OpenBSD | IDAKMPD | x509 certificate authentication

Prepare OpenBSD

Prepare the network interfaces.

Delete /etc/mygate when using dhcp.

Create /etc/sysctl.conf.

net.inet.esp.enable=1 # Enable the ESP IPsec protocol
net.inet.ah.enable=1 # Enable the AH IPsec protocol
net.inet.ip.forwarding=1 # Enable IP forwarding for the host.
net.inet.ipcomp.enable=1 # Optional: compress IP datagrams

Create /etc/rc.conf.local

isakmpd_flags="" # Avoid keynote(4) policy checking
ipsec=YES # Load ipsec.conf(5) rules

Some basics

There are three types of ISAKMPD authentication (passphrase, public key, x509 certs). I didn’t use the passphrase method, so i can’t say anything about it. Personally I’ve used the public key method, because i run into some problems using the cert method on OpenBSD.

x509 certificate authentication – preparing the certs

Preparing the CA cert.


#!/bin/sh
echo "CREATING CA's PRIVATE KEY..."
openssl genrsa -des3 -out ca.key 4096

echo "CREATING CA'S CERT REQUEST..."
openssl req -new -key ca.key -out ca.req


echo "SELF CERTIFYING... "
openssl x509 -req -days $(($VALIDYEARS * 365)) -in ca.req -signkey ca.key -extfile $SSLDIR/x509v3.cnf -extensions x509v3_CA -out ca.crt
exit $?

Preparing a fqdn cert.


MHD=$(($VALIDYEARS * 365))

echo "GENERATING MY PRIVATE KEY..."
openssl genrsa -out $FQDN.key 4096

echo "GENERATING A CERTIFICATE REQUEST..."
openssl req -new -key $FQDN.key -out $FQDN.req

echo "GENERATING THE CERTIFICATE..."
export CERTFQDN=$FQDN
openssl x509 -req -days $MHD -in $FQDN.req -CA ca.crt -CAkey ca.key -CAcreateserial -extfile $SSLDIR/x509v3.cnf -extensions x509v3_FQDN -out $FQDN.crt

echo "VERIFYING THE CERTIFICATE..."
openssl verify -CAfile ca.crt $FQDN.crt 2>&1 | grep error
if [ $? -eq 0 ]; then
echo "FAILED!"
echo "Possible reason: Your Organization Name should differ from CA's Organization Name."
exit 1;
fi

echo "KEEPING PRIVACY..."
chmod 600 $FQDN.key

echo "SHOW YOUR CERT..."
openssl x509 -in $FQDN.crt -text -noout
exit $?

You can create these certs on any machine.
Place the certs on the opposite machines:
Put the ca.crt into the /etc/isakmpd/ca folders.
The $FQDN.crt files belong into the /etc/isakmpd/certs folders.

isakmpd.policy


Keynote-version:2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";

isakmpd.conf for a static ip partner


[Phase 1]
Default= dynamicpartners

[Phase 2]
Passive-Connections= VPN-potsdam-nordost

# ISAKMP phase 1 peers (from [Phase 1])

[dynamicpartners]
Phase= 1
Transport= udp
Configuration= main-mode
ID= my-ID

[my-ID]
ID-type= FQDN
Name= potsdam

# IPSEC phase 2 connections (from [Phase 2])

[VPN-potsdam-nordost]
Phase= 2
ISAKMP-peer= nordost
Configuration= quick-mode
Local-ID= potsdam-internal-network
Remote-ID= nordost-internal-network

# ID sections (as used in [VPN-A-B])

[potsdam-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.0.0
Netmask= 255.255.0.0

[nordost-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.1.0
Netmask= 255.255.255.0

[x509-certificates]
Accept-self-signed= 1
CA-directory= /etc/isakmpd/ca/
Cert-directory= /etc/isakmpd/certs/
#Private-key= /etc/isakmpd/private/potsdam.key

[main-mode]
# ATTENTION: THE SUFFIX '-RSA_SIG' ENABLES PUBLIC KEY AUTH METHOD
DOI=IPSEC
EXCHANGE_TYPE=ID_PROT
Transforms=AES-256-SHA2-256-GRP14-RSA_SIG

[quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-AES-256-SHA2-256-PFS-GRP14-SUITE

[LIFE_1_DAY]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,79200:93600

isakmpd.conf for a dynamic ip partner


[Phase 1]
XXX.XXX.XXX.XXX= potsdam

# 'Phase 2' defines which connections the daemon should establish.
# These connections contain the actual "IPsec VPN" information.

[Phase 2]
Connections= VPN-nordost-potsdam

# ISAKMP phase 1 peers (from [Phase 1])

[potsdam]
Phase= 1
Transport= udp
Address= XXX.XXX.XXX.XXX
Configuration= main-mode
ID= my-ID

[my-ID]
ID-type= FQDN
Name= nordost

# IPSEC phase 2 connections (from [Phase 2])

[VPN-nordost-potsdam]
Phase= 2
ISAKMP-peer= potsdam
Configuration= quick-mode
Local-ID= nordost-internal-network
Remote-ID= potsdam-internal-network

# ID sections (as used in [VPN-A-B])

[nordost-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.1.0
Netmask= 255.255.255.0

[potsdam-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.0.0
Netmask= 255.255.0.0

[x509-certificates]
Accept-self-signed= 1
CA-directory= /etc/isakmpd/ca/
Cert-directory= /etc/isakmpd/certs/
#Private-key= /etc/isakmpd/private/nordost.key

[main-mode]
DOI=IPSEC
EXCHANGE_TYPE=ID_PROT
Transforms=AES-256-SHA2-256-GRP14-RSA_SIG

[quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-AES-256-SHA2-256-PFS-GRP14-SUITE

[LIFE_1_DAY]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,79200:93600

Status check


# ipsecctl -s all

My problem

It’s important that the certs contain a subjectAltName value that corresponds exactly with your $FQDN value. The cert $FQDN creation command includes the x509v3.cnf file who refers to an environment variable named $CERTFQDN. Thats the reason why my creation script runs the export CERTFQDN=$FQDN command. Unfortunately on my OpenBSD version 6.7 the openssl command whó creates the cert does ignore my exported $CERTFQDN env variable. In result the prepared cert contains a subjectAltName value but it was set to nohost.nodomain. This causes the authentication process to fail, the opposite site got my ID but could not identify/find the proper corresponding cert. I’ve had to tune the x509v3.cnf for every creation process.

My recommendation

Use the public key auth method if this is possible in your environment, its much more easy to implement.

Hints

A reboot will recreate these local.key and local.pub standard files. You can’t delete them. :)

The -RSA_SIG Transforms suffix will switch the auth method to x509.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.