Good day,
I'm trying to get a better understanding of how iked does what I'm calling
policy
negotiation when there are many clients. Here's an example /etc/iked.conf
--- /etc/iked.conf ---
```
...
my_vether=10.0.0.1/32
my_network=172.16.0.0/20
my_fqdn="vpn-root.example.com"
laptop_1_vether=10.0.0.16/32
laptop_2_vether=10.0.0.17/32
device_1_vether=10.0.0.18/32
device_2_vether=10.0.0.19/32
laptop_1_name_="laptop_1.example.com"
laptop_2_name="laptop_2.example.com"
device_1_name="device_1.example.com"
device_2_name="device_2.example.com"
...
ikev2 "laptop_1" passive esp \
from $my_vether to $laptop_1_vether \
from $my_network to $laptop_1_vether \
local egress peer any \
ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
srcid $my_fqdn \
dstid $laptop_1_name \
psk "Not-my-real-psk" \
ikev2 "laptop_2" passive esp \
from $my_vether to $laptop_2_vether \
from $my_network to $laptop_2_vether \
local egress peer any \
ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
srcid $my_fqdn \
dstid $laptop_2_name \
psk "Not-my-real-psk" \
ikev2 "device_1" passive esp \
from $my_vether to $device_1_vether \
from $my_network to $device_1_vether \
local egress peer any \
ikesa enc aes-128 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
srcid $my_fqdn \
dstid $device_1_name \
psk "Not-my-real-psk" \
ikev2 "device_2" passive esp \
from $my_vether to $device_2_vether \
from $my_network to $device_2_vether \
local egress peer any \
ikesa enc aes-128 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
srcid $my_fqdn \
dstid $device_2_name \
psk "Not-my-real-psk" \
...
```
The "laptops" here are Macs running MacOS and the "devices" are iPhones or
iPads. The
remote side of the configuration is built using a profile written by the Apple
Configurator
tool. It reverses the configuration in /etc/iked.conf so:
srcid -> dstid
etc. I have this working for all four clients. What I don't completely
understand is how
`iked` when the device or laptop asks to create the SA and start the tunnel.
E.g. I try to
start the tunnel on my laptop, "laptop_1" and `iked` does what I expect. In the
order above
the laptops work but the devices don't. To make all four of them work, I had to
re-order the
config as follows:
```
ikev2 laptop_1 ...
ikev2 device_1 ...
ikev2 device_2 ...
ikev2 laptop_2 ...
```
The need to re-order things is what I don't understand. I've read the man page
for iked.conf
to try and get a better understanding of the policy matching but I still don't
get it. I get that
the code making the policy decision is looking at the IP addresses on both
sides of the
connection, `local egress` and `peer <peer_setting>`. The example there assumes
that you have
fully static IP addresses on both sides. You'll notice that all four of my
peers are
`any`. Since the devices are all "road-warriors".
Note well that each device has a single custom `dstid`. Is that field used in
the negotiation?
1. I've probably asked this question before in the distant past. I ask again
because I'm
still not getting it.
2. I plan to change the laptop authentication from PSK to certificates. There
are other
site-to-site vpns on this machine and they currently use certs but they are
OpenBSD-to-OpenBSD.
3. As a side question, has anyone successfully integrated the OpenBSD iked PKI
into their
own corporate PKI?
Thanks for any help you can provide
--
Chris
__o "All I was trying to do was get home from work."
_`\<,_ -Rosa Parks
___(*)/_(*)____.___o____..___..o...________ooO..._____________________
Christopher Sean Hilton [chris/at/vindaloo/dot/com]
