IPsec between FreeBSD and Win2k
Prib Pavel
pavel.prib at i.cz
Wed Jul 3 15:24:10 CEST 2002
Hi.
I tried deleting everything, creating new certificates and following
Dan Lukes's instructions.
True, I got about one step further, but it is still not right. Simply put,
nothing gets through at the ISAKMP level and the log on W2K shows zero.
Creating the CA certificate and a copy in PKCS#12 format for Windows
#openssl req -new -x509 -keyout private/CAkey.pem -out private/CAcert.pem -config openssl.conf
#openssl pkcs12 -export -in private/CAcert.pem -inkey private/CAkey.pem -nokeys -out CA.p12
Creating the certificate for the server
#openssl req -new -keyout server-key.pem -out server.pem -days 360 -config openssl.conf
#cat server.pem server-key.pem > server-req.pem
#openssl ca -policy policy_match -out server-signed.pem -config openssl.conf -infiles server-req.pem
#openssl rsa -in server-key.pem -out server-key.pem
Creating the certificate for the W2k PC and a copy in PKCS#12 format
#openssl req -new -keyout user-key.pem -out user.pem -days 360 -config openssl.conf
#cat user.pem user-key.pem > user-req.pem
#openssl ca -policy policy_match -out user-signed.pem -config openssl.conf -infiles user-req.pem
#openssl pkcs12 -export -in user-signed.pem -inkey user-key.pem -name "Pavel Prib pro test IPsec" -certfile private/CAcert.pem -out user.p12
Everything went OK; signing the certificates is OK too.
> Is the key of the CA that certified the keys you now have on Windows
> named "hash".0 on FreeBSD?
I don't quite understand that.
I copied the .p12 files over to the PC and imported them into the mmc.
My racoon configuration is more or less the same (different lifetimes):
remote anonymous
{
        exchange_mode main,aggressive;
        doi ipsec_doi;
        my_identifier address;
        situation identity_only;
        certificate_type x509 "server-signed.pem" "server-key.pem";
        generate_policy on;
        nonce_size 16;
        lifetime time 4 hour;
        initial_contact on;
        support_mip6 on;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method rsasig;
                dh_group 2;
        }
}
If I try a ping from W2K to BSD, racoon complains as follows:
2002-07-03 15:04:46: INFO: isakmp.c:891:isakmp_ph1begin_r(): respond new phase 1 negotiation: rn <=>192.168.51.49[500]
2002-07-03 15:04:46: INFO: isakmp.c:896:isakmp_ph1begin_r(): begin mode.
2002-07-03 15:04:46: INFO: vendorid.c:128:check_vendorid(): received Vendor ID:
2002-07-03 15:04:47: ERROR: crypto_openssl.c:337:cb_check_cert(): U((134875904) at depth:0 SubjectName:`o
2002-07-03 15:04:47: ERROR: oakley.c:1288:oakley_validate_auth(): Invalid authority of the CERT.
and a ping from BSD to W2K ends like this:
2002-07-03 15:07:12: INFO: isakmp.c:1681:isakmp_post_acquire(): IPsec-SA request for @ED queued due to no phase1 found.
2002-07-03 15:07:12: INFO: isakmp.c:795:isakmp_ph1begin_i(): initiate new phase 1 negotiation: <=>192.168.51.49[500]
2002-07-03 15:07:12: INFO: isakmp.c:800:isakmp_ph1begin_i(): begin mode.
2002-07-03 15:07:12: INFO: vendorid.c:128:check_vendorid(): received Vendor IDEl
2002-07-03 15:07:12: ERROR: oakley.c:1532:oakley_getsign(): failed to get private key.
2002-07-03 15:07:12: ERROR: isakmp.c:623:ph1_main(): failed to process packet.
2002-07-03 15:07:12: ERROR: isakmp.c:437:isakmp_main(): phase1 negotiation failed.
Pavel
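The certificate setup described in the post, as an added example that is not part of the original message or of racoon: it rebuilds the same PKI (CA, server cert, client cert, PKCS#12 for the Windows side) in a scratch directory, adds the step the quoted reply asks about (the CA certificate linked as "hash".0 in the certificate directory), and then runs the checks that correspond to the two racoon errors shown above, "Invalid authority of the CERT" and "failed to get private key". It is a generalization of the post's commands: signing uses `openssl x509 -req` instead of the post's `openssl ca` database so it needs no CA directory layout, the minimal openssl config is constructed inline because the post's openssl.conf is not shown, and DIR/certs stands in for racoon's `path certificate` directory. All of those are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post: rebuild the post's PKI in a
# scratch directory and run the checks behind racoon's two errors.  Signing
# uses `openssl x509 -req` instead of the post's `openssl ca` database so it
# needs no CA directory layout; DIR/certs stands in for racoon's
# `path certificate` directory (both are assumptions of this example).
set -eu

# Minimal openssl config (constructed here; the post's openssl.conf is not
# shown) so the example does not depend on a system openssl.cnf.
write_conf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ee_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
EOF
}

# make_pki DIR: CA, server cert, client cert (unencrypted keys, as racoon
# needs), a PKCS#12 for the Windows side, and the hash-named CA link.
make_pki() {
    dir=$1
    mkdir -p "$dir/certs"
    write_conf "$dir/req.cnf"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=test/CN=Test IPsec CA" -config "$dir/req.cnf" \
        -keyout "$dir/CAkey.pem" -out "$dir/CAcert.pem" 2>/dev/null
    for name in server user; do
        openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
            -subj "/O=test/CN=$name" \
            -keyout "$dir/$name-key.pem" -out "$dir/$name.pem" 2>/dev/null
        openssl x509 -req -days 360 -in "$dir/$name.pem" \
            -CA "$dir/CAcert.pem" -CAkey "$dir/CAkey.pem" -CAcreateserial \
            -extfile "$dir/req.cnf" -extensions ee_ext \
            -out "$dir/$name-signed.pem" 2>/dev/null
    done
    # The CA cert must sit in the certificate directory under <subject hash>.0;
    # that is the "hash".0 file the quoted reply asks about.  OpenSSL 0.9.x
    # (the post's era) used an MD5-based hash that modern openssl prints as
    # -subject_hash_old, so both names are linked.
    cp "$dir/CAcert.pem" "$dir/certs/CAcert.pem"
    ln -sf CAcert.pem "$dir/certs/$(openssl x509 -noout -hash -in "$dir/CAcert.pem").0"
    if old=$(openssl x509 -noout -subject_hash_old -in "$dir/CAcert.pem" 2>/dev/null); then
        ln -sf CAcert.pem "$dir/certs/$old.0"
    fi
    # Client cert + key + CA for import on Windows.  OpenSSL 3 encrypts this
    # with AES by default; an old Windows release only imports the RC2/3DES
    # form that `-legacy` produces.
    openssl pkcs12 -export -in "$dir/user-signed.pem" -inkey "$dir/user-key.pem" \
        -certfile "$dir/CAcert.pem" -name "user" -passout pass:test \
        -out "$dir/user.p12"
}

# check_pki DIR NAME: returns 0 only if the NAME cert passes the checks
# behind the post's errors.  "Invalid authority of the CERT": the cert must
# chain to a CA found in the hashed directory.  "failed to get private key":
# the key must be a readable, unencrypted PEM that belongs to that cert.
check_pki() {
    dir=$1; name=$2
    cert="$dir/$name-signed.pem"; key="$dir/$name-key.pem"
    openssl verify -CApath "$dir/certs" "$cert" >/dev/null 2>&1 || return 1
    [ -r "$key" ] || return 1
    if grep -q ENCRYPTED "$key"; then return 1; fi
    [ "$(openssl x509 -noout -modulus -in "$cert")" = \
      "$(openssl rsa -noout -modulus -in "$key" -passin pass: 2>/dev/null)" ] || return 1
}
```

Usage: `make_pki /tmp/pki && check_pki /tmp/pki server` builds the directory and reports 0 when the server cert chains to the CA in /tmp/pki/certs and its key is usable; the same check against a cert signed by another CA, an encrypted key or a key belonging to a different cert returns 1, which is the situation racoon reports with the two errors above.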