Certificate Exchange and Delete Notification

From: Catalin Visinescu (catalin.visinescu_at_sympatico.ca)
Date: 08/23/04

    Date: Sun, 22 Aug 2004 22:38:40 -0400


    Hello,

    I was wondering if someone can help on this issue...

    I have a set of security gateways (SG) running isakmpd. The OpenBSD
    version is 3.2.

    I would like to dynamically exchange the certificates once they expire. I
    have the means of getting the new certificate once the old one is about to
    expire. Since all certificates are created by the same CA, there is no
    problem with compatibility.

    I tried to simply replace the certificates (local.crt and local.key) with
    the new ones and wait for the main-mode (MM) to be performed. However I
    have noticed that the SG that got the new certificates will not create
    tunnels with the ones that have old certificates.

    Here is what I get in the Ethereal log:

    #   SG A     SG B   Packet size
    1     ->             122
    2     <-             122
    3     ->             222
    4     <-             222
    5     ->            1455
    6     <-              82

    I see the problem is in the authentication phase, the last message is just
    an INVALID-ID message (code 18).

    Sometimes I get as the 6th message a response to authentication (message
    size 1455) and the 7th message is INVALID-ID.

    I tried to restart the isakmpd that is changing the certificate, but still
    nothing. There must be something with the other peers because if I restart
    them as well everything is fine. The certificates are therefore ok.

    When I restart the SG that has a new certificate, I see that messages (110
    in length) are sent to all peers. Hakan confirmed these are SA delete
    notifications. However, the peers are not actually removing the SAs, as
    they later try quick-mode (QM) exchanges using the old cookies. I would
    think the delete notification is also removing the IKE SA, is it?

    Ok now... so how do I change the darn certificates?

    Well I have noticed that when I change a certificate on SG A, sending a
    SIGHUP to all its peers sure helps. The peers are now creating tunnels
    with the one with the new certificate. However, during a test that I ran I
    realized that this approach does not always work. I set QM to 10 min, MM
    to 30 min and got a new certificate every hour. Even though I did run "kill
    -SIGHUP `cat /var/run/isakmpd.pid` " every minute (cron job), pairs of
    peers would not create tunnels until I restart them (the message exchange
    is the same... I get an INVALID-ID instead of the last authentication
    message).

    Hakan told me that there might be a problem with the way older isakmpd
    versions deal with delete notifications (i.e. do not work).

    Please let me know if you've done certificate exchange on your SG and
    please let me know how to solve the above issue. Million-thanks!

    Right now I cannot upgrade to OpenBSD 3.5, but I am hoping somebody can
    give me some pointers to where I can get the latest isakmpd version that I
    can run on 3.2.

    Thank you very much for your time. I truly appreciate your support.

    Regards,
    Catalin

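The two things the post has to take on faith from the packet sizes, that the short 82-byte 6th frame is an INVALID-ID-INFORMATION notify (RFC 2408 notify type 18) and that the 110-byte messages sent on restart are delete notifications, can be checked by dissecting the ISAKMP payloads instead of eyeballing lengths. The following is an added example, not code from the original mail or from isakmpd: a minimal RFC 2408 dissector that parses the 28-byte ISAKMP header, walks the payload chain of an unencrypted message, and decodes Notify and Delete payloads. For a Delete it also answers the question asked above, since per RFC 2408 section 3.15 a delete that names the IKE SA itself carries protocol ID 1 (PROTO_ISAKMP) with the 16-byte cookie pair as its SPI; a delete carrying 4-byte ESP or AH SPIs only removes IPsec SAs and leaves the IKE SA (and its cookies) in place. The cookies, message ID and the two sample messages at the bottom are constructed for the example, not captured traffic; a 40-byte unencrypted notify is consistent with the 82-byte frame in the table once 14 bytes of Ethernet, 20 of IPv4 and 8 of UDP are added.

```python
"""Minimal ISAKMP (RFC 2408) dissector: header, payload chain, Notify (11) and Delete (12).
Added example, not part of the original mail or of isakmpd. Sample messages are constructed."""
import struct
from dataclasses import dataclass, field

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # I-cookie, R-cookie, next payload, version, exchange, flags, msg ID, length
PAYLOAD_HDR = struct.Struct("!BBH")        # next payload, reserved, payload length
FLAG_ENCRYPTION = 0x01
PAYLOAD_NOTIFY, PAYLOAD_DELETE = 11, 12
PROTO_ISAKMP = 1                           # IPsec DOI protocol ID for the IKE SA itself
XCHG_INFORMATIONAL = 5
EXCHANGE_TYPES = {2: "Main Mode", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
NOTIFY_TYPES = {14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION", 20: "INVALID-CERTIFICATE",
                24: "AUTHENTICATION-FAILED", 25: "INVALID-SIGNATURE"}

@dataclass
class Payload:
    ptype: int
    body: bytes
    info: dict = field(default_factory=dict)

@dataclass
class IsakmpMessage:
    icookie: bytes
    rcookie: bytes
    exchange: int
    flags: int
    message_id: int
    payloads: list = field(default_factory=list)

def _parse_notify(body: bytes) -> dict:
    # DOI(4) protocol(1) SPI size(1) notify type(2) SPI(var) notification data(var)
    if len(body) < 8:
        raise ValueError("notify payload shorter than its fixed part")
    doi, proto, spi_size, ntype = struct.unpack_from("!IBBH", body)
    if len(body) < 8 + spi_size:
        raise ValueError("notify payload shorter than its SPI size claims")
    return {"doi": doi, "protocol": proto, "spi": body[8:8 + spi_size].hex(),
            "notify_type": ntype, "notify_name": NOTIFY_TYPES.get(ntype, f"type-{ntype}")}

def _parse_delete(body: bytes, msg: IsakmpMessage) -> dict:
    # DOI(4) protocol(1) SPI size(1) number of SPIs(2) SPIs
    if len(body) < 8:
        raise ValueError("delete payload shorter than its fixed part")
    doi, proto, spi_size, nspis = struct.unpack_from("!IBBH", body)
    if len(body) != 8 + nspis * spi_size:
        raise ValueError("delete payload length does not match its SPI count")
    spis = [body[8 + i * spi_size: 8 + (i + 1) * spi_size] for i in range(nspis)]
    # RFC 2408 3.15: the IKE SA is deleted by protocol 1 with the 16-byte cookie pair as SPI
    deletes_ike_sa = proto == PROTO_ISAKMP and spi_size == 16 and (msg.icookie + msg.rcookie) in spis
    return {"doi": doi, "protocol": proto, "spis": [s.hex() for s in spis], "deletes_ike_sa": deletes_ike_sa}

def parse_isakmp(data: bytes) -> IsakmpMessage:
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, nxt, version, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    if version >> 4 != 1:
        raise ValueError(f"unexpected ISAKMP major version {version >> 4}")
    if length != len(data):
        raise ValueError(f"header length {length} != {len(data)} bytes supplied")
    msg = IsakmpMessage(icookie, rcookie, xchg, flags, msgid)
    if flags & FLAG_ENCRYPTION:
        return msg  # payloads are ciphertext under the IKE SA; nothing to walk without the keys
    off = ISAKMP_HDR.size
    while nxt != 0:
        if off + PAYLOAD_HDR.size > len(data):
            raise ValueError("truncated payload header")
        following, _reserved, plen = PAYLOAD_HDR.unpack_from(data, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        payload = Payload(nxt, data[off + PAYLOAD_HDR.size: off + plen])
        if nxt == PAYLOAD_NOTIFY:
            payload.info = _parse_notify(payload.body)
        elif nxt == PAYLOAD_DELETE:
            payload.info = _parse_delete(payload.body, msg)
        msg.payloads.append(payload)
        off += plen
        nxt = following
    if off != len(data):
        raise ValueError("trailing bytes after the last payload")
    return msg

def _informational(icookie: bytes, rcookie: bytes, ptype: int, body: bytes, msgid: int = 0x2B7C9E10) -> bytes:
    """Build an unencrypted Informational exchange with one payload (constructed message ID)."""
    payload = PAYLOAD_HDR.pack(0, 0, PAYLOAD_HDR.size + len(body)) + body
    hdr = ISAKMP_HDR.pack(icookie, rcookie, ptype, 0x10, XCHG_INFORMATIONAL, 0, msgid,
                          ISAKMP_HDR.size + len(payload))
    return hdr + payload

ICOOKIE, RCOOKIE = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")  # constructed

def sample_invalid_id_notify() -> bytes:
    """INVALID-ID-INFORMATION (18) about the ISAKMP SA, no SPI: 28-byte header + 12-byte payload."""
    return _informational(ICOOKIE, RCOOKIE, PAYLOAD_NOTIFY, struct.pack("!IBBH", 1, PROTO_ISAKMP, 0, 18))

def sample_ike_sa_delete() -> bytes:
    """Delete payload naming the IKE SA itself by its 16-byte cookie pair."""
    return _informational(ICOOKIE, RCOOKIE, PAYLOAD_DELETE,
                          struct.pack("!IBBH", 1, PROTO_ISAKMP, 16, 1) + ICOOKIE + RCOOKIE)

def describe(data: bytes) -> str:
    msg = parse_isakmp(data)
    parts = [f"{EXCHANGE_TYPES.get(msg.exchange, msg.exchange)} len={len(data)}"]
    for p in msg.payloads:
        if p.ptype == PAYLOAD_NOTIFY:
            parts.append(f"N={p.info['notify_name']}({p.info['notify_type']})")
        elif p.ptype == PAYLOAD_DELETE:
            parts.append("D=IKE-SA" if p.info["deletes_ike_sa"] else f"D=proto{p.info['protocol']} {p.info['spis']}")
    return " ".join(parts)

if __name__ == "__main__":
    print(describe(sample_invalid_id_notify()))  # Informational len=40 N=INVALID-ID-INFORMATION(18)
    print(describe(sample_ike_sa_delete()))      # Informational len=56 D=IKE-SA
```

To use it on a real trace, feed parse_isakmp() the UDP payload of a port 500 packet. The caveat that matters for the 110-byte restart messages is the encryption flag: once an IKE SA exists, Informational exchanges are sent encrypted under it, so the dissector will return the header (cookies, message ID) but no payloads, and confirming that the delete names the IKE SA rather than only the IPsec SAs needs either the SA keys or isakmpd's own debug output on the receiving peer.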
