Hi,
just to add more information: INFORM works over dtlsudp with the same
configuration. Am I doing something wrong with TRAP sending and receiving?
Best regards,
Steph
2017-06-01 10:51 GMT+02:00 Stephanie Jakopec <steph50...@gmail.com>:
> Hi,
>
> I am trying to configure net-snmp over DTLS. The manager doesn't receive
> the TRAP message when sending TRAPs over dtlsudp. Sending TRAPs over tlstcp
> is successful. In wireshark I can see Client Hello, Hello Verify Request
> and then an ICMP Destination unreachable (Port unreachable).
> I think it is not a firewall or permission problem. I have checked
> everything regarding this.
> GET command works over DTLS.
> Certificates were created with the help of the Using DTLS TUT. The manager has
> snmpdsteph.crt, the agent has agent.crt, and both are signed by
> hostname.example.com.
>
> Agent sends trap to manager:
> ./snmptrap -v 3 -T their_hostname=steph \
>   -Dtls,ssh,openssl,cert,dtlsudp,9:openssl:fingerprint,9:openssl:cert:san \
>   dtlsudp:<ip_addr1>:10162 "" \
>   NET-SNMP-EXAMPLES-MIB::netSnmpExampleHeartbeatNotification \
>   netSnmpExampleHeartbeatRate i 123456
>
>
> Below is the snmptrapd.log:
> ==========================================================================
> dtlsudp: received 149 raw bytes on way to dtls
> dtlsudp: starting a new connection
> cert:find:params: looking for identity(1) in DEFAULT(0x0), hint 0
> cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 7980400
> cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint 7980400
> cert:find:params: hint = 47:B2:BB:BD:0F:D5:C6:3B:C3:B1:07:6F:8B:3E:97:0B:B8:E4:1C:3B
> cert:find:found: using cert snmpdsteph.crt / 47b2bbbd0fd5c63bc3b1076f8b3e970bb8e41c3b for identity(1) (uses=identity+remote_peer (3))
> cert:find:found: using cert snmpdsteph.crt / 47b2bbbd0fd5c63bc3b1076f8b3e970bb8e41c3b for identity(1) (uses=identity+remote_peer (3))
> sslctx_server: using public key: snmpdsteph.crt
> sslctx_server: using private key: snmpdsteph.key
> sslctx_client: Trying to load a trusted certificate: 28:81:87:B3:A9:13:E0:03:C4:B4:D6:1F:F4:85:FE:12:DB:6F:DD:28
> cert:find:params: looking for CA(8) in MULTIPLE(0x200), hint 7961792
> cert:find:params: looking for CA(8) in FINGERPRINT(0x2), hint 7961792
> cert:find:params: hint = 28:81:87:B3:A9:13:E0:03:C4:B4:D6:1F:F4:85:FE:12:DB:6F:DD:28
> cert:find:found: using cert hostname.example.com.crt / 288187b3a913e003c4b4d61ff485fe12db6fdd28 for CA(8) (uses=CA+identity+remote_peer (11))
> cert:find:found: using cert hostname.example.com.crt / 288187b3a913e003c4b4d61ff485fe12db6fdd28 for CA(8) (uses=CA+identity+remote_peer (11))
> cert:trust_ca: checking roots for 0x7343a0
> 9:openssl:fingerprint: alg -1, cert nid 65 (2)
> 9:openssl:fingerprint: fingerprint 288187b3a913e003c4b4d61ff485fe12db6fdd28
> cert:trust: putting trusted cert 0x734660 = 288187b3a913e003c4b4d61ff485fe12db6fdd28 in certstore 0x7928e0
> dtlsudp:cookie: generating cookie...
> dtlsudp: have 48 bytes to send
> ==========================================================================
>
> Agent log:
> ==========================================================================
> registered debug token tls, 1
> registered debug token ssh, 1
> registered debug token openssl, 1
> registered debug token cert, 1
> registered debug token dtlsudp, 1
> registered debug token 9:openssl:fingerprint, 1
> registered debug token 9:openssl:cert:san, 1
> cert:util:init: init
> cert:index:add: dir /home/snmp/share/snmp/tls/ca-certs at index 0
> cert:index:add: dir /home/snmp/share/snmp/tls/certs at index 1
> cert:index:add: dir /home/snmp/share/snmp/tls/private at index 2
> cert:index:dir: Scanning directory /home/snmp/share/snmp/tls/ca-certs
> cert:index:lookup: /home/snmp/share/snmp/tls/ca-certs (0) /home/.snmp_persist/cert_indexes/0
> cert:index:parse: The index for /home/snmp/share/snmp/tls/ca-certs looks good
> cert:index:parse: added 1 certs from index
> cert:index:dir: Scanning directory /home/snmp/share/snmp/tls/certs
> cert:index:lookup: /home/snmp/share/snmp/tls/certs (1) /home/.snmp_persist/cert_indexes/1
> cert:index:parse: The index for /home/snmp/share/snmp/tls/certs looks good
> cert:index:parse: added 1 certs from index
> cert:index:dir: Scanning directory /home/snmp/share/snmp/tls/private
> cert:index:lookup: /home/snmp/share/snmp/tls/private (2) /home/.snmp_persist/cert_indexes/2
> cert:index:parse: The index for /home/snmp/share/snmp/tls/private looks good
> cert:key:struct:new: new key 0x0x628410 for hostname.example.com.key
> cert:key:struct:new: new key 0x0x628a00 for agent.key
> cert:index:parse: added 2 certs from index
> cert:partner: hostname.example.com.crt match found!
> cert:partner: agent.crt match found!
> cert:key:read: Checking file hostname.example.com.key
> cert:key:read: Checking file agent.key
> cert:dump: -------------------- Certificates -----------------
> cert:dump: cert hostname.example.com.crt in /home/snmp/share/snmp/tls/ca-certs
> cert:dump: type 1 flags 0xb (CA+identity+remote_peer)
> cert:dump: cert agent.crt in /home/snmp/share/snmp/tls/certs
> cert:dump: type 1 flags 0x3 (identity+remote_peer)
> cert:dump: key hostname.example.com.key in /home/snmp/share/snmp/tls/private
> cert:dump: type 4 flags 0x1 (identity)
> cert:dump: key agent.key in /home/snmp/share/snmp/tls/private
> cert:dump: type 4 flags 0x1 (identity)
> cert:dump: ------------------------ End ----------------------
> dtlsudp: netsnmp_dtlsudp_transport(): transports/snmpDTLSUDPDomain.c, 1421:
> dtlsudp: sending 131 bytes
> dtlsudp: starting a new connection
> dtlsudp: starting a new connection as a client to sock: 3
> cert:find:params: looking for identity(1) in DEFAULT(0x0), hint 0
> cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 6795536
> cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint 6795536
> cert:find:params: hint = BF:AD:00:CC:9D:61:6C:2C:5F:6D:3F:1A:05:E8:27:6E:C8:2A:C9:A0
> cert:find:found: using cert agent.crt / bfad00cc9d616c2c5f6d3f1a05e8276ec82ac9a0 for identity(1) (uses=identity+remote_peer (3))
> cert:find:found: using cert agent.crt / bfad00cc9d616c2c5f6d3f1a05e8276ec82ac9a0 for identity(1) (uses=identity+remote_peer (3))
> cert:find:params: looking for remote_peer(2) in DEFAULT(0x0), hint 0
> cert:find:params: looking for CA(8) in MULTIPLE(0x200), hint 6876544
> cert:find:params: looking for CA(8) in FINGERPRINT(0x2), hint 6876544
> cert:find:params: hint = 28:81:87:B3:A9:13:E0:03:C4:B4:D6:1F:F4:85:FE:12:DB:6F:DD:28
> cert:find:found: using cert hostname.example.com.crt / 288187b3a913e003c4b4d61ff485fe12db6fdd28 for CA(8) (uses=CA+identity+remote_peer (11))
> cert:find:found: using cert hostname.example.com.crt / 288187b3a913e003c4b4d61ff485fe12db6fdd28 for CA(8) (uses=CA+identity+remote_peer (11))
> cert:trust_ca: checking roots for 0x628490
> 9:openssl:fingerprint: alg -1, cert nid 65 (2)
> 9:openssl:fingerprint: fingerprint 288187b3a913e003c4b4d61ff485fe12db6fdd28
> cert:trust: putting trusted cert 0x628670 = 288187b3a913e003c4b4d61ff485fe12db6fdd28 in certstore 0x6bbd60
> dtlsudp: have 149 bytes to send
> dtlsudp:close: closing dtlsudp transport 0x6bf990
> dtlsudp:close: 131 bytes remain in write_cache
> dtlsudp:close: dumping 131 bytes from write_cache
> dtlsudp:close: closing SSL socket
> tlsbase: Freeing TLS Base data for a session
> cert:util:shutdown: shutdown
> cert:key:struct:free: freeing key 0x0x628410, hostname.example.com.key
> cert:key:struct:free: freeing key 0x0x628a00, agent.key
> ==========================================================================
>
> Agent snmp.conf:
> ==========================================================================
> defSecurityModel tsm
> defSecurityLevel authPriv
> localCert BF:AD:00:CC:9D:61:6C:2C:5F:6D:3F:1A:05:E8:27:6E:C8:2A:C9:A0
> trustCert 28:81:87:B3:A9:13:E0:03:C4:B4:D6:1F:F4:85:FE:12:DB:6F:DD:28
> persistentDir /home/.snmp_persist
>
> Manager snmpd.conf
> ==========================================================================
> rwuser -s tsm "traptest"
> rouser NoAuthUser
> rouser MD5User
> rwuser MD5DESUser
> createUser NoAuthUser
> createUser MD5User MD5 "The Net-SNMP Demo Password"
> createUser MD5DESUser MD5 "The Net-SNMP Demo Password" DES
> rocommunity public localhost
>
> agentXSocket tcp:localhost:705,udp:localhost:705
> master agentx
> [snmp] localCert 47:B2:BB:BD:0F:D5:C6:3B:C3:B1:07:6F:8B:3E:97:0B:B8:E4:1C:3B
> [snmp] trustCert 28:81:87:B3:A9:13:E0:03:C4:B4:D6:1F:F4:85:FE:12:DB:6F:DD:28
> certSecName 20 28:81:87:B3:A9:13:E0:03:C4:B4:D6:1F:F4:85:FE:12:DB:6F:DD:28 --sn "traptest"
> agentaddress udp:161,tcp:161,dtlsudp:10161,tlstcp:10161
> =========================================================================
>
> Manager snmptrapd.conf
> =========================================================================
> authCommunity log,execute,net public
> snmpTrapdAddr dtlsudp:10162,tlstcp:10162
>
> createUser -e 0x8000000001020304 traptest SHA mypassword AES
> authuser log traptest
> authUser log "steph"
> disableAuthorization yes
>
> [snmp] localCert 47:B2:BB:BD:0F:D5:C6:3B:C3:B1:07:6F:8B:3E:97:0B:B8:E4:1C:3B
> [snmp] trustCert 28:81:87:B3:A9:13:E0:03:C4:B4:D6:1F:F4:85:FE:12:DB:6F:DD:28
> certSecName 20 BF:AD:00:CC:9D:61:6C:2C:5F:6D:3F:1A:05:E8:27:6E:C8:2A:C9:A0 --sn traptest
> =========================================================================
>
> I would really appreciate your help.
> Regards,
>
> Steph
_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users
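Editor's note, added to this archived thread and not part of either message: the two `-Ddtlsudp` logs quoted above can be read side by side. The agent (snmptrap) hands 131 bytes of PDU to the transport, puts one 149-byte datagram on the wire (the ClientHello Wireshark shows), never logs receiving anything, and closes with all 131 bytes still in `write_cache`. The manager (snmptrapd) receives those 149 raw bytes, generates a cookie and has 48 bytes to send (the HelloVerifyRequest Wireshark shows). That sequence is consistent with the ICMP Port Unreachable in the capture: the reply arrives at a client socket that has already been closed, so the DTLS handshake never completes and the TRAP is never sent. The script below is an added example, not net-snmp code; it parses only the `dtlsudp:` lines of the two posted logs (embedded here as constructed sample input, copied from the thread) with regexes written against the exact wording shown, and turns that reading into a repeatable check you can run against your own debug output.

```python
"""Correlate client- and server-side net-snmp `-Ddtlsudp` debug lines.

Added editorial example, not net-snmp code. The regexes assume the message
wording visible in the two logs posted in this thread; other net-snmp
versions may phrase these lines differently.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: the dtlsudp lines from the two debug logs quoted in
# this thread (agent = snmptrap sending the TRAP, manager = snmptrapd).
AGENT_LOG = """\
dtlsudp: sending 131 bytes
dtlsudp: starting a new connection
dtlsudp: starting a new connection as a client to sock: 3
dtlsudp: have 149 bytes to send
dtlsudp:close: closing dtlsudp transport 0x6bf990
dtlsudp:close: 131 bytes remain in write_cache
dtlsudp:close: dumping 131 bytes from write_cache
dtlsudp:close: closing SSL socket
"""

MANAGER_LOG = """\
dtlsudp: received 149 raw bytes on way to dtls
dtlsudp: starting a new connection
dtlsudp:cookie: generating cookie...
dtlsudp: have 48 bytes to send
"""

PATTERNS = {
    "queued":   re.compile(r"^dtlsudp: sending (\d+) bytes"),        # SNMP PDU handed to the transport
    "sent":     re.compile(r"^dtlsudp: have (\d+) bytes to send"),   # datagram going out on the socket
    "received": re.compile(r"^dtlsudp: received (\d+) raw bytes"),   # datagram arriving from the peer
    "cookie":   re.compile(r"^dtlsudp:cookie: generating cookie"),   # server answering with HelloVerifyRequest
    "unsent":   re.compile(r"^dtlsudp:close: (\d+) bytes remain in write_cache"),
    "closed":   re.compile(r"^dtlsudp:close: closing SSL socket"),
}


@dataclass
class Side:
    """What one endpoint's dtlsudp log says it queued, sent, received and closed."""
    name: str
    queued: int = 0
    sent: List[int] = field(default_factory=list)
    received: List[int] = field(default_factory=list)
    cookie: bool = False
    unsent: int = 0
    closed: bool = False


def parse_side(name: str, log: str) -> Side:
    side = Side(name)
    for raw in log.splitlines():
        line = raw.strip()
        for key, rx in PATTERNS.items():
            m = rx.match(line)
            if not m:
                continue
            if key == "queued":
                side.queued = int(m.group(1))
            elif key == "sent":
                side.sent.append(int(m.group(1)))
            elif key == "received":
                side.received.append(int(m.group(1)))
            elif key == "cookie":
                side.cookie = True
            elif key == "unsent":
                side.unsent = int(m.group(1))
            elif key == "closed":
                side.closed = True
    return side


def diagnose(client: Side, server: Side) -> List[str]:
    """Cross-check the two sides and describe where the handshake stopped."""
    findings = []
    if client.sent and server.received and client.sent[0] == server.received[0]:
        findings.append(f"client's first datagram ({client.sent[0]} bytes) reached the server")
    if server.cookie and server.sent:
        findings.append(f"server replied with a HelloVerifyRequest ({server.sent[0]} bytes)")
    if server.cookie and not client.received:
        findings.append("client never logged receiving the server's reply")
    if client.closed and client.unsent:
        findings.append(f"client closed with {client.unsent} bytes of application data still unsent")
    if client.closed and client.queued and client.unsent == client.queued:
        findings.append("the whole PDU was never delivered: handshake did not complete before close")
    return findings


if __name__ == "__main__":
    agent = parse_side("agent", AGENT_LOG)
    manager = parse_side("manager", MANAGER_LOG)
    for finding in diagnose(agent, manager):
        print("-", finding)
```

To use it on a live setup, capture `snmptrap -Ddtlsudp ...` output and the `snmptrapd -Ddtlsudp` output from the same attempt and feed them to `parse_side` in place of the embedded samples. A healthy exchange would show the client logging a `received` datagram and closing with 0 bytes in `write_cache`; a run that ends like the one above has stopped after the cookie flight, which is the point at which the one-way TRAP and the two-way INFORM behave differently.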