
Trouble with isakmpd authentication


Trouble with isakmpd authentication

Simon McFarlane-2
Hi all,

I'm trying to set up an IPSec tunnel with a remote peer (HamWAN) who are helping
me announce an IPv4 allocation. We are having some trouble authenticating with
isakmpd. We got it to connect with a PSK, but can't get certificates or public
key auth working (they don't do secrets as a matter of policy).

They normally use a certificate setup, but it looks like isakmpd requires
subjectaltname to be filled. Using certs without subjectaltname did not
work.

One thing I noticed is that looking at an ultra-verbose log, and using ktrace,
isakmpd loads local.key, but never seems to load anything in the pubkeys
directory.

Before I dump my config files and debug info, I want to give some immense thanks
to EO_ from HamWAN, who has gone way above the call of duty in helping me get
connected.

Here is a link to their instructions page for Mikrotik/RouterOS routers:
https://hamwan.org/Labs/Open%20Peering%20Policy.html#setup-on-mikrotik-routeros-edge-router

This is my ipsec.conf:
ike active ah tunnel from 44.24.246.18/31 to 44.24.246.0/31 peer 44.24.221.2 main auth hmac-sha1 enc aes-128 group modp1024 lifetime 30m quick auth hmac-md5 group modp1024 lifetime 30m

My /etc/isakmpd/:
/etc/isakmpd/
|-- ca
|-- certs
|-- crls
|-- keynote
|-- local.pub
|-- private
|   `-- local.key
`-- pubkeys
    |-- fqdn
    |-- ipv4
    |   `-- 44.24.221.2
    |-- ipv6
    `-- ufqdn

local.key is a 2048-bit RSA private key generated by me, and local.pub is the
corresponding public key. pubkeys/ipv4/44.24.221.2 is the public key extracted
from their certificate. All of these are in PEM format.

Any isakmpd experts know how I might make this work? They can give me a client cert
with an arbitrary subjectaltname if that would fix it. Would they need to add a
subjectaltname field to their server cert?

Thanks,
Simon

For understanding the below config, my IP address is 71.32.246.199.
Output of isakmpd -K -d -T -v -D A=39:
---------------------------------------------
135329.733775 Default log_debug_cmd: log level changed from 0 to 39 for class 0 [priv]
135329.734769 Default log_debug_cmd: log level changed from 0 to 39 for class 1 [priv]
135329.734788 Default log_debug_cmd: log level changed from 0 to 39 for class 2 [priv]
135329.734804 Default log_debug_cmd: log level changed from 0 to 39 for class 3 [priv]
135329.734820 Default log_debug_cmd: log level changed from 0 to 39 for class 4 [priv]
135329.734835 Default log_debug_cmd: log level changed from 0 to 39 for class 5 [priv]
135329.734850 Default log_debug_cmd: log level changed from 0 to 39 for class 6 [priv]
135329.734865 Default log_debug_cmd: log level changed from 0 to 39 for class 7 [priv]
135329.734880 Default log_debug_cmd: log level changed from 0 to 39 for class 8 [priv]
135329.734896 Default log_debug_cmd: log level changed from 0 to 39 for class 9 [priv]
135329.734939 Default log_debug_cmd: log level changed from 0 to 39 for class 10 [priv]
135329.734954 Default isakmpd: starting [priv]
135329.737177 Misc 10 monitor_init: privileges dropped for child process
135330.101234 Plcy 30 policy_init: initializing
135330.103973 Misc 20 udp_make: transport 0x4d1d7733400 socket 8 ip ::1 port 500
135330.104497 Misc 20 udp_make: transport 0x4d1bc508b80 socket 9 ip fe80:5::1 port 500
135330.105066 Misc 20 udp_make: transport 0x4d1d7733680 socket 10 ip 127.0.0.1 port 500
135330.105565 Misc 20 udp_make: transport 0x4d1d7733700 socket 11 ip 192.168.0.1 port 500
135330.106023 Misc 20 udp_make: transport 0x4d16df1f480 socket 12 ip fe80:7::20d:b9ff:fe41:e7fc port 500
135330.106637 Misc 20 udp_make: transport 0x4d12e3ae980 socket 13 ip 71.32.246.199 port 500
135330.107060 Misc 20 udp_make: transport 0x4d1d7733c00 socket 14 ip 0.0.0.0 port 500
135330.107490 Misc 20 udp_make: transport 0x4d16df1fd80 socket 15 ip :: port 500
135336.262336 UI   30 ui_config: "C set [Phase 1]:44.24.221.2=peer-44.24.221.2 force"
135336.262557 UI   30 ui_config: "C set [peer-44.24.221.2]:Phase=1 force"
135336.262773 UI   30 ui_config: "C set [peer-44.24.221.2]:Address=44.24.221.2 force"
135336.262852 UI   30 ui_config: "C set [peer-44.24.221.2]:Configuration=phase1-peer-44.24.221.2 force"
135336.262953 UI   30 ui_config: "C set [phase1-peer-44.24.221.2]:EXCHANGE_TYPE=ID_PROT force"
135336.263286 UI   30 ui_config: "C add [phase1-peer-44.24.221.2]:Transforms=phase1-transform-peer-44.24.221.2-RSA_SIG-SHA-AES128-MODP_1024 force"
135336.263376 UI   30 ui_config: "C set [phase1-transform-peer-44.24.221.2-RSA_SIG-SHA-AES128-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force"
135336.263478 UI   30 ui_config: "C set [phase1-transform-peer-44.24.221.2-RSA_SIG-SHA-AES128-MODP_1024]:HASH_ALGORITHM=SHA force"
135336.263580 UI   30 ui_config: "C set [phase1-transform-peer-44.24.221.2-RSA_SIG-SHA-AES128-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force"
135336.263651 UI   30 ui_config: "C set [phase1-transform-peer-44.24.221.2-RSA_SIG-SHA-AES128-MODP_1024]:KEY_LENGTH=128,128:128 force"
135336.263747 UI   30 ui_config: "C set [phase1-transform-peer-44.24.221.2-RSA_SIG-SHA-AES128-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force"
135336.263819 UI   30 ui_config: "C set [phase1-transform-peer-44.24.221.2-RSA_SIG-SHA-AES128-MODP_1024]:Life=phase1-transform-peer-44.24.221.2-RSA_SIG-SHA-AES128-MODP_1024-life force"
135336.263901 UI   30 ui_config: "C set [phase1-transform-peer-44.24.221.2-RSA_SIG-SHA-AES128-MODP_1024-life]:LIFE_TYPE=SECONDS force"
135336.263976 UI   30 ui_config: "C set [phase1-transform-peer-44.24.221.2-RSA_SIG-SHA-AES128-MODP_1024-life]:LIFE_DURATION=1800 force"
135336.264057 UI   30 ui_config: "C set [from-44.24.246.18/31-to-44.24.246.0/31]:Phase=2 force"
135336.264155 UI   30 ui_config: "C set [from-44.24.246.18/31-to-44.24.246.0/31]:ISAKMP-peer=peer-44.24.221.2 force"
135336.264239 UI   30 ui_config: "C set [from-44.24.246.18/31-to-44.24.246.0/31]:Configuration=phase2-from-44.24.246.18/31-to-44.24.246.0/31 force"
135336.264289 UI   30 ui_config: "C set [from-44.24.246.18/31-to-44.24.246.0/31]:Local-ID=from-44.24.246.18/31 force"
135336.264326 UI   30 ui_config: "C set [from-44.24.246.18/31-to-44.24.246.0/31]:Remote-ID=to-44.24.246.0/31 force"
135336.264396 UI   30 ui_config: "C set [phase2-from-44.24.246.18/31-to-44.24.246.0/31]:EXCHANGE_TYPE=QUICK_MODE force"
135336.264499 UI   30 ui_config: "C set [phase2-from-44.24.246.18/31-to-44.24.246.0/31]:Suites=phase2-suite-from-44.24.246.18/31-to-44.24.246.0/31 force"
135336.264538 UI   30 ui_config: "C set [phase2-suite-from-44.24.246.18/31-to-44.24.246.0/31]:Protocols=phase2-protocol-from-44.24.246.18/31-to-44.24.246.0/31 force"
135336.264621 UI   30 ui_config: "C set [phase2-protocol-from-44.24.246.18/31-to-44.24.246.0/31]:PROTOCOL_ID=IPSEC_AH force"
135336.264707 UI   30 ui_config: "C set [phase2-protocol-from-44.24.246.18/31-to-44.24.246.0/31]:Transforms=phase2-transform-from-44.24.246.18/31-to-44.24.246.0/31-NONE-MD5-MODP_1024-TUNNEL force"
135336.264788 UI   30 ui_config: "C set [phase2-transform-from-44.24.246.18/31-to-44.24.246.0/31-NONE-MD5-MODP_1024-TUNNEL]:TRANSFORM_ID=MD5 force"
135336.264909 UI   30 ui_config: "C set [phase2-transform-from-44.24.246.18/31-to-44.24.246.0/31-NONE-MD5-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force"
135336.265032 UI   30 ui_config: "C set [phase2-transform-from-44.24.246.18/31-to-44.24.246.0/31-NONE-MD5-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_MD5 force"
135336.265131 UI   30 ui_config: "C set [phase2-transform-from-44.24.246.18/31-to-44.24.246.0/31-NONE-MD5-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force"
135336.265243 UI   30 ui_config: "C set [phase2-transform-from-44.24.246.18/31-to-44.24.246.0/31-NONE-MD5-MODP_1024-TUNNEL]:Life=phase2-transform-from-44.24.246.18/31-to-44.24.246.0/31-NONE-MD5-MODP_1024-TUNNEL-life force
135336.265300 UI   30 ui_config: "C set [phase2-transform-from-44.24.246.18/31-to-44.24.246.0/31-NONE-MD5-MODP_1024-TUNNEL-life]:LIFE_TYPE=SECONDS force"
135336.265371 UI   30 ui_config: "C set [phase2-transform-from-44.24.246.18/31-to-44.24.246.0/31-NONE-MD5-MODP_1024-TUNNEL-life]:LIFE_DURATION=1800 force"
135336.265425 UI   30 ui_config: "C set [from-44.24.246.18/31]:ID-type=IPV4_ADDR_SUBNET force"
135336.265531 UI   30 ui_config: "C set [from-44.24.246.18/31]:Network=44.24.246.18 force"
135336.265613 UI   30 ui_config: "C set [from-44.24.246.18/31]:Netmask=255.255.255.254 force"
135336.265662 UI   30 ui_config: "C set [to-44.24.246.0/31]:ID-type=IPV4_ADDR_SUBNET force"
135336.265751 UI   30 ui_config: "C set [to-44.24.246.0/31]:Network=44.24.246.0 force"
135336.265789 UI   30 ui_config: "C set [to-44.24.246.0/31]:Netmask=255.255.255.254 force"
135336.265861 Timr 10 timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s
135336.265880 UI   30 ui_config: "C add [Phase 2]:Connections=from-44.24.246.18/31-to-44.24.246.0/31"
135341.271924 Timr 10 timer_handle_expirations: event ui_conn_reinit(0x0)
135341.271996 Misc 30 connection_reinit: reinitializing connection list
135341.272042 Timr 10 timer_add_event: event connection_checker(0x4d1dca9b000) added last, expiration in 0s
135341.272572 Timr 10 timer_handle_expirations: event connection_checker(0x4d1dca9b000)
135341.272670 Timr 10 timer_add_event: event connection_checker(0x4d1dca9b000) added last, expiration in 60s
135341.273075 Timr 10 timer_add_event: event exchange_free_aux(0x4d207e15a00) added last, expiration in 120s
135341.273153 Exch 10 exchange_establish_p1: 0x4d207e15a00 peer-44.24.221.2 phase1-peer-44.24.221.2 policy initiator phase 1 doi 1 exchange 2 step 0
135341.273174 Exch 10 exchange_establish_p1: icookie cefe98ef23d00ea7 rcookie 0000000000000000
135341.273189 Exch 10 exchange_establish_p1: msgid 00000000
135341.273756 Trpt 30 transport_send_messages: message 0x4d15a66be00 scheduled for retransmission 1 in 7 secs
135341.273809 Timr 10 timer_add_event: event message_send_expire(0x4d15a66be00) added before connection_checker(0x4d1dca9b000), expiration in 7s
135341.279266 Mesg 20 message_free: freeing 0x4d15a66be00
135341.279302 Timr 10 timer_remove_event: removing event message_send_expire(0x4d15a66be00)
135341.279414 Exch 10 dpd_check_vendor_payload: DPD capable peer detected
135341.279471 Negt 30 message_negotiate_sa: transform 0 proto 1 proposal 1 ok
135341.279636 Negt 20 ike_phase_1_validate_prop: success
135341.279686 Negt 30 message_negotiate_sa: proposal 1 succeeded
135341.279702 Misc 20 ipsec_decode_transform: transform 0 chosen
135341.284636 Trpt 30 transport_send_messages: message 0x4d141433600 scheduled for retransmission 1 in 7 secs
135341.284661 Timr 10 timer_add_event: event message_send_expire(0x4d141433600) added before connection_checker(0x4d1dca9b000), expiration in 7s
135341.301433 Mesg 20 message_free: freeing 0x4d141433600
135341.301477 Timr 10 timer_remove_event: removing event message_send_expire(0x4d141433600)
135341.305925 Mesg 20 message_free: freeing 0x4d13c879300
135341.306270 Plcy 30 keynote_cert_obtain: failed to open "/etc/isakmpd/keynote//71.32.246.199/credentials"
135341.306311 Misc 10 rsa_sig_encode_hash: no certificate to send for id ipv4/71.32.246.199
135341.320741 Trpt 30 transport_send_messages: message 0x4d13c879e00 scheduled for retransmission 1 in 7 secs
135341.320796 Timr 10 timer_add_event: event message_send_expire(0x4d13c879e00) added before connection_checker(0x4d1dca9b000), expiration in 7s
135341.333423 Default ipsec_get_keystate: no keystate in ISAKMP SA 0x4d1db4c0800
135341.333450 Mesg 20 message_free: freeing 0x4d141433a00
135348.333912 Timr 10 timer_handle_expirations: event message_send_expire(0x4d13c879e00)
135348.334583 Trpt 30 transport_send_messages: message 0x4d13c879e00 scheduled for retransmission 2 in 9 secs
135348.334609 Timr 10 timer_add_event: event message_send_expire(0x4d13c879e00) added before connection_checker(0x4d1dca9b000), expiration in 9s
135348.340632 Default ipsec_get_keystate: no keystate in ISAKMP SA 0x4d1db4c0800
135348.340660 Mesg 20 message_free: freeing 0x4d161c36e00
135351.304464 Mesg 20 message_free: freeing 0x4d13c879100
135357.346543 Timr 10 timer_handle_expirations: event message_send_expire(0x4d13c879e00)
135357.347090 Trpt 30 transport_send_messages: message 0x4d13c879e00 scheduled for retransmission 3 in 11 secs
135357.347158 Timr 10 timer_add_event: event message_send_expire(0x4d13c879e00) added before connection_checker(0x4d1dca9b000), expiration in 11s
135357.353110 Default ipsec_get_keystate: no keystate in ISAKMP SA 0x4d1db4c0800
135357.353139 Mesg 20 message_free: freeing 0x4d161c36300
135401.301590 Mesg 20 message_free: freeing 0x4d15a66b400
135408.359643 Timr 10 timer_handle_expirations: event message_send_expire(0x4d13c879e00)
135408.360293 Default transport_send_messages: giving up on exchange peer-44.24.221.2, no response from peer 44.24.221.2:500
135408.360314 Mesg 20 message_free: freeing 0x4d13c879e00
135408.367511 Default ipsec_get_keystate: no keystate in ISAKMP SA 0x4d1db4c0800
135408.367556 Mesg 20 message_free: freeing 0x4d13c879f00
135411.302047 Mesg 20 message_free: freeing 0x4d13c879b00
135419.285081 Default isakmpd: shutting down...
135419.285370 Default isakmpd: exit


Re: Trouble with isakmpd authentication

Simon McFarlane-2
On 03/11/2017 02:47 PM, Simon McFarlane wrote:
> Any isakmpd experts know how I might make this work? They can give me a client cert
> with an arbitrary subjectaltname if that would fix it. Would they need to add a
> subjectaltname field to their server cert?

We toyed around with this, and after getting the correct SAN, something
still gets hung up at the same place, despite the certificate being
loaded. At this point, I'd just like to get host key auth working, which
the man page says should eschew the need for certificates, but isakmpd
still doesn't even seem to look at anything in the pubkeys folder.


Re: Trouble with isakmpd authentication

Stuart Henderson
In reply to this post by Simon McFarlane-2
On 2017-03-11, Simon McFarlane <[hidden email]> wrote:

> Hi all,
>
> I'm trying to set up an IPSec tunnel with a remote peer (HamWAN) who are helping
> me announce an IPv4 allocation. We are having some trouble authenticating with
> isakmpd. We got it to connect with a PSK, but can't get certificates or public
> key auth working (they don't do secrets as a matter of policy).
>
> They normally use a certificate setup, but it looks like isakmpd requires
> subjectaltname to be filled. Using certs without subjectaltname did not
> work.
>
> One thing I noticed is that looking at an ultra-verbose log, and using ktrace,
> isakmpd loads local.key, but never seems to load anything in the pubkeys
> directory.
>
> Before I dump my config files and debug info, I want to give some immense thanks
> to EO_ from HamWAN, who has gone way above the call of duty in helping me get
> connected.
>
> Here is a link to their instructions page for Mikrotik/RouterOS routers:
> https://hamwan.org/Labs/Open%20Peering%20Policy.html#setup-on-mikrotik-routeros-edge-router
>
> This is my ipsec.conf:
> ike active ah tunnel from 44.24.246.18/31 to 44.24.246.0/31 peer 44.24.221.2 main auth hmac-sha1 enc aes-128 group modp1024 lifetime 30m quick auth hmac-md5 group modp1024 lifetime 30m
>
> My /etc/isakmpd/:
> /etc/isakmpd/
> |-- ca
> |-- certs
> |-- crls
> |-- keynote
> |-- local.pub
> |-- private
> |   `-- local.key
> `-- pubkeys
>     |-- fqdn
>     |-- ipv4
>     |   `-- 44.24.221.2
>     |-- ipv6
>     `-- ufqdn
>
> local.key is a 2048-bit RSA private key generated by me, and local.pub is the
> corresponding public key. pubkeys/ipv4/44.24.221.2 is the public key extracted
> from their certificate. All of these are in PEM format.
>
> Any isakmpd experts know how I might make this work? They can give me a client cert
> with an arbitrary subjectaltname if that would fix it. Would they need to add a
> subjectaltname field to their server cert?

ipv4/* is for host key auth, not X509.

Put the signed cert in certs/<whatever_is_in_subjectaltname>.crt,
and the CA cert in ca/ca.crt.

subjectAltName needs to be either "IP:10.0.0.1" or "DNS:fqdn.example.com"
and the cert must have extendedKeyUsage=serverAuth,clientAuth.

isakmpd must use the IP or DNS mentioned in the cert as an identifier,
easiest to set this with "srcid".
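
Added example, not part of the original thread or of isakmpd itself: a pre-flight check that reads `openssl x509 -noout -text` output on stdin and tests the certificate against the requirements listed in the reply above (IP or DNS subjectAltName, serverAuth and clientAuth in extendedKeyUsage), then prints the certs/ file name and srcid that follow from it. The function names and the sample certificate dumps are constructed for illustration, and only the first subjectAltName entry is considered.

```sh
#!/bin/sh
# Added example (hypothetical helper names). Input on stdin is the output of
# `openssl x509 -noout -text`; the checks mirror the reply above.

# Print the trimmed line that follows the first line containing $1.
ext_value() {
    awk -v h="$1" 'found { sub(/^[ \t]+/, ""); print; exit }
                   index($0, h) { found = 1 }'
}

check_isakmpd_cert() {
    text=$(cat); rc=0; id=
    san=$(printf '%s\n' "$text" | ext_value 'X509v3 Subject Alternative Name')
    eku=$(printf '%s\n' "$text" | ext_value 'X509v3 Extended Key Usage')
    first=${san%%,*}    # assumption: only the first SAN entry is considered
    case $first in
        'IP Address:'*) id=${first#"IP Address:"} ;;
        DNS:*)          id=${first#DNS:} ;;
        '')             echo 'FAIL: no subjectAltName'; rc=1 ;;
        *)              echo "FAIL: subjectAltName is not IP or DNS: $first"; rc=1 ;;
    esac
    for usage in Server Client; do
        case $eku in
            *"TLS Web $usage Authentication"*) ;;
            *) echo "FAIL: extendedKeyUsage lacks $usage auth"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: install as /etc/isakmpd/certs/$id.crt, srcid $id"
    return "$rc"
}

# Constructed sample: trimmed text dump of a certificate that meets the rules.
sample_good() { cat <<'EOF'
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                IP Address:71.32.246.199
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
EOF
}
# Constructed sample: no subjectAltName, serverAuth only.
sample_bad() { cat <<'EOF'
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
EOF
}
sample_good | check_isakmpd_cert
sample_bad  | check_isakmpd_cert || true
```

On a real certificate the call would be `openssl x509 -in client.crt -noout -text | check_isakmpd_cert`, where client.crt is a placeholder file name.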
