x8810271f of message 0x88f39500
111621.668503 Mesg 70 DATA:
111621.668542 Trpt 70 transport_release: freeing 0x813c5c40
111621.668617 Misc 30 ipsec_responder: phase 1 exchange 2 step 4
111621.668707 Negt 40 ike_phase_1_recv_ID: FQDN:
111621.668755 Negt 40 616e7462 6f6f6b33 2e616e74 2e756e69 2d627265
6d656e2e 6465
111621.668827 Cryp 70 x509_hash_find: no certificate matched query
111621.669061 Default x509_cert_validate: unable to get local issuer
certificate
111621.669224 Default rsa_sig_decode_hash: received CERT can't be validated
111621.672638 Negt 50 get_raw_key_from_file: file
/etc/isakmpd/pubkeys//fqdn/antbook3.ant.uni-bremen.de not found
111621.672685 Default rsa_sig_decode_hash: no public key found
111621.672731 Default dropped message from 172.21.113.59 port 500 due to
notification type INVALID_ID_INFORMATION
Verifying the cert by hand:
[EMAIL PROTECTED] [/etc/isakmpd/certs] # openssl verify -CAfile ../ca/ca.crt
antbook3.crt
antbook3.crt: OK
[EMAIL PROTECTED] [/etc/isakmpd/certs] # md5 ../ca/ca.crt
MD5 (../ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00
Making sure that the gateway uses the same ca crt:
[EMAIL PROTECTED] [~] # md5 /etc/isakmpd/ca/ca.crt
MD5 (/etc/isakmpd/ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00
I will happily post more information if needed, but I am unsure if I can
post the output of "openssl x509 -text ..." of a cert. Would this enable
someone else to use it?
Thanks for any hints
Heinrich
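Added example, not part of the original thread: a small Python helper that re-joins the mail-wrapped "isakmpd -d -DA=70" lines, decodes the hex-encoded FQDN ID payload and pulls out the missing-file path and the reason the phase-1 exchange was dropped. The sample log is constructed from the lines quoted above; the diagnosis wording is my own.

```python
import re

# Constructed sample in the shape of the "isakmpd -d -DA=70" lines quoted above, mail-wrapped.
SAMPLE_LOG = """\
111621.668707 Negt 40 ike_phase_1_recv_ID: FQDN:
111621.668755 Negt 40 616e7462 6f6f6b33 2e616e74 2e756e69 2d627265
6d656e2e 6465
111621.668827 Cryp 70 x509_hash_find: no certificate matched query
111621.669061 Default x509_cert_validate: unable to get local issuer
certificate
111621.669224 Default rsa_sig_decode_hash: received CERT can't be validated
111621.672638 Negt 50 get_raw_key_from_file: file
/etc/isakmpd/pubkeys//fqdn/antbook3.ant.uni-bremen.de not found
111621.672685 Default rsa_sig_decode_hash: no public key found
111621.672731 Default dropped message from 172.21.113.59 port 500 due to
notification type INVALID_ID_INFORMATION
"""

TS = re.compile(r"^\d{6}\.\d{6} ")  # real log lines start with HHMMSS.usec

def unwrap(text):
    """Re-join mail-wrapped lines: a line without a timestamp continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if TS.match(raw) or not lines:
            lines.append(raw.rstrip())
        else:
            lines[-1] += " " + raw.strip()
    return lines

def triage(text):
    """Return the peer's ID, the files isakmpd looked for and why the message was dropped."""
    lines = unwrap(text)
    out = {"peer_id": None, "reasons": [], "missing_files": [], "dropped": None}
    for i, ln in enumerate(lines):
        if ln.endswith("ike_phase_1_recv_ID: FQDN:") and i + 1 < len(lines):
            # The ID payload is dumped as hex words on the next line, after timestamp/class/level
            try:
                out["peer_id"] = bytes.fromhex("".join(lines[i + 1].split()[3:])).decode("ascii")
            except ValueError:
                out["peer_id"] = lines[i + 1]  # leave an undecodable payload as logged
        if "unable to get local issuer certificate" in ln:
            out["reasons"].append("issuer CA cert not loaded: check isakmpd can read its ca/ directory")
        m = re.search(r"get_raw_key_from_file: file (\S+) not found", ln)
        if m:
            out["missing_files"].append(m.group(1))
        m = re.search(r"dropped message from (\S+) port (\d+) due to notification type (\w+)", ln)
        if m:
            out["dropped"] = (m.group(1), int(m.group(2)), m.group(3))
    return out
```

Feed it the full debug output (`triage(open("isakmpd.log").read())`) to see at a glance which peer failed and whether the failure was a CA lookup or a missing raw key.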
Ok, it's running now. The cause was not the move from 4.0 -> 4.1, but
the move from a diskful to a diskless setup: the machine mounts its root
fs via NFS. This runs just fine, except for isakmpd: it silently does
not read any certificates from an NFS-mounted directory. After moving
/etc/isakmpd to a ramdisk, ipsec runs fine as well.
Question: Is this a bug or a feature? If it is a feature, it really
should be documented. If it is a bug, I am unable to fix it. I started
digging into isakmpd's sources, but failed to further trace things in
monitor.c's forking and privilege separation.
Regards,
Heinrich