4.0 -> 4.1 broke ipsec

Fri, 06 Jul 2007 02:53:17 -0700 

Hello list,
after using ipsec for some years now, i never experienced an upgrade breaking it. But after after moving to 4.1 (new install) i can not get it to work anymore. I have copied the complete /etc/isakmpd directory from the 4.0 installation to the new one and also copied /etc/imakmpd/private/local.pub to /etc/isakmpd 

Below is a snippet from the output of "isakmpd -d -DA=70" on my gateway:


The peer antbook3 is trying to establish a connection, but the local 
isakmpd cannot validate antbook3's cert. antbook3's installation has not 
changed at all.
I have never seen the message "unable to get local issuer certificate" 
before.


111621.667743 Mesg 50 message_parse_payloads: offset 28 payload ID
111621.667812 Mesg 50 message_parse_payloads: offset 62 payload CERT
111621.667852 Mesg 50 message_parse_payloads: offset 799 payload SIG

111621.667924 Mesg 60 message_validate_payloads: payload ID at 
0x8810241c of message 0x88f39500

111621.668011 Mesg 70 TYPE: 2
111621.668052 Mesg 70 DOI_DATA: 000000
111621.668128 Mesg 70 DATA:
111621.668210 Mesg 40 ipsec_validate_id_information: proto 0 port 0 type 2

111621.668251 Mesg 60 message_validate_payloads: payload CERT at 
0x8810243e of message 0x88f39500

111621.668313 Mesg 70 ENCODING: X509_SIG
111621.668348 Mesg 70 DATA:

111621.668431 Mesg 60 message_validate_payloads: payload SIG at 
0x8810271f of message 0x88f39500

111621.668503 Mesg 70 DATA:
111621.668542 Trpt 70 transport_release: freeing 0x813c5c40
111621.668617 Misc 30 ipsec_responder: phase 1 exchange 2 step 4
111621.668707 Negt 40 ike_phase_1_recv_ID: FQDN:

111621.668755 Negt 40 616e7462 6f6f6b33 2e616e74 2e756e69 2d627265 
6d656e2e 6465

111621.668827 Cryp 70 x509_hash_find: no certificate matched query

111621.669061 Default x509_cert_validate: unable to get local issuer 
certificate

111621.669224 Default rsa_sig_decode_hash: received CERT can't be validated

111621.672638 Negt 50 get_raw_key_from_file: file 
/etc/isakmpd/pubkeys//fqdn/antbook3.ant.uni-bremen.de not found

111621.672685 Default rsa_sig_decode_hash: no public key found

111621.672731 Default dropped message from 172.21.113.59 port 500 due to 
notification type INVALID_ID_INFORMATION



Verifying the cert by hand:


[EMAIL PROTECTED] [/etc/isakmpd/certs] # openssl verify -CAfile ../ca/ca.crt 
antbook3.crt

antbook3.crt: OK
[EMAIL PROTECTED] [/etc/isakmpd/certs] # md5 ../ca/ca.crt
MD5 (../ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00

Making sure that the gateway uses the same ca crt:
[EMAIL PROTECTED] [~] # md5 /etc/isakmpd/ca/ca.crt
MD5 (/etc/isakmpd/ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00


I will happily post more information if needed, but i am unsure if i can 
post the output of "openssl x509 -text ..." of a cert. Would this enable 
someone else to use it?


Thanks for any hints

        Heinrich
--

Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :            -3341























					Reply via email to