On 2018-06-23, C. L. Martinez <carlopm...@gmail.com> wrote:
> Hi all,
>
> I am using Easy-RSA to manage my home's CA (using elliptic curve
> certificates). I have created a certificate for my OpenBSD gw for IKEv2
> connections (using strongswan mainly). My question is where do I need to put
> OpenBSD certs under /etc/iked?
>
> I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and
> myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv" returns
> me the following error:

The CA cert needs to go in /etc/iked/ca, do you have that?

> ikev2_msg_auth: initiator auth data length 960
> ikev2_msg_authverify: method SIG keylen 962 type X509_CERT
> _dsa_verify_init: signature scheme 4 selected
> ikev2_msg_authverify: authentication successful
> sa_state: AUTH_REQUEST -> AUTH_SUCCESS
> sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b
> cert,certvalid,auth,authvalid,sa)
> ikev2_sa_negotiate: score 0
> ikev2_sa_negotiate: score 10
> ikev2_sa_negotiate: score 0
> ikev2_sa_negotiate: score 4
> sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b
> cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x0030, require 0x003b
> cert,certvalid,auth,authvalid,sa
> sa_state: cannot switch: AUTH_SUCCESS -> VALID
> config_free_proposals: free 0xb9bb7e8a80
> config_free_proposals: free 0xb9bb7e8700
> config_free_proposals: free 0xb965e22400
> config_free_proposals: free 0xba238e1e80
> ca_getreq: found CA /C=ES/ST=Barcelona..............................
> ca_getreq: no valid local certificate found
> ca_setauth: auth length 256
> ca_validate_pubkey: unsupported public key type ASN1_DN
> ca_validate_cert: /C=ES/........................... ok
>
> Do I need to install user certificates also in OpenBSD gw?
>
> thanks
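
An added example, not part of the thread: a Python reading of the quoted "iked -dvv" output that decodes the sa_stateflags masks and reports which requirements are still unmet when iked refuses the AUTH_SUCCESS -> VALID switch. The bit table is an assumption chosen to match the hex/name pairs printed in the log, and the function names are hypothetical.

```python
import re

# Requirement bits. Assumption: values chosen to agree with the hex/name
# pairs in the quoted log (0x0034 = certreq,authvalid,sa and
# 0x003b = cert,certvalid,auth,authvalid,sa); only bits seen there are listed.
REQ_BITS = {0x01: "cert", 0x02: "certvalid", 0x04: "certreq",
            0x08: "auth", 0x10: "authvalid", 0x20: "sa"}

# Constructed sample: lines taken from the quoted log, mail wrapping rejoined.
SAMPLE = """\
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ca_getreq: no valid local certificate found
"""

FLAGS_RE = re.compile(
    r"sa_stateflags: 0x[0-9a-f]+ -> (0x[0-9a-f]+) .*\(required (0x[0-9a-f]+)")


def names(mask):
    """Names of the requirement bits set in mask, lowest bit first."""
    return [name for bit, name in sorted(REQ_BITS.items()) if mask & bit]


def diagnose(log):
    """Return (unmet requirement names, blocked transition, ca_* hints)."""
    missing, blocked, hints = [], None, []
    for line in log.splitlines():
        line = line.strip()
        m = FLAGS_RE.search(line)
        if m:
            have, need = int(m.group(1), 16), int(m.group(2), 16)
            missing = names(need & ~have)  # required bits that are not set
        elif line.startswith("sa_state: cannot switch:"):
            blocked = line.split(":", 2)[2].strip()
        elif line.startswith("ca_") and "no valid" in line:
            hints.append(line)
    return missing, blocked, hints


if __name__ == "__main__":
    missing, blocked, hints = diagnose(SAMPLE)
    print("blocked transition:", blocked)
    print("unmet requirements:", ", ".join(missing))
    for h in hints:
        print("related message:", h)
```

On the sample, the peer's signature has already verified (authvalid is set), while the unmet bits all concern certificates and the local AUTH data, which lines up with the "no valid local certificate found" message.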