Hello all,

I am continuing my assault on iked.... :)

Here is a perfectly working configuration that uses PSKs:

###########

local_ip = "A.B.1.153"
local_net = "172.16.0.0/20"

ikev2 "KBweb" \
        passive ipcomp esp \
        from $local_net to 10.33.33.0/27 \
        local $local_ip \
        peer C.D.65.236 \
        ikesa auth hmac-sha2-256 enc aes-192 group modp2048 \
        childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
        srcid $local_ip \
        dstid web01.domain.org \
        psk thepsk


ikev2 "KBDB" \
        passive ipcomp esp \
        from $local_net to 10.34.34.0/27 \
        local $local_ip \
        peer C.D.65.237 \
        ikesa auth hmac-sha2-256 enc aes-192 group modp2048 \
        childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
        srcid $local_ip \
        dstid db01.domain.org \
        psk thepsk

###############

Now, I am adding a third connection, using certificates (presumably):

######

user "igor" "thepassword"

ikev2 "roaming" \
        passive esp \
        from $local_net to 192.168.200.0/26 \
        local $local_ip \
        peer any \
        eap "mschap-v2" \
        config address 192.168.200.1 \
        tag "$name-$id"

######


This results in the first 2 connections never working anymore:

ikev2_msg_auth: responder auth data length 525
ikev2_msg_auth: initiator auth data length 488
ikev2_msg_authverify: method SHARED_KEY_MIC keylen 32 type NONE
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0028 -> 0x0038 auth,authvalid,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
ikev2_sa_negotiate: score 4
sa_stateflags: 0x0038 -> 0x0038 auth,authvalid,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
sa_stateok: VALID flags 0x0038, require 0x0079 cert,auth,authvalid,sa,eapvalid
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_ike_auth: no CERTREQ, using default
ikev2_policy2id: srcid IPV4/A.B.1.153 length 8
sa_stateflags: 0x0038 -> 0x003c certreq,auth,authvalid,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
config_free_proposals: free 0x23ee58d3f80
ca_getreq: found CA /C=US/ST=New Jersey/O=Gubenko/OU=IT/CN=cainter.dom.com
ca_x509_subjectaltname: unsupported subjectAltName type 34
ca_getreq: found CA /C=US/ST=New Jersey/L=Livingston/O=Gubenko/OU=IT/CN=caroot.dom.com
ca_getreq: no valid local certificate found
ikev2_getimsgdata: imsg 19 rspi 0xbd166184c4d2d33b ispi 0xd7fc1a37a3acdec4 initiator 0 sa valid type 0 data length 0
ikev2_dispatch_cert: cert type NONE length 0, ignored


As a side note, the certificate does contain several subjectAltNames:

     X509v3 Subject Alternative Name:
                DNS:ip6.dom.com, DNS:www.dom.com, DNS:www.ip6.dom.com, DNS:mail.dom.com, DNS:imap.dom.com, DNS:smtp.dom.com, DNS:proxy.dom.com, DNS:vpn.dom.com, DNS:pbx.dom.com


As soon as the third section is commented out, and iked restarted, the
first two connections come back up.


Please help.

Many thanks,

- Igor
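An added example for readers working through a trace like the one in this post (editor's code, not Igor's and not part of iked): a small Python script that reads iked's sa_stateflags lines and reports which flags the `required` mask asks for that the SA never obtained. The sample log lines are copied from the post with the mail client's line wrapping undone; the parsing is done on the flag names iked prints, so no knowledge of the bit assignments is assumed, and the numeric `required & ~new` mask is reported alongside as a cross-check. On this trace the answer is cert and eapvalid: the SA keeps being held to a policy that wants a certificate and a completed EAP exchange, which is why sa_state refuses the switch from AUTH_SUCCESS to VALID.

```python
import re

# Constructed sample: the sa_stateflags lines quoted in the post, with the
# mail wrapping undone so that every record sits on a single line.
SAMPLE_LOG = """\
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0028 -> 0x0038 auth,authvalid,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
ikev2_sa_negotiate: score 4
sa_stateflags: 0x0038 -> 0x0038 auth,authvalid,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
sa_state: cannot switch: AUTH_SUCCESS -> VALID
sa_stateflags: 0x0038 -> 0x003c certreq,auth,authvalid,sa (required 0x0079 cert,auth,authvalid,sa,eapvalid)
ca_getreq: no valid local certificate found
"""

# Shape of an sa_stateflags record as printed in the trace above:
#   sa_stateflags: OLD -> NEW name,name,... (required REQ name,name,...)
STATEFLAGS_RE = re.compile(
    r"sa_stateflags: (0x[0-9a-fA-F]+) -> (0x[0-9a-fA-F]+) ([\w,]*) "
    r"\(required (0x[0-9a-fA-F]+) ([\w,]*)\)"
)


def _names(field):
    """Split iked's comma-separated flag list into a set of names."""
    return frozenset(n for n in field.split(",") if n)


def parse_stateflags(log_text):
    """Return one dict per sa_stateflags line: the masks, the printed flag
    names, and which required flags the SA still lacks at that point."""
    records = []
    for line in log_text.splitlines():
        m = STATEFLAGS_RE.search(line)
        if not m:
            continue
        old, new, new_names, req, req_names = m.groups()
        new_v, req_v = int(new, 16), int(req, 16)
        have, need = _names(new_names), _names(req_names)
        records.append({
            "old": int(old, 16),
            "new": new_v,
            "required": req_v,
            "have": have,
            "need": need,
            # numeric view: bits demanded by 'required' but absent from 'new'
            "missing_bits": req_v & ~new_v,
            # name view: the same information as iked spells it out
            "missing": need - have,
        })
    return records


def flags_never_reached(log_text):
    """Flag names listed under 'required' on some line but never present in
    any 'new' set across the trace: the requirements this SA never met."""
    recs = parse_stateflags(log_text)
    if not recs:
        return frozenset()
    need = frozenset().union(*(r["need"] for r in recs))
    have = frozenset().union(*(r["have"] for r in recs))
    return need - have


if __name__ == "__main__":
    for r in parse_stateflags(SAMPLE_LOG):
        print(f"0x{r['new']:04x} vs required 0x{r['required']:04x}: "
              f"missing {sorted(r['missing'])} (bits 0x{r['missing_bits']:02x})")
    print("never satisfied:", sorted(flags_never_reached(SAMPLE_LOG)))
```

Run it against `iked -dvv` output for a failing peer; if the flags it reports as never satisfied are ones the peer's intended policy does not ask for (here cert and eapvalid for a PSK policy), the SA is being evaluated against a different policy than the one you expect, which is the thing to check in iked.conf before suspecting the certificates themselves.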
