On 06.03.2009 at 22:56, Toni Mueller wrote:

Hi,

I'm trying to get a VPN connection to work which should actually be a
no-brainer (and I have quite similar things out there, for years):


network 1
   |
Linux w/ isakmpd ("u...@road-warrior")
   |
   |
Internet
   |
   |
OpenBSD w/ isakmpd ("office-router")
   |
network 2


Authentication should be done with X.509 certificates. I have my small
CA that issues these certificates. On startup, OpenBSD reads all
required certificates from /etc/isakmpd/{certs,ca} plus its key from
/etc/isakmpd/private just fine (I double-checked using openssl and
grep), but when it comes to checking the client's incoming cert, it goes
like this:


223644.842092 Plcy 30 keynote_cert_obtain: failed to open "/etc/isakmpd/keynote//u...@road-warrior/credentials"
223644.842516 Default get_raw_key_from_file: monitor_fopen ("/etc/isakmpd/pubkeys//ufqdn/u...@road-warrior", "r") failed: Permission denied

?? Permission denied? Could this be the problem?

-Heinrich

223644.842707 Default rsa_sig_decode_hash: no public key found
223644.842903 Default dropped message from 1.2.3.4 port 500 due to notification type INVALID_ID_INFORMATION


In isakmpd.policy(5), I read:
"When X509-based authentication is performed in Main Mode, any X509 certificates received from the remote IKE daemon are converted to very simple KeyNote credentials. The conversion is straightforward: the issuer of the X509 certificate becomes the Authorizer of the KeyNote credential, the subject becomes the only Licensees entry, while the Conditions field simply asserts that the credential is only valid for "IPsec policy" use (see the app_domain action attribute below)."


Please note that the Linux box can identify the OpenBSD box just fine,
too. It's only that the OpenBSD box (various 4.5 snapshots, actually,
the latest being "4.5 GENERIC.MP#63 i386" of Feb 10th) doesn't seem to do
this conversion of certificates to credentials anymore, or I'm making
some stupid mistake that I'm too blind to see.

Any help is much appreciated!


--
Kind regards,
--Toni++
