I found this solution in the summary of a related thread on [email protected] (mailing list).
- Thanks for the various assists on this, I’m glad to say that the problem I was having is now solved. I am now successfully interworking dynamically addressed (DHCP) Win2K-pro and XP clients with OpenBSD isakmpd using X.509 certificate-based authentication. I believe this to be a lot more scalable and manageable than using pre-shared secrets.
- For reference, the problem I was having was caused by incorrectly entering the X.509 certificates into the cert stores on the Windows machines using the MMC snap-in. So it wasn’t an OBSD issue at all.
- If anyone has the same problem, you need to make sure you are entering the CA and client certs into the cert stores for the LOCAL COMPUTER *not* the CURRENT USER (which is the default if you just double-click on the cert bundle on the desktop). Doh! Instead click start->run and enter “mmc” then add the snap-in for ‘Manage Certificates’ making sure you select ‘local computer’ in the dialogue. Obviously you will also need to add the snap-in for ‘manage IPsec policies’ too.
- All-in-all not entirely a pain-free process, but a great learning experience (and now at last I am confident my wireless LAN is *properly* secure).
- For ref, below are the isakmpd.conf and isakmp.policy files which I am using on the OPENBSD server.
- Generating the X.509 certs correctly requires some care. I do it using the ‘ca’ command on openssl (this avoids the need to use certpatch, but make sure you read the relevant parts of the IPSEC/ISAKMPD/VPN manpages about what is needed here – because you are using DHCP clients, you need to put the FQDN in the subjectAltName part of the cert). I also use the ‘pkcs12’ command on openssl to produce a cert-bundle which is the easiest way to safely transport and import the certs and private key onto the windows boxes. I have some basic scripts for doing the openssl bits, which I guess I can email to anyone who’s interested.
- By the way, if you are using PF don’t forget you will additionally need to create some relevant filtering rules to allow traffic on esp0…
- Rgds to all
MC
===
# This is the isakmpd.conf file for the SERVER
#
[General]
Listen-on=              10.0.0.1

[Phase 1]
Default=                ISAKMP-peer-dhcp

[Phase 2]
Passive-connections=    IPsec-connection

[ISAKMP-peer-dhcp]
Phase=                  1
Local-address=          10.0.0.1
ID=                     server-fqdn-id
Configuration=          IKE-main-mode-config

[server-fqdn-id]
ID-type=                FQDN
Name=                   server

[IKE-main-mode-config]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             AES-SHA-RSA_SIG, 3DES-SHA-RSA_SIG

[IPsec-connection]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-dhcp
Configuration=          IKE-quick-mode-config
Local-ID=               server-ipv4-id
Remote-ID=              generic-ipv4-id

[IKE-quick-mode-config]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-TRP-AES-SHA-SUITE, QM-ESP-TRP-AES-MD5-SUITE, QM-ESP-TRP-3DES-SHA-SUITE, QM-ESP-TRP-3DES-MD5-SUITE

[server-ipv4-id]
ID-type=                IPV4_ADDR
Address=                10.0.0.1

[generic-ipv4-id]
ID-type=                IPV4_ADDR
Address=                0.0.0.0

[X509-certificates]
Ca-directory=           /etc/isakmpd/ca/
Cert-directory=         /etc/isakmpd/certs/
Private-key=            /etc/isakmpd/private/local.key
===
# this is the matching isakmpd.policy file for the SERVER
Authorizer: "POLICY"
Licensees: "DN:/C=My Country/O=My Org/OU=PKI Infrastructure/CN=My Root CA"
conditions:
app_domain == "IPsec policy" &&
doi == "ipsec" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";