[4.0] ipsecctl, public key authentication, and keynote
From: Albert Chin (openbsd-misc at mlists.thewrittenword.com)
Date: Tue Nov 07 2006 - 22:06:30 CST
I'm trying to get an ipsec tunnel working between two OpenBSD 4.0
hosts. I'm running isakmpd on both with the -K option. Yet, on the VPN
server, I'm seeing:
215415.359192 Mesg 70 DATA:
215415.359314 Negt 40 ike_phase_1_recv_ID: FQDN:
215415.359428 Negt 40 73637275 622e7468 65777269 7474656e 776f7264 2e636f6d
215415.359628 Plcy 30 keynote_cert_obtain: failed to open "/etc/isakmpd/keynote//[FQDN]/credentials"
215415.360314 Default rsa_sig_decode_hash: RSA_public_decrypt () failed
215415.360407 Default dropped message from [CLIENT IP] port 4500 due to notification type INVALID_ID_INFORMATION
215415.360506 Timr 10 timer_add_event: event exchange_free_aux(0x84d61000) added last, expiration in 120s
I doubt it matters but the client is connecting to a VPN server behind
a firewall.
The ipsec.conf on the client:
ike esp from 192.168.0.0/24 to 192.168.1.0/24 peer [VPN SERVER IP] \
srcid [CLIENT FQDN] dstid [VPN SERVER FQDN]
ike esp from [CLIENT IP] to [VPN SERVER IP] \
srcid [CLIENT FQDN] dstid [VPN SERVER FQDN]
The ipsec.conf on the VPN server:
ike passive from 192.168.1.0/24 to 192.168.0.0/24 peer [CLIENT IP] \
srcid [VPN SERVER FQDN] dstid [CLIENT FQDN]
ike passive from [VPN SERVER IP] to [CLIENT IP] \
srcid [VPN SERVER FQDN] dstid [CLIENT FQDN]
Considering the lack of "psk <string>", I'd expect authentication to
happen with public key authentication, not keynote credentials.
Any ideas?
--
albert chin (china at thewrittenword.com)
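A check worth running on both hosts before chasing the keynote message any further. This is an added example written for this archive page; it is not a script from the original post and not part of OpenBSD. With srcid/dstid in ipsec.conf and no psk, isakmpd authenticates the peer with an RSA signature and looks the peer's public key up by identity under /etc/isakmpd/pubkeys/<type>/<id>, where <type> is fqdn, ipv4 or ufqdn (IPv6 identities are left out of the script below). The script pulls every dstid out of an ipsec.conf and reports whether the matching peer key file exists and is non-empty; the ipsec.conf path and isakmpd directory are parameters so it can be run against a copy. A key that is present but is not the peer's current /etc/isakmpd/local.pub also makes the signature check fail, so once the files are in place, compare the installed file with the peer's local.pub out of band (cmp or a fingerprint read over the phone).

```shell
#!/bin/sh
# Added example, not from the original post: verify that each dstid in an
# ipsec.conf has a peer public key installed where isakmpd looks for it,
# <isakmpd dir>/pubkeys/<type>/<id>.  Assumes the OpenBSD layout
# (pubkeys/fqdn, pubkeys/ipv4, pubkeys/ufqdn); IPv6 identities are not handled.

# True if $1 is a dotted-quad IPv4 address with four octets in 0..255.
is_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Map an IKE identity to the pubkeys subdirectory isakmpd searches:
# user@host -> ufqdn, dotted quad -> ipv4, anything else -> fqdn.
id_type() {
    case "$1" in
        *@*) echo ufqdn; return 0 ;;
    esac
    if is_ipv4 "$1"; then
        echo ipv4
    else
        echo fqdn
    fi
}

# Print the pubkeys path isakmpd would consult for identity $2 under directory $1.
peer_key_path() {
    echo "$1/pubkeys/$(id_type "$2")/$2"
}

# For every distinct "dstid <id>" in the ipsec.conf given as $1, check that
# $2/pubkeys/<type>/<id> exists and is non-empty.
# Returns 0 when every peer key is present, 1 otherwise.
check_peer_keys() {
    conf=$1
    dir=$2
    missing=0
    for id in $(sed -n 's/.*dstid[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$conf" | sort -u); do
        keyfile=$(peer_key_path "$dir" "$id")
        if [ -s "$keyfile" ]; then
            echo "ok       $id -> $keyfile"
        else
            echo "MISSING  $id -> $keyfile"
            missing=1
        fi
    done
    return $missing
}

# Usage: sh check_peer_keys.sh /etc/ipsec.conf [/etc/isakmpd]
# The check only runs when the script is invoked with arguments.
if [ $# -gt 0 ]; then
    check_peer_keys "$1" "${2:-/etc/isakmpd}"
fi
```

Run it on both machines: the client must hold the server's local.pub under pubkeys/fqdn/[VPN SERVER FQDN], and the server must hold the client's local.pub under pubkeys/fqdn/[CLIENT FQDN], with the file names spelled exactly as the dstid in ipsec.conf.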