Hi all, I am using Easy-RSA to manage my home's CA (using elliptic curve certificates). I have created a certificate for my OpenBSD gw for IKEv2 connections (using strongswan mainly). My question is where do I need to put OpenBSD certs under /etc/iked?
I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv" returns the following error:

ikev2_msg_auth: initiator auth data length 960
ikev2_msg_authverify: method SIG keylen 962 type X509_CERT
_dsa_verify_init: signature scheme 4 selected
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
ikev2_sa_negotiate: score 0
ikev2_sa_negotiate: score 10
ikev2_sa_negotiate: score 0
ikev2_sa_negotiate: score 4
sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0030, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
config_free_proposals: free 0xb9bb7e8a80
config_free_proposals: free 0xb9bb7e8700
config_free_proposals: free 0xb965e22400
config_free_proposals: free 0xba238e1e80
ca_getreq: found CA /C=ES/ST=Barcelona..............................
ca_getreq: no valid local certificate found
ca_setauth: auth length 256
ca_validate_pubkey: unsupported public key type ASN1_DN
ca_validate_cert: /C=ES/........................... ok

Do I need to install user certificates also in OpenBSD gw?

Thanks

--
Greetings,
C. L. Martinez