I am trying to establish a VPN with isakmpd (OpenBSD 3.6) using certificates issued from a SubCA. When I use certificates which were issued directly from the RootCA the tunnel works correctly! Changing the certificates in /etc/isakmpd/certs and /etc/isakmpd/ca (with an adjusted policy file) causes problems in ike_phase_1, or rather with the received ID information. I get these messages:

145552.710039 Exch 90 exchange_validate: checking for required AUTH
145552.710054 Misc 30 ipsec_responder: phase 1 exchange 2 step 4
145552.710090 Negt 40 ike_phase_1_recv_ID: DER_ASN1_DN:
145552.710119 Negt 40 3081a631 0b300906 03550406 13024445 310f300d 06035504 08130642 61796572
145552.710214 Negt 40 6e742d43 65727431 20301e06 092a8648 86f70d01 09011611 68616e73 2e6d6569
145552.710228 Negt 40 65724077 65622e64 65
145552.710241 Default rsa_sig_decode_hash: cert_get (1) failed
145552.710265 Default dropped message from 192.168.42.241 port 500 due to notification type INVALID_ID_INFORMATION
145552.710305 Timr 10 timer_add_event: event exchange_free_aux(0x3c130c00) added last, expiration in 120s
145552.710326 Cryp 60 hash_get: requested algorithm 1

It seems (to me) that isakmpd doesn't know the right certification path. I also tried to add the certificate from the SubCA to the (Root)CA certificate (in /etc/isakmpd/ca) etc., but without any success. Thanks for any information regarding this problem.

