On Thu, Apr 20, 2017 at 04:03:38PM -0400, Igor V. Gubenko wrote:
> Hello everyone,
>
> OpenIKED just doesn't seem to like me much.
>
> I managed to get it working around 5.8 but from upgrade to upgrade I
> encountered different issues.
>
> I have 3 tunnels using IKEv2. 2 are using a PSK, and 1 is using cert/RSA
> auth.
>
> They were working fine on 6.0. However the same configuration now fails
> with 6.1 - iked refuses to start.
>
> srcid "/C=US/ST=New Jersey/L=Livingston/O=some org/OU=some
> dept/CN=some_cn_fqdn" \
> dstid "/C=US/ST=New Jersey/L=Princeton/O=some org2/OU=some
> dept2/CN=some_cn_fqdn2"
>
> set_policy: unknown type = 9
Thanks for the good report!
It seems that using ASN1_DN IDs got broken with parse.y 1.62.
Does the attached diff fix your problem?
Reyk
Index: sbin/iked/parse.y
===================================================================
RCS file: /cvs/src/sbin/iked/parse.y,v
retrieving revision 1.64
diff -u -p -u -p -r1.64 parse.y
--- sbin/iked/parse.y 28 Mar 2017 16:56:39 -0000 1.64
+++ sbin/iked/parse.y 20 Apr 2017 21:40:14 -0000
@@ -1807,7 +1807,7 @@ set_policy(char *idstr, int type, struct
{
char keyfile[PATH_MAX];
const char *prefix = NULL;
- EVP_PKEY *key;
+ EVP_PKEY *key = NULL;
switch (type) {
case IKEV2_ID_IPV4:
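Review bot: `key = NULL` is what makes the `goto done` added later in this diff safe, since `EVP_PKEY_free(NULL)` is a no-op on the error path, but `keyfile` in the same declaration block still has no initializer and is also never written on that path. Consider `char keyfile[PATH_MAX] = "";` (or `keyfile[0] = '\0';` before the switch) so nothing that reaches the label sees indeterminate bytes.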
@@ -1822,6 +1822,9 @@ set_policy(char *idstr, int type, struct
case IKEV2_ID_UFQDN:
prefix = "ufqdn";
break;
+ case IKEV2_ID_ASN1_DN:
+ /* public key authentication is not supported with ASN.1 IDs */
+ goto done;
default:
/* Unspecified ID or public key not supported for this type */
log_debug("%s: unknown type = %d", __func__, type);
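Review bot: the `goto done` stands in for `break` here, so the ASN.1 DN case deliberately skips the prefix/keyfile lookup after the switch instead of falling into `default:` and failing with "unknown type = 9" as the reporter saw. The comment could say so explicitly, e.g. "no pubkey file lookup for ASN.1 DN IDs; certificate auth is still set via the policy auth method", because "public key authentication is not supported with ASN.1 IDs" on its own reads as if the reporter's cert/RSA tunnel cannot use RSA at all.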
@@ -1841,6 +1844,7 @@ set_policy(char *idstr, int type, struct
keyfile);
}
+ done:
if (set_policy_auth_method(keyfile, key, pol) < 0) {
EVP_PKEY_free(key);
log_warnx("%s: failed to set policy auth method for %s",
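Review bot: when `done:` is reached from the new ASN.1 DN case, `set_policy_auth_method()` is called with `key == NULL` and an unwritten `keyfile`; if that function or the `log_warnx()` below reads `keyfile` whenever `key` is NULL, the message will print garbage. Either confirm that `set_policy_auth_method()` ignores `keyfile` when `key` is NULL, or initialize `keyfile` before the switch so the warning stays meaningful.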