IKE/RSA problems
From: Alwyn Goodloe (agoodloe@saul.cis.upenn.edu)
Date: 11/20/02
- Next message: Josef Pojsl: "Re: IKE/RSA problems"
- Previous message: Stephan Eckner: "Blocking non-IP traffic on an IPFW-Bridge"
- Next in thread: Josef Pojsl: "Re: IKE/RSA problems"
- Reply: Josef Pojsl: "Re: IKE/RSA problems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 20 Nov 2002 16:52:50 -0500 (EST) From: Alwyn Goodloe <agoodloe@saul.cis.upenn.edu> To: freebsd-security@freebsd.org
Hi,
I've done a number of ipsec configurations using shared keys but
must now use racoon with RSA. I'm using FreeBSD 4.7.
In this first little experiment I'm trying to get two machines
(server--192.168.3.1 and client -- 192.168.3.2) to establish a
connection. It never makes it into phase II.
On the client side I keep getting the error message:
>>2002-11-20 15:09:37: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: KAME/racoon
>>2002-11-20 15:09:37: WARNING: ipsec_doi.c:3059:ipsecdoi_checkid1(): ID value mismatched.
>>2002-11-20 15:09:37: ERROR: crypto_openssl.c:483:eay_get_x509subjectaltname():
>>2002-11-20 15:09:37: ERROR: oakley.c:1621:oakley_check_certid(): failed to get subjectAltName
On the server side I keep getting:
>>2002-11-20 17:06:25: DEBUG: isakmp.c:2245:isakmp_printpacket(): begin.
>>2002-11-20 17:06:25: DEBUG: isakmp.c:1109:isakmp_parsewoh(): begin.
>>2002-11-20 17:06:25: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=8(hash)
>>2002-11-20 17:06:25: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=11(notify)
>>2002-11-20 17:06:25: DEBUG: isakmp.c:1175:isakmp_parsewoh(): succeed.
>>2002-11-20 17:06:25: ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
>>2002-11-20 17:06:25: DEBUG: isakmp_inf.c:798:isakmp_info_recv_n(): notification message 20:INVALID-CERTIFICATE, doi=1 proto_id=1 spi=(size=0).
>>2002-11-20 17:06:45: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.3.1[500]
>>2002-11-20 17:06:45: DEBUG: sockmisc.c:423:sendfromto(): send packet from 192.168.3.1[500]
>>2002-11-20 17:06:45: DEBUG: sockmisc.c:425:sendfromto(): send packet to 192.168.3.2[500]
>>2002-11-20 17:06:45: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 1098 bytes message will be sent to 192.168.3.1[500]
The conf files are provided below.
Can anybody provide some insight ti this problem???
Alwyn Goodloe
agoodloe@gradient.cis.upenn.edu
-----------SERVER CONF-----------------------
# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to confusing.
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;
# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/usr/local/etc/racoon/certs" ;
# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
log debug;
# "padding" defines some parameter of padding. You should not touch these.
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
#isakmp ::1 [7000];
#isakmp 202.249.11.124 [500];
#admin [7002]; # administrative's port by kmpstat.
#strict_address; # required all addresses must be bound.
}
# Specification of default various timer.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
# timer for waiting to complete each phase.
phase1 30 sec;
phase2 15 sec;
}
remote anonymous
{
#exchange_mode main,aggressive;
exchange_mode aggressive,main;
#doi ipsec_doi;
situation identity_only;
my_identifier address 192.168.3.1;
peers_identifier address 192.168.3.2;
certificate_type x509 "seclab-dell3.crt" "seclab-dell3.key";
peers_certfile "seclab-micron5.crt";
initial_contact on;
nonce_size 16;
lifetime time 44 hour; # sec,min,hour
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method rsasig;
dh_group 2 ;
}
}
sainfo anonymous
{
pfs_group 1;
lifetime time 30 sec;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}
sainfo address 203.178.141.209 any address 203.178.141.218 any
{
pfs_group 1;
lifetime time 30 sec;
encryption_algorithm des ;
authentication_algorithm hmac_md5;
compression_algorithm deflate ;
}
sainfo address ::1 icmp6 address ::1 icmp6
{
pfs_group 1;
lifetime time 60 sec;
encryption_algorithm 3des, cast128, blowfish 448, des ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
-----------------CLIENT CONF -------------------
# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to confusing.
path include "/usr/local/etc/racoon" ;
#include "remote.conf" ;
# search this file for pre_shared_key with various ID key.
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/usr/local/etc/racoon/certs" ;
# "log" specifies logging level. It is followed by either "notify", "debug"
# or "debug2".
#log debug;
# "padding" defines some parameter of padding. You should not touch these.
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
#isakmp ::1 [7000];
#isakmp 202.249.11.124 [500];
#admin [7002]; # administrative's port by kmpstat.
#strict_address; # required all addresses must be bound.
}
# Specification of default various timer.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
# timer for waiting to complete each phase.
phase1 30 sec;
phase2 15 sec;
}
remote anonymous
{
#exchange_mode main,aggressive;
exchange_mode aggressive,main;
#doi ipsec_doi;
situation identity_only;
my_identifier address 192.168.3.2;
peers_identifier address 192.168.3.1;
certificate_type x509 "seclab-micron5.crt" "seclab-micron5.key";
peers_certfile "seclab-dell3.crt";
nonce_size 16;
lifetime time 44 hour; # sec,min,hour
initial_contact on;
proposal_check obey;
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method rsasig ;
dh_group 2 ;
}
}
sainfo anonymous
{
pfs_group 1;
lifetime time 30 sec;
encryption_algorithm 3des ;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}
sainfo address 203.178.141.209 any address 203.178.141.218 any
{
pfs_group 1;
lifetime time 30 sec;
encryption_algorithm des ;
authentication_algorithm hmac_md5;
compression_algorithm deflate ;
}
sainfo address ::1 icmp6 address ::1 icmp6
{
pfs_group 1;
lifetime time 60 sec;
encryption_algorithm 3des, cast128, blowfish 448, des ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
- Next message: Josef Pojsl: "Re: IKE/RSA problems"
- Previous message: Stephan Eckner: "Blocking non-IP traffic on an IPFW-Bridge"
- Next in thread: Josef Pojsl: "Re: IKE/RSA problems"
- Reply: Josef Pojsl: "Re: IKE/RSA problems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
