Hi, I’m a little stuck getting two different clients connected to my OpenBSD 5.7 (i386) VPN ikev2 server. I suspect the clients are at fault as I can get past the error when connecting one OpenBSDs iked to another iked.
FWIW the clients are both Apple, one IOS 9.1 device and one OSX 10.11.1 laptop, so I’m a little stuck with the VPN client I can use. I have the following configuration: ikev2 "road_warrior" passive esp \ from 192.168.20.0/24 to 192.168.40.0/24 \ local 192.168.20.4 peer any \ ikesa enc aes-128 prf hmac-sha2-256 \ auth hmac-sha2-256 group modp2048 \ childsa enc aes-128 auth hmac-sha2-256 \ srcid "local.example.net \ dstid "peer.example.net" \ config address 192.168.40.10/29 \ config netmask 255.255.255.0 \ config name-server 192.168.20.53 \ config protected-subnet 192.168.40.0/24 (IPs and names have been changed to protect the innocent) I have keys installed as follows: /etc/iked/ca/example.net.crt /etc/iked/certs/local.example.net.crt /etc/iked/private/local.key /etc/iked/pubkeys/fqdn/peer.example.net /etc/iked/local.pub I believe the client isn’t sending the certificate request, but I could be completely wrong, the error appears to be: ikev2_sa_negotiate: score 4 sa_stateflags: 0x18 -> 0x18 authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa) sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa sa_state: cannot switch: AUTH_SUCCESS -> VALID config_free_proposals: free 0x77286c80 ca_getreq: no valid local certificate found The client is sending peer.example.net.crt to the server, which gets validated correctly: ca_validate_cert: /C=UK/L=London/O=Example Net/CN=peer.example.net ok ikev2_dispatch_cert: peer certificate is valid sa_stateflags: 0x1c -> 0x1e certvalid,auth,authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa) I’ve been at this for a number of days and am completely stuck, so if anyone has any ideas/advice/clue-sticks I’d be very grateful. If you need any further log information please let me know. thanks Rob