On 28 June 2017, Rupert Gallagher <r...@protonmail.com> wrote: > You need a server-signed certificate.
Ok, let me redo this from scratch: (1) On the server: ikectl ca vpn create ikectl ca vpn install ikectl ca vpn certificate x.y.z.t create ikectl ca vpn certificate x.y.z.t install ikectl ca vpn certificate 10.0.0.1 create ikectl ca vpn certificate 10.0.0.1 export ... copy 10.0.0.1.tgz to the home router (2) On the home router: tar -C /etc/iked -xzpf 10.0.0.1.tgz Nothing seems to have changed: On the server: # iked -d ikev2_recv: IKE_SA_INIT request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 0, 510 bytes ikev2_msg_send: IKE_SA_INIT response from x.y.z.t:500 to 89.136.163.27:500 msgid 0, 471 bytes ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 1, 1520 bytes ikev2_msg_send: IKE_AUTH response from x.y.z.t:500 to 89.136.163.27:500 msgid 1, 1440 bytes sa_state: VALID -> ESTABLISHED from 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 2, 1520 bytes ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 2, 1520 bytes ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 2, 1520 bytes ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 2, 1520 bytes On the home router: # iked -d set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/x.y.z.t ikev2_msg_send: IKE_SA_INIT request from 89.136.163.27:500 to x.y.z.t:500 msgid 0, 510 bytes ikev2_recv: IKE_SA_INIT response from responder x.y.z.t:500 to 89.136.163.27:500 policy 'home' id 0, 471 bytes ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 msgid 1, 1520 bytes ikev2_recv: IKE_AUTH response from responder x.y.z.t:500 to 89.136.163.27:500 policy 'home' id 1, 1440 bytes ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 msgid 2, 1520 bytes The warning about pubkey doesn't go away if I copy the server's certificate to /etc/iked/pubkeys/ipv4/x.y.z.t, nor if I install it in /etc/iked/certs. And then there's this, which doesn't look normal: ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG I'm using 6.1 release on the server, and the current snapshot on the home router: OpenBSD sb1.xxxxx.net 6.1 GENERIC#10 amd64 OpenBSD router.xxxxx.net 6.1 GENERIC.MP#44 amd64 Regards, Liviu Daia