Hi,
I’m a little stuck getting two different clients connected to my OpenBSD
5.7 (i386) VPN ikev2 server. I suspect the clients are at fault as I can
get past the error when connecting one OpenBSDs iked to another iked.
FWIW the clients are both Apple, one IOS 9.1 device and one OSX 10.11.1
laptop, so I’m a little stuck with the VPN client I can use.
I have the following configuration:
ikev2 "road_warrior" passive esp \
from 192.168.20.0/24 to 192.168.40.0/24 \
local 192.168.20.4 peer any \
ikesa enc aes-128 prf hmac-sha2-256 \
auth hmac-sha2-256 group modp2048 \
childsa enc aes-128 auth hmac-sha2-256 \
srcid "local.example.net \
dstid "peer.example.net" \
config address 192.168.40.10/29 \
config netmask 255.255.255.0 \
config name-server 192.168.20.53 \
config protected-subnet 192.168.40.0/24
�(IPs and names have been changed to protect the innocent)
I have keys installed as follows:
/etc/iked/ca/example.net.crt
/etc/iked/certs/local.example.net.crt
/etc/iked/private/local.key
/etc/iked/pubkeys/fqdn/peer.example.net
/etc/iked/local.pub
I believe the client isn’t sending the certificate request, but I
could be completely wrong, the error appears to be:
ikev2_sa_negotiate: score 4
sa_stateflags: 0x18 -> 0x18 authvalid,sa (required 0x1f
cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
config_free_proposals: free 0x77286c80
ca_getreq: no valid local certificate found
The client is sending peer.example.net.crt to the server, which gets
validated correctly:
ca_validate_cert: /C=UK/L=London/O=Example Net/CN=peer.example.net ok
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x1c -> 0x1e certvalid,auth,authvalid,sa (required 0x1f
cert,certvalid,auth,authvalid,sa)
I’ve been at this for a number of days and am completely stuck, so if
anyone has any ideas/advice/clue-sticks I’d be very grateful. If you
need any further log information please let me know.
thanks
Rob
