On 2019/10/16 15:49, Tristan Pilat wrote:
> On 10/16/19 at 08:31P, Stuart Henderson wrote:
> > On 2019-10-07, Tristan Pilat <tris...@pilat.me> wrote:
> > > I'm trying to set up an IKEv2 VPN using X.509 Certificate Authentication
> > > with iked(8). In the Virtual Private Networks (VPN) section of the FAQ
> > > there is no section about setting up this with an OpenBSD client. Is there
> > > anybody here who's done that before?
> >
> > Hoping someone will tell me that I'm wrong, but iked's client-side support
> > is not very flexible and I don't think it supports this - it definitely
> > doesn't support username/password auth as a client.
>
> Does X.509 Certificate Authentication necessarily include the use of a
> username/password auth mechanism?

No, that is a different and very common mechanism that is definitely not supported as a client (but is supported as a server). I mentioned it because I think that the same thing may well apply for X.509 cert authentication. (And if iked *does* support X.509 cert auth, it is at the very least lacking documentation.)

My feeling is that iked usually works pretty well as the server side of client/server, it has some capabilities for doing lan-to-lan, but there's not much in the way of client-side support.

> ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 20
> ikev2_sa_negotiate: score 4
> sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
> Oct 11 16:13:02 xxxxx.example.net local4.warning Local:198.51.100.2:500 Remote:198.51.100.1:1011 Username:198.51.100.1 IKEv2 Negotiation aborted due to ERROR: Peer authentication method configured is mismatching with the method proposed by peer

That message is clear, but I can't suggest how to change what iked is doing for this or say whether it *can* be changed.