Hi misc, I've been trying to configure the following IPSec client using certificates, but with no success. I want to use it in a roadwarrior setup:

http://www.ncp-e.com/en/vpn-szenarien-produkte/vpn-produkte/secure-entry-client.html

Of course, I'm using isakmpd on the OpenBSD side (4.3). I did manage to get it working with PSK though. The problem is reported on the client side like this (error line):

Ike: phase1:name(NCP test) - error - PAYLOAD_MALFORMED

isakmpd reports that phase 1 has finished though:

203820.350607 Default isakmpd: phase 1 done: [snip]

There are a couple of odd things that I'm noticing. When I run isakmpd to dump everything to /var/run/isakmpd.pcap and then review it with tcpdump, one of the packets looks like this (I've changed the IP addresses to fictitious ones):

18:40:45.034602 200.1.2.3.500 > 190.1.8.1.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 6ae7205b40eda6dc->1673892cac8a5b55 msgid: 00000000 len: 200 payload: ID len: 12 type: IPV4_ADDR = 200.1.2.3 payload: SIG len: 132 payload: NOTIFICATION len: 28 notification: INITIAL CONTACT (6ae7205b40eda6dc->1673892cac8a5b55) [ttl 0] (id 1, len 228)

As you can see, the length is 200 octets. But then, when capturing the same thing on the Windows box using Wireshark, I get this:

Frame 9 (260 bytes on wire, 260 bytes captured)
Ethernet II, Src: Riverdel_c6:42:91 (00:30:b8:c6:42:91), Dst: Dell_58:de:fb (00:15:c5:58:de:fb)
Internet Protocol, Src: 200.1.2.3 (200.1.2.3), Dst: 190.1.8.1 (190.1.8.1)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol
    Initiator cookie: 6AE7205B40EDA6DC
    Responder cookie: 1673892CAC8A5B55
    Next payload: Identification (5)
    Version: 1.0
    Exchange type: Identity Protection (Main Mode) (2)
    Flags: 0x81
    Message ID: 0x00000000
    Length: 204
    Encrypted payload (176 bytes)

It seems to be 204 bytes. I got this very same result when capturing on the physical interface of the VPN gateway, but I can't find the pcap file right now. So there's nothing in the middle changing this value. Also, the Flags fields seem to differ.
Also, right now, for some reason, the client is trying to use udpencap (it wasn't in the previous example), and I'm getting UDP checksum errors. I did get the certificate authentication working with the thegreenbow client, but couldn't get it to work when using Windows Mobile (my real objective), so I'm moving on with this one (by the way, did any of you have any luck configuring thegreenbow using Windows Mobile with an OpenBSD VPN gateway?). So I really don't know if isakmpd is messing with the packets somewhere.

Here's my isakmpd.conf file:

[General]
Default-phase-1-lifetime=86400,60:86400
Default-phase-2-lifetime=3600,60:86400
Retransmits=5
Exchange-max-time=120
Listen-on=200.1.2.3

[Phase 1]
default=checkpoint

[checkpoint]
Phase=1
Transport=udp
Local-address=200.1.2.3
Address=200.1.2.3
Configuration=Default-main-mode

[Phase 2]
Connections=VPN-Checkpoint

[VPN-Checkpoint]
Phase=2
ISAKMP-peer=checkpoint
Configuration=Default-quick-mode
Local-ID=network_corporate
Remote-ID=client_thegreenbow

[network_corporate]
ID-type=IPV4_ADDR_SUBNET
Network=192.168.18.0
Netmask=255.255.255.0

[client_thegreenbow]
ID-type=IPV4_ADDR_SUBNET
Network=10.9.0.0
Netmask=255.255.0.0

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=ID_PROT
Transforms=3DES-SHA-GRP2-RSA_SIG
#Transforms=3DES-SHA-GRP2

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-3DES-SHA-SUITE

[X509-certificates]
CA-directory= /etc/isakmpd/ca/
Cert-directory= /etc/isakmpd/certs/
CRL-directory= /etc/isakmpd/crls/
Private-key= /etc/isakmpd/private/ncp.key

My isakmpd.policy file:

KeyNote-Version: 2
Authorizer: "POLICY"

I haven't used ipsec.conf for this, as I haven't found examples using X.509 certificates. Any help with this will be greatly appreciated.

Thanks,
Martmn.
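The length and flags discrepancy in the post above can be checked mechanically. The following is an added example, not part of the original post and not isakmpd or NCP code: it decodes the fixed ISAKMP header (RFC 2408), compares the header Length field against the real size of the UDP payload, names the flag bits (including bits the RFC does not define, such as the 0x80 in the 0x81 seen above), and walks the generic payload chain when the message is not encrypted. The sample message is constructed, reusing only the cookies and payload lengths from the tcpdump line; payload bodies are zero filler.

```python
import struct

# Fixed ISAKMP header (RFC 2408 section 3.1): initiator/responder cookies,
# next payload, version, exchange type, flags, message ID, total length.
HDR = struct.Struct("!8s8sBBBBII")
FLAG_NAMES = {0x01: "ENCRYPTION", 0x02: "COMMIT", 0x04: "AUTH_ONLY"}
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 6: "CERT", 8: "HASH", 9: "SIG",
                 10: "NONCE", 11: "NOTIFICATION"}

def parse_isakmp(datagram):
    """Decode the header, report header/datagram length mismatches and unknown
    flag bits, and walk the generic payload chain when it is not encrypted."""
    if len(datagram) < HDR.size:
        return {"flags": [], "payloads": [], "problems": ["short header"]}
    _icookie, _rcookie, nxt, _ver, xchg, flags, _msgid, length = HDR.unpack_from(datagram)
    problems = []
    if length != len(datagram):
        problems.append("header length %d != datagram length %d" % (length, len(datagram)))
    names = [n for bit, n in FLAG_NAMES.items() if flags & bit]
    if flags & ~0x07:  # bits RFC 2408 does not define, e.g. 0x80 in the post's 0x81
        names.append("UNKNOWN(0x%02x)" % (flags & ~0x07))
    payloads, off = [], HDR.size
    while nxt != 0 and not flags & 0x01:  # an encrypted chain cannot be walked
        if off + 4 > len(datagram):
            problems.append("payload chain runs past end of datagram")
            break
        nxt2, _, plen = struct.unpack_from("!BBH", datagram, off)
        if plen < 4 or off + plen > len(datagram):
            problems.append("bad payload length %d at offset %d" % (plen, off))
            break
        payloads.append((PAYLOAD_NAMES.get(nxt, nxt), plen))
        nxt, off = nxt2, off + plen
    return {"exchange": xchg, "length": length, "flags": names,
            "payloads": payloads, "problems": problems}

def build_sample(header_length=None, flags=0x00):
    """Construct (not captured) an ID_PROT message shaped like the tcpdump line
    in the post: 28-byte header + ID(12) + SIG(132) + NOTIFICATION(28) = 200."""
    chain = [(5, 12), (9, 132), (11, 28)]
    body = b""
    for i, (_ptype, plen) in enumerate(chain):
        nxt = chain[i + 1][0] if i + 1 < len(chain) else 0
        body += struct.pack("!BBH", nxt, 0, plen) + b"\0" * (plen - 4)
    hdr = HDR.pack(bytes.fromhex("6ae7205b40eda6dc"), bytes.fromhex("1673892cac8a5b55"),
                   chain[0][0], 0x10, 2, flags, 0,
                   header_length if header_length else HDR.size + len(body))
    return hdr + body
```

Running parse_isakmp over each ISAKMP datagram extracted from the two captures shows directly whether the 200 and 204 values came from the header field or from the datagram size, and whether the encryption bit was set on the wire.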