Hi all,

 I am using Easy-RSA to manage my home's CA (using elliptic curve 
certificates). I have created a certificate for my OpenBSD gw for IKEv2 
connections (using strongswan mainly). My question is where do I need to put 
OpenBSD certs under /etc/iked?

 I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and 
myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv" returns me 
the following error:

ikev2_msg_auth: initiator auth data length 960
ikev2_msg_authverify: method SIG keylen 962 type X509_CERT
_dsa_verify_init: signature scheme 4 selected
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b 
cert,certvalid,auth,authvalid,sa)
ikev2_sa_negotiate: score 0
ikev2_sa_negotiate: score 10
ikev2_sa_negotiate: score 0
ikev2_sa_negotiate: score 4
sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b 
cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0030, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
config_free_proposals: free 0xb9bb7e8a80
config_free_proposals: free 0xb9bb7e8700
config_free_proposals: free 0xb965e22400
config_free_proposals: free 0xba238e1e80
ca_getreq: found CA /C=ES/ST=Barcelona..............................
ca_getreq: no valid local certificate found
ca_setauth: auth length 256
ca_validate_pubkey: unsupported public key type ASN1_DN
ca_validate_cert: /C=ES/........................... ok

 Do I need to install user certificates also on the OpenBSD gw?

Thanks
-- 
Greetings,
C. L. Martinez
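A pre-flight check of the host certificate and key before starting iked, added here as an example that is not part of the original post. It assumes the directory layout documented in iked(8) (host X.509 certificate under /etc/iked/certs/, key under /etc/iked/private/, issuing CA under /etc/iked/ca/, with /etc/iked/pubkeys/ reserved for raw public keys rather than certificates) and builds a constructed throwaway EC CA so it can run anywhere:

```shell
#!/bin/sh
# Added example, not from the original post. Assumed layout (iked(8)): the
# host's X.509 certificate goes in /etc/iked/certs/, its key in
# /etc/iked/private/, the issuing CA in /etc/iked/ca/; /etc/iked/pubkeys/
# holds raw public keys, not certificates. Paths are passed as arguments.

# check_iked_cert CERT KEY CA: prints "ok" and returns 0 when CERT chains to
# CA and its public key matches KEY; otherwise prints the reason, returns 1.
check_iked_cert() {
  cert=$1 key=$2 ca=$3
  # The certificate must validate against the CA that iked will trust.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "does not chain to CA"; return 1
  fi
  # The public key embedded in the cert must match the private key on disk.
  certpub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
  keypub=$(openssl pkey -in "$key" -pubout) || return 1
  if [ "$certpub" != "$keypub" ]; then
    echo "certificate does not match private key"; return 1
  fi
  echo ok
}

# make_test_pki DIR: constructed throwaway EC CA, one host cert signed by it,
# and an unrelated key, so the check can be exercised without a real CA.
make_test_pki() {
  dir=$1; mkdir -p "$dir"
  openssl ecparam -genkey -name prime256v1 -noout -out "$dir/ca.key"
  openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=Home CA" -days 1 \
    -out "$dir/ca.crt"
  openssl ecparam -genkey -name prime256v1 -noout -out "$dir/host.key"
  openssl req -new -key "$dir/host.key" -subj "/CN=gw.example.home" \
    -out "$dir/host.csr"
  openssl x509 -req -in "$dir/host.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -days 1 -out "$dir/host.crt"
  openssl ecparam -genkey -name prime256v1 -noout -out "$dir/other.key"
} >/dev/null 2>&1
```

On the gateway itself the call would be `check_iked_cert /etc/iked/certs/myhost.crt /etc/iked/private/local.key /etc/iked/ca/ca.crt`; a mismatch or chain failure here is what to rule out before reading iked's "no valid local certificate found".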
