Hi,

I'm running an IPSEC setup using isakmpd.conf + isakmpd.policy, and
would like to move to using ipsec.conf instead.

First off, I noticed that, if isakmpd is running w/o the '-K' switch,
running 'ipsecctl -f somefile' results in a problem accessing
/var/run/isakmpd.fifo, with a "file does not exist" error.

I have cobbled together a very simple configuration, derived from the
classic East-West style config files that I already use (and which work
great). In /etc/isakmpd/certs I have the public part of an X.509
certificate for all affected parties, esp. the IPSEC peers, named like
this:

"1.2.3.4.crt" for a peer with id type IPV4_ADDR and an IP number of
1.2.3.4. For mobile users, I have certificates in the same directory
named "u...@example.com.crt" for a UFQDN id of "u...@example.com".
In /etc/isakmpd/private I have the machine's own private key file,
corresponding to its id (eg. "1.2.3.4.key" for a VPN gateway).

The tunnels are all set up mostly the same way, using main mode, X.509
certificates for authentication, PFS, tunnel mode, and IKE
configuration in case of mobile users.

To test my new ipsec.conf file, I temporarily moved the
isakmpd.{conf,policy} files out of the way, restarted isakmpd with -K,
and ran 'ipsecctl -f my-ipsec.conf', which reads like this,
following the example closely:

ike esp from 172.17.16.0/24 to 172.17.0/20 peer 1.2.3.4 \
        srcid 1.2.3.5 dstid 1.2.3.4

ike esp from 1.2.3.5 to 1.2.3.4 \
        srcid 1.2.3.5 dstid 1.2.3.4


The tunnel doesn't come up, and the log files (-DA=90) show:

Default ike_phase_1_recv_ID: received remote ID other than expected 1.2.3.4

Collecting some packets I can see:

17:33:56.358776 1.2.3.4.500 > 1.2.3.5.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 10e2114ec84c8a9d->2cd65760e925dc55 msgid: 00000000 len: 1292
        payload: ID len: 12 type: IPV4_ADDR = 1.2.3.4
        payload: CERT len: 992
        payload: SIG len: 260 [ttl 0] (id 1, len 1320)


The ID is both in the CN and the subjectAltName attribute of the
certificate involved.

I've also tried without the 'srcid' and 'dstid' specifiers, as the man
page says that, in this case, the IP number(s) are taken as IDs, but
still no luck.

What gives?



Kind regards,
--Toni++
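The "received remote ID other than expected" message comes from the phase-1 ID check: the responder compares both the ID type and the identification data of the peer's ID payload against what it expects for that peer. The following is an added example, not code from the original post or from isakmpd, that encodes and decodes the IKEv1 Identification payload (RFC 2408 generic header plus the RFC 2407 ID fields) and performs that same comparison. The 12-byte length for an IPV4_ADDR ID is exactly what the capture above shows ("ID len: 12"). The addresses and the user@example.com identity are constructed placeholders, and the tcpdump-style summary line is an assumption about that tool's output format, included only to line up with the capture in the post.

```python
# Added example (not from the original post or from isakmpd): build and parse
# IKEv1 ISAKMP Identification payloads and check a received ID against the
# expected one, the way the phase-1 responder does.  All sample identities
# below are constructed for this example.
import ipaddress
import struct

# RFC 2407 section 4.6.2.1 identification types relevant to the post
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_NAMES = {ID_IPV4_ADDR: "IPV4_ADDR", ID_FQDN: "FQDN", ID_USER_FQDN: "USER_FQDN"}

# Generic payload header (RFC 2408 3.2): next payload, reserved, length;
# then the ID-specific fields (RFC 2407 4.6.2): ID type, protocol ID, port.
_HDR = "!BBHBBH"  # 8 bytes in total
_HDR_LEN = struct.calcsize(_HDR)


def encode_id_payload(id_type, ident, next_payload=0, proto=0, port=0):
    """Return the wire bytes of one ID payload carrying `ident`."""
    if id_type == ID_IPV4_ADDR:
        data = ipaddress.IPv4Address(ident).packed       # 4 raw bytes
    elif id_type in (ID_FQDN, ID_USER_FQDN):
        data = ident.encode("ascii")                     # no NUL, no length prefix
    else:
        raise ValueError("unsupported ID type %d" % id_type)
    length = _HDR_LEN + len(data)
    return struct.pack(_HDR, next_payload, 0, length, id_type, proto, port) + data


def decode_id_payload(buf):
    """Parse one ID payload; returns (id_type, identity string, proto, port)."""
    if len(buf) < _HDR_LEN:
        raise ValueError("truncated ID payload")
    _next, _reserved, length, id_type, proto, port = struct.unpack(_HDR, buf[:_HDR_LEN])
    if length < _HDR_LEN or length > len(buf):
        raise ValueError("bad payload length %d" % length)
    data = buf[_HDR_LEN:length]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("IPV4_ADDR identification data must be 4 bytes")
        ident = str(ipaddress.IPv4Address(data))
    elif id_type in (ID_FQDN, ID_USER_FQDN):
        ident = data.decode("ascii")
    else:
        raise ValueError("unsupported ID type %d" % id_type)
    return id_type, ident, proto, port


def id_matches(expected_type, expected_ident, buf):
    """Phase-1 style check: the type AND the identity must both agree.

    An IPV4_ADDR of 1.2.3.4 and a USER_FQDN whose text happens to contain
    1.2.3.4 are different IDs, so the type is part of the comparison.
    """
    got_type, got_ident, _proto, _port = decode_id_payload(buf)
    return (got_type, got_ident) == (expected_type, expected_ident)


def describe(buf):
    """One-line summary in the style of the tcpdump output quoted in the post
    (the exact tcpdump format is an assumption here)."""
    id_type, ident, _proto, _port = decode_id_payload(buf)
    length = struct.unpack("!H", buf[2:4])[0]
    return "payload: ID len: %d type: %s = %s" % (length, ID_NAMES[id_type], ident)


if __name__ == "__main__":
    # Constructed peer ID, as the gateway 1.2.3.4 would send it in main mode.
    peer = encode_id_payload(ID_IPV4_ADDR, "1.2.3.4")
    print(describe(peer))
    print("matches dstid 1.2.3.4:", id_matches(ID_IPV4_ADDR, "1.2.3.4", peer))
    # Constructed mobile-user ID of the UFQDN type from the post.
    user = encode_id_payload(ID_USER_FQDN, "user@example.com")
    print(describe(user))
    print("matches dstid 1.2.3.4:", id_matches(ID_IPV4_ADDR, "1.2.3.4", user))
```

Running the block prints the 12-byte IPV4_ADDR payload and shows that the same address sent under a different ID type, or a different address under the same type, fails the comparison; that is the class of mismatch the "received remote ID other than expected" log line reports.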
