Re: [Ipsec-tools-devel] x509 certificate in trsport mode failed

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi,
I have tested a similar scenario and it seems to work. A part of the
racoon.conf configuration is 
copied below. 

 remote anonymous {
         exchange_mode main;
         certificate_type x509 "server_cert.pem" "server_key.pem";
         peers_certfile x509 "client_certificate.pem"
         verify_cert on;
         my_identifier asn1dn;
         peers_identifier asn1dn;
         proposal {
                 encryption_algorithm 3des;
                 hash_algorithm md5;
                 authentication_method rsasig;
                 dh_group modp1024;
         }
 }

 Differences  in line 1 and line 4, compared to your configuration, 
can be noticed. I have  copied 
peer's certificate file to  "/etc/cert" of the server. Similarly, the
certificate file 
of the server (server_cert.pem) should be copied in the /etc/cert of
the client and
 similar configurational changes apply in the client side as well.
The rest of the configuration is similar to what you have done.

In this case everything seem to be working as expected.

>>> <hui...@ho...> 08/30/05 5:52 AM >>>
Hello! I test racoon using x509 certificate between two matchine in
trsport mode.I use IPV6 address.Server's address is 3ffe:302:2700::2,
Client's address is 3ffe:302:2700::4.
In both side, run
setkey -f setkey.conf
racoon -F -f racoon.conf
After client run ping6 server's address,server got following message:

2005-08-26 10:44:04: INFO: begin Identity Protection mode.
2005-08-26 10:44:14: NOTIFY: the packet is retransmitted by
3ffe:302:2700::4[500].
2005-08-26 10:44:24: NOTIFY: the packet is retransmitted by
3ffe:302:2700::4[500].
2005-08-26 10:44:34: NOTIFY: the packet is retransmitted by
3ffe:302:2700::4[500].
2005-08-26 10:44:35: ERROR: phase2 negotiation failed due to time up
waiting for phase1. ESP 3ffe:302:2700::4->3ffe:302:2700::2
2005-08-26 10:44:35: INFO: delete phase 2 handler.
2005-08-26 10:44:44: NOTIFY: the packet is retransmitted by
3ffe:302:2700::4[500].
2005-08-26 10:44:47: ERROR: no configuration found for
3ffe:302:2700::2.
2005-08-26 10:44:47: ERROR: failed to begin ipsec sa negotication.

I donnot know why it say no configuration for 3ffe:302:2700::2.

Following is some message

server's racoon.conf
path certificate "/etc/cert";

remote 3ffe:0302:2700::2 {
        exchange_mode main;
        certificate_type x509 "hacert.pem" "hakey.pem";
        verify_cert on;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method rsasig;
                dh_group modp1024;
        }
}

sainfo anonymous {
        pfs_group modp1024;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
server's setkey.conf
spdadd 3ffe:0302:2700::2/64 3ffe:0302:2700::4/64 any -P out ipsec
           esp/transport//require;

spdadd 3ffe:0302:2700::4/64 3ffe:0302:2700::2/64 any -P in ipsec
           esp/transport//require;

In client,I reverse IP address ,take out passive on and change client's
certificate instead.

cd /etc/cert
ls -la 
drwxr-xr-x    2 root     root         4096  8 25 09:28 .
drwxr-xr-x    5 root     root         4096  8 25 08:36 ..
lrwxrwxrwx    1 root     root           10  8 25 08:50 5daae32b.0
->cacert.pem
lrwxrwxrwx    1 root     root            7  8 25 09:27 5daae32b.r0
->crl.pem
-rw-r--r--    1 root     root         1147  8 25 08:46 cacert.pem
-rw-r--r--    1 root     root          471  8 25 08:53 crl.pem
-rw-r--r--    1 root     root         3390  8 25 08:36 mncert.pem
-rw-r--r--    1 root     root          887  8 26 10:24 mnkey.pem