On Sun, Jun 24, 2018 at 12:42:15PM +0200, C. L. Martinez wrote:
> On Sun, Jun 24, 2018 at 08:43:32AM +0000, Stuart Henderson wrote:
> > On 2018-06-23, C. L. Martinez <carlopm...@gmail.com> wrote:
> > > Hi all,
> > >
> > > I am using Easy-RSA to manage my home's CA (using elliptic curve
> > > certificates). I have created a certificate for my OpenBSD gw for IKEv2
> > > connections (using strongswan mainly). My question is where do I need to
> > > put OpenBSD certs under /etc/iked?
> > >
> > > I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and
> > > myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv"
> > > returns me the following error:
> >
> > The CA cert needs to go in /etc/iked/ca, do you have that?
> >
>
> Yes, it is there:
>
> -rw-r--r--  1 root  wheel  1326 Jun 24 10:12 /etc/iked/ca/ca.crt
>

But when I start iked using "-dvv" and the client tries to connect, I see the following error:

sa_stateflags: 0x0024 -> 0x0024 certreq,sa (required 0x0000 )
config_free_proposals: free 0x177c81779900
config_free_proposals: free 0x177c81773080
config_free_proposals: free 0x177c81773400
config_free_proposals: free 0x177c81773580
ca_getreq: found CA /C=ES/ST=Barcelona/........
ca_getreq: no valid local certificate found
ca_setauth: auth length 256
ikev2_getimsgdata: imsg 20 rspi 0xf4b5f385469a92a5 ispi 0xd7906e9f68bda52b initiator 0 sa valid type 0 data length 0
ikev2_dispatch_cert: cert type NONE length 0, ignored
ikev2_getimsgdata: imsg 25 rspi 0xf4b5f385469a92a5 ispi 0xd7906e9f68bda52b initiator 0 sa valid type 1 data length 256
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x0024 -> 0x002c certreq,auth,sa (required 0x0000 )

But the CA cert is loaded:

ikev2 "ipseccli" passive esp inet from 0.0.0.0/0 to 0.0.0.0/0 local 0.0.0.0/0 peer 0.0.0.0/0 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 signature
/etc/iked.conf: loaded 2 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
config_new_user: inserting new user testusr
ca_privkey_to_method: type RSA_KEY method RSA_SIG
config_getpolicy: received policy
ca_getkey: received private key type RSA_KEY length 1191
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: mobike
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: loaded ca file ca.crt
ca_reload: /C=ES/ST=Barcelona/....
ca_reload: loaded 1 ca certificate
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20

But I am thinking that maybe there are some problems:

- First, I am using strongswan for Android as a client. Do I need to use some specific crypto algorithms on the iked side?
- Second, maybe it is the best option to use EAP user auth instead of certificates?
- I am using ECDSA certs, any problem with that?

Thanks

-- 
Greetings,
C. L. Martinez
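Added example, not part of the thread: a shell check for the "no valid local certificate found" situation, assuming the iked(8) layout where the private key iked loads is /etc/iked/private/local.key, host certificates live under /etc/iked/certs and CA certificates under /etc/iked/ca. It builds constructed ECDSA fixtures with openssl and verifies that the certificate's public key matches the private key and that the certificate chains to the CA file; the debug output above shows iked serialising an RSA_KEY while the certificate was issued for an ECDSA key, which is the kind of mismatch the first check catches.

```shell
#!/bin/sh
# iked_cert_check CERT KEY CAFILE
#   0 = cert belongs to KEY and chains to CAFILE, 1 = mismatch or untrusted,
#   2 = a file is unreadable or not parseable. Paths in the usage comment
#   follow iked(8); they are assumptions, not taken from the thread.
iked_cert_check() {
    cert=$1; key=$2; cafile=$3
    for f in "$cert" "$key" "$cafile"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
        || { echo "$cert is not a parseable X.509 certificate" >&2; return 2; }
    # Fingerprint of the public key embedded in the certificate ...
    cert_fp=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    # ... and of the public key derived from the private key iked would load.
    key_fp=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    if [ "$cert_fp" != "$key_fp" ]; then
        echo "MISMATCH: $cert was not issued for the key in $key" >&2
        return 1
    fi
    # iked only presents a local cert that verifies against a loaded CA.
    if ! openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo "UNTRUSTED: $cert does not chain to $cafile" >&2
        return 1
    fi
    echo "OK: $cert matches $key and chains to $cafile"
}

# Constructed ECDSA (P-256) fixtures in a temp dir, mirroring the poster's
# Easy-RSA setup: a CA, a gateway key/cert, and an unrelated second key.
make_fixtures() {
    d=$(mktemp -d) || return 1
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ca.key" 2>/dev/null
    openssl req -x509 -new -key "$d/ca.key" -subj "/CN=Home CA" -days 1 \
        -out "$d/ca.crt" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/local.key" 2>/dev/null
    openssl req -new -key "$d/local.key" -subj "/CN=gw.example.test" \
        -out "$d/gw.csr" 2>/dev/null
    openssl x509 -req -in "$d/gw.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/gw.crt" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/other.key" 2>/dev/null
    echo "$d"
}

# On a real gateway (assumed iked(8) paths):
#   iked_cert_check /etc/iked/certs/myhost.crt /etc/iked/private/local.key /etc/iked/ca/ca.crt
```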