Thank you, the patch appears to work. I haven't fully tested connecting/establishing connections, so I'll send another update.
Prior to the patch, iked also complained about lack of public keys for PSK connections 1 and 2 (in /etc/iked/pubkeys/fqdn/) It doesn't mind them being absent anymore though. - Igor On 4/20/17 5:44 PM, Reyk Floeter wrote: > --- sbin/iked/parse.y 28 Mar 2017 16:56:39 -0000 1.64 > +++ sbin/iked/parse.y 20 Apr 2017 21:40:14 -0000 > @@ -1807,7 +1807,7 @@ set_policy(char *idstr, int type, struct > { > char keyfile[PATH_MAX]; > const char *prefix = NULL; > - EVP_PKEY *key; > + EVP_PKEY *key = NULL; > > switch (type) { > case IKEV2_ID_IPV4: > @@ -1822,6 +1822,9 @@ set_policy(char *idstr, int type, struct > case IKEV2_ID_UFQDN: > prefix = "ufqdn"; > break; > + case IKEV2_ID_ASN1_DN: > + /* public key authentication is not supported with ASN.1 IDs */ > + goto done; > default: > /* Unspecified ID or public key not supported for this type */ > log_debug("%s: unknown type = %d", __func__, type); > @@ -1841,6 +1844,7 @@ set_policy(char *idstr, int type, struct > keyfile); > } > > + done: > if (set_policy_auth_method(keyfile, key, pol) < 0) { > EVP_PKEY_free(key); > log_warnx("%s: failed to set policy auth method for %s",