Hello Nils,

Nils Decker <[email protected]> writes:

>>Synopsis:	iked fails to start with dstid type ASN1_DN
>>Category:	openiked
>>Environment:
> 	System      : OpenBSD 6.1
> 	Details     : OpenBSD 6.1 (GENERIC) #21: Thu Aug  3 14:52:26 CEST 2017
> 	                 [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
>
> 	Architecture: OpenBSD.amd64
> 	Machine     : amd64
>>Description:
> 	iked fails to start with a configuration having dstid set to an ASN1_DN
> 	(starting with "/")
>
> 	In case I am doing something wrong: I am trying to match the DN of the
> 	"road warrior" client so I can assign the same IP every time with
> 	"config address".
>
>>How-To-Repeat:
> 	iked.conf:
>
> 	ikev2 passive esp inet \
> 	    from any to any \
> 	    dstid "/C=DE/...value does not matter except first slash"
>
> 	# iked -dvv
> 	set_policy: unknown type = 9
> 	create_ike: set_policy failed
> 	/etc/iked.conf: 4: create_ike failed
> 	/etc/iked.conf: no valid configuration rules found
>
> 	man iked.conf
>
> 	srcid string
> 	dstid string
> 	    srcid defines an ID of type "FQDN", "ASN1_DN", "IPV4", "IPV6", or
> 	    "UFQDN" that will be used by iked(8) as the identity of the local
> 	    peer. [...] The ASN1_DN type will be used if the string starts
> 	    with a slash `/'
> 	    (/C=DE/../CN=10.0.0.1/[email protected]).
> 	    [...]
> 	    dstid is similar to srcid, but instead specifies the ID to be used
> 	    by the remote peer.

Does the patch in the thread at
https://marc.info/?l=openbsd-tech&m=149499756830666 resolve this for you?
Make sure you use the latest patch (the second message in the thread), as
the first did not preserve tabs.

My error was different, but it feels like a similar issue.

-TimS

-- 
Tim Stewart
-----------
Mail:   [email protected]
Matrix: @tim:stoo.org
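The iked.conf(5) excerpt quoted above explains how a srcid/dstid string is typed by its shape (leading slash means ASN1_DN). As an added illustration that is not part of this thread or of OpenBSD's iked source, the following Python classifier applies those rules in the order that matters, so a DN carrying an emailAddress component is not mistaken for a UFQDN; the function names, the RDN parser and the sample values are my own constructions, and the parser assumes DN attribute values contain no "/".

```python
from __future__ import annotations
import ipaddress

# Types named in iked.conf(5): ASN1_DN, IPV4, IPV6, UFQDN, FQDN.
# Helper names below are hypothetical, not iked's own identifiers.


def classify_id(value: str) -> str:
    """Return the ID type iked.conf(5) assigns to a srcid/dstid string."""
    # The slash check must come first: a DN may contain '@' inside an
    # emailAddress= component and must not be read as a UFQDN.
    if value.startswith("/"):
        return "ASN1_DN"
    try:
        addr = ipaddress.ip_address(value)
        return "IPV4" if addr.version == 4 else "IPV6"
    except ValueError:
        pass
    if "@" in value:
        return "UFQDN"
    return "FQDN"


def parse_dn(value: str) -> list[tuple[str, str]]:
    """Split '/C=DE/O=Example/CN=host' into (attribute, value) pairs.

    Assumes attribute values contain no '/'; a trailing slash is tolerated.
    """
    if not value.startswith("/"):
        raise ValueError("ASN1_DN must start with '/'")
    pairs: list[tuple[str, str]] = []
    for rdn in value[1:].split("/"):
        if not rdn:
            continue
        attr, sep, val = rdn.partition("=")
        if not sep or not attr:
            raise ValueError(f"malformed RDN {rdn!r}")
        pairs.append((attr, val))
    return pairs


if __name__ == "__main__":
    # Constructed sample identities, one per type from the manual page.
    samples = ("/C=DE/O=Example/CN=10.0.0.1/emailAddress=user@example.org",
               "gw.example.org", "user@example.org", "10.0.0.1", "2001:db8::1")
    for v in samples:
        print(f"{v!r:62} -> {classify_id(v)}")
```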
