Re: OpenBSD IPSec setup

Thu, 29 Jun 2017 00:46:35 -0700 

On 28 June 2017, Rupert Gallagher <r...@protonmail.com> wrote:
> You need a server-signed certificate.

    Ok, let me redo this from scratch:

(1) On the server:

        ikectl ca vpn create
        ikectl ca vpn install
        ikectl ca vpn certificate x.y.z.t create
        ikectl ca vpn certificate x.y.z.t install
        ikectl ca vpn certificate 10.0.0.1 create
        ikectl ca vpn certificate 10.0.0.1 export

        ... copy 10.0.0.1.tgz to the home router

(2) On the home router:

        tar -C /etc/iked -xzpf 10.0.0.1.tgz

    Nothing seems to have changed:

    On the server:

# iked -d
ikev2_recv: IKE_SA_INIT request from initiator 89.136.163.27:500 to x.y.z.t:500 
policy 'sb1' id 0, 510 bytes
ikev2_msg_send: IKE_SA_INIT response from x.y.z.t:500 to 89.136.163.27:500 
msgid 0, 471 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 
policy 'sb1' id 1, 1520 bytes
ikev2_msg_send: IKE_AUTH response from x.y.z.t:500 to 89.136.163.27:500 msgid 
1, 1440 bytes
sa_state: VALID -> ESTABLISHED from 89.136.163.27:500 to x.y.z.t:500 policy 
'sb1'
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 
policy 'sb1' id 2, 1520 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 
policy 'sb1' id 2, 1520 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 
policy 'sb1' id 2, 1520 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 
policy 'sb1' id 2, 1520 bytes

    On the home router:

# iked -d
set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/x.y.z.t
ikev2_msg_send: IKE_SA_INIT request from 89.136.163.27:500 to x.y.z.t:500 msgid 
0, 510 bytes
ikev2_recv: IKE_SA_INIT response from responder x.y.z.t:500 to 
89.136.163.27:500 policy 'home' id 0, 471 bytes
ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 msgid 1, 
1520 bytes
ikev2_recv: IKE_AUTH response from responder x.y.z.t:500 to 89.136.163.27:500 
policy 'home' id 1, 1440 bytes
ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 msgid 2, 
1520 bytes

    The warning about pubkey doesn't go away if I copy the server's
certificate to /etc/iked/pubkeys/ipv4/x.y.z.t, nor if I install it in
/etc/iked/certs.  And then there's this, which doesn't look normal:

ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG

    I'm using 6.1 release on the server, and the current snapshot on the
home router:

OpenBSD sb1.xxxxx.net 6.1 GENERIC#10 amd64
OpenBSD router.xxxxx.net 6.1 GENERIC.MP#44 amd64

    Regards,

    Liviu Daia

Reply via email to