Re: SOLVED? Re: 4.0 - 4.1 broke ipsec

On Fri, Sep 28, 2007 at 07:02:28AM +0200, Otto Moerbeek wrote:
> On Thu, 27 Sep 2007, Brian A. Seklecki wrote:
>
> > > Ok, it's running now. The cause was not the move from 4.0 - 4.1, but the move from a diskful to a diskless setup: The machine mounts its root fs via nfs.
> >
> > WHAT?!?!?!
> >
> > What the heck kind of security-minded sanity check would fail based on the underlying VFS?
> >
> > Did you eventually get a PR open on this?
>
> This has to do with a bug in isakmpd, where scanning a dir could skip files. The bug could only be triggered on nfs mounts.

pr 5557 has been fixed in isakmpd/monitor.c rev 1.70

d_type is not passed over NFS, unless you mount with readdir+
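The bug class Otto describes (a directory scan that trusts the d_type field readdir(3) fills in, and so skips every entry on a mount where the server returns no file types) is easy to reproduce without NFS. The following is an added example, not isakmpd's code and not the monitor.c rev 1.70 fix itself: it puts a naive classifier beside a robust one that falls back to lstat(2) when d_type is DT_UNKNOWN, and scans a constructed temporary directory of three files once with the real d_type and once with d_type forced to DT_UNKNOWN to mimic the NFS case. The function names, the simulate_nfs switch and the /tmp fixture are assumptions made for this example.

```c
/* Added example (not isakmpd's code): a directory scan that trusts d_type
 * alone loses every file on an NFS mount without readdir+, because the
 * client reports DT_UNKNOWN; the robust variant falls back to lstat(2). */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

typedef int (*classify_fn)(unsigned char d_type, const char *path);

/* Naive classifier: only DT_REG counts. On a mount that reports DT_UNKNOWN
 * for every entry, this rejects every entry and the scan silently finds
 * nothing, which is the failure mode the thread describes. */
int naive_is_regular(unsigned char d_type, const char *path)
{
    (void)path;
    return d_type == DT_REG;
}

/* Robust classifier: DT_UNKNOWN means "the file system did not say", not
 * "not a regular file", so ask lstat(2) before giving up on the entry. */
int robust_is_regular(unsigned char d_type, const char *path)
{
    struct stat st;
    if (d_type == DT_REG)
        return 1;
    if (d_type != DT_UNKNOWN)
        return 0;
    return lstat(path, &st) == 0 && S_ISREG(st.st_mode);
}

/* Count entries of dir accepted by classify. With simulate_nfs set, the
 * d_type the local file system filled in is replaced by DT_UNKNOWN to mimic
 * what an NFS client sees without readdir+. Returns -1 if dir cannot be opened. */
int count_regular_files(const char *dir, classify_fn classify, int simulate_nfs)
{
    DIR *d = opendir(dir);
    struct dirent *ent;
    char path[4096];
    int n = 0;
    if (d == NULL)
        return -1;
    while ((ent = readdir(d)) != NULL) {
        unsigned char type = simulate_nfs ? DT_UNKNOWN : ent->d_type;
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        snprintf(path, sizeof path, "%s/%s", dir, ent->d_name);
        if (classify(type, path))
            n++;
    }
    closedir(d);
    return n;
}

/* Constructed fixture (assumption: a stand-in for a certs directory): a
 * temporary directory holding three regular files and one subdirectory. */
static const char *fixture_files[] = { "a.crt", "b.crt", "c.crt" };

int fixture_create(char *dir, size_t len)
{
    char path[4096];
    size_t i;
    if (len < sizeof "/tmp/certs_XXXXXX")
        return 0;
    strcpy(dir, "/tmp/certs_XXXXXX");
    if (mkdtemp(dir) == NULL)
        return 0;
    for (i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, fixture_files[i]);
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0)
            return 0;
        close(fd);
    }
    snprintf(path, sizeof path, "%s/sub", dir);
    return mkdir(path, 0700) == 0;
}

void fixture_remove(const char *dir)
{
    char path[4096];
    size_t i;
    for (i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, fixture_files[i]);
        unlink(path);
    }
    snprintf(path, sizeof path, "%s/sub", dir);
    rmdir(path);
    rmdir(dir);
}

/* Scan a fresh fixture with the given classifier; returns the file count. */
int demo_count(classify_fn classify, int simulate_nfs)
{
    char dir[64];
    if (!fixture_create(dir, sizeof dir))
        return -1;
    int n = count_regular_files(dir, classify, simulate_nfs);
    fixture_remove(dir);
    return n;
}

int main(void)
{
    printf("local fs, naive classifier : %d files\n", demo_count(naive_is_regular, 0));
    printf("NFS-like, naive classifier : %d files\n", demo_count(naive_is_regular, 1));
    printf("NFS-like, robust classifier: %d files\n", demo_count(robust_is_regular, 1));
    return 0;
}
```

The middle line of the output is the whole bug: the same three files, zero found, no error reported anywhere, exactly what Heinrich saw as "no certificate matched query". The check a practitioner wants in any privileged-separation daemon that loads keys or certificates from a directory is therefore the one in robust_is_regular: treat DT_UNKNOWN as "unknown", and log loudly when a scan of a configured directory yields nothing.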
Re: SOLVED? Re: 4.0 - 4.1 broke ipsec

> Ok, it's running now. The cause was not the move from 4.0 - 4.1, but the move from a diskful to a diskless setup: The machine mounts its root fs via nfs.

WHAT?!?!?!

What the heck kind of security-minded sanity check would fail based on the underlying VFS?

Did you eventually get a PR open on this?

~BAS

> This runs just fine, except for isakmpd: It silently does not read any certificates from a NFS mounted directory. After moving /etc/isakmpd to a ramdisk, ipsec runs fine as well.
>
> Question: Is this a bug or a feature? If it is a feature, it really should be documented. If it is a bug, I am unable to fix it. I started digging into isakmpd's sources, but failed to further trace things in monitor.c's forking and privilege separation.
>
> Regards,
>
> Heinrich
Re: SOLVED? Re: 4.0 - 4.1 broke ipsec

On Thu, 27 Sep 2007, Brian A. Seklecki wrote:

> > Ok, it's running now. The cause was not the move from 4.0 - 4.1, but the move from a diskful to a diskless setup: The machine mounts its root fs via nfs.
>
> WHAT?!?!?!
>
> What the heck kind of security-minded sanity check would fail based on the underlying VFS?
>
> Did you eventually get a PR open on this?

This has to do with a bug in isakmpd, where scanning a dir could skip files. The bug could only be triggered on nfs mounts.

	-Otto

> ~BAS
>
> > This runs just fine, except for isakmpd: It silently does not read any certificates from a NFS mounted directory. After moving /etc/isakmpd to a ramdisk, ipsec runs fine as well.
> >
> > Question: Is this a bug or a feature? If it is a feature, it really should be documented. If it is a bug, I am unable to fix it. I started digging into isakmpd's sources, but failed to further trace things in monitor.c's forking and privilege separation.
> >
> > Regards,
> >
> > Heinrich
SOLVED? Re: 4.0 - 4.1 broke ipsec

Heinrich Rebehn wrote:
> Hello list,
>
> after using ipsec for some years now, I never experienced an upgrade breaking it. But after moving to 4.1 (new install) I can not get it to work anymore.
>
> I have copied the complete /etc/isakmpd directory from the 4.0 installation to the new one and also copied /etc/isakmpd/private/local.pub to /etc/isakmpd
>
> Below is a snippet from the output of isakmpd -d -DA=70 on my gateway: The peer antbook3 is trying to establish a connection, but the local isakmpd cannot validate antbook3's cert. antbook3's installation has not changed at all. I have never seen the message "unable to get local issuer certificate" before.
>
> 111621.667743 Mesg 50 message_parse_payloads: offset 28 payload ID
> 111621.667812 Mesg 50 message_parse_payloads: offset 62 payload CERT
> 111621.667852 Mesg 50 message_parse_payloads: offset 799 payload SIG
> 111621.667924 Mesg 60 message_validate_payloads: payload ID at 0x8810241c of message 0x88f39500
> 111621.668011 Mesg 70 TYPE: 2
> 111621.668052 Mesg 70 DOI_DATA: 00
> 111621.668128 Mesg 70 DATA:
> 111621.668210 Mesg 40 ipsec_validate_id_information: proto 0 port 0 type 2
> 111621.668251 Mesg 60 message_validate_payloads: payload CERT at 0x8810243e of message 0x88f39500
> 111621.668313 Mesg 70 ENCODING: X509_SIG
> 111621.668348 Mesg 70 DATA:
> 111621.668431 Mesg 60 message_validate_payloads: payload SIG at 0x8810271f of message 0x88f39500
> 111621.668503 Mesg 70 DATA:
> 111621.668542 Trpt 70 transport_release: freeing 0x813c5c40
> 111621.668617 Misc 30 ipsec_responder: phase 1 exchange 2 step 4
> 111621.668707 Negt 40 ike_phase_1_recv_ID: FQDN:
> 111621.668755 Negt 40 616e7462 6f6f6b33 2e616e74 2e756e69 2d627265 6d656e2e 6465
> 111621.668827 Cryp 70 x509_hash_find: no certificate matched query
> 111621.669061 Default x509_cert_validate: unable to get local issuer certificate
> 111621.669224 Default rsa_sig_decode_hash: received CERT can't be validated
> 111621.672638 Negt 50 get_raw_key_from_file: file /etc/isakmpd/pubkeys//fqdn/antbook3.ant.uni-bremen.de not found
> 111621.672685 Default rsa_sig_decode_hash: no public key found
> 111621.672731 Default dropped message from 172.21.113.59 port 500 due to notification type INVALID_ID_INFORMATION
>
> Verifying the cert by hand:
>
> [EMAIL PROTECTED] [/etc/isakmpd/certs] # openssl verify -CAfile ../ca/ca.crt antbook3.crt
> antbook3.crt: OK
> [EMAIL PROTECTED] [/etc/isakmpd/certs] # md5 ../ca/ca.crt
> MD5 (../ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00
>
> Making sure that the gateway uses the same ca crt:
>
> [EMAIL PROTECTED] [~] # md5 /etc/isakmpd/ca/ca.crt
> MD5 (/etc/isakmpd/ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00
>
> I will happily post more information if needed, but I am unsure if I can post the output of openssl x509 -text ... of a cert. Would this enable someone else to use it?
>
> Thanks for any hints
>
> Heinrich

Ok, it's running now. The cause was not the move from 4.0 - 4.1, but the move from a diskful to a diskless setup: The machine mounts its root fs via nfs.

This runs just fine, except for isakmpd: It silently does not read any certificates from a NFS mounted directory. After moving /etc/isakmpd to a ramdisk, ipsec runs fine as well.

Question: Is this a bug or a feature? If it is a feature, it really should be documented. If it is a bug, I am unable to fix it. I started digging into isakmpd's sources, but failed to further trace things in monitor.c's forking and privilege separation.

Regards,

Heinrich
Re: 4.0 - 4.1 broke ipsec

pf is probably the problem, 'keep state' is assumed unless explicitly stated otherwise.

On 7/6/07, Heinrich Rebehn [EMAIL PROTECTED] wrote:
> Hello list,
>
> after using ipsec for some years now, I never experienced an upgrade breaking it. But after moving to 4.1 (new install) I can not get it to work anymore.
>
> I have copied the complete /etc/isakmpd directory from the 4.0 installation to the new one and also copied /etc/isakmpd/private/local.pub to /etc/isakmpd
>
> Below is a snippet from the output of isakmpd -d -DA=70 on my gateway: The peer antbook3 is trying to establish a connection, but the local isakmpd cannot validate antbook3's cert. antbook3's installation has not changed at all. I have never seen the message "unable to get local issuer certificate" before.
>
> 111621.667743 Mesg 50 message_parse_payloads: offset 28 payload ID
> 111621.667812 Mesg 50 message_parse_payloads: offset 62 payload CERT
> 111621.667852 Mesg 50 message_parse_payloads: offset 799 payload SIG
> 111621.667924 Mesg 60 message_validate_payloads: payload ID at 0x8810241c of message 0x88f39500
> 111621.668011 Mesg 70 TYPE: 2
> 111621.668052 Mesg 70 DOI_DATA: 00
> 111621.668128 Mesg 70 DATA:
> 111621.668210 Mesg 40 ipsec_validate_id_information: proto 0 port 0 type 2
> 111621.668251 Mesg 60 message_validate_payloads: payload CERT at 0x8810243e of message 0x88f39500
> 111621.668313 Mesg 70 ENCODING: X509_SIG
> 111621.668348 Mesg 70 DATA:
> 111621.668431 Mesg 60 message_validate_payloads: payload SIG at 0x8810271f of message 0x88f39500
> 111621.668503 Mesg 70 DATA:
> 111621.668542 Trpt 70 transport_release: freeing 0x813c5c40
> 111621.668617 Misc 30 ipsec_responder: phase 1 exchange 2 step 4
> 111621.668707 Negt 40 ike_phase_1_recv_ID: FQDN:
> 111621.668755 Negt 40 616e7462 6f6f6b33 2e616e74 2e756e69 2d627265 6d656e2e 6465
> 111621.668827 Cryp 70 x509_hash_find: no certificate matched query
> 111621.669061 Default x509_cert_validate: unable to get local issuer certificate
> 111621.669224 Default rsa_sig_decode_hash: received CERT can't be validated
> 111621.672638 Negt 50 get_raw_key_from_file: file /etc/isakmpd/pubkeys//fqdn/antbook3.ant.uni-bremen.de not found
> 111621.672685 Default rsa_sig_decode_hash: no public key found
> 111621.672731 Default dropped message from 172.21.113.59 port 500 due to notification type INVALID_ID_INFORMATION
>
> Verifying the cert by hand:
>
> [EMAIL PROTECTED] [/etc/isakmpd/certs] # openssl verify -CAfile ../ca/ca.crt antbook3.crt
> antbook3.crt: OK
> [EMAIL PROTECTED] [/etc/isakmpd/certs] # md5 ../ca/ca.crt
> MD5 (../ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00
>
> Making sure that the gateway uses the same ca crt:
>
> [EMAIL PROTECTED] [~] # md5 /etc/isakmpd/ca/ca.crt
> MD5 (/etc/isakmpd/ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00
>
> I will happily post more information if needed, but I am unsure if I can post the output of openssl x509 -text ... of a cert. Would this enable someone else to use it?
>
> Thanks for any hints
>
> Heinrich
>
> -- 
> Heinrich Rebehn
> University of Bremen
> Physics / Electrical and Electronics Engineering
> - Department of Telecommunications -
> Phone : +49/421/218-4664
> Fax :-3341

-- 
almir
Re: 4.0 - 4.1 broke ipsec

Almir Karic wrote:
> pf is probably the problem, 'keep state' is assumed unless explicitly stated otherwise.
>
> On 7/6/07, Heinrich Rebehn [EMAIL PROTECTED] wrote:
> > Hello list,
> >
> > after using ipsec for some years now, I never experienced an upgrade breaking it. But after moving to 4.1 (new install) I can not get it to work anymore.
> >
> > I have copied the complete /etc/isakmpd directory from the 4.0 installation to the new one and also copied /etc/isakmpd/private/local.pub to /etc/isakmpd
> >
> > Below is a snippet from the output of isakmpd -d -DA=70 on my gateway: The peer antbook3 is trying to establish a connection, but the local isakmpd cannot validate antbook3's cert. antbook3's installation has not changed at all. I have never seen the message "unable to get local issuer certificate" before.
> >
> > 111621.667743 Mesg 50 message_parse_payloads: offset 28 payload ID
> > 111621.667812 Mesg 50 message_parse_payloads: offset 62 payload CERT
> > 111621.667852 Mesg 50 message_parse_payloads: offset 799 payload SIG
> > 111621.667924 Mesg 60 message_validate_payloads: payload ID at 0x8810241c of message 0x88f39500
> > 111621.668011 Mesg 70 TYPE: 2
> > 111621.668052 Mesg 70 DOI_DATA: 00
> > 111621.668128 Mesg 70 DATA:
> > 111621.668210 Mesg 40 ipsec_validate_id_information: proto 0 port 0 type 2
> > 111621.668251 Mesg 60 message_validate_payloads: payload CERT at 0x8810243e of message 0x88f39500
> > 111621.668313 Mesg 70 ENCODING: X509_SIG
> > 111621.668348 Mesg 70 DATA:
> > 111621.668431 Mesg 60 message_validate_payloads: payload SIG at 0x8810271f of message 0x88f39500
> > 111621.668503 Mesg 70 DATA:
> > 111621.668542 Trpt 70 transport_release: freeing 0x813c5c40
> > 111621.668617 Misc 30 ipsec_responder: phase 1 exchange 2 step 4
> > 111621.668707 Negt 40 ike_phase_1_recv_ID: FQDN:
> > 111621.668755 Negt 40 616e7462 6f6f6b33 2e616e74 2e756e69 2d627265 6d656e2e 6465
> > 111621.668827 Cryp 70 x509_hash_find: no certificate matched query
> > 111621.669061 Default x509_cert_validate: unable to get local issuer certificate
> > 111621.669224 Default rsa_sig_decode_hash: received CERT can't be validated
> > 111621.672638 Negt 50 get_raw_key_from_file: file /etc/isakmpd/pubkeys//fqdn/antbook3.ant.uni-bremen.de not found
> > 111621.672685 Default rsa_sig_decode_hash: no public key found
> > 111621.672731 Default dropped message from 172.21.113.59 port 500 due to notification type INVALID_ID_INFORMATION
> >
> > Verifying the cert by hand:
> >
> > [EMAIL PROTECTED] [/etc/isakmpd/certs] # openssl verify -CAfile ../ca/ca.crt antbook3.crt
> > antbook3.crt: OK
> > [EMAIL PROTECTED] [/etc/isakmpd/certs] # md5 ../ca/ca.crt
> > MD5 (../ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00
> >
> > Making sure that the gateway uses the same ca crt:
> >
> > [EMAIL PROTECTED] [~] # md5 /etc/isakmpd/ca/ca.crt
> > MD5 (/etc/isakmpd/ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00
> >
> > I will happily post more information if needed, but I am unsure if I can post the output of openssl x509 -text ... of a cert. Would this enable someone else to use it?
> >
> > Thanks for any hints
> >
> > Heinrich
> >
> > -- 
> > Heinrich Rebehn
> > University of Bremen
> > Physics / Electrical and Electronics Engineering
> > - Department of Telecommunications -
> > Phone : +49/421/218-4664
> > Fax :-3341

But how should keep state be harmful for ipsec? Why would it cause verification of the certs to fail?

Just tried passing port 500 and 4500 with no state. Does not help.

--Heinrich
4.0 - 4.1 broke ipsec

Hello list,

after using ipsec for some years now, I never experienced an upgrade breaking it. But after moving to 4.1 (new install) I can not get it to work anymore.

I have copied the complete /etc/isakmpd directory from the 4.0 installation to the new one and also copied /etc/isakmpd/private/local.pub to /etc/isakmpd

Below is a snippet from the output of isakmpd -d -DA=70 on my gateway: The peer antbook3 is trying to establish a connection, but the local isakmpd cannot validate antbook3's cert. antbook3's installation has not changed at all. I have never seen the message "unable to get local issuer certificate" before.

111621.667743 Mesg 50 message_parse_payloads: offset 28 payload ID
111621.667812 Mesg 50 message_parse_payloads: offset 62 payload CERT
111621.667852 Mesg 50 message_parse_payloads: offset 799 payload SIG
111621.667924 Mesg 60 message_validate_payloads: payload ID at 0x8810241c of message 0x88f39500
111621.668011 Mesg 70 TYPE: 2
111621.668052 Mesg 70 DOI_DATA: 00
111621.668128 Mesg 70 DATA:
111621.668210 Mesg 40 ipsec_validate_id_information: proto 0 port 0 type 2
111621.668251 Mesg 60 message_validate_payloads: payload CERT at 0x8810243e of message 0x88f39500
111621.668313 Mesg 70 ENCODING: X509_SIG
111621.668348 Mesg 70 DATA:
111621.668431 Mesg 60 message_validate_payloads: payload SIG at 0x8810271f of message 0x88f39500
111621.668503 Mesg 70 DATA:
111621.668542 Trpt 70 transport_release: freeing 0x813c5c40
111621.668617 Misc 30 ipsec_responder: phase 1 exchange 2 step 4
111621.668707 Negt 40 ike_phase_1_recv_ID: FQDN:
111621.668755 Negt 40 616e7462 6f6f6b33 2e616e74 2e756e69 2d627265 6d656e2e 6465
111621.668827 Cryp 70 x509_hash_find: no certificate matched query
111621.669061 Default x509_cert_validate: unable to get local issuer certificate
111621.669224 Default rsa_sig_decode_hash: received CERT can't be validated
111621.672638 Negt 50 get_raw_key_from_file: file /etc/isakmpd/pubkeys//fqdn/antbook3.ant.uni-bremen.de not found
111621.672685 Default rsa_sig_decode_hash: no public key found
111621.672731 Default dropped message from 172.21.113.59 port 500 due to notification type INVALID_ID_INFORMATION

Verifying the cert by hand:

[EMAIL PROTECTED] [/etc/isakmpd/certs] # openssl verify -CAfile ../ca/ca.crt antbook3.crt
antbook3.crt: OK
[EMAIL PROTECTED] [/etc/isakmpd/certs] # md5 ../ca/ca.crt
MD5 (../ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00

Making sure that the gateway uses the same ca crt:

[EMAIL PROTECTED] [~] # md5 /etc/isakmpd/ca/ca.crt
MD5 (/etc/isakmpd/ca/ca.crt) = e83c31211832100dcd79ae6f4612cf00

I will happily post more information if needed, but I am unsure if I can post the output of openssl x509 -text ... of a cert. Would this enable someone else to use it?

Thanks for any hints

Heinrich

-- 
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax :-3341