A sample configuration:

ikev2 "win10host" passive esp \
	from 0.0.0.0/0 to 10.1.1.51 \
	local any peer any \
	ikesa auth hmac-sha2-384 enc aes-256 prf hmac-sha2-384 group modp2048 \
	childsa enc aes-256-gcm group modp2048 \
	srcid "/C=US/ST=New York/L=NYC/O=Stoo Labs/OU=iked/CN=foo.stoo.org" \
	dstid "/C=US/ST=New York/L=NYC/O=Stoo Labs/OU=iked/CN=bar.stoo.org" \
	rsa \
	config address 10.1.1.51 \
	config name-server 10.1.1.5 \
	config name-server 10.1.1.6 \
	tag "$name-$id"
The above configuration worked fine with iked in OpenBSD 6.0. It broke as of 6.1 with the following error:

set_policy_auth_method: ikeauth policy mismatch, rsa specified, but only rfc7427 possible
set_policy: failed to set policy auth method for
/etc/iked.conf: 17: create_ike failed
/etc/iked.conf: no valid configuration rules found

I use a CA certificate and signed host certificates generated using a process like the EXAMPLES section in ikectl(8). I'm a bit surprised that I could not find anyone else who has seen this problem, so maybe I'm doing something strange without realizing it. The following patch restores the old functionality, though I include it mainly for demonstration purposes. I'm happy to improve it and resubmit, depending on feedback.

-TimS

Index: parse.y =================================================================== RCS file: /cvs/src/sbin/iked/parse.y,v retrieving revision 1.65 diff -u -p -r1.65 parse.y --- parse.y 24 Apr 2017 07:07:25 -0000 1.65 +++ parse.y 17 May 2017 04:58:34 -0000 @@ -1735,6 +1735,8 @@ set_policy_auth_method(const char *peeri method = IKEV2_AUTH_NONE; cert_type = IKEV2_CERT_NONE; + ikeauth = &pol->pol_auth; + if (key != NULL) { /* infer policy from key type */ if ((rsa = EVP_PKEY_get1_RSA(key)) != NULL) { @@ -1767,14 +1769,16 @@ set_policy_auth_method(const char *peeri if (method == IKEV2_AUTH_NONE || cert_type == IKEV2_CERT_NONE) return (-1); + } else if (ikeauth->auth_method == IKEV2_AUTH_RSA_SIG) { + /* default to IKEV2_CERT_X509_CERT otherwise */ + method = IKEV2_AUTH_RSA_SIG; + cert_type = IKEV2_CERT_X509_CERT; } else { /* default to IKEV2_CERT_X509_CERT otherwise */ method = IKEV2_AUTH_SIG; cert_type = IKEV2_CERT_X509_CERT; } - ikeauth = &pol->pol_auth; - if (ikeauth->auth_method == IKEV2_AUTH_SHARED_KEY_MIC) { if (key != NULL && method != IKEV2_AUTH_RSA_SIG) 
@@ -1784,6 +1788,7 @@ set_policy_auth_method(const char *peeri if (ikeauth->auth_method != IKEV2_AUTH_NONE && ikeauth->auth_method != IKEV2_AUTH_SIG_ANY && + ikeauth->auth_method != IKEV2_AUTH_RSA_SIG && ikeauth->auth_method != method) goto mismatch;
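Review bot: in the second hunk, the comment on the new `else if (ikeauth->auth_method == IKEV2_AUTH_RSA_SIG)` branch, `/* default to IKEV2_CERT_X509_CERT otherwise */`, is copied from the following `else` and no longer describes the branch: it honours an explicitly configured `rsa` keyword rather than applying a default, so reword it, e.g. `/* 'rsa' configured: legacy RSA signature auth with an X.509 cert */`. Since this branch is only reached when no key was supplied (the `if (key != NULL)` path above either returns -1 or proceeds with the method inferred from the key), it deliberately selects IKEV2_AUTH_RSA_SIG instead of the RFC 7427 IKEV2_AUTH_SIG default for the CA-signed certificate case, which is exactly what the `rsa specified, but only rfc7427 possible` error was rejecting; that intent belongs in the commit message and in the documentation of the `rsa` keyword so the choice between the two signature methods is visible to anyone auditing the policy.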
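Review bot: the added `ikeauth->auth_method != IKEV2_AUTH_RSA_SIG &&` clause in the third hunk exempts every `rsa` policy from the mismatch check, which is broader than the fix needs. With the second hunk applied, a policy that says `rsa` and supplies no key already gets `method = IKEV2_AUTH_RSA_SIG`, so `ikeauth->auth_method != method` is false and the check passes without any exemption. The new clause therefore only changes behaviour when a key was supplied and the type inference at the top of the function chose a method other than IKEV2_AUTH_RSA_SIG, and in that case the configured `rsa` would now be accepted silently instead of reaching `mismatch`. Drop the clause so that a genuine disagreement between the configured method and the key still fails at config load; if it is kept for some key-file case, narrow it to that specific combination of configured and inferred method rather than exempting IKEV2_AUTH_RSA_SIG outright.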