4.0 -> 4.1 broke ipsec

Email lists > OpenBSD Miscellaneous topics

Thread: 4.0 -> 4.1 broke ipsec

Search this list only Search all lists
4.0 -> 4.1 broke ipsec
Germany	2007-07-06 04:41:22
Hello list, after using ipsec for some years now, i never experienced an upgrade breaking it. But after after moving to 4.1 (new install) i can not get it to work anymore. I have copied the complete /etc/isakmpd directory from the 4.0 installation to the new one and also copied /etc/imakmpd/private/local.pub to /etc/isakmpd Below is a snippet from the output of "isakmpd -d -DA=70" on my gateway: The peer antbook3 is trying to establish a connection, but the local isakmpd cannot validate antbook3's cert. antbook3's installation has not changed at all. I have never seen the message "unable to get local issuer certificate" before. 111621.667743 Mesg 50 message_parse_payloads: offset 28 payload ID 111621.667812 Mesg 50 message_parse_payloads: offset 62 payload CERT 111621.667852 Mesg 50 message_parse_payloads: offset 799 payload SIG 111621.667924 Mesg 60 message_validate_payloads: payload ID at 0x8810241c of message 0x88f39500 111621.668011 Mesg 70 TYPE: 2 111621.668052 Mesg 70 DOI_DATA: 000000 111621.668128 Mesg 70 DATA: 111621.668210 Mesg 40 ipsec_validate_id_information: proto 0 port 0 type 2 111621.668251 Mesg 60 message_validate_payloads: payload CERT at 0x8810243e of message 0x88f39500 111621.668313 Mesg 70 ENCODING: X509_SIG 111621.668348 Mesg 70 DATA: 111621.668431 Mesg 60 message_validate_payloads: payload SIG at 0x8810271f of message 0x88f39500 111621.668503 Mesg 70 DATA: 111621.668542 Trpt 70 transport_release: freeing 0x813c5c40 111621.668617 Misc 30 ipsec_responder: phase 1 exchange 2 step 4 111621.668707 Negt 40 ike_phase_1_recv_ID: FQDN: 111621.668755 Negt 40 616e7462 6f6f6b33 2e616e74 2e756e69 2d627265 6d656e2e 6465 111621.668827 Cryp 70 x509_hash_find: no certificate matched query 111621.669061 Default x509_cert_validate: unable to get local issuer certificate 111621.669224 Default rsa_sig_decode_hash: received CERT can't be validated 111621.672638 Negt 50 get_raw_key_from_file: file /etc/isakmpd/pubkeys//fqdn/antbook3.ant.uni-bremen.de not found 111621.672685 Default rsa_sig_decode_hash: no public key found 111621.672731 Default dropped message from 172.21.113.59 port 500 due to notification type INVALID_ID_INFORMATION Verifying the cert by hand: rootantbook3 [/etc/isakmpd/certs] # openssl verify -CAfile ../ca/ca.crt antbook3.crt antbook3.crt: OK rootantbook3 [/etc/isakmpd/certs] # md5 ../ca/ca.crt MD5 (../ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00 Making sure that the gateway uses the same ca crt: rootfrw2 [~] # md5 /etc/isakmpd/ca/ca.crt MD5 (/etc/isakmpd/ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00 I will happily post more information if needed, but i am unsure if i can post the output of "openssl x509 -text ..." of a cert. Would this enable someone else to use it? Thanks for any hints Heinrich -- Heinrich Rebehn University of Bremen Physics / Electrical and Electronics Engineering - Department of Telecommunications - Phone : +49/421/218-4664 Fax : -3341

