
Re: problem with isakmpd with certs

In message <20010105191034.A18898@sigrid.schuldei.com>, Andreas Schuldei writes:
>
>173351.104824 Default keynote_cert_obtain: failed to stat "/etc/isakmpd/keynote//195.84.105.112/credentials"
>173358.439092 Mesg 00 ipsec_validate_id_information: proto 0 port 0 type 1
>173358.442331 Default rsa_sig_decode_hash: received CERT can't be validated
>173358.442659 Default rsa_sig_decode_hash: no public key found
>173358.442987 Default dropped message from 195.84.181.91 port 500 due to notification type INVALID_ID_INFORMATION
>
>The first line tells me that it does not have any credentials yet. Do I need
>to create the directory or is this done once the credentials are transmitted?
>In the mailing list archive I read that they are automatically generated by
>isakmpd. Is that correct?

Ignore the first line, unless you want to use KeyNote credentials (as
opposed to X.509 certificates, which is what README.PKI says).

>But what does the 'received CERT can't be validated' mean? My script generated
>all the certs in one go and I would guess that they must fit.
>How can I make sure that all certs are correct? could it be that some old
>certificates in /etc/openssl/ come into the way?

Err..you're supposed to copy your certificate to /etc/isakmpd/certs/,
your private key to /etc/isakmpd/private/, and any CA certs to
/etc/isakmpd/ca/

>Why would it not find the public key? It is sitting in
>/etc/isakmpd/private/lokal.key, like specified in the config file. 

It didn't find a public key for the *peer*, because no certificate was
sent *by the peer*. One reason this may have happened is because you
don't have the files in the correct directories, as outlined
above. Another reason is because you may be using a different Phase 1
ID in isakmpd from the one encoded in the certificate (via certpatch).

-Angelos
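The two causes Angelos names (files not in the directories README.PKI expects, and a Phase 1 ID that does not match what certpatch put in the certificate) can both be checked before starting isakmpd. The script below is an added example for this thread, not code from isakmpd, README.PKI, or either poster. It assumes that certpatch encodes the Phase 1 ID as an X.509 subjectAltName (IP, DNS or email), which it maps onto the isakmpd.conf ID-type names IPV4_ADDR, FQDN and USER_FQDN; the key file name is a parameter, since the poster's config uses lokal.key rather than the default; and it builds a throwaway CA and certificate in a scratch directory that stands in for /etc/isakmpd, so it runs offline with only openssl(1). The two IP addresses are the ones from the quoted log.

```shell
#!/bin/sh
# Added example, not code from isakmpd or from either poster: a pre-flight
# check of the /etc/isakmpd PKI layout described in the reply (certs/ for the
# local certificate, private/ for the key, ca/ for CA certs), plus a check
# that the Phase 1 ID configured in isakmpd.conf is really in the certificate.
# Assumptions: certpatch stores the Phase 1 ID as an X.509 subjectAltName,
# mapped here onto the ID-type names IPV4_ADDR / FQDN / USER_FQDN; the key
# file name is a parameter; a scratch directory stands in for /etc/isakmpd.

command -v openssl >/dev/null 2>&1 || { echo "openssl(1) is required" >&2; exit 1; }

# Layout: the three directories exist and are populated, the key is where the
# config says it is, and private/ is closed to group and world.
isakmpd_layout_ok() {
    root=$1 key=$2
    for d in certs private ca; do
        [ -d "$root/$d" ] && ls -A "$root/$d" | grep -q . || return 1
    done
    [ -f "$root/private/$key" ] || return 1
    [ "$(ls -ld "$root/private" | cut -c5-10)" = "------" ]
}

# Chain: every certificate in certs/ must verify against the CAs in ca/.
# (Naming the files *.crt is this sandbox's convention, not a requirement.)
isakmpd_chain_ok() {
    root=$1 bundle=$(mktemp) rc=0
    cat "$root"/ca/*.crt > "$bundle" 2>/dev/null
    for c in "$root"/certs/*.crt; do
        [ -f "$c" ] || continue
        openssl verify -CAfile "$bundle" "$c" >/dev/null 2>&1 || rc=1
    done
    rm -f "$bundle"
    return $rc
}

# Pairing: the private key must belong to the certificate's public key.
isakmpd_key_matches_cert() {
    pub_from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    pub_from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$pub_from_cert" ] && [ "$pub_from_cert" = "$pub_from_key" ]
}

# Phase 1 IDs the certificate carries, one per line as "<ID-type> <value>".
cert_phase1_ids() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n '/X509v3 Subject Alternative Name/{n;p;}' | tr ',' '\n' |
        sed -e 's/^ *//' -e 's/^IP Address:/IPV4_ADDR /' \
            -e 's/^DNS:/FQDN /' -e 's/^email:/USER_FQDN /'
}

# True if the ID named in the Phase 1 section of isakmpd.conf is in the cert.
phase1_id_in_cert() {
    cert_phase1_ids "$1" | grep -qx "$2 $3"
}

# Constructed sandbox: a CA plus a local certificate whose subjectAltName is
# an IP address, the shape certpatch produces for an IPV4_ADDR Phase 1 ID.
make_isakmpd_sandbox() {
    root=$1 ip=$2
    mkdir -p "$root/certs" "$root/private" "$root/ca"
    chmod 700 "$root/private"
    cat > "$root/pki.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
[v3_peer]
subjectAltName = IP:$ip
EOF
    openssl req -config "$root/pki.cnf" -x509 -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 365 -subj "/CN=Sandbox IPsec CA" \
        -keyout "$root/ca.key" -out "$root/ca/ca.crt" >/dev/null 2>&1
    openssl req -config "$root/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=$ip" \
        -keyout "$root/private/local.key" -out "$root/local.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$root/local.csr" \
        -CA "$root/ca/ca.crt" -CAkey "$root/ca.key" \
        -CAserial "$root/ca.srl" -CAcreateserial \
        -extfile "$root/pki.cnf" -extensions v3_peer \
        -out "$root/certs/local.crt" >/dev/null 2>&1
    chmod 600 "$root/private/local.key"
}

# Walk-through on the sandbox; on a real host point the checks at /etc/isakmpd
# and the key name from isakmpd.conf.  The last step fails on purpose: the
# certificate names 195.84.105.112, so a Phase 1 ID of 195.84.181.91 cannot
# match, which is the kind of mismatch the reply describes.
sandbox=$(mktemp -d)
make_isakmpd_sandbox "$sandbox" 195.84.105.112
for step in "isakmpd_layout_ok $sandbox local.key" \
            "isakmpd_chain_ok $sandbox" \
            "isakmpd_key_matches_cert $sandbox/certs/local.crt $sandbox/private/local.key" \
            "phase1_id_in_cert $sandbox/certs/local.crt IPV4_ADDR 195.84.105.112" \
            "phase1_id_in_cert $sandbox/certs/local.crt IPV4_ADDR 195.84.181.91"; do
    if $step; then echo "ok   $step"; else echo "FAIL $step"; fi
done
rm -rf "$sandbox"
```

Run it as is to see the four passing checks and the deliberate ID mismatch; to use it on a gateway, drop the sandbox section and call the four check functions against /etc/isakmpd with the key name from your isakmpd.conf. A FAIL from the chain check means the peer will also be unable to validate the certificate you send, and a FAIL from the Phase 1 ID check means the peer will reject the ID payload even though the certificate chain is fine.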