On Thu, Apr 20, 2017 at 04:03:38PM -0400, Igor V. Gubenko wrote:
> Hello everyone,
>
> OpenIKED just doesn't seem to like me much.
>
> I managed to get it working around 5.8 but from upgrade to upgrade I
> encountered different issues.
>
> I have 3 tunnels using IKEv2. 2 are using a PSK, and 1 is using cert/RSA
> auth.
>
> They were working fine on 6.0. However the same configuration now fails
> with 6.1 - iked refuses to start.
>
> srcid "/C=US/ST=New Jersey/L=Livingston/O=some org/OU=some > dept/CN=some_cn_fqdn" \ > dstid "/C=US/ST=New Jersey/L=Princeton/O=some org2/OU=some > dept2/CN=some_cn_fqdn2" > > set_policy: unknown type = 9 Thanks for the good report! It seems that using ASN1_DN IDs got broken with parse.y 1.62. Does the attached diff fix your problem? Reyk Index: sbin/iked/parse.y =================================================================== RCS file: /cvs/src/sbin/iked/parse.y,v retrieving revision 1.64 diff -u -p -u -p -r1.64 parse.y --- sbin/iked/parse.y 28 Mar 2017 16:56:39 -0000 1.64 +++ sbin/iked/parse.y 20 Apr 2017 21:40:14 -0000 @@ -1807,7 +1807,7 @@ set_policy(char *idstr, int type, struct { char keyfile[PATH_MAX]; const char *prefix = NULL; - EVP_PKEY *key; + EVP_PKEY *key = NULL; switch (type) { case IKEV2_ID_IPV4: @@ -1822,6 +1822,9 @@ set_policy(char *idstr, int type, struct case IKEV2_ID_UFQDN: prefix = "ufqdn"; break; + case IKEV2_ID_ASN1_DN: + /* public key authentication is not supported with ASN.1 IDs */ + goto done; default: /* Unspecified ID or public key not supported for this type */ log_debug("%s: unknown type = %d", __func__, type); @@ -1841,6 +1844,7 @@ set_policy(char *idstr, int type, struct keyfile); } + done: if (set_policy_auth_method(keyfile, key, pol) < 0) { EVP_PKEY_free(key); log_warnx("%s: failed to set policy auth method for %s",
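Review bot: the new `case IKEV2_ID_ASN1_DN:` comment ("public key authentication is not supported with ASN.1 IDs") reads as if the reporter's cert/RSA tunnel, whose srcid/dstid are ASN.1 DNs, will stay unauthenticated, when what the branch actually skips is only the lookup of a raw public key file under a type prefix (ipv4/fqdn/ufqdn) before falling through to `set_policy_auth_method()` with `key == NULL`. Suggest wording it as "no pubkey file lookup for ASN.1 DN IDs; certificate-based auth is handled in set_policy_auth_method()" (or similar) so the next reader does not take the comment as a statement that RSA auth with DN IDs is unsupported.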
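Review bot: on the new `goto done` path `keyfile[PATH_MAX]` is never written, yet after the `done:` label it is still passed to `set_policy_auth_method(keyfile, key, pol)` and, on failure, presumably formatted into the `log_warnx("%s: failed to set policy auth method for %s", ...)` message, so the callee and the log line see an uninitialized buffer. Initializing it next to the `key = NULL` change, e.g. `keyfile[0] = '\0';` right after the declarations, or having the callee ignore `keyfile` whenever `key == NULL`, closes that gap; the `EVP_PKEY *key = NULL;` part is sound since `EVP_PKEY_free(NULL)` is a no-op.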