stream (Guru)
Joined: 04 Jan 2003, Posts: 401
Posted: Sun Apr 04, 2004 5:55 pm
Post subject: ipsec + kame (problems with certificate)
So, after 4 days of not really getting anywhere with openswan ( https://forums.gentoo.org/viewtopic.php?t=156842 ), I'm now trying it with kame.
The configuration went much faster, and after a short time the process was already waiting for connections on port 500.
Code:
```
racoon: INFO: isakmp.c:891:isakmp_ph1begin_r(): respond new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.10[500]
racoon: INFO: isakmp.c:896:isakmp_ph1begin_r(): begin Identity Protection mode.
racoon: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: MS NT5 ISAKMPOAKLEY
racoon: ERROR: crypto_openssl.c:348:cb_check_cert(): unable to get local issuer certificate(20) at depth:0 SubjectName:/C=DE/ST=www/L=www/O=wlan/OU=wlan/CN=client/emailAddress=client@localhost
racoon: ERROR: oakley.c:1335:oakley_validate_auth(): the peer's certificate is not verified.
racoon: ERROR: isakmp.c:1454:isakmp_ph1resend(): phase1 negotiation failed due to time up.
```
As I understand it, the client's certificate is not valid.
I created the certificate as follows:
```sh
./CA.sh -newreq
./CA.sh -sign
```
Did I forget something when creating it?
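An added example (not posted in this thread, and not racoon's own code) that reproduces the check behind the "unable to get local issuer certificate(20)" line with plain openssl: racoon hands the peer certificate to OpenSSL's hashed-directory lookup on its `path certificate` directory, so a CA certificate is only found there under its subject-hash file name, not under a name such as ca.pem. The CA and client subjects, the file names and the stand-in for the `/cert` directory are constructed for the demo; it needs the openssl command line (1.1.1 or newer).

```shell
#!/bin/sh
# Added example, not from this thread: reproduce the OpenSSL lookup behind
# racoon's "unable to get local issuer certificate(20)". racoon validates the
# peer certificate through OpenSSL's hashed-directory lookup on its
# "path certificate" directory, which finds a CA file only under its
# subject-hash name (<hash>.0), not under a name such as ca.pem.
# All subjects and file names are constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERTDIR="$WORK/cert"                 # stands in for path certificate "/cert"
mkdir -p "$CERTDIR"

# Minimal openssl config so the CA cert gets CA:TRUE regardless of the system config.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Constructed CA (self-signed) and a client certificate issued by it.
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
  -subj "/C=DE/O=wlan/CN=root" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
  -subj "/C=DE/O=wlan/CN=client" -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client.pem" 2>/dev/null

# verify_in_dir DIR CERT: succeeds iff CERT chains to a CA found by hashed lookup in DIR.
verify_in_dir() { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }

# ca_hash_name CAFILE: the file name the hashed lookup expects for that CA.
ca_hash_name() { echo "$(openssl x509 -noout -hash -in "$1").0"; }

# 1) CA stored as ca.pem only: the lookup does not find the issuer.
cp "$WORK/ca.pem" "$CERTDIR/ca.pem"
if verify_in_dir "$CERTDIR" "$WORK/client.pem"; then
  echo "unexpected: verified without a hashed CA file"
else
  echo "as in the racoon log: issuer not found while the CA is stored as ca.pem"
fi

# 2) Same CA reachable under its hash name: the chain verifies.
ln -s ca.pem "$CERTDIR/$(ca_hash_name "$WORK/ca.pem")"
verify_in_dir "$CERTDIR" "$WORK/client.pem" && echo "ok: client certificate verified"
```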
ruth (Retired Dev)
Joined: 07 Sep 2003, Posts: 640, Location: M / AN / BY / GER
Posted: Sun Apr 04, 2004 9:34 pm
hi,
did you follow this?
http://www.ipsec-howto.org/x507.html
or how else did you do it?
openssl is tricky...
so long
rootshell
_________________
"The compiler has tried twice to abort and cannot do so; therefore, compilation will now terminate."
-- IBM PL/I (F) error manual
stream (Guru)
Joined: 04 Jan 2003, Posts: 401
Posted: Sun Apr 04, 2004 11:23 pm
I have now created the certificates following the HowTo and imported them on the client.
Code:
```
racoon: INFO: isakmp.c:891:isakmp_ph1begin_r(): respond new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.10[500]
racoon: INFO: isakmp.c:896:isakmp_ph1begin_r(): begin Identity Protection mode.
racoon: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: MS NT5 ISAKMPOAKLEY
racoon: ERROR: isakmp_inf.c:145:isakmp_info_recv(): ignore information because ISAKMP-SA has not been established yet.
```
ruth (Retired Dev)
Joined: 07 Sep 2003, Posts: 640, Location: M / AN / BY / GER
Posted: Mon Apr 05, 2004 1:50 pm
hi,
now be a bit more forthcoming...
please describe your setup, configs, blah...
you know what I mean...
(crystal ball currently under repair...)
rootshell
_________________
"The compiler has tried twice to abort and cannot do so; therefore, compilation will now terminate."
-- IBM PL/I (F) error manual
stream (Guru)
Joined: 04 Jan 2003, Posts: 401
Posted: Mon Apr 05, 2004 2:45 pm
OK, sorry.
On the server:
cat /etc/setkey.conf
Code:
```
#!/usr/bin/setkey -f
flush;
spdflush;
```
cat /etc/racoon/racoon.conf
Code:
```
path certificate "/cert";
listen
{
    #isakmp ::1 [7000];
    isakmp 10.0.0.1 [500];
    #admin [7002]; # administrative's port by kmpstat.
    #strict_address; # required all addresses must be bound.
}
remote anonymous {
    exchange_mode main;
    generate_policy on;
    passive on;
    # racoon.conf(5) syntax: certificate_type x509 "certfile" "privkeyfile";
    certificate_type x509 "server_cert.pem" "server_req.pem";
    my_identifier asn1dn;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method rsasig;
        dh_group modp1024;
    }
}
sainfo anonymous {
    pfs_group modp1024;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
```
On the client (Windows):
http://vpn.ebootis.de/
followed the "Installation Instructions"
Code:
```
conn vpn
    left=10.0.0.10
    right=10.0.0.1
    rightca="C=DE,S=www,L=www,O=wlan,OU=wlan,CN=root,E=root@localhost"
    network=auto
    auto=start
    rekey=1800S/30000K
    authmode=MD5
    pfs=yes
```
When I ping the server while the connection is being set up, after a few successful pings I get -> IP-Sicherheit wird verhandelt. (Windows ping: "Negotiating IP Security.")
I suspect the problem is on the client side, since I found the following via Google Groups
Somewhere I read that there are fewer problems with the Cisco VPN client. Is that true? Maybe worth a try.
stream (Guru)
Joined: 04 Jan 2003, Posts: 401
Posted: Tue Apr 06, 2004 2:30 pm
I have now tried the whole thing with the Cisco VPN Client 4.0.
The client shows the following message:
Code:
```
Secure VPN Connection terminated locally by the client. Reason: the remote peer is no longer responding.
```
Logs on the server:
Code:
```
racoon: INFO: isakmp.c:891:isakmp_ph1begin_r(): respond new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.10[500]
racoon: INFO: isakmp.c:896:isakmp_ph1begin_r(): begin Identity Protection mode.
racoon: ERROR: ipsec_doi.c:1938:check_attr_isakmp(): invalid auth method 65005.
racoon: ERROR: ipsec_doi.c:1938:check_attr_isakmp(): invalid auth method 65005.
racoon: ERROR: ipsec_doi.c:1938:check_attr_isakmp(): invalid auth method 65005.
racoon: ERROR: ipsec_doi.c:1938:check_attr_isakmp(): invalid auth method 65005.
racoon: ERROR: ipsec_doi.c:1938:check_attr_isakmp(): invalid auth method 65005.
racoon: ERROR: ipsec_doi.c:1938:check_attr_isakmp(): invalid auth method 65005.
racoon: ERROR: ipsec_doi.c:1938:check_attr_isakmp(): invalid auth method 65005.
racoon: ERROR: ipsec_doi.c:1938:check_attr_isakmp(): invalid auth method 65005.
racoon: ERROR: ipsec_doi.c:1938:check_attr_isakmp(): invalid auth method 65005.
racoon: ERROR: ipsec_doi.c:1938:check_attr_isakmp(): invalid auth method 65005.
racoon: ERROR: ipsec_doi.c:1938:check_attr_isakmp(): invalid auth method 65005.
racoon: ERROR: ipsec_doi.c:1938:check_attr_isakmp(): invalid auth method 65005.
racoon: ERROR: ipsec_doi.c:1938:check_attr_isakmp(): invalid auth method 65005.
racoon: ERROR: crypto_openssl.c:539:eay_get_x509text(): 6486:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946: 6486:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=X509_CINF 6486:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=cert_info, Type=X509
racoon: WARNING: isakmp_inf.c:1343:isakmp_check_notify(): ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
racoon: ERROR: crypto_openssl.c:401:eay_get_x509asn1subjectname(): 6486:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946: 6486:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=X509_CINF 6486:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=cert_info, Type=X509
racoon: ERROR: oakley.c:1635:oakley_check_certid(): failed to get subjectName
racoon: ERROR: isakmp.c:1454:isakmp_ph1resend(): phase1 negotiation failed due to time up. 42a84fd7d8ed8434:72dacfa6ab6c1978
racoon: ERROR: isakmp_inf.c:145:isakmp_info_recv(): ignore information because ISAKMP-SA has not been established yet.
```
:evil: