I have not tried ECDSA; however, I've had iOS and macOS devices running with iked since it came into OpenBSD, using certificate auth with RSA 2048 certs and an RSA 4096 CA.
I just recently wrote a blog post on it; it includes a general overview of how I did it and a fragment of my .mobileconfig and iked.conf.

https://www.going-flying.com/blog/protecting-my-macos-and-ios-devices-with-an-openbsd-vpn.html

My VPN endpoint is currently running:

OpenBSD 6.4 (GENERIC) #7: Thu Feb 28 18:10:07 CET 2019
    r...@syspatch-64-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

--Matt

> On Apr 4, 2019, at 20:08, Tim Stewart <t...@stoo.org> wrote:
>
> Hi Ted,
>
> On 6/2/18 12:26 PM, Theodore Wynnychenko wrote:
>> Hello
>> Last year (before about 3/27/2017 when "Add support for RFC4754 (ECDSA) and
>> RFC7427 authentication" diff was committed to current), I had set up and had
>> been able to connect iOS devices (iphone/ipad) to OpenBSD's iked, and have
>> ikev2 VPNs happen, almost as if by magic.
>> Authentication was accomplished using certificates signed by a local
>> authority and then distributed to the iOS devices.
>> Since 3/27/17, this has not been working. I sent a couple of emails about
>> this last year (the initial one:
>> https://marc.info/?l=openbsd-bugs&m=149706080419488&w=2).
>> Over the last year, I have tried many things. Even though I don't know
>> anything about programming (or C), I tried making little changes to the iked
>> source, all without success. (Is that any surprise? No. I was amazed at times
>> that my changes even resulted in a program that would actually start up and
>> run.)
>> I have tried creating several different CAs and certificates, using various
>> different algorithms (ECDSA and RSA, with varying key lengths), all without
>> success. For example, I just tried creating a CA and certificates with
>> ECDSA384/SHA2-384; I distribute those to the iOS device (which supports
>> them), but iked will not accept them and create a tunnel.
>> In iked.conf, if I don't explicitly state something like "ecdsa384" as the
>> authentication method (and this requires having a local copy of the public
>> key on the openbsd machine), iked falls back to rfc7427 for authentication,
>> but it appears that iOS does not support this (yet?).
>> I have been downgrading iked to a version before 3/27/17 (every time I
>> update -current), and this still allows my old certificates to work. But
>> that doesn't seem sustainable.
>> I have no idea how to proceed?
>> Has anyone been able to get -current (or at least, a snapshot after 3/27/17)
>> version of iked to work with any iOS devices using certificates successfully?
>> If so, I would really appreciate some advice on how it can be done.
>> Thanks
>> Ted
>
> Last night I tried to set up my iPad for the first time and ran into a
> similar issue. Today I remembered writing a patch for a similar issue after
> RFC7427 was added:
>
> https://marc.info/?l=openbsd-tech&m=149499973130985
>
> After applying this, and adding the `rsa' ikeauth parameter to the policy,
> the iPad successfully connected.
>
> Can you try applying that patch and see if it resolves your issue? If it
> also works for you, I'll reply on that thread and see if anyone wants to
> opine on the patch.
>
> -TimS
>
> --
> Tim Stewart
> t...@stoo.org
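An added example iked.conf(5) responder policy showing the fix the thread converges on: an explicit `ikeauth rsa` so that iked uses classic RSA signature authentication instead of falling back to RFC 7427, which the posters report iOS did not accept at the time. This is not configuration from Matt's blog post or from either poster; the policy name, hostname, address pool and cipher choices are assumed placeholders.

```conf
# Added example, not from the thread. Certificate-authenticated IKEv2 policy
# for iOS/macOS road-warrior clients on an OpenBSD iked(8) responder.
#
# Where iked(8) looks for the local material (documented defaults):
#   /etc/iked/private/local.key   server private key
#   /etc/iked/local.pub           matching public key
#   /etc/iked/ca/                 CA certificate(s) that signed server and device certs
#   /etc/iked/certs/              server certificate, matched to the srcid below
#
# "ikeauth rsa" is the point of this example: without it, a current iked
# defaults to RFC 7427 signature authentication for certificate peers, and
# the thread reports iOS clients failing to authenticate in that mode.

ikev2 "ios-clients" passive esp \
        from 0.0.0.0/0 to 10.99.0.0/24 \
        local egress peer any \
        ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
        childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
        srcid vpn.example.net \
        ikeauth rsa \
        config address 10.99.0.0/24 \
        config name-server 10.99.0.1
```

After editing, `iked -n` validates the syntax and `rcctl reload iked` applies the policy; a client that still fails to authenticate can be compared against `iked -dv` output to confirm which auth method each side proposed.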