Author Topic: DFL-800, IPSec and x509  (Read 4377 times)

me255

  • Level 1 Member
  • *
  • Posts: 1
DFL-800, IPSec and x509
« on: April 28, 2010, 03:07:22 AM »

Hello,

I am currently building a LAN-to-LAN VPN with some DFL-800 (v2.26.00) and x509 certificates.
The certs were generated with OpenBSD 4.6:
Code:
# openssl genrsa -out private/ca.key 2048
# openssl req -new -key private/ca.key -out private/ca.csr
# openssl x509 -req -days 6000 -in private/ca.csr -signkey private/ca.key -extfile /etc/ssl/x509v3.cnf -extensions x509v3_CA -out ca.crt
# openssl genrsa -out private/siege.key 2048
# openssl req -new -key private/siege.key -out private/siege.csr
# env CERTFQDN=siege.vpn.com openssl x509 -req -days 6000 -in private/siege.csr -CA ca.crt -CAkey private/ca.key -CAcreateserial -extfile /etc/ssl/x509v3.cnf -extensions x509v3_FQDN -out siege.crt
# openssl genrsa -out private/bureau.key 2048
# openssl req -new -key private/bureau.key -out private/bureau.csr
# env CERTFQDN=bureau.vpn.com openssl x509 -req -days 6000 -in private/bureau.csr -CA ca.crt -CAkey private/ca.key -CAcreateserial -extfile /etc/ssl/x509v3.cnf -extensions x509v3_FQDN -out bureau.crt


The certs have been tested with an inter-OpenBSD VPN and the tunnel came up without problem.
Now I'm replacing an OpenBSD with a DFL-800.
I uploaded the CA to the DFL:


Did some rules for the tunnel:


And the tunnel itself:



But it doesn't work. I have a line in "IKE SA List" (so phase1 is OK) but nothing in "IPSec SA" (in the status menu).
I tried replacing the certs with a PSK and the tunnel came up.
So I think the problem is with the certificates but as it works between 2 OpenBSD, I don't know where to check.

I have some traces with "ikesnoop":
Code:
2010-04-27 19:27:22: IkeSnoop: Received IKE packet from xxx.xxx.xxx.xxx:500
2010-04-27 19:27:22: IkeSnoop: Other end retransmitted its packet
2010-04-27 19:27:31: IkeSnoop: Received IKE packet from xxx.xxx.xxx.xxx:500
2010-04-27 19:27:31: IkeSnoop: Other end retransmitted its packet
2010-04-27 19:27:42: IkeSnoop: Received IKE packet from xxx.xxx.xxx.xxx:500
2010-04-27 19:27:42: IkeSnoop: Other end retransmitted its packet

And on the OpenBSD side (isakmpd traces):
Code:
192927.861810 Cryp 60 hash_get: requested algorithm 1
192928.040772 Cryp 50 crypto_update_iv: updated IV:
192928.041184 Cryp 50 2a40eff7 1c8fc020 290a2fed b32e65f0
192928.044819 Exch 40 exchange_run: exchange 0x868f1c00 finished step 4, advancing...
192928.045484 Trpt 30 transport_send_messages: message 0x7d709b00 scheduled for retransmission 1 in 7 secs
192928.045876 Timr 10 timer_add_event: event message_send_expire(0x7d709b00) added before connection_checker(0x8b14ffd0), expiration in 7s
192935.087580 Timr 10 timer_handle_expirations: event message_send_expire(0x7d709b00)
192935.091570 Trpt 30 transport_send_messages: message 0x7d709b00 scheduled for retransmission 2 in 9 secs
192935.091957 Timr 10 timer_add_event: event message_send_expire(0x7d709b00) added before connection_checker(0x8b14ffd0), expiration in 9s
192944.142884 Timr 10 timer_handle_expirations: event message_send_expire(0x7d709b00)
192944.146819 Trpt 30 transport_send_messages: message 0x7d709b00 scheduled for retransmission 3 in 11 secs
192944.147211 Timr 10 timer_add_event: event message_send_expire(0x7d709b00) added before connection_checker(0x8b14ffd0), expiration in 11s
192955.208245 Timr 10 timer_handle_expirations: event message_send_expire(0x7d709b00)
192955.212240 Default transport_send_messages: giving up on exchange peer-xxx.xxx.xxx.xxx-local-xxx.xxx.xxx.xxx, no response from peer xxx.xxx.xxx.xxx:500
192955.212641 Mesg 20 message_free: freeing 0x7d709b00

Can anyone help on this issue?

Thank you in advance.
Logged
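When a certificate-authenticated tunnel negotiates phase 1 but never builds an IPsec SA while the same peers work with a PSK, the certificates themselves are the first thing to check before touching the gateway: does each peer cert chain to the uploaded CA, is it an end-entity cert rather than a CA, and does it carry the FQDN as a subjectAltName so the gateway can match it against the configured peer ID. The script below is an added example, not the poster's own commands and not the x509v3.cnf shipped with OpenBSD: it rebuilds a small CA plus one FQDN peer cert with an inline extension file (the hostname siege.vpn.example, the directory layout and the section names are assumed), then runs those three checks as functions that return 0 on success.

```shell
#!/bin/sh
# Added example (not from the original post): build a small CA and one
# FQDN-identified peer certificate with OpenSSL, then run the checks an
# IPsec administrator wants before loading them on a gateway: chain
# validation against the CA, end-entity (CA:FALSE) basic constraints, and
# presence of the subjectAltName DNS entry that must match the peer ID.
# Hostnames, paths and the extension sections are constructed here.

set -eu

# Create a CA and a peer certificate for FQDN $2 inside directory $1.
make_peer_pki() {
    dir=$1
    fqdn=$2
    mkdir -p "$dir"

    # Inline extension file standing in for /etc/ssl/x509v3.cnf.
    cat > "$dir/ext.cnf" <<EOF
[ x509v3_CA ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ x509v3_FQDN ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:${fqdn}
EOF

    # CA key and self-signed CA certificate.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ca.key" -subj "/CN=Example VPN CA" \
        -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ext.cnf" -extensions x509v3_CA -out "$dir/ca.crt" 2>/dev/null

    # Peer key and CA-signed peer certificate carrying the FQDN as SAN.
    openssl genrsa -out "$dir/peer.key" 2048 2>/dev/null
    openssl req -new -key "$dir/peer.key" -subj "/CN=${fqdn}" \
        -out "$dir/peer.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$dir/peer.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/ext.cnf" \
        -extensions x509v3_FQDN -out "$dir/peer.crt" 2>/dev/null
}

# Return 0 when peer certificate $2 chains to CA certificate $1.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Return 0 when certificate $1 carries DNS SAN $2 (the ID the gateway must match).
san_matches() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Return 0 when certificate $1 is an end-entity cert, not a CA.
is_end_entity() {
    openssl x509 -in "$1" -noout -text | grep -q "CA:FALSE"
}

# Stand-alone run: build a PKI for siege.vpn.example and report the checks.
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    make_peer_pki "$d" siege.vpn.example
    chain_ok "$d/ca.crt" "$d/peer.crt" && echo "chain: OK"
    san_matches "$d/peer.crt" siege.vpn.example && echo "SAN: OK"
    is_end_entity "$d/peer.crt" && echo "end-entity: OK"
    rm -rf "$d"
fi
```

Run it as `sh check_vpn_certs.sh run`. The same three functions can be pointed at the real ca.crt and siege.crt from the post; a failing `chain_ok` against a CA generated on a different run means the gateway holds a different CA than the one that signed the peer cert, and a failing `san_matches` means the FQDN configured as the remote ID will not be found in the certificate.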

sav0808

  • Level 1 Member
  • *
  • Posts: 2
Re: DFL-800, IPSec and x509
« Reply #1 on: March 16, 2012, 12:55:14 AM »

Hi!
So, did you solve this problem with "Other end retransmitted its packet"?
Logged