http://marc.info/?l=openbsd-tech&m=144362542514318&w=2
> On 1 Oct. 2015, at 21:25, Rob <lists-openbsd....@somerandom.net> wrote:
>
> Hi,
>
> I'm a little stuck getting two different clients connected to my OpenBSD
> 5.7 (i386) VPN ikev2 server. I suspect the clients are at fault as I can
> get past the error when connecting one OpenBSD's iked to another iked.
>
> FWIW the clients are both Apple, one IOS 9.1 device and one OSX 10.11.1
> laptop, so I'm a little stuck with the VPN client I can use.
>
> I have the following configuration:
>
> ikev2 "road_warrior" passive esp \
>         from 192.168.20.0/24 to 192.168.40.0/24 \
>         local 192.168.20.4 peer any \
>         ikesa enc aes-128 prf hmac-sha2-256 \
>                 auth hmac-sha2-256 group modp2048 \
>         childsa enc aes-128 auth hmac-sha2-256 \
>         srcid "local.example.net" \
>         dstid "peer.example.net" \
>         config address 192.168.40.10/29 \
>         config netmask 255.255.255.0 \
>         config name-server 192.168.20.53 \
>         config protected-subnet 192.168.40.0/24
>
> (IPs and names have been changed to protect the innocent)
>
> I have keys installed as follows:
>
> /etc/iked/ca/example.net.crt
> /etc/iked/certs/local.example.net.crt
> /etc/iked/private/local.key
> /etc/iked/pubkeys/fqdn/peer.example.net
> /etc/iked/local.pub
>
>
> I believe the client isn't sending the certificate request, but I
> could be completely wrong, the error appears to be:
>
> ikev2_sa_negotiate: score 4
> sa_stateflags: 0x18 -> 0x18 authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
> sa_state: cannot switch: AUTH_SUCCESS -> VALID
> config_free_proposals: free 0x77286c80
> ca_getreq: no valid local certificate found
>
> The client is sending peer.example.net.crt to the server, which gets
> validated correctly:
>
> ca_validate_cert: /C=UK/L=London/O=Example Net/CN=peer.example.net ok
> ikev2_dispatch_cert: peer certificate is valid
> sa_stateflags: 0x1c -> 0x1e certvalid,auth,authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
>
> I've been at this for a number of days and am completely stuck, so if
> anyone has any ideas/advice/clue-sticks I'd be very grateful. If you
> need any further log information please let me know.
>
>
> thanks
>
> Rob
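As an added example (not part of Rob's message and not iked's own code), here is a small Python script that parses the `sa_stateflags` lines from an `iked -dv` log excerpt like the one quoted above and reports which of the required flags are still missing at each transition. The bit values for `cert`, `certvalid`, `auth`, `authvalid` and `sa` are inferred from the three flag words that appear in the quoted log (0x18, 0x1e and 0x1f), not taken from iked's headers, so treat that mapping as an assumption; the sample log embedded in the script is built from the lines in the message.

```python
import re

# Bit values for the iked SA state flags. ASSUMPTION: inferred from the log
# lines quoted in the thread (0x18 = authvalid,sa; 0x1e = certvalid,auth,
# authvalid,sa; 0x1f = all five), not copied from iked's source.
SA_FLAGS = {
    "cert": 0x01,
    "certvalid": 0x02,
    "auth": 0x04,
    "authvalid": 0x08,
    "sa": 0x10,
}

# Matches e.g. "sa_stateflags: 0x18 -> 0x18 authvalid,sa (required 0x1f ...)"
STATEFLAGS_RE = re.compile(
    r"sa_stateflags:\s+0x([0-9a-fA-F]+)\s+->\s+0x([0-9a-fA-F]+)"
    r"\s+(?:[\w,]+\s+)?\(required\s+0x([0-9a-fA-F]+)"
)

# Constructed sample: the two sa_stateflags lines from the quoted log.
SAMPLE_LOG = """\
ikev2_sa_negotiate: score 4
sa_stateflags: 0x18 -> 0x18 authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ca_getreq: no valid local certificate found
ca_validate_cert: /C=UK/L=London/O=Example Net/CN=peer.example.net ok
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x1c -> 0x1e certvalid,auth,authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
"""


def decode_flags(value):
    """Names of the flags set in a state-flag word, in bit order."""
    return [name for name, bit in SA_FLAGS.items() if value & bit]


def missing_flags(have, required):
    """Flags that are required but not yet set, i.e. what still blocks VALID."""
    return [name for name, bit in SA_FLAGS.items()
            if (required & bit) and not (have & bit)]


def parse_stateflags_line(line):
    """Parse one sa_stateflags line; return None for any other log line."""
    m = STATEFLAGS_RE.search(line)
    if not m:
        return None
    old, new, required = (int(x, 16) for x in m.groups())
    return {
        "old": old,
        "new": new,
        "required": required,
        "have": decode_flags(new),
        "missing": missing_flags(new, required),
    }


def diagnose(log):
    """Walk a log excerpt and collect every sa_stateflags transition."""
    results = []
    for line in log.splitlines():
        parsed = parse_stateflags_line(line)
        if parsed is not None:
            results.append(parsed)
    return results


if __name__ == "__main__":
    for r in diagnose(SAMPLE_LOG):
        print("0x%02x -> 0x%02x  have=%s  missing=%s"
              % (r["old"], r["new"], ",".join(r["have"]), ",".join(r["missing"])))
```

Run against the quoted excerpt, the first transition still lacks `cert`, `certvalid` and `auth`; after the peer certificate is validated only `cert` is missing, and the one other error line in the log is `ca_getreq: no valid local certificate found`, which points at the server's own certificate selection rather than at the client.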