Re: iked ikev2 x509 authentication problem - no valid local certificate found

Thu, 01 Oct 2015 12:40:27 -0700 

http://marc.info/?l=openbsd-tech&m=144362542514318&w=2
<http://marc.info/?l=openbsd-tech&m=144362542514318&w=2>

> On 1 okt. 2015, at 21:25, Rob <lists-openbsd....@somerandom.net> wrote:
>
> Hi,
>
> I’m a little stuck getting two different clients connected to my OpenBSD
> 5.7 (i386) VPN ikev2 server.  I suspect the clients are at fault as I can
> get past the error when connecting one OpenBSDs iked to another iked.
>
> FWIW the clients are both Apple, one IOS 9.1 device and one OSX 10.11.1
> laptop, so I’m a little stuck with the VPN client I can use.
>
> I have the following configuration:
>
> ikev2 "road_warrior" passive esp \
>    from 192.168.20.0/24 to 192.168.40.0/24 \
>    local 192.168.20.4 peer any \
>    ikesa enc aes-128 prf hmac-sha2-256 \
>    auth hmac-sha2-256 group modp2048 \
>    childsa enc aes-128 auth hmac-sha2-256 \
>    srcid "local.example.net \
>    dstid "peer.example.net" \
>    config address 192.168.40.10/29 \
>    config netmask 255.255.255.0 \
>    config name-server 192.168.20.53 \
>    config protected-subnet 192.168.40.0/24
>
> (IPs and names have been changed to protect the innocent)
>
> I have keys installed as follows:
>
> /etc/iked/ca/example.net.crt
> /etc/iked/certs/local.example.net.crt
> /etc/iked/private/local.key
> /etc/iked/pubkeys/fqdn/peer.example.net
> /etc/iked/local.pub
>
>
> I believe the client isn’t sending the certificate request, but I
> could be completely wrong, the error appears to be:
>
> ikev2_sa_negotiate: score 4
> sa_stateflags: 0x18 -> 0x18 authvalid,sa (required 0x1f
cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
> sa_state: cannot switch: AUTH_SUCCESS -> VALID
> config_free_proposals: free 0x77286c80
> ca_getreq: no valid local certificate found
>
> The client is sending peer.example.net.crt to the server, which gets
> validated correctly:
>
> ca_validate_cert: /C=UK/L=London/O=Example Net/CN=peer.example.net ok
> ikev2_dispatch_cert: peer certificate is valid
> sa_stateflags: 0x1c -> 0x1e certvalid,auth,authvalid,sa (required 0x1f
cert,certvalid,auth,authvalid,sa)
>
> I’ve been at this for a number of days and am completely stuck, so if
> anyone has any ideas/advice/clue-sticks I’d be very grateful.  If you
> need any further log information please let me know.
>
>
> thanks
>
> Rob

Reply via email to