Hello,
I am currently building a LAN-to-LAN VPN with some DFL-800 (v2.26.00) and x509 certificates.
The certs were generated with OpenBSD 4.6:

```
# openssl genrsa -out private/ca.key 2048
# openssl req -new -key private/ca.key -out private/ca.csr
# openssl x509 -req -days 6000 -in private/ca.csr -signkey private/ca.key -extfile /etc/ssl/x509v3.cnf -extensions x509v3_CA -out ca.crt
# openssl genrsa -out private/siege.key 2048
# openssl req -new -key private/siege.key -out private/siege.csr
# env CERTFQDN=siege.vpn.com openssl x509 -req -days 6000 -in private/siege.csr -CA ca.crt -CAkey private/ca.key -CAcreateserial -extfile /etc/ssl/x509v3.cnf -extensions x509v3_FQDN -out siege.crt
# openssl genrsa -out private/bureau.key 2048
# openssl req -new -key private/bureau.key -out private/bureau.csr
# env CERTFQDN=bureau.vpn.com openssl x509 -req -days 6000 -in private/bureau.csr -CA ca.crt -CAkey private/ca.key -CAcreateserial -extfile /etc/ssl/x509v3.cnf -extensions x509v3_FQDN -out bureau.crt
```
The certs have been tested with an inter-OpenBSD VPN and the tunnel came up without problem.
Now I'm replacing an OpenBSD with a DFL-800.
I uploaded the CA to the DFL (screenshot), did some rules for the tunnel (screenshot), and configured the tunnel itself (screenshots).
But it doesn't work. I have a line in "IKE SA List" (so phase 1 is OK) but nothing in "IPSec SA" (in the status menu).
I tried replacing the certs with a PSK and the tunnel came up.
So I think the problem is with the certificates, but as it works between 2 OpenBSD, I don't know where to check.
I have some traces with "ikesnoop":
```
2010-04-27 19:27:22: IkeSnoop: Received IKE packet from xxx.xxx.xxx.xxx:500
2010-04-27 19:27:22: IkeSnoop: Other end retransmitted its packet
2010-04-27 19:27:31: IkeSnoop: Received IKE packet from xxx.xxx.xxx.xxx:500
2010-04-27 19:27:31: IkeSnoop: Other end retransmitted its packet
2010-04-27 19:27:42: IkeSnoop: Received IKE packet from xxx.xxx.xxx.xxx:500
2010-04-27 19:27:42: IkeSnoop: Other end retransmitted its packet
```
And on the OpenBSD side (isakmpd traces):

```
192927.861810 Cryp 60 hash_get: requested algorithm 1
192928.040772 Cryp 50 crypto_update_iv: updated IV:
192928.041184 Cryp 50 2a40eff7 1c8fc020 290a2fed b32e65f0
192928.044819 Exch 40 exchange_run: exchange 0x868f1c00 finished step 4, advancing...
192928.045484 Trpt 30 transport_send_messages: message 0x7d709b00 scheduled for retransmission 1 in 7 secs
192928.045876 Timr 10 timer_add_event: event message_send_expire(0x7d709b00) added before connection_checker(0x8b14ffd0), expiration in 7s
192935.087580 Timr 10 timer_handle_expirations: event message_send_expire(0x7d709b00)
192935.091570 Trpt 30 transport_send_messages: message 0x7d709b00 scheduled for retransmission 2 in 9 secs
192935.091957 Timr 10 timer_add_event: event message_send_expire(0x7d709b00) added before connection_checker(0x8b14ffd0), expiration in 9s
192944.142884 Timr 10 timer_handle_expirations: event message_send_expire(0x7d709b00)
192944.146819 Trpt 30 transport_send_messages: message 0x7d709b00 scheduled for retransmission 3 in 11 secs
192944.147211 Timr 10 timer_add_event: event message_send_expire(0x7d709b00) added before connection_checker(0x8b14ffd0), expiration in 11s
192955.208245 Timr 10 timer_handle_expirations: event message_send_expire(0x7d709b00)
192955.212240 Default transport_send_messages: giving up on exchange peer-xxx.xxx.xxx.xxx-local-xxx.xxx.xxx.xxx, no response from peer xxx.xxx.xxx.xxx:500
192955.212641 Mesg 20 message_free: freeing 0x7d709b00
```
Can anyone help with this issue?
Thank you in advance.
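The post above generates a CA and two peer certificates with `openssl` and then cannot tell, once the tunnel fails, whether the certificates themselves are sound. The following script is an added example, not part of the original post and not D-Link or OpenBSD code: it builds a throwaway CA and one peer certificate offline (the file names, the `Test VPN CA` subject and the extension section names `ca_ext`/`peer_ext` are constructed for the example, standing in for the post's `x509v3_CA`/`x509v3_FQDN` sections), then runs the checks a practitioner would apply to each peer certificate before loading it on a gateway: it must chain to the CA, carry the expected FQDN as a `subjectAltName` DNS entry, match its private key, and be within its validity period. The checker returns a one-word reason on the first failed check so that a mismatch (for instance the `bureau` identity presented against the `siege` certificate) is visible at a glance.

```shell
#!/bin/sh
# Added example: offline sanity checks for an IPsec peer certificate.
# Assumes a POSIX sh and the openssl CLI; all names and paths are constructed.
set -eu

# Build a throwaway CA plus one peer certificate in $1, with $2 as the
# peer FQDN placed in subjectAltName (mirrors the post's x509v3_FQDN idea).
make_test_pki() {
    dir=$1; fqdn=$2
    mkdir -p "$dir"
    cat > "$dir/ext.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[peer_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectAltName = DNS:$fqdn
EOF
    # Self-signed CA (constructed subject).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Test VPN CA" -days 365 -extensions ca_ext -config "$dir/ext.cnf" >/dev/null 2>&1
    # Peer key, CSR and CA-signed certificate, as in the post's procedure.
    openssl genrsa -out "$dir/siege.key" 2048 >/dev/null 2>&1
    openssl req -new -key "$dir/siege.key" -out "$dir/siege.csr" \
        -subj "/CN=$fqdn" -config "$dir/ext.cnf" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$dir/siege.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/ext.cnf" -extensions peer_ext -out "$dir/siege.crt" >/dev/null 2>&1
}

# check_vpn_cert CA CERT KEY FQDN
# Prints "ok" and returns 0 when every check passes; otherwise prints the
# name of the first failing check (chain, san, key, expired) and returns 1.
check_vpn_cert() {
    ca=$1; crt=$2; key=$3; fqdn=$4
    # 1. The certificate must chain to the CA the gateway trusts.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo chain; return 1; }
    # 2. The identity the peer will present must be present as a SAN DNS entry.
    openssl x509 -in "$crt" -noout -text | grep -q "DNS:$fqdn" || { echo san; return 1; }
    # 3. The private key uploaded alongside the cert must actually belong to it.
    cert_mod=$(openssl x509 -in "$crt" -noout -modulus | openssl md5)
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null | openssl md5)
    [ "$cert_mod" = "$key_mod" ] || { echo key; return 1; }
    # 4. The certificate must be valid now (clock skew on appliances is common).
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || { echo expired; return 1; }
    echo ok
}

# Demo run: the right identity passes, a sibling identity fails the SAN check.
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir" siege.vpn.com
echo "siege.vpn.com  -> $(check_vpn_cert "$demo_dir/ca.crt" "$demo_dir/siege.crt" "$demo_dir/siege.key" siege.vpn.com)"
echo "bureau.vpn.com -> $(check_vpn_cert "$demo_dir/ca.crt" "$demo_dir/siege.crt" "$demo_dir/siege.key" bureau.vpn.com)"
```

Run the four checks against the real `ca.crt`, `siege.crt`/`siege.key` and `bureau.crt`/`bureau.key` on a host with `openssl`; a certificate that passes all of them but is still refused by the peer narrows the problem to the gateway's own trust settings (which CA it matches against, and which identity type it expects the remote to present) rather than to the certificate files.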