Re: problem with isakmpd with certs
* Angelos D. Keromytis (angelos@cis.upenn.edu) [010105 20:36]:
> Err..you're supposed to copy your certificate to /etc/isakmpd/certs/,
> your private key to /etc/isakmpd/private/, and any CA certs to
> /etc/isakmpd/ca/
There was a typo: I wrote ca.ctr instead of ca.crt.
But there must be something else:
> >Why would it not find the public key? It is sitting in
> >/etc/isakmpd/private/lokal.key, like specified in the config file.
>
> It didn't find a public key for the *peer*, because no certificate was
> sent *by the peer*. One reason this may have happened is because you
> don't have the files in the correct directories, as outlined
> above. Another reason is because you may be using a different Phase 1
> ID in isakmpd from the one encoded in the certificate (via certpatch).
With more verbose debugging I found this:
215026.452546 Mesg 70 MSG_TYPE: INITIAL_CONTACT
215026.452675 Misc 30 ipsec_responder: phase 1 exchange 2 step 4
215156.767289 Misc 40 ike_phase_1_recv_ID: IPV4_ADDR:
215156.767430 Misc 40 c354b55b
215156.767593 Cryp 70 x509_hash_find: no certificate matched query
215156.770216 Misc 60 conf_get_str: configuration value not found [X509-certificates]:Accept-self-signed
215156.770640 Default rsa_sig_decode_hash: received CERT can't be validated
215156.770736 Default rsa_sig_decode_hash: no public key found
215156.770872 Default dropped message from 195.84.181.91 port 500 due to notification type INVALID_ID_INFORMATION
But now I do not understand what he wants. He looks for the certificate for
c354b55b, which (surprise!) matches the IP of my peer. So does he actually
look for the file /etc/isakmpd/certs/195.84.181.91.crt? I have only put the
certificate for my local machine there. Because I would create a certification
request for my local machine and get a certificate for my local machine, not
everyone else, right?
Am I making a gross error here?
My script says precisely what happens; it does not change the configuration of
anything outside of the local directory (except it generates a private key and
a ca.crt if it is not there already), so it should be safe to run.
But to know what I am doing it is not necessary to run it.
#!/bin/sh
# Done:
# switch to certificates
# add entries for firewalls, too
# Todo:
# add named.boot for nameservers
# ipfilter?
# ipnat?
#set -x
# takes two args: start and end value, start must be less than
# end
function SEQ {
N=$1
while [ "0" != $(( $N <= $2 )) ]
do
echo $N
let $((N++))
done
}
#SECRET=$(openssl rand 20 | hexdump -e '20/1 "%02x"')
I=0
while read NAME[$I] IP[$I] NET[$I] NETMASK[$I]
do
if echo ${NAME[$I]} | grep '^#' > /dev/null
then continue
fi
if [[ "" == ${NAME[$I]} ]]
then continue
fi
I=$(($I+1))
done < vpn.conf
I=$(($I-1))
# PKI and friends
# generate the CA first
(cat << 'EOF'
[ req ]
default_bits = 1024
distinguished_name = req_DN
[ req_DN ]
countryName = "Country Name"
countryName_value = $ENV::CERT_COUNTRY
localityName = "Locality Name"
localityName_value = $ENV::CERT_LOCALITY
organizationName = "Organisation"
organizationName_value = $ENV::CERT_ORG
commonName = "Common Name"
commonName_value = $ENV::CERT_CN
[ x509v3 ]
subjectAltName_value = $ENV::CERT_EMAIL
EOF
)> local_openssl.conf
# key and cert for the CA
export CERT_COUNTRY="se"
export CERT_LOCALITY="${NAME[0]}"
export CERT_ORG=Frontyard
export CERT_CN="${IP[0]}"
export CERT_EMAIL="root@utilator.com"
# this assumes the script runs on the CA-box if not, this has to be changed
while [ ! -s /etc/ssl/private/ca.key ]
do
rm -f /etc/ssl/private/ca.key
openssl genrsa -out /etc/ssl/private/ca.key 1024
done
openssl req -new -key /etc/ssl/private/ca.key \
-out /etc/ssl/private/ca.csr -config local_openssl.conf
openssl x509 -req -days 31 -in /etc/ssl/private/ca.csr \
-signkey /etc/ssl/private/ca.key -out /etc/ssl/ca.crt
# Main Loop
for LOCAL_HOST in $(SEQ 0 $I)
do
mkdir ${NAME[$LOCAL_HOST]}
# keys and certs for the peers
export CERT_COUNTRY="se"
export CERT_LOCALITY="${NAME[$LOCAL_HOST]}"
export CERT_ORG=Frontyard
export CERT_CN="${IP[$LOCAL_HOST]}"
export CERT_EMAIL="root@utilator.com"
while [ ! -s ${NAME[$LOCAL_HOST]}/local.key ]
do
rm -f ${NAME[$LOCAL_HOST]}/local.key
openssl genrsa -out ${NAME[$LOCAL_HOST]}/local.key 1024
done
chmod 600 ${NAME[$LOCAL_HOST]}/local.key
openssl req -new -key ${NAME[$LOCAL_HOST]}/local.key \
-out tmp.csr -config local_openssl.conf
openssl x509 -req -days 31 -in tmp.csr -CA /etc/ssl/ca.crt \
-CAkey /etc/ssl/private/ca.key -CAcreateserial \
-out ${NAME[$LOCAL_HOST]}/${IP[$LOCAL_HOST]}.crt
certpatch -i ${IP[$LOCAL_HOST]} -k /etc/ssl/private/ca.key \
${NAME[$LOCAL_HOST]}/${IP[$LOCAL_HOST]}.crt \
${NAME[$LOCAL_HOST]}/${IP[$LOCAL_HOST]}.crt
# isakmpd configuration
#######################
# isakmpd.conf
#######################
(cat << EOF
[General]
Retransmits= 5
Exchange-max-time= 120
Listen-on= ${IP[$LOCAL_HOST]}
[my-ID]
ID-type= IPV4_ADDR
Address= ${IP[$LOCAL_HOST]}
[Phase 1]
EOF
)> ${NAME[$LOCAL_HOST]}/isakmpd.conf
for REMOTE_HOST in $(SEQ 0 $I)
do
if [[ $LOCAL_HOST == $REMOTE_HOST ]]
then continue
fi
(cat << EOF
${IP[$REMOTE_HOST]}= ${NAME[$REMOTE_HOST]}
EOF
)>> ${NAME[$LOCAL_HOST]}/isakmpd.conf
done
(cat << EOF
[Phase 2]
EOF
)>> ${NAME[$LOCAL_HOST]}/isakmpd.conf
echo -n "Connections=" >> ${NAME[$LOCAL_HOST]}/isakmpd.conf
for REMOTE_HOST in $(SEQ 0 $I)
do
if [[ $LOCAL_HOST == $REMOTE_HOST ]]
then continue
fi
echo -n "incoming-from-${NAME[$REMOTE_HOST]}-net,incoming-from-${NAME[$REMOTE_HOST]}-host" \
>> ${NAME[$LOCAL_HOST]}/isakmpd.conf
if [[ ( $REMOTE_HOST < $I ) ]]
then if [[ ( $(($REMOTE_HOST + 1)) = $LOCAL_HOST) && ( $LOCAL_HOST = $I) ]]
then continue
else echo -n "," >> ${NAME[$LOCAL_HOST]}/isakmpd.conf
fi
fi
done
echo "" >> ${NAME[$LOCAL_HOST]}/isakmpd.conf
for REMOTE_HOST in $(SEQ 0 $I)
do
if [[ $LOCAL_HOST == $REMOTE_HOST ]]
then continue
fi
(cat << EOF
[${NAME[$REMOTE_HOST]}]
Phase= 1
Transport= udp
Address= ${IP[$REMOTE_HOST]}
Configuration= Default-main-mode
ID= my-ID
EOF
)>> ${NAME[$LOCAL_HOST]}/isakmpd.conf
done
for REMOTE_HOST in $(SEQ 0 $I)
do
if [[ $LOCAL_HOST == $REMOTE_HOST ]]
then continue
fi
(cat << EOF
[incoming-from-${NAME[$REMOTE_HOST]}-net]
Phase= 2
ISAKMP-peer= ${NAME[$REMOTE_HOST]}
Configuration= Default-quick-mode
Local-ID= ${NAME[$LOCAL_HOST]}-net
Remote-ID= ${NAME[$REMOTE_HOST]}-net
[incoming-from-${NAME[$REMOTE_HOST]}-host]
Phase= 2
ISAKMP-peer= ${NAME[$REMOTE_HOST]}
Configuration= Default-quick-mode
Local-ID= ${NAME[$LOCAL_HOST]}-host
Remote-ID= ${NAME[$REMOTE_HOST]}-host
EOF
)>> ${NAME[$LOCAL_HOST]}/isakmpd.conf
done
for HOST in $(SEQ 0 $I)
do
(cat << EOF
[${NAME[$HOST]}-net]
ID-type= IPV4_ADDR_SUBNET
Network= ${NET[$HOST]}
Netmask= ${NETMASK[$HOST]}
[${NAME[$HOST]}-host]
ID-type= IPV4_ADDR
Address= ${IP[$HOST]}
EOF
)>> ${NAME[$LOCAL_HOST]}/isakmpd.conf
done
done
for HOST in $(SEQ 0 $I)
do
(cat << EOF
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-MD5
[X509-certificates]
CA-directory= /etc/isakmpd/ca/
Cert-directory= /etc/isakmpd/certs/
Private-key= /etc/isakmpd/private/local.key
[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= RSA_SIG
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_60_SECS,LIFE_1000_KB
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-MD5-PFS-SUITE
[QM-ESP-3DES-MD5-PFS-SUITE]
Protocols= QM-ESP-3DES-MD5-PFS
[QM-ESP-3DES-MD5-PFS]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-MD5-PFS-XF
[QM-ESP-3DES-MD5-PFS-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_MD5
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_60_SECS
[LIFE_60_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 60,45:72
[LIFE_1000_KB]
LIFE_TYPE= KILOBYTES
LIFE_DURATION= 1000,768:1536
EOF
)>> ${NAME[$HOST]}/isakmpd.conf
chmod 600 ${NAME[$HOST]}/isakmpd.conf
done
rm local_openssl.conf tmp.csr # clean up
for HOST in $(SEQ 0 $I)
do
(cat << EOF
keynote-version: 2
Authorizer: "POLICY"
licensees: "DN:\ORG=Frontyard"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";
EOF
)> ${NAME[$HOST]}/isakmpd.policy
chmod 600 ${NAME[$HOST]}/isakmpd.policy
done
for HOST in $(SEQ 0 $I)
do
(cat << EOF
#!/bin/sh
scp isakmpd.conf root@${IP[$HOST]}:/etc/isakmpd/
scp isakmpd.policy root@${IP[$HOST]}:/etc/isakmpd/
scp ${IP[$HOST]}.crt root@${IP[$HOST]}:/etc/isakmpd/certs/
scp local.key root@${IP[$HOST]}:/etc/isakmpd/private/
scp /etc/ssl/ca.crt root@${IP[$HOST]}:/etc/isakmpd/ca/
EOF
)> ${NAME[$HOST]}/put
chmod 700 ${NAME[$HOST]}/put
(
cd ${NAME[$HOST]}
./put
)
done
#general_name, IP_Address, privat_NET
# the host that should be the CA goes in the first line!
utilator 195.84.181.91 10.0.1.0 255.255.255.0
schuldei 195.84.105.112 192.168.1.0 255.255.255.0
#frontyard 212.181.69.225 192.168.1.0 255.255.255.0
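
The following is an added example, not part of the original post or of isakmpd: a small POSIX sh helper that decodes the hex IPV4_ADDR payload from the debug output above and correlates it with the certificate lookup, validation and drop lines. The function names (`id_hex_to_ip`, `diagnose_log`, `sample_log`) are hypothetical, the log layout is assumed to be exactly what the excerpt shows, and the sample lines are copied from the post.

```sh
#!/bin/sh
# Added example: summarise an isakmpd Phase 1 certificate failure from debug output.

# Decode the 8-hex-digit IPV4_ADDR payload (e.g. c354b55b) to dotted-quad form.
id_hex_to_ip() {
    case $1 in
        *[!0-9a-fA-F]*|"") return 1 ;;
    esac
    [ "${#1}" -eq 8 ] || return 1
    printf '%d.%d.%d.%d\n' \
        "0x$(printf %s "$1" | cut -c1-2)" "0x$(printf %s "$1" | cut -c3-4)" \
        "0x$(printf %s "$1" | cut -c5-6)" "0x$(printf %s "$1" | cut -c7-8)"
}

# Read debug lines on stdin; print one summary line per dropped message.
diagnose_log() {
    want_id=0; peer_id=unknown; lookup=unknown; valid=unknown
    while read -r _ts class rest; do
        # "Default" lines carry no numeric level field; the other classes do.
        [ "$class" = Default ] || rest=${rest#* }
        if [ "$want_id" = 1 ]; then   # the line after the ID header holds the hex ID
            want_id=0
            if peer_id=$(id_hex_to_ip "$rest"); then continue; fi
            peer_id=undecoded
        fi
        case $rest in
            "ike_phase_1_recv_ID: IPV4_ADDR:"*) want_id=1 ;;
            "x509_hash_find: no certificate matched query"*) lookup=miss ;;
            "rsa_sig_decode_hash: received CERT can't be validated"*) valid=failed ;;
            "dropped message from "*" due to notification type "*)
                src=${rest#dropped message from }; src=${src%% *}
                if [ "$src" = "$peer_id" ]; then same=yes; else same=no; fi
                echo "peer_id=$peer_id cert_lookup=$lookup cert_validation=$valid dropped_from=$src reason=${rest##* } id_matches_source=$same" ;;
        esac
    done
}

# Log lines copied from the post above.
sample_log() {
    cat << 'EOF'
215156.767289 Misc 40 ike_phase_1_recv_ID: IPV4_ADDR:
215156.767430 Misc 40 c354b55b
215156.767593 Cryp 70 x509_hash_find: no certificate matched query
215156.770216 Misc 60 conf_get_str: configuration value not found [X509-certificates]:Accept-self-signed
215156.770640 Default rsa_sig_decode_hash: received CERT can't be validated
215156.770736 Default rsa_sig_decode_hash: no public key found
215156.770872 Default dropped message from 195.84.181.91 port 500 due to notification type INVALID_ID_INFORMATION
EOF
}

sample_log | diagnose_log
```

In the summary, `id_matches_source=yes` shows that the Phase 1 ID the peer presented equals its source address, so the lines to follow up are the failed certificate lookup and the failed validation of the received CERT.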