Hi all,
I have configured a routerboard to establish an ipsec transport policy to an openswan peer, where both sides are authenticated with digital certificates, each one signed by a separate CA, one CA for (what will become) the concentrator, and a second CA for (what will become) the Mikrotik client(s).
The two sides attempt to connect to each other, but the Mikrotik side triggers the following error and the exchange fails:
time=00:07:21 topics=ipsec message="begin Identity Protection mode."
time=00:07:21 topics=ipsec message="received Vendor ID: DPD"
time=00:07:21 topics=ipsec message="received Vendor ID: RFC 3947"
time=00:07:21 topics=ipsec message="Selected NAT-T version: RFC 3947"
time=00:07:21 topics=ipsec message="Hashing X.X.X.X[500] with algo #2 "
time=00:07:21 topics=ipsec message="Hashing X.X.X.X[500] with algo #2 "
time=00:07:21 topics=ipsec message="Adding remote and local NAT-D payloads."
time=00:07:21 topics=ipsec message="Hashing X.X.X.X[500] with algo #2 "
time=00:07:21 topics=ipsec message="NAT-D payload #0 verified"
time=00:07:21 topics=ipsec message="Hashing X.X.X.X[500] with algo #2 "
time=00:07:21 topics=ipsec message="NAT-D payload #1 verified"
time=00:07:21 topics=ipsec message="NAT not detected "
time=00:07:22 topics=ipsec message="Invalid ID length in phase 1."
time=00:07:22 topics=ipsec message="none message must be encrypted"
time=00:07:32 topics=ipsec message="Invalid ID length in phase 1."
time=00:07:32 topics=ipsec message="none message must be encrypted"
A thorough trawl of the net reveals that "Invalid ID length in phase 1." apparently makes reference to the DN of a certificate; I am not sure if it is the remote cert or the local one. I am struggling to understand both the error and where my configuration might have gone wrong.
This is my peer config:
[minfrin@router] /ip ipsec peer> print
Flags: X - disabled
0 address=X.X.X.X/32:500 auth-method=rsa-signature
certificate=client-cert1 remote-certificate=radius-server-ca
generate-policy=no exchange-mode=main send-initial-contact=yes
nat-traversal=yes proposal-check=obey hash-algorithm=sha1
enc-algorithm=aes-256 dh-group=modp1024 lifetime=1d lifebytes=0
dpd-interval=disable-dpd dpd-maximum-failures=5
Most specifically, the "client-cert1" refers to the certificate used to present to the peer, and the "radius-server-ca" refers to the CA certificate that verifies the peer's certificate presented to us. Am I interpreting the remote-certificate option correctly?
Regards,
Graham
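As an added illustration, not part of the original post and not RouterOS or openswan code, the Python below builds and parses IKEv1 Identification payloads as laid out in RFC 2407 (section 4.6.2) and RFC 2408 (section 3.8), so the reader can see what the "ID" in the log line is: the identity each peer sends in phase 1, which for certificate authentication is normally the DER-encoded subject DN of the presented certificate. The length rules applied (an IPv4 identity carries exactly 4 octets, an IPv6 identity 16, a DN identity one well-formed DER SEQUENCE) follow the RFC encodings; it is an assumption that they match what the router's IKE daemon checks, and the post does not establish which side's identity was rejected. The DN encoder is a minimal short-form-only one written for this example, and the sample DN values and the malformed address identity are constructed.

```python
"""IKEv1 Identification payload (RFC 2407 section 4.6.2, RFC 2408 section 3.8):
build one, parse it back, and apply the length rules each ID type implies.
Added example; not code from the original post, RouterOS or openswan."""
import ipaddress
import struct

# Identification types from RFC 2407 section 4.6.2.1
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV6_ADDR = 5
ID_DER_ASN1_DN = 9
ID_KEY_ID = 11

# Octet counts fixed by the type itself
FIXED_LEN = {ID_IPV4_ADDR: 4, ID_IPV6_ADDR: 16}

# Attribute types this example encodes/decodes; values are DER-encoded OIDs
OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}
OID_NAMES = {v: k for k, v in OIDS.items()}


def _tlv(tag, body):
    """Short-form DER TLV (length < 128), enough for the small DNs used here."""
    if len(body) >= 0x80:
        raise ValueError("long-form DER lengths are not handled in this example")
    return bytes([tag, len(body)]) + body


def _tlvs(buf):
    """Iterate (tag, body) over concatenated short-form DER TLVs."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        if length >= 0x80 or i + 2 + length > len(buf):
            raise ValueError("malformed or long-form DER element")
        yield tag, buf[i + 2:i + 2 + length]
        i += 2 + length


def der_dn(rdns):
    """Encode [(attr, value), ...] as an X.501 Name: SEQUENCE of SET of
    SEQUENCE {OID, PrintableString}. Minimal encoder for the constructed sample."""
    body = b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, OIDS[attr]) + _tlv(0x13, value.encode("ascii"))))
        for attr, value in rdns)
    return _tlv(0x30, body)


def dn_to_string(der):
    """Decode a Name produced by der_dn() into 'C=../O=../CN=..'."""
    items = list(_tlvs(der))
    if len(items) != 1 or items[0][0] != 0x30:
        raise ValueError("DN is not a single DER SEQUENCE")
    parts = []
    for _, rdn in _tlvs(items[0][1]):          # each SET (one RDN)
        for _, atv in _tlvs(rdn):              # each AttributeTypeAndValue
            (_, oid), (_, value) = list(_tlvs(atv))
            parts.append("%s=%s" % (OID_NAMES.get(oid, oid.hex()), value.decode("ascii")))
    return "/".join(parts)


def build_id_payload(id_type, data, proto=17, port=500, next_payload=0):
    """Generic ISAKMP header (next, reserved, length) + ID type, protocol, port, data."""
    body = struct.pack("!BBH", id_type, proto, port) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_id_payload(buf):
    """Parse one ID payload from the front of buf; anything after it is ignored."""
    if len(buf) < 8:
        raise ValueError("ID payload shorter than its fixed 8-octet header")
    next_payload, reserved, length = struct.unpack("!BBH", buf[:4])
    if reserved != 0 or length < 8 or length > len(buf):
        raise ValueError("bad reserved byte or payload length")
    id_type, proto, port = struct.unpack("!BBH", buf[4:8])
    return {"type": id_type, "proto": proto, "port": port, "data": buf[8:length]}


def check_id(payload):
    """Return (ok, text). Address IDs must be exactly 4 or 16 octets; a DN ID must
    be one well-formed DER SEQUENCE. Assumption: these are the RFC 2407 encoding
    rules, not a reproduction of any particular daemon's exact check."""
    id_type, data = payload["type"], payload["data"]
    if id_type in FIXED_LEN:
        if len(data) != FIXED_LEN[id_type]:
            return False, "invalid ID length: type %d needs %d octets, got %d" % (
                id_type, FIXED_LEN[id_type], len(data))
        return True, str(ipaddress.ip_address(data))
    if id_type == ID_DER_ASN1_DN:
        try:
            return True, dn_to_string(data)
        except ValueError as exc:
            return False, "invalid DER_ASN1_DN: %s" % exc
    if id_type in (ID_FQDN, ID_USER_FQDN):
        return True, data.decode("ascii")
    if id_type == ID_KEY_ID:
        return True, data.hex()
    return False, "unsupported ID type %d" % id_type


def demo():
    """Constructed samples: the DN a certificate-authenticated peer would send,
    beside an IPv4 identity carrying one octet too many."""
    dn = der_dn([("C", "ZA"), ("O", "Example"), ("CN", "router1")])
    good = check_id(parse_id_payload(build_id_payload(ID_DER_ASN1_DN, dn)))
    bad = check_id(parse_id_payload(build_id_payload(ID_IPV4_ADDR, b"\xc0\xa8\x01\x01\x00")))
    return good, bad


if __name__ == "__main__":
    for ok, text in demo():
        print("OK  " if ok else "FAIL", text)
```

Running the script prints the decoded DN for the well-formed identity and the length complaint for the malformed one; the same functions can be pointed at the ID payload bytes from a packet capture of the phase 1 exchange to see which identity type and length each side actually sent.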