>Synopsis: iked fails to start with dstid type ASN1_DN
>Category: openiked
>Environment:
System: OpenBSD 6.1
Details: OpenBSD 6.1 (GENERIC) #21: Thu Aug 3 14:52:26 CEST 2017
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
Architecture: OpenBSD.amd64
Machine: amd64
>Description:
iked fails to start with a configuration having dstid set to an ASN1_DN
(starting with "/").

In case I am doing something wrong: I am trying to match the DN of the
"road warrior" client so I can assign the same IP every time with
"config address".
>How-To-Repeat:
iked.conf:

ikev2 passive esp inet \
    from any to any \
    dstid "/C=DE/...value does not matter except first slash"

# iked -dvv
set_policy: unknown type = 9
create_ike: set_policy failed
/etc/iked.conf: 4: create_ike failed
/etc/iked.conf: no valid configuration rules found
man iked.conf

srcid string
dstid string
srcid defines an ID of type "FQDN", "ASN1_DN", "IPV4", "IPV6", or
"UFQDN" that will be used by iked(8) as the identity of the local
peer. [...] The ASN1_DN type will be used if the string starts
with a slash `/'
(/C=DE/../CN=10.0.0.1/[email protected]).
[...]
dstid is similar to srcid, but instead specifies the ID to be used
by the remote peer.
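As an added illustration (not part of the report and not iked's own parser), a small C classifier that applies the iked.conf(5) ID-string rules and maps the result to the numeric IKEv2 ID type from RFC 7296: the "unknown type = 9" in the error output is ID_DER_ASN1_DN, the code for exactly the ASN1_DN type the man page says a leading slash selects. The email/IP/FQDN rules come from the parts of iked.conf(5) the report elides with [...]; the enum names, the function names and the sample IDs are constructed for this example.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* IKEv2 Identification payload ID types (RFC 7296, section 3.5). */
enum ikev2_id_type {
    IKEV2_ID_NONE    = 0,
    IKEV2_ID_IPV4    = 1,  /* ID_IPV4_ADDR */
    IKEV2_ID_FQDN    = 2,  /* ID_FQDN */
    IKEV2_ID_UFQDN   = 3,  /* ID_RFC822_ADDR */
    IKEV2_ID_IPV6    = 5,  /* ID_IPV6_ADDR */
    IKEV2_ID_ASN1_DN = 9   /* ID_DER_ASN1_DN: the "unknown type = 9" in the report */
};

/*
 * Classify a srcid/dstid string with the iked.conf(5) rules: a leading '/'
 * selects ASN1_DN, an IPv4 or compressed IPv6 literal selects IPV4/IPV6,
 * an '@' selects UFQDN and anything else is an FQDN.
 * Helper written for this example; it is not iked's own parser.
 */
enum ikev2_id_type classify_id(const char *id)
{
    unsigned char addr[16];  /* scratch buffer, large enough for IPv6 */

    if (id == NULL || *id == '\0')
        return IKEV2_ID_NONE;
    if (id[0] == '/')
        return IKEV2_ID_ASN1_DN;
    if (inet_pton(AF_INET, id, addr) == 1)
        return IKEV2_ID_IPV4;
    if (inet_pton(AF_INET6, id, addr) == 1)
        return IKEV2_ID_IPV6;
    if (strchr(id, '@') != NULL)
        return IKEV2_ID_UFQDN;
    return IKEV2_ID_FQDN;
}

int main(void)
{
    /* Constructed sample IDs; the first is shaped like the report's dstid. */
    const char *samples[] = { "/C=DE/O=Example/CN=roadwarrior", "10.0.0.1",
                              "2001:db8::1", "user@example.org", "gw.example.org" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> IKEv2 ID type %d\n", samples[i], (int)classify_id(samples[i]));
    return 0;
}
```

Running the classifier over a candidate dstid before reloading iked shows which IKEv2 type the daemon will be asked to match, so a DN string can be recognised as type 9 without waiting for the set_policy error.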