From owner-freebsd-security Wed Nov 20 13:53:10 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B0C7E37B401 for ; Wed, 20 Nov 2002 13:53:02 -0800 (PST) Received: from saul.cis.upenn.edu (SAUL.CIS.UPENN.EDU [158.130.12.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5D57143E4A for ; Wed, 20 Nov 2002 13:53:01 -0800 (PST) (envelope-from agoodloe@saul.cis.upenn.edu) Received: from saul.cis.upenn.edu (localhost [127.0.0.1]) by saul.cis.upenn.edu (8.12.5/8.12.5) with ESMTP id gAKLqpsx024431 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO) for ; Wed, 20 Nov 2002 16:52:51 -0500 (EST) Received: from localhost (agoodloe@localhost) by saul.cis.upenn.edu (8.12.5/8.12.5/Submit) with ESMTP id gAKLqoPl024427 for ; Wed, 20 Nov 2002 16:52:50 -0500 (EST) Date: Wed, 20 Nov 2002 16:52:50 -0500 (EST) From: Alwyn Goodloe To: freebsd-security@freebsd.org Subject: IKE/RSA problems Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, I've done a number of ipsec configurations using shared keys but must now use racoon with RSA. I'm using FreeBSD 4.7. In this first little experiment I'm trying to get two machines (server--192.168.3.1 and client -- 192.168.3.2) to establish a connection. It never makes it into phase II. On the client side I keep getting the error message: >>2002-11-20 15:09:37: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: KAME/racoon >>2002-11-20 15:09:37: WARNING: ipsec_doi.c:3059:ipsecdoi_checkid1(): ID value mismatched. >>2002-11-20 15:09:37: ERROR: crypto_openssl.c:483:eay_get_x509subjectaltname(): >>2002-11-20 15:09:37: ERROR: oakley.c:1621:oakley_check_certid(): failed to get subjectAltName On the server side I keep getting: >>2002-11-20 17:06:25: DEBUG: isakmp.c:2245:isakmp_printpacket(): begin. >>2002-11-20 17:06:25: DEBUG: isakmp.c:1109:isakmp_parsewoh(): begin. >>2002-11-20 17:06:25: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=8(hash) >>2002-11-20 17:06:25: DEBUG: isakmp.c:1136:isakmp_parsewoh(): seen nptype=11(notify) >>2002-11-20 17:06:25: DEBUG: isakmp.c:1175:isakmp_parsewoh(): succeed. >>2002-11-20 17:06:25: ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. >>2002-11-20 17:06:25: DEBUG: isakmp_inf.c:798:isakmp_info_recv_n(): notification message 20:INVALID-CERTIFICATE, doi=1 proto_id=1 spi=(size=0). >>2002-11-20 17:06:45: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.3.1[500] >>2002-11-20 17:06:45: DEBUG: sockmisc.c:423:sendfromto(): send packet from 192.168.3.1[500] >>2002-11-20 17:06:45: DEBUG: sockmisc.c:425:sendfromto(): send packet to 192.168.3.2[500] >>2002-11-20 17:06:45: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 1098 bytes message will be sent to 192.168.3.1[500] The conf files are provided below. Can anybody provide some insight ti this problem??? Alwyn Goodloe agoodloe@gradient.cis.upenn.edu -----------SERVER CONF----------------------- # $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $ # "path" must be placed before it should be used. # You can overwrite which you defined, but it should not use due to confusing. path include "/usr/local/etc/racoon" ; #include "remote.conf" ; # search this file for pre_shared_key with various ID key. path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; # racoon will look for certificate file in the directory, # if the certificate/certificate request payload is received. path certificate "/usr/local/etc/racoon/certs" ; # "log" specifies logging level. It is followed by either "notify", "debug" # or "debug2". log debug; # "padding" defines some parameter of padding. You should not touch these. padding { maximum_length 20; # maximum padding length. randomize off; # enable randomize length. strict_check off; # enable strict check. exclusive_tail off; # extract last one octet. } # if no listen directive is specified, racoon will listen to all # available interface addresses. listen { #isakmp ::1 [7000]; #isakmp 202.249.11.124 [500]; #admin [7002]; # administrative's port by kmpstat. #strict_address; # required all addresses