IPSECKEY RRs?

Melbinger Christian Christian.Melbinger at wienit.at
Thu Dec 20 11:18:29 UTC 2012


Hi

Does anyone have experience with an IPSECKEY RR? Especially how to make one?

Why do I need one, you ask?
Well, it's my best guess. I have to create a site2site vpn tunnel between a Westermo GPRS-Modem and a Checkpoint Firewall, and the Modem does not accept the certificate.
Instead it logs: "no RSA public key known for '62.99.190.155'; DNS search for KEY failed (failure querying DNS for KEY of 155.190.99.62.in-addr.arpa.: Host name lookup failure)"


I found an example of such an RR on the interwebs, it looks like this:
38.2.0.192.in-addr.arpa. 7200 IN     IPSECKEY ( 10 1 2
                    192.0.2.38
                    AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
My BIND 9.8.2 accepts this record, but of course I need the correct one, not the example.
So, does anyone know how to convert the public key of my certificate into a signature like this?
Here is some additional information:

Log entries of the Westermo MRD-310:
<84>Dec 18 16:51:25 pluto[16214]: "VPN_ASA_TM0" #1: Main mode peer ID is ID_IPV4_ADDR: '62.99.190.155'
<84>Dec 18 16:51:25 pluto[16214]: "VPN_ASA_TM0" #1: issuer cacert not found
<84>Dec 18 16:51:25 pluto[16214]: "VPN_ASA_TM0" #1: X.509 certificate rejected
<84>Dec 18 16:51:25 pluto[16214]: "VPN_ASA_TM0" #1: issuer cacert not found
<84>Dec 18 16:51:25 pluto[16214]: "VPN_ASA_TM0" #1: X.509 certificate rejected
<84>Dec 18 16:51:26 pluto[16214]: "VPN_ASA_TM0" #1: no RSA public key known for '62.99.190.155'; DNS search for KEY failed (failure querying DNS for KEY of 155.190.99.62.in-addr.arpa.: Host name lookup failure)
<84>Dec 18 16:51:26 pluto[16214]: "VPN_ASA_TM0" #1: sending encrypted notification INVALID_KEY_INFORMATION to 62.99.190.155:500


IPSECKEY rfc:
https://tools.ietf.org/html/rfc4025


Thanks!

---
Ing. Christian Melbinger
Netzwerk & Security

WienIT EDV Dienstleistungsgesellschaft mbH & Co KG
A-1030 Wien, Thomas-Klestil-Platz 6
tel: +43 (1) 90405 47188
fax: +43 (1) 90405 88 47188
mailto:christian.melbinger at wienit.at

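An added example, not from the post and not BIND code, showing how the key field of an IPSECKEY record is built: for algorithm 2 (RSA) the field is the RFC 3110 packing of the public key (exponent length, exponent, modulus), base64-encoded. The function names are hypothetical; the sample input is the key from the RFC 4025 example record quoted above, and the modulus and exponent for a real certificate are assumed to be read out of it separately (for example with openssl).

```python
import base64

# Constructed input: the key field of the RFC 4025 example record quoted in the post.
EXAMPLE_KEY_B64 = "AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ=="


def rfc3110_encode(e, n):
    """Pack an RSA public key (e, n) as RFC 3110 section 2, the format that
    IPSECKEY algorithm 2 (RSA) carries: exponent length, exponent, modulus."""
    exp = e.to_bytes((e.bit_length() + 7) // 8, "big")
    if len(exp) < 256:
        hdr = bytes([len(exp)])                      # one-byte exponent length
    else:
        hdr = b"\x00" + len(exp).to_bytes(2, "big")  # zero marker + 16-bit length
    mod = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return hdr + exp + mod


def rfc3110_decode(blob):
    """Inverse of rfc3110_encode: returns (e, n) from the packed key bytes."""
    if blob[0] != 0:
        elen, off = blob[0], 1
    else:
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    e = int.from_bytes(blob[off:off + elen], "big")
    n = int.from_bytes(blob[off + elen:], "big")
    return e, n


def decode_key_field(key_b64):
    """Parse the base64 key field of an existing IPSECKEY record into (e, n)."""
    return rfc3110_decode(base64.b64decode(key_b64))


def ipseckey_rr(owner, precedence, gateway_type, gateway, e, n, ttl=7200):
    """Render one IPSECKEY record in zone-file syntax (RFC 4025 section 3).
    Algorithm is fixed to 2 because this helper only handles RSA keys.
    gateway_type: 0 = none (gateway written as '.'), 1 = IPv4, 2 = IPv6, 3 = name."""
    if gateway_type == 0:
        gateway = "."
    key = base64.b64encode(rfc3110_encode(e, n)).decode("ascii")
    return f"{owner} {ttl} IN IPSECKEY {precedence} {gateway_type} 2 {gateway} {key}"


if __name__ == "__main__":
    e, n = decode_key_field(EXAMPLE_KEY_B64)
    print(f"example key: e={e}, modulus of {n.bit_length()} bits")
    print(ipseckey_rr("38.2.0.192.in-addr.arpa.", 10, 1, "192.0.2.38", e, n))
```

For a real certificate, `openssl x509 -in cert.pem -noout -modulus` prints the modulus as hex and `openssl x509 -in cert.pem -noout -text` shows the exponent; feed those two integers to ipseckey_rr, and note that the record owner is the reverse (in-addr.arpa) name of the peer address that the modem looks up.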

