Home » Mailing list archives » openbsd-misc » 2008 » July » 9

isakmpd times out on rolled-over client certificate

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
[view in full thread]
From: Markus Wernig <listener@...>
To: <misc@...>
Subject: isakmpd times out on rolled-over client certificate
Date: Wednesday, July 9, 2008 - 4:13 am

Hi all


I have an OBSD4.3 VPN gateway that authenticates users based on their

certificate and an isakmpd.policy, which works just fine. Now a user had

to renew his certificate: same CA, same CA certificate, same Subject DN,

same EVERYTHING. I'd have expected that he'd just need to close the VPN

tunnel, install the new certificate, authenticate again and that'd be

it. But not so. isakmpd logs and sends back: isakmpd[26674]: dropped

message from aaa.bbb.ccc.ddd port 500 due to notification type

INVALID_ID_INFORMATION


On one machine, I had to restart isakmpd to get it to accept the new

certificate, on the other one I can't because I connect to it through

the same VPN ... Obviously some part of the certificate gets cached

somewhere in memory (isakmpd? kernel?). Tearing down old SAs for the

user's IP (echo "t aaa.bbb.ccc.ddd" > /var/run/isakmpd.fifo) doen't help.


Is there any way (apart from bouncing isakmpd) to force (isakmpd?

kernel?) to forget the old and use the new certificate? On one occasion

I had to reboot a box ... which I consider a rather drastic measure for

the occasion of a user certificate renewal.


tx /markus
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
Messages in current thread:
isakmpd times out on rolled-over client certificate, Markus Wernig, (Wed Jul 9, 4:13 am)