Re: isakmpd: unknown id type user_fqdn
- To: misc@openbsd.org
- Subject: Re: isakmpd: unknown id type user_fqdn
- From: Hakan Olsson <ho@crt.se>
- Date: Sat, 8 Jun 2002 17:18:49 +0200 (MET DST)
On Sat, 8 Jun 2002, Hanspeter Roth wrote:
> Hello,
>
> I'm using isakmpd on OpenBSD which I've upgraded to 3.1.
> I get `unknown ID type "USER_FQDN"' from isakmpd.
>
>
> 161843.301991 Misc 95 conf_get_str: [IPsec-east-west]:Local-ID->Road-Warrior-east
> 161843.302017 Misc 95 conf_get_str: [IPsec-east-west]:Remote-ID->Net-west
> 161843.319415 Misc 95 conf_get_str: [Road-Warrior-east]:ID-type->USER_FQDN
> 161843.319623 Default ipsec_get_id: unknown ID type "USER_FQDN" in section Road-Warrior-east
It's ok to use a USER_FQDN ID when referring to a certificate etc, but not
as you do here as the Local-ID in phase 2 (Quick-Mode). A phase 2 ID is
usually an address or a network, i.e. IP addresses.
>
> isakmpd.conf looks like:
>
> [General]
> Listen-on= 1.1.1.1
> Default-phase-1-ID= Road-Warrior-east
>
> [Phase 1]
> 2.2.2.2= ISAKMP-peer-west
>
> [Phase 2]
> Connections= IPsec-east-west
>
> [ISAKMP-peer-west]
> Phase= 1
> Transport= udp
> Local-address= 1.1.1.1
> Address= 2.2.2.2
> Configuration= Default-main-mode
> Authentication= myauth
> ID= Road-Warrior-east
> Remote-ID= Net-west
ID is ok to have here, even though you don't use X509 auth.
Remote-ID should not be here.
>
> [IPsec-east-west]
> Phase= 2
> ISAKMP-peer= ISAKMP-peer-west
> Configuration= Default-quick-mode
> Local-ID= Road-Warrior-east
> Remote-ID= Net-west
Local-ID is wrong. Remote-ID is ok.
>
> [Net-west]
> ID-type= IPV4_ADDR_SUBNET
> Address= 2.2.2.2
> Network= 3.3.3.0
> Netmask= 255.255.255.0
>
> [Road-Warrior-east]
> ID-type= USER_FQDN
> Name= user@fqdn.net
>
> [Default-main-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= ID_PROT
> Transforms= 3DES-SHA
>
> [Default-quick-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Suites= QM-ESP-3DES-SHA-SUITE,QM-ESP-AES-SHA-PFS-SUITE
>
>
--
Håkan Olsson <ho@crt.se> (+46) 708 437 337 Carlstedt Research
Unix, Networking, Security (+46) 31 701 4264 & Technology AB
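The corrected sections of the quoted isakmpd.conf, as an added example that is not part of the original thread: it keeps the USER_FQDN section as the phase 1 identity, drops Remote-ID from the phase 1 peer section, and gives phase 2 an address-type Local-ID. The section name Host-east and the choice of 1.1.1.1 (the road warrior's Listen-on/Local-address) as its phase 2 local ID are assumptions.

```ini
# Added example: only the sections that change; all other sections stay as quoted above.

[ISAKMP-peer-west]
Phase=          1
Transport=      udp
Local-address=  1.1.1.1
Address=        2.2.2.2
Configuration=  Default-main-mode
Authentication= myauth
# A USER_FQDN ID is acceptable as the phase 1 identity.
ID=             Road-Warrior-east
# Remote-ID= Net-west was removed: it does not belong in the phase 1 peer section.

[IPsec-east-west]
Phase=          2
ISAKMP-peer=    ISAKMP-peer-west
Configuration=  Default-quick-mode
# Was Road-Warrior-east (USER_FQDN); phase 2 IDs must be an address or a network.
Local-ID=       Host-east
# Unchanged: an IPV4_ADDR_SUBNET section is a valid phase 2 ID.
Remote-ID=      Net-west

# New ID section (name assumed): the road warrior's own address as its phase 2 selector.
[Host-east]
ID-type=        IPV4_ADDR
Address=        1.1.1.1

# Unchanged: still referenced by ID= above and by Default-phase-1-ID= in [General].
[Road-Warrior-east]
ID-type=        USER_FQDN
Name=           user@fqdn.net
```

With this change the conf_get_str lookup of [Road-Warrior-east]:ID-type is no longer made from ipsec_get_id for the phase 2 connection, so the "unknown ID type" message in the quoted log should disappear.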