Hi, I'm in the process of upgrading an existing NetBSD gateway to a fresh new OpenBSD gateway. So I have to re-create the IPsec tunnels between the other NetBSD and Linux gateways.

I should point out that I am more familiar with the racoon/setkey pair than with the ipsecctl/isakmpd pair (in fact, it's the first time I use IPsec on OpenBSD). So here is the way I proceeded:

o I created gif interfaces for tunneling traffic between my gateways:

    ifconfig gif0 create 10.20.31.1 10.20.31.2 netmask 255.255.255.255 tunnel x.x.x.190 x.x.x.145

  The gif tunnels are working on both the NetBSD and Linux endpoints.

o Then I tried to convert my racoon and ipsec setup to the OpenBSD scheme:

  - copying my CA cert to /etc/isakmpd/ca/ca.crt
  - copying my host private key to /etc/isakmpd/private/local.key
  - copying my host public key to /etc/isakmpd/keynote/<my FQDN>/credentials
  - editing /etc/ipsec.conf like this:

        ike dynamic esp transport from 10.20.31.1 to 10.20.31.2 \
            local x.x.x.190 peer x.x.x.145 \
            main auth hmac-sha1 enc 3des group modp1024

The thing I can't figure out is HOW the X.509 certificates are handled, because I'm not sure I did the right things. On the racoon side I get these errors:

    Mar 13 18:09:49 gw racoon: ERROR: no peer's CERT payload found.
    Mar 13 18:09:56 gw racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
    Mar 13 18:09:56 gw racoon: WARNING: No ID match.
    Mar 13 18:09:56 gw racoon: ERROR: no peer's CERT payload found.
    Mar 13 18:10:39 gw racoon: ERROR: phase1 negotiation failed due to time up. 69f8819d392c1514:0d37bc20084a06be
    Mar 13 18:11:12 gw racoon: ERROR: Invalid CERT type 11

Thanks for any pointers you could provide!

-- 
Eric Belhomme
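As an added check (not part of the original message), here is a shell function that verifies the local X.509 material isakmpd will use, before any IKE negotiation is attempted. It assumes the layout documented in isakmpd(8): CA certificates in ca/, the host's own certificate in certs/, and its RSA private key in private/local.key. It confirms the key parses, that a certificate in certs/ carries the matching public key, that the certificate chains to a CA in ca/, and optionally that its subjectAltName carries the expected IKE identity (the hypothetical second argument).

```shell
#!/bin/sh
# check_isakmpd_certs [BASE] [EXPECTED_ID]
#   BASE defaults to /etc/isakmpd. EXPECTED_ID (e.g. an FQDN or IP) is an
#   optional assumption: when given, the host cert's subjectAltName must
#   contain it, since isakmpd matches the IKE ID against subjectAltName.
# Returns 0 on success, 1 with a message on stderr otherwise.
check_isakmpd_certs() {
    base=${1:-/etc/isakmpd}
    want_id=$2
    key="$base/private/local.key"

    [ -r "$key" ] || { echo "missing or unreadable private key: $key" >&2; return 1; }
    openssl rsa -in "$key" -check -noout >/dev/null 2>&1 \
        || { echo "private key does not parse as RSA: $key" >&2; return 1; }
    key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null)

    # Find the certificate in certs/ whose SubjectPublicKeyInfo equals the
    # public half of local.key; a cert/key mismatch is a common silent failure.
    match=""
    for cert in "$base"/certs/*; do
        [ -f "$cert" ] || continue
        cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || continue
        if [ "$cert_pub" = "$key_pub" ]; then match=$cert; break; fi
    done
    [ -n "$match" ] || { echo "no cert in $base/certs matches $key" >&2; return 1; }

    # The host cert must be verifiable against at least one CA in ca/.
    ca_ok=0
    for ca in "$base"/ca/*; do
        [ -f "$ca" ] || continue
        openssl verify -CAfile "$ca" "$match" >/dev/null 2>&1 && { ca_ok=1; break; }
    done
    [ "$ca_ok" -eq 1 ] || { echo "$match is not signed by any CA in $base/ca" >&2; return 1; }

    # Report the subjectAltName, which is what the IKE ID is matched against.
    san=$(openssl x509 -in "$match" -noout -text 2>/dev/null \
          | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
    echo "host cert: $match (subjectAltName: ${san:-none})"
    if [ -n "$want_id" ]; then
        case "$san" in
            *"$want_id"*) ;;
            *) echo "subjectAltName of $match does not contain $want_id" >&2; return 1 ;;
        esac
    fi
    return 0
}
```

Run it as `check_isakmpd_certs /etc/isakmpd gw.example.org` on the OpenBSD gateway; a non-zero exit names the first inconsistency found.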