must be bound. } # Specification of default various timer. timer { # These value can be changed per remote node. counter 5; # maximum trying count to send. interval 20 sec; # maximum interval to resend. persend 1; # the number of packets per a send. # timer for waiting to complete each phase. phase1 30 sec; phase2 15 sec; } remote anonymous { #exchange_mode main,aggressive; exchange_mode aggressive,main; #doi ipsec_doi; situation identity_only; my_identifier address 192.168.3.1; peers_identifier address 192.168.3.2; certificate_type x509 "seclab-dell3.crt" "seclab-dell3.key"; peers_certfile "seclab-micron5.crt"; initial_contact on; nonce_size 16; lifetime time 44 hour; # sec,min,hour proposal { encryption_algorithm 3des; hash_algorithm md5; authentication_method rsasig; dh_group 2 ; } } sainfo anonymous { pfs_group 1; lifetime time 30 sec; encryption_algorithm 3des ; authentication_algorithm hmac_sha1; compression_algorithm deflate ; } sainfo address 203.178.141.209 any address 203.178.141.218 any { pfs_group 1; lifetime time 30 sec; encryption_algorithm des ; authentication_algorithm hmac_md5; compression_algorithm deflate ; } sainfo address ::1 icmp6 address ::1 icmp6 { pfs_group 1; lifetime time 60 sec; encryption_algorithm 3des, cast128, blowfish 448, des ; authentication_algorithm hmac_sha1, hmac_md5 ; compression_algorithm deflate ; } -----------------CLIENT CONF ------------------- # $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $ # "path" must be placed before it should be used. # You can overwrite which you defined, but it should not use due to confusing. path include "/usr/local/etc/racoon" ; #include "remote.conf" ; # search this file for pre_shared_key with various ID key. path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; # racoon will look for certificate file in the directory, # if the certificate/certificate request payload is received. path certificate "/usr/local/etc/racoon/certs" ; # "log" specifies logging level. It is followed by either "notify", "debug" # or "debug2". #log debug; # "padding" defines some parameter of padding. You should not touch these. padding { maximum_length 20; # maximum padding length. randomize off; # enable randomize length. strict_check off; # enable strict check. exclusive_tail off; # extract last one octet. } # if no listen directive is specified, racoon will listen to all # available interface addresses. listen { #isakmp ::1 [7000]; #isakmp 202.249.11.124 [500]; #admin [7002]; # administrative's port by kmpstat. #strict_address; # required all addresses must be bound. } # Specification of default various timer. timer { # These value can be changed per remote node. counter 5; # maximum trying count to send. interval 20 sec; # maximum interval to resend. persend 1; # the number of packets per a send. # timer for waiting to complete each phase. phase1 30 sec; phase2 15 sec; } remote anonymous { #exchange_mode main,aggressive; exchange_mode aggressive,main; #doi ipsec_doi; situation identity_only; my_identifier address 192.168.3.2; peers_identifier address 192.168.3.1; certificate_type x509 "seclab-micron5.crt" "seclab-micron5.key"; peers_certfile "seclab-dell3.crt"; nonce_size 16; lifetime time 44 hour; # sec,min,hour initial_contact on; proposal_check obey; proposal { encryption_algorithm 3des; hash_algorithm md5; authentication_method rsasig ; dh_group 2 ; } } sainfo anonymous { pfs_group 1; lifetime time 30 sec; encryption_algorithm 3des ; authentication_algorithm hmac_sha1; compression_algorithm deflate ; } sainfo address 203.178.141.209 any address 203.178.141.218 any { pfs_group 1; lifetime time 30 sec; encryption_algorithm des ; authentication_algorithm hmac_md5; compression_algorithm deflate ; } sainfo address ::1 icmp6 address ::1 icmp6 { pfs_group 1; lifetime time 60 sec; encryption_algorithm 3des, cast128, blowfish 448, des ; authentication_algorithm hmac_sha1, hmac_md5 ; compression_algorithm deflate ; } To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message