Re: 4.0 -> 4.1 broke ipsec
	2007-07-07 07:59:31
pf is probably the problem, 'keep state' is assumed unless explicitelly stated otherwise. On 7/6/07, Heinrich Rebehn <rebehnant.uni-bremen.de> wrote: > Hello list, > > after using ipsec for some years now, i never experienced an upgrade > breaking it. But after after moving to 4.1 (new install) i can not get > it to work anymore. I have copied the complete /etc/isakmpd directory > from the 4.0 installation to the new one and also copied > /etc/imakmpd/private/local.pub to /etc/isakmpd > > Below is a snippet from the output of "isakmpd -d -DA=70" on my gateway: > > The peer antbook3 is trying to establish a connection, but the local > isakmpd cannot validate antbook3's cert. antbook3's installation has not > changed at all. > I have never seen the message "unable to get local issuer certificate" > before. > > 111621.667743 Mesg 50 message_parse_payloads: offset 28 payload ID > 111621.667812 Mesg 50 message_parse_payloads: offset 62 payload CERT > 111621.667852 Mesg 50 message_parse_payloads: offset 799 payload SIG > 111621.667924 Mesg 60 message_validate_payloads: payload ID at > 0x8810241c of message 0x88f39500 > 111621.668011 Mesg 70 TYPE: 2 > 111621.668052 Mesg 70 DOI_DATA: 000000 > 111621.668128 Mesg 70 DATA: > 111621.668210 Mesg 40 ipsec_validate_id_information: proto 0 port 0 type 2 > 111621.668251 Mesg 60 message_validate_payloads: payload CERT at > 0x8810243e of message 0x88f39500 > 111621.668313 Mesg 70 ENCODING: X509_SIG > 111621.668348 Mesg 70 DATA: > 111621.668431 Mesg 60 message_validate_payloads: payload SIG at > 0x8810271f of message 0x88f39500 > 111621.668503 Mesg 70 DATA: > 111621.668542 Trpt 70 transport_release: freeing 0x813c5c40 > 111621.668617 Misc 30 ipsec_responder: phase 1 exchange 2 step 4 > 111621.668707 Negt 40 ike_phase_1_recv_ID: FQDN: > 111621.668755 Negt 40 616e7462 6f6f6b33 2e616e74 2e756e69 2d627265 > 6d656e2e 6465 > 111621.668827 Cryp 70 x509_hash_find: no certificate matched query > 111621.669061 Default x509_cert_validate: unable to get local issuer > certificate > 111621.669224 Default rsa_sig_decode_hash: received CERT can't be validated > 111621.672638 Negt 50 get_raw_key_from_file: file > /etc/isakmpd/pubkeys//fqdn/antbook3.ant.uni-bremen.de not found > 111621.672685 Default rsa_sig_decode_hash: no public key found > 111621.672731 Default dropped message from 172.21.113.59 port 500 due to > notification type INVALID_ID_INFORMATION > > > Verifying the cert by hand: > > rootantbook3 [/etc/isakmpd/certs] # openssl verify -CAfile ../ca/ca.crt > antbook3.crt > antbook3.crt: OK > rootantbook3 [/etc/isakmpd/certs] # md5 ../ca/ca.crt > MD5 (../ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00 > > Making sure that the gateway uses the same ca crt: > rootfrw2 [~] # md5 /etc/isakmpd/ca/ca.crt > MD5 (/etc/isakmpd/ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00 > > I will happily post more information if needed, but i am unsure if i can > post the output of "openssl x509 -text ..." of a cert. Would this enable > someone else to use it? > > Thanks for any hints > > Heinrich > -- > > Heinrich Rebehn > > University of Bremen > Physics / Electrical and Electronics Engineering > - Department of Telecommunications - > > Phone : +49/421/218-4664 > Fax : -3341 > > -- almir

