On 06.03.2009 at 22:56, Toni Mueller wrote:
Hi,
I'm trying to get a VPN connection to work which should actually be a
no-brainer (and I have quite similar things out there, for years):
network 1
|
Linux w/ isakmpd ("u...@road-warrior")
|
|
Internet
|
|
OpenBSD w/ isakmpd ("office-router")
|
network 2
Authentication should be done with X.509 certificates. I have my small
CA that issues these certificates. On startup, OpenBSD reads all
required certificates from /etc/isakmpd/{certs,ca} plus its key from
/etc/isakmpd/private just fine (I double-checked using openssl and
grep), but when it comes to checking the client's incoming cert, it goes
like this:
223644.842092 Plcy 30 keynote_cert_obtain: failed to open "/etc/isakmpd/keynote//u...@road-warrior/credentials"
223644.842516 Default get_raw_key_from_file: monitor_fopen ("/etc/isakmpd/pubkeys//ufqdn/u...@road-warrior", "r") failed: Permission denied
?? Permission denied? Could this be the problem?
-Heinrich
223644.842707 Default rsa_sig_decode_hash: no public key found
223644.842903 Default dropped message from 1.2.3.4 port 500 due to notification type INVALID_ID_INFORMATION
In isakmpd.policy(5), I read:
"When X509-based authentication is performed in Main Mode, any X509 certificates received from the remote IKE daemon are converted to very simple KeyNote credentials. The conversion is straightforward: the issuer of the X509 certificate becomes the Authorizer of the KeyNote credential, the subject becomes the only Licensees entry, while the Conditions field simply asserts that the credential is only valid for "IPsec policy" use (see the app_domain action attribute below)."
Please note that the Linux box can identify the OpenBSD box just fine,
too. It's only that the OpenBSD box (various 4.5 snapshots, actually,
the latest being "4.5 GENERIC.MP#63 i386" of Feb 10th) doesn't seem to
do this conversion of certificates to credentials anymore, or I'm making
some stupid mistake that I'm too blind to see.
Any help is much appreciated!
--
Kind regards,
--Toni++
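The conversion quoted from isakmpd.policy(5) above (issuer becomes the Authorizer, subject becomes the only Licensees entry, Conditions pinned to the "IPsec policy" app_domain) is easy to reproduce outside isakmpd. The script below is an added example, not code from the thread or from OpenBSD: it builds a throwaway CA and a client certificate with openssl, runs the chain check that must succeed before any policy evaluation can (the same `openssl verify -CAfile` check you would run against the files in /etc/isakmpd/ca and /etc/isakmpd/certs), and prints the credential that the manpage describes. The CA name, the subject, the rsa:2048 key size and the "DN:" prefix on the names are assumptions made for the example; the real daemon's exact one-line DN formatting may differ from openssl's compat output.

```shell
#!/bin/sh
# Added example (not from the original thread or from isakmpd): build a
# throwaway CA plus a client certificate, verify the chain with openssl,
# and render the issuer/subject pair as the "very simple KeyNote
# credential" isakmpd.policy(5) says the daemon derives from an X.509
# cert.  All names below are made-up test values.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hypothetical CA, valid for one day, self-signed.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/C=DE/O=Example VPN CA/CN=Example VPN CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Client certificate issued by that CA; the UFQDN-style CN mirrors the
# "user@road-warrior" identity type seen in the log, but is a placeholder.
make_client() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=DE/O=Example VPN CA/CN=user@road-warrior" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -sha256 -in "$WORK/client.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/client.crt" >/dev/null 2>&1
}

# The check that has to pass before isakmpd can do anything with the peer's
# cert: does the CA we trust actually chain to it?  Exit status 0 means yes.
verify_client() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1
}

# Render the credential described in the manpage: issuer -> Authorizer,
# subject -> Licensees, Conditions fixed to the IPsec app_domain.
# "-nameopt compat" gives openssl's old /C=../O=../CN=.. one-line form on
# every openssl version; the sed strips the "issuer=" / "subject=" label.
credential_from_cert() {
    issuer=$(openssl x509 -in "$WORK/client.crt" -noout -issuer -nameopt compat \
             | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$WORK/client.crt" -noout -subject -nameopt compat \
              | sed 's/^subject= *//')
    printf 'KeyNote-Version: 2\n'
    printf 'Authorizer: "DN:%s"\n' "$issuer"
    printf 'Licensees: "DN:%s"\n' "$subject"
    printf 'Conditions: app_domain == "IPsec policy" -> "true";\n'
}

make_ca
make_client
if verify_client; then
    echo "client certificate chains to the CA"
else
    echo "client certificate does NOT chain to the CA" >&2
fi
credential_from_cert
```

On the real gateway the equivalent check is `openssl verify -CAfile /etc/isakmpd/ca/<your-ca>.pem <peer-cert>.pem`; a credential whose Authorizer is not one of the trusted CA DNs can never satisfy a policy, and a cert that fails the chain check never gets as far as the policy engine. The "Permission denied" from monitor_fopen is a separate question from the conversion itself, and is worth confirming with `ls -ld /etc/isakmpd /etc/isakmpd/*` before looking at the policy.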