Hello, I am trying to set up an ipsec vpn between two networks. But, I can't figure out why it doesn't work.
I get some errors like these (here on the "malenfant" gate; see the network map below):

    Plcy 30 keynote_cert_obtain: failed to open "/etc/isakmpd/keynote//192.168.1.159/credentials"
    Default rsa_sig_decode_hash: no public key found
    Default dropped message from $dugny_addr port 4500 due to notification type INVALID_ID_INFORMATION

I don't understand why I have messages about keynote, because isakmpd is launched with the -K flag (and why 192.168.1.159 instead of $dugny_addr?). And I don't understand why it doesn't find the public key. I have correctly copied, for each gate, /etc/isakmpd/local.pub to the other gate at /etc/isakmpd/pubkeys/ipv4/gate_ip.

Here is my network map:

    { st_cyr_net : 192.168.2.0/24 }
               |
      xl1 : 192.168.2.1
      [gate "malenfant"] OpenBSD 4.4-current (as of 10/18) on the "livebox"'s DMZ
      xl0 : 192.168.1.183
               |
      192.168.1.1
      [adsl router/modem "livebox"]
      $st_cyr_addr
               "
               "
            @@@@@@@
          @@@@@@@@@@@ Internet
            @@@@@@@
               "
               "
      $dugny_addr
      [adsl router/modem "livebox"]
      192.168.1.1
               |
      xl0 : 192.168.1.159
      [gate "nemoto"] OpenBSD 4.4-release on the "livebox"'s DMZ
      xl1 : 192.168.3.1
               |
    { dugny_net : 192.168.3.0/24 }

By DMZ I mean that all TCP and UDP ports are redirected to the gate. I don't see why the liveboxes could be the problem; they redirect all the traffic. How can NAT on the liveboxes cause trouble? Because the two gates run a different version of OpenBSD? I don't think so; however, malenfant will be upgraded to 4.4-release tomorrow evening.

My ipsec.confs:

- on nemoto:

    st_cyr_net="192.168.2.0/24"
    dugny_net="192.168.3.0/24"
    st_cyr_addr="xx.xx.xx.xx"

    ike esp tunnel from $dugny_net to $st_cyr_net peer $st_cyr_addr

- on malenfant:

    st_cyr_net="192.168.2.0/24"
    dugny_net="192.168.3.0/24"
    dugny_addr="yy.yy.yy.yy"

    ike esp tunnel from $st_cyr_net to $dugny_net peer $dugny_addr

pf is correctly (I hope) configured on both gates with the following (here is a snippet from malenfant's pf.conf):

    set skip on { lo enc0 }

    block in
    pass out

    pass in on $ext_if proto { tcp udp } \
        from $dugny_addr to ($ext_if) port ipsec-nat-t
    pass in on $ext_if proto udp to ($ext_if) port isakmp

My two enc0 interfaces are up.

If you find my mistake(s), have ideas, or need more information, please tell me. Full configuration files and the isakmpd log are available at: http://www.kalessin.fr/stuff/openbsd_ipsec.tar.gz

Best Regards,
Louis Opter.
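Since the message gives both the exact log line and the pubkeys/ipv4/ layout, here is an added check (not part of Louis's post or of OpenBSD) that extracts the ID isakmpd used in its credential lookup and compares it with the key files actually installed; the log text is reconstructed from the message, and 203.0.113.10 is a constructed stand-in for $dugny_addr. The mismatch it reports is the one the message asks about: the key was filed under the peer's public address while the lookup used 192.168.1.159.

```shell
#!/bin/sh
# Added example: cross-check the peer ID isakmpd reports in its keynote
# lookup against the public keys installed under <isakmpd_dir>/pubkeys/ipv4/.
# Log lines are constructed from the post; 203.0.113.10 stands in for $dugny_addr.
ISAKMPD_LOG_SAMPLE='Plcy 30 keynote_cert_obtain: failed to open "/etc/isakmpd/keynote//192.168.1.159/credentials"
Default rsa_sig_decode_hash: no public key found
Default dropped message from 203.0.113.10 port 4500 due to notification type INVALID_ID_INFORMATION'

# Print the ID isakmpd tried to look up: the path component between
# "keynote//" and "/credentials" in the first keynote_cert_obtain line.
peer_id_from_log() {
    printf '%s\n' "$1" | sed -n 's|.*keynote//\([^/]*\)/credentials.*|\1|p' | head -n 1
}

# Print "ok" if <isakmpd_dir>/pubkeys/ipv4/<id> exists as a regular file, else "missing".
pubkey_status() {
    if [ -f "$1/pubkeys/ipv4/$2" ]; then echo ok; else echo missing; fi
}

# Print the IDs for which a key file is installed, one per line (nothing if none).
installed_pubkey_ids() {
    for f in "$1"/pubkeys/ipv4/*; do
        [ -f "$f" ] && basename "$f"
    done
    return 0
}

# Demo against a constructed copy of the poster's layout: the key was stored
# under the peer's public address, but isakmpd asked for 192.168.1.159.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/pubkeys/ipv4"
echo "placeholder public key (constructed)" > "$demo_dir/pubkeys/ipv4/203.0.113.10"

want=$(peer_id_from_log "$ISAKMPD_LOG_SAMPLE")
echo "isakmpd looked for ID: $want -> $(pubkey_status "$demo_dir" "$want")"
echo "keys installed for:    $(installed_pubkey_ids "$demo_dir" | tr '\n' ' ')"
rm -r "$demo_dir"
```

Point it at /etc/isakmpd and the real isakmpd log to see which ID the peer actually presents and whether a key file of that name is present.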