Re: 4.0 -> 4.1 broke ipsec
Germany	2007-07-07 08:47:17
Almir Karic wrote: > pf is probably the problem, 'keep state' is assumed unless > explicitelly stated otherwise. > > > > On 7/6/07, Heinrich Rebehn <rebehnant.uni-bremen.de> wrote: >> Hello list, >> >> after using ipsec for some years now, i never experienced an upgrade >> breaking it. But after after moving to 4.1 (new install) i can not get >> it to work anymore. I have copied the complete /etc/isakmpd directory >> from the 4.0 installation to the new one and also copied >> /etc/imakmpd/private/local.pub to /etc/isakmpd >> >> Below is a snippet from the output of "isakmpd -d -DA=70" on my gateway: >> >> The peer antbook3 is trying to establish a connection, but the local >> isakmpd cannot validate antbook3's cert. antbook3's installation has not >> changed at all. >> I have never seen the message "unable to get local issuer certificate" >> before. >> >> 111621.667743 Mesg 50 message_parse_payloads: offset 28 payload ID >> 111621.667812 Mesg 50 message_parse_payloads: offset 62 payload CERT >> 111621.667852 Mesg 50 message_parse_payloads: offset 799 payload SIG >> 111621.667924 Mesg 60 message_validate_payloads: payload ID at >> 0x8810241c of message 0x88f39500 >> 111621.668011 Mesg 70 TYPE: 2 >> 111621.668052 Mesg 70 DOI_DATA: 000000 >> 111621.668128 Mesg 70 DATA: >> 111621.668210 Mesg 40 ipsec_validate_id_information: proto 0 port 0 >> type 2 >> 111621.668251 Mesg 60 message_validate_payloads: payload CERT at >> 0x8810243e of message 0x88f39500 >> 111621.668313 Mesg 70 ENCODING: X509_SIG >> 111621.668348 Mesg 70 DATA: >> 111621.668431 Mesg 60 message_validate_payloads: payload SIG at >> 0x8810271f of message 0x88f39500 >> 111621.668503 Mesg 70 DATA: >> 111621.668542 Trpt 70 transport_release: freeing 0x813c5c40 >> 111621.668617 Misc 30 ipsec_responder: phase 1 exchange 2 step 4 >> 111621.668707 Negt 40 ike_phase_1_recv_ID: FQDN: >> 111621.668755 Negt 40 616e7462 6f6f6b33 2e616e74 2e756e69 2d627265 >> 6d656e2e 6465 >> 111621.668827 Cryp 70 x509_hash_find: no certificate matched query >> 111621.669061 Default x509_cert_validate: unable to get local issuer >> certificate >> 111621.669224 Default rsa_sig_decode_hash: received CERT can't be >> validated >> 111621.672638 Negt 50 get_raw_key_from_file: file >> /etc/isakmpd/pubkeys//fqdn/antbook3.ant.uni-bremen.de not found >> 111621.672685 Default rsa_sig_decode_hash: no public key found >> 111621.672731 Default dropped message from 172.21.113.59 port 500 due to >> notification type INVALID_ID_INFORMATION >> >> >> Verifying the cert by hand: >> >> rootantbook3 [/etc/isakmpd/certs] # openssl verify -CAfile ../ca/ca.crt >> antbook3.crt >> antbook3.crt: OK >> rootantbook3 [/etc/isakmpd/certs] # md5 ../ca/ca.crt >> MD5 (../ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00 >> >> Making sure that the gateway uses the same ca crt: >> rootfrw2 [~] # md5 /etc/isakmpd/ca/ca.crt >> MD5 (/etc/isakmpd/ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00 >> >> I will happily post more information if needed, but i am unsure if i can >> post the output of "openssl x509 -text ..." of a cert. Would this enable >> someone else to use it? >> >> Thanks for any hints >> >> Heinrich >> -- >> >> Heinrich Rebehn >> >> University of Bremen >> Physics / Electrical and Electronics Engineering >> - Department of Telecommunications - >> >> Phone : +49/421/218-4664 >> Fax : -3341 >> >> > > But how should "keep state" be harmfull for ipsec? Why would it cause verification of the certs to fail? Just tried passing port 500 and 4500 with "no state". Does not help. --Heinrich

[1-3]

about | contact Other archives ( Real Estate discussion Medical topics )

Mailing lists