Hi, folks,

I have successfully set up an ESP tunnel between two OpenBSD 6.7 hosts using OpenIKED, but I have not copied any key material (public keys) from one host to the other. Still, authentication succeeds.

This is how it looks in the logs of the initiator:

ca_validate_pubkey: valid public key in file pubkeys/fqdn/openbsd2.my.domain
ikev2_getimsgdata: imsg 25 rspi 0x193c5f369533048e ispi 0xac6ce70df4e79168 initiator 1 sa valid type 11 data length 0
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa (required 0x0032 certvalid,authvalid,sa)
sa_stateok: VALID flags 0x0032, require 0x0032 certvalid,authvalid,sa
spi=0xac6ce70df4e79168: sa_state: AUTH_SUCCESS -> VALID

The public key "openbsd2.my.domain" and its corresponding private key have been generated on the initiator host itself. Therefore the initiator should not be able to authenticate the responder using the key "openbsd2.my.domain".

Is anyone able to explain this behavior? I am probably just missing something here and would highly appreciate any hints.

Cheers,
Michael
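One check worth running on both hosts before reading anything into the "valid public key" log line is whether the stored peer key file is in fact the same key as the host's own local.pub. The script below is an added example, not code from the post or from OpenIKED; it assumes the default OpenIKED layout (/etc/iked/local.pub for the host's own key, /etc/iked/pubkeys/fqdn/<peer-fqdn> for stored peer keys), and the PEM bodies produced by make_pem are constructed placeholders, not real keys.

```python
"""Fingerprint and compare OpenIKED public-key files (stdlib only)."""
import base64
import hashlib
import re
import sys

# Matches the first "PUBLIC KEY" armor block; body may be wrapped on any width.
PEM_BLOCK = re.compile(
    r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first PUBLIC KEY block in pem_text."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PUBLIC KEY PEM block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint(pem_text: str) -> str:
    """Hex SHA-256 over the DER body, so re-wrapping or stray whitespace
    in the PEM file cannot make two copies of one key look different."""
    return hashlib.sha256(pem_to_der(pem_text)).hexdigest()


def same_key(local_pem: str, peer_pem: str) -> bool:
    """True when the stored peer key is the same key as the local one.
    In that case the peer file does not identify a distinct remote host,
    and a successful pubkey match says nothing about the responder."""
    return fingerprint(local_pem) == fingerprint(peer_pem)


def make_pem(raw: bytes, width: int = 64) -> str:
    """Wrap arbitrary bytes in PEM armor (constructed placeholder, not a key)."""
    b64 = base64.b64encode(raw).decode()
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    # usage: compare_pubkeys.py [local.pub] [pubkeys/fqdn/<peer-fqdn>]
    local_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/iked/local.pub"
    peer_path = (sys.argv[2] if len(sys.argv) > 2
                 else "/etc/iked/pubkeys/fqdn/openbsd2.my.domain")
    with open(local_path) as f_local, open(peer_path) as f_peer:
        local_pem, peer_pem = f_local.read(), f_peer.read()
    print("local:", fingerprint(local_pem))
    print("peer: ", fingerprint(peer_pem))
    print("IDENTICAL KEY" if same_key(local_pem, peer_pem) else "distinct keys")
```

Run it on the initiator and on the responder; the expected result for two independently keyed hosts is that each host's local.pub fingerprint appears as the peer fingerprint on the other host and nowhere else.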

