Hi,
Thanks for replying. Answer below.
On 2023-04-07 16:45, Thomas Bohl wrote:
Hello,
ikev2 "vpn" passive esp \
from dynamic to 185.21.22.23/32 \
local egress peer any \
ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
srcid 185.21.22.23 \
dstid p7.local \
config address 172.24.24.0/24 \
config name-server 172.24.24.1 \
Any ideas / working config for a dynamic client hosting an iked on a VPS?
When using certificates I always use ASN1_DN for srcid and dstid. It should look something like this:
srcid "/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=185.21.22.23/emailAddress=r...@openbsd.org" \
dstid "/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=p7.local/emailAddress=r...@openbsd.org" \
(I have never used "ikectl ca", so I'm not sure what the files are called. But with something like this you should be able to get the srcid/dstid lines:
openssl x509 -subject -noout -in 185.21.22.23.crt
openssl x509 -subject -noout -in p7.local.crt)
----
Hi,
I could successfully get the name from the certificate, as suggested:
myhost# openssl x509 -subject -noout -in /etc/iked/certs/185.21.22.23.crt
subject= /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=185.21.22.23/emailAddress=r...@openbsd.org
myhost#
----
... and updated /etc/iked.conf accordingly:
ikev2 "vpn" passive esp \
from dynamic to 185.21.22.23/32 \
local egress peer any \
ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
srcid "/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=185.21.22.23/emailAddress=r...@openbsd.org" \
dstid "/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=p7.local/emailAddress=r...@openbsd.org" \
config address 172.24.24.0/24 \
config name-server 172.24.24.1 \
----
myhost# iked -d -v
ikev2 "vpn" passive tunnel esp inet from 0.0.0.0 to 185.21.22.23/32 local 185.21.22.23 peer any ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth hmac-sha2-256 group modp2048 esn noesn srcid /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=185.21.22.23/emailAddress=r...@openbsd.org dstid /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=p7.local/emailAddress=r...@openbsd.org lifetime 10800 bytes 4294967296 signature config address 172.24.24.0 config name-server 172.24.24.1
spi=0x5e92324a01d56a7b: recv IKE_SA_INIT req 0 peer 189.11.12.13:8389 local 185.21.22.23:500, 604 bytes, policy 'vpn'
spi=0x5e92324a01d56a7b: send IKE_SA_INIT res 0 peer 189.11.12.13:8389 local 185.21.22.23:500, 473 bytes
spi=0x5e92324a01d56a7b: recv IKE_AUTH req 1 peer 189.11.12.13:8390 local 185.21.22.23:4500, 496 bytes, policy 'vpn'
spi=0x5e92324a01d56a7b: ikev2_ike_auth_recv: no compatible policy found
spi=0x5e92324a01d56a7b: ikev2_send_auth_failed: authentication failed for
spi=0x5e92324a01d56a7b: send IKE_AUTH res 1 peer 189.11.12.13:8390 local 185.21.22.23:4500, 80 bytes, NAT-T
spi=0x5e92324a01d56a7b: sa_free: authentication failed
spi=0xa5460ef7687cbbc8: recv IKE_SA_INIT req 0 peer 189.11.12.13:8389 local 185.21.22.23:500, 604 bytes, policy 'vpn'
spi=0xa5460ef7687cbbc8: send IKE_SA_INIT res 0 peer 189.11.12.13:8389 local 185.21.22.23:500, 473 bytes
spi=0xa5460ef7687cbbc8: recv IKE_AUTH req 1 peer 189.11.12.13:8390 local 185.21.22.23:4500, 496 bytes, policy 'vpn'
spi=0xa5460ef7687cbbc8: ikev2_ike_auth_recv: no compatible policy found
spi=0xa5460ef7687cbbc8: ikev2_send_auth_failed: authentication failed for
spi=0xa5460ef7687cbbc8: send IKE_AUTH res 1 peer 189.11.12.13:8390 local 185.21.22.23:4500, 80 bytes, NAT-T
spi=0xa5460ef7687cbbc8: sa_free: authentication failed
^Cikev2 exiting, pid 73990
control exiting, pid 75201
ca exiting, pid 38355
parent terminating
myhost#
----
If anyone has a working setup for an iPhone via 4G (dynamic) connecting to a VPS (fixed IP), it would be much appreciated.
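The debug output above shows the useful diagnostic shape of an iked(8) failure: IKE_SA_INIT completes and matches policy 'vpn', and only the IKE_AUTH exchange is rejected with "no compatible policy found", which is the point where the peer's identity and authentication are matched against srcid/dstid. Each retry by the client shows up as a new SPI. The following script, an added example written for this thread and not part of iked or of any mail in it, groups such debug output by SPI and counts rejected IKE_AUTH attempts per peer and reason, so repeated rejections from one address (a misconfigured client, or a peer that should not be there at all) stand out. SAMPLE_LOG is constructed from the debug lines pasted above; the parser relies only on the `spi=...:` prefix and the `recv <EXCHANGE> req N peer A:P local B:Q, N bytes[, policy 'X']` shape of those lines.

```python
"""Group 'iked -d -v' output by IKE SA and count rejected IKE_AUTH exchanges.

Added example for this thread; not iked's own code. SAMPLE_LOG is constructed
from the debug output quoted in the thread (wrapped lines rejoined).
"""
import re
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SAMPLE_LOG = """\
spi=0x5e92324a01d56a7b: recv IKE_SA_INIT req 0 peer 189.11.12.13:8389 local 185.21.22.23:500, 604 bytes, policy 'vpn'
spi=0x5e92324a01d56a7b: send IKE_SA_INIT res 0 peer 189.11.12.13:8389 local 185.21.22.23:500, 473 bytes
spi=0x5e92324a01d56a7b: recv IKE_AUTH req 1 peer 189.11.12.13:8390 local 185.21.22.23:4500, 496 bytes, policy 'vpn'
spi=0x5e92324a01d56a7b: ikev2_ike_auth_recv: no compatible policy found
spi=0x5e92324a01d56a7b: ikev2_send_auth_failed: authentication failed for
spi=0x5e92324a01d56a7b: send IKE_AUTH res 1 peer 189.11.12.13:8390 local 185.21.22.23:4500, 80 bytes, NAT-T
spi=0x5e92324a01d56a7b: sa_free: authentication failed
spi=0xa5460ef7687cbbc8: recv IKE_SA_INIT req 0 peer 189.11.12.13:8389 local 185.21.22.23:500, 604 bytes, policy 'vpn'
spi=0xa5460ef7687cbbc8: send IKE_SA_INIT res 0 peer 189.11.12.13:8389 local 185.21.22.23:500, 473 bytes
spi=0xa5460ef7687cbbc8: recv IKE_AUTH req 1 peer 189.11.12.13:8390 local 185.21.22.23:4500, 496 bytes, policy 'vpn'
spi=0xa5460ef7687cbbc8: ikev2_ike_auth_recv: no compatible policy found
spi=0xa5460ef7687cbbc8: ikev2_send_auth_failed: authentication failed for
spi=0xa5460ef7687cbbc8: send IKE_AUTH res 1 peer 189.11.12.13:8390 local 185.21.22.23:4500, 80 bytes, NAT-T
spi=0xa5460ef7687cbbc8: sa_free: authentication failed
^Cikev2 exiting, pid 73990
control exiting, pid 75201
"""

# Every per-SA debug line starts with the initiator SPI.
LINE_RE = re.compile(r"^spi=(0x[0-9a-f]+): (.*)$")
# Received requests carry exchange type, peer address:port and the matched policy.
RECV_RE = re.compile(
    r"^recv (\w+) req \d+ peer (\S+) local \S+, \d+ bytes(?:, policy '([^']*)')?"
)


@dataclass
class SaRecord:
    """What the log tells us about one IKE SA, keyed by its SPI."""
    spi: str
    peer: Optional[str] = None      # peer address without port (NAT-T moves the port)
    policy: Optional[str] = None    # policy matched at IKE_SA_INIT
    reached_auth: bool = False      # did the peer get as far as sending IKE_AUTH?
    failure: Optional[str] = None   # reason iked gave for rejecting the SA


def parse_iked_log(text: str) -> "OrderedDict[str, SaRecord]":
    sas: "OrderedDict[str, SaRecord]" = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # process start/exit lines carry no SPI
        spi, msg = m.groups()
        rec = sas.setdefault(spi, SaRecord(spi))
        r = RECV_RE.match(msg)
        if r:
            exchange, peer, policy = r.groups()
            if rec.peer is None:
                rec.peer = peer.rsplit(":", 1)[0]
            if policy:
                rec.policy = policy
            if exchange == "IKE_AUTH":
                rec.reached_auth = True
        elif msg.startswith("ikev2_ike_auth_recv: "):
            # The specific reason, e.g. 'no compatible policy found'.
            rec.failure = msg.split(": ", 1)[1]
        elif msg.startswith("sa_free: authentication failed"):
            # Generic rejection if no more specific reason was logged.
            rec.failure = rec.failure or "authentication failed"
    return sas


def auth_failures_by_peer(sas) -> Dict[Tuple[str, str], int]:
    """Count rejected IKE_AUTH attempts per (peer address, reason)."""
    counts: Dict[Tuple[str, str], int] = {}
    for rec in sas.values():
        if rec.reached_auth and rec.failure:
            key = (rec.peer or "?", rec.failure)
            counts[key] = counts.get(key, 0) + 1
    return counts


def report(text: str) -> str:
    """One line per (peer, reason) pair, suitable for a quick look or alerting."""
    lines = []
    for (peer, reason), n in auth_failures_by_peer(parse_iked_log(text)).items():
        lines.append(f"{peer}: {n} IKE_AUTH rejection(s), reason: {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample above this reports two rejections from 189.11.12.13 with reason "no compatible policy found", i.e. the same client retrying after each failure. Because the peer port changes between IKE_SA_INIT (500) and IKE_AUTH (4500, NAT-T) the port is stripped before counting, otherwise the same phone would be counted as several peers.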