Eric Belhomme
2009-03-13 18:16:32 UTC
Hi,
I'm in the process of upgrading an existing NetBSD gateway to a fresh
new OpenBSD gateway.
So I have to re-create the IPsec tunnel between other NetBSD and Linux
gateways.
I should mention that I am more familiar with the racoon/setkey pair than
with the ipsecctl/isakmpd pair (in fact, it's the first time I use IPsec on
OpenBSD).
So here is how I proceeded:
o I created gif interfaces for tunneling traffic between my gateways:
ifconfig gif0 create 10.20.31.1 10.20.31.2 netmask 255.255.255.255
tunnel x.x.x.190 x.x.x.145
The gif tunnels are working on both netBSD and Linux endpoints.
Then I tried to convert my racoon and ipsec setup to the OpenBSD scheme:
- copying my CA cert to /etc/isakmpd/ca/ca.crt
- copying my host private key to /etc/isakmpd/private/local.key
- copying my host public key to /etc/isakmpd/keynote/<my
FQDN>/credentials
- editing /etc/ipsec.conf like this:
ike dynamic esp transport from 10.20.31.1 to 10.20.31.2 \
local x.x.x.190 peer x.x.x.145 \
main auth hmac-sha1 enc 3des group modp1024
The thing I can't figure out is HOW the X.509 certificates are handled,
because I'm not sure I did the right things:
On the racoon side I get these errors:
Mar 13 18:09:49 gw racoon: ERROR: no peer's CERT payload found.
Mar 13 18:09:56 gw racoon: WARNING: ignore INITIAL-CONTACT notification,
because it is only accepted after phase1.
Mar 13 18:09:56 gw racoon: WARNING: No ID match.
Mar 13 18:09:56 gw racoon: ERROR: no peer's CERT payload found.
Mar 13 18:10:39 gw racoon: ERROR: phase1 negotiation failed due to time
up. 69f8819d392c1514:0d37bc20084a06be
Mar 13 18:11:12 gw racoon: ERROR: Invalid CERT type 11
Thanks for any pointers you could provide!
--
Eric Belhomme
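An added example, not part of the post: a small Python parser for the racoon log excerpt above (the sample is the post's own lines, embedded as a constructed string) that re-joins the two entries the mail client wrapped, extracts the initiator:responder ISAKMP cookie pair, and maps each phase 1 error to what it tells the operator. The certificate encoding table is RFC 2408's; the remark that isakmpd uses the non-standard value 11 for KeyNote credentials is my reading of the isakmpd source, not something the post states.

```python
import re
# Constructed sample: the racoon syslog excerpt from the post, including the two
# entries that the mail client wrapped onto a second line.
SAMPLE_LOG = """\
Mar 13 18:09:49 gw racoon: ERROR: no peer's CERT payload found.
Mar 13 18:09:56 gw racoon: WARNING: ignore INITIAL-CONTACT notification,
because it is only accepted after phase1.
Mar 13 18:09:56 gw racoon: WARNING: No ID match.
Mar 13 18:09:56 gw racoon: ERROR: no peer's CERT payload found.
Mar 13 18:10:39 gw racoon: ERROR: phase1 negotiation failed due to time
up. 69f8819d392c1514:0d37bc20084a06be
Mar 13 18:11:12 gw racoon: ERROR: Invalid CERT type 11
"""

ENTRY = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) racoon: "
                   r"(?P<level>ERROR|WARNING|NOTIFY|INFO|DEBUG): (?P<msg>.*)$")
COOKIES = re.compile(r"\b([0-9a-f]{16}):([0-9a-f]{16})\b")  # initiator:responder
# IKEv1 certificate encoding types from RFC 2408 section 3.9; 11 is not in that
# table, isakmpd uses it privately for KeyNote credentials (my reading of its source)
CERT_ENCODINGS = {1: "PKCS#7 wrapped X.509", 2: "PGP", 3: "DNS signed key",
                  4: "X.509 signature", 5: "X.509 key exchange", 6: "Kerberos tokens",
                  7: "CRL", 8: "ARL", 9: "SPKI", 10: "X.509 attribute",
                  11: "not an RFC 2408 type; isakmpd's private KeyNote encoding"}

def parse_racoon_log(text):
    """Return one dict per log entry, re-joining lines the mailer wrapped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append(m.groupdict())
        elif entries:  # no syslog prefix: continuation of the previous entry
            entries[-1]["msg"] += " " + line.strip()
    for e in entries:
        c = COOKIES.search(e["msg"])
        e["cookies"] = (c.group(1), c.group(2)) if c else None
    return entries

def diagnose(entries):
    """Translate the phase 1 errors into what they tell the operator."""
    findings = []
    for e in entries:
        msg = e["msg"]
        if "no peer's CERT payload found" in msg:
            findings.append("peer sent no X.509 certificate in phase 1")
        elif msg.startswith("Invalid CERT type"):
            t = int(msg.split()[-1])
            findings.append(f"peer sent CERT encoding {t}: {CERT_ENCODINGS.get(t, 'unknown')}")
        elif "phase1 negotiation failed" in msg and e["cookies"]:
            findings.append("phase 1 timed out for cookies %s:%s" % e["cookies"])
    return findings
```

Run over the excerpt it reports, in order, the two missing-certificate errors, the timed-out exchange with its cookie pair, and the unrecognised encoding 11, which is the first thing to check against the peer's credential layout.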