Hi Tobias,

Thanks for your response!

I am pasting the contents of the iked.confs as well as the list of files in /etc/iked on both hosts below.

Kind regards,
Michael

--------------------------------------------------
/etc/iked.conf on initiator:

local_IP="192.168.5.10"
local_NW="192.168.5.10/32"
peer_IP="192.168.5.11"
peer_NW="192.168.5.11/32"
local_FQDN="openbsd.my.domain"
peer_FQDN="openbsd2.my.domain"

allowed_enc="enc aes-128 enc aes-256"
allowed_enc_esp="enc aes-128 enc aes-256 enc aes-128-ctr enc aes-256-ctr"
allowed_enc_auth_esp="enc aes-128-gcm enc aes-256-gcm"
allowed_prf="prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512"
allowed_group="group modp2048 group modp3072 group modp4096 group ecp256 group ecp384 group ecp521 group brainpool256 group brainpool384 group brainpool512"
allowed_auth="auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512"

ikev2 "initiator-ESP-tunnel" active tunnel esp \
        from $local_NW to $peer_NW \
        local $local_IP peer $peer_IP \
        ikesa $allowed_auth $allowed_enc $allowed_prf $allowed_group \
        childsa $allowed_auth $allowed_enc_esp $allowed_group \
        childsa $allowed_enc_auth_esp $allowed_group \
        srcid $local_FQDN dstid $peer_FQDN \
        ikelifetime 0 \
        lifetime 0 bytes 0 \
        ecdsa384

--------------------------------------------------
/etc/iked.conf on responder:

local_IP="192.168.5.11"
local_NW="192.168.5.11/32"
peer_IP="192.168.5.10"
peer_NW="192.168.5.10/32"
local_FQDN="openbsd2.my.domain"
peer_FQDN="openbsd.my.domain"

allowed_enc="enc aes-128 enc aes-256"
allowed_enc_esp="enc aes-128 enc aes-256 enc aes-128-ctr enc aes-256-ctr"
allowed_enc_auth_esp="enc aes-128-gcm enc aes-256-gcm"
allowed_prf="prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512"
allowed_group="group modp2048 group modp3072 group modp4096 group ecp256 group ecp384 group ecp521 group brainpool256 group brainpool384 group brainpool512"
allowed_auth="auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512"

ikev2 "responder-ESP-tunnel" passive tunnel esp \
        from $local_NW to $peer_NW \
        local $local_IP peer $peer_IP \
        ikesa $allowed_auth $allowed_enc $allowed_prf $allowed_group \
        childsa $allowed_auth $allowed_enc_esp $allowed_group \
        childsa $allowed_enc_auth_esp $allowed_group \
        srcid $local_FQDN dstid $peer_FQDN \
        ikelifetime 0 \
        lifetime 0 bytes 0 \
        ecdsa384

--------------------------------------------------
List of files in /etc/iked on initiator:

total 32
drwxr-xr-x   7 root  wheel   512 Jul  8 13:54 .
drwxr-xr-x  22 root  wheel  1536 Jul 10 15:33 ..
drwxr-xr-x   2 root  wheel   512 May  7 18:51 ca
drwxr-xr-x   2 root  wheel   512 Jul  9 15:09 certs
drwxr-xr-x   2 root  wheel   512 May  7 18:51 crls
-rw-r--r--   1 root  wheel   451 Jul  8 13:54 local.pub
drwx------   2 root  wheel   512 Jul  8 13:54 private
drwxr-xr-x   6 root  wheel   512 May  7 18:51 pubkeys

/etc/iked/ca:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  7 root  wheel  512 Jul  8 13:54 ..

/etc/iked/certs:
total 8
drwxr-xr-x  2 root  wheel  512 Jul  9 15:09 .
drwxr-xr-x  7 root  wheel  512 Jul  8 13:54 ..

/etc/iked/crls:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  7 root  wheel  512 Jul  8 13:54 ..

/etc/iked/private:
total 12
drwx------  2 root  wheel   512 Jul  8 13:54 .
drwxr-xr-x  7 root  wheel   512 Jul  8 13:54 ..
-rw-------  1 root  wheel  1675 Jul  8 13:54 local.key

/etc/iked/pubkeys:
total 24
drwxr-xr-x  6 root  wheel  512 May  7 18:51 .
drwxr-xr-x  7 root  wheel  512 Jul  8 13:54 ..
drwxr-xr-x  2 root  wheel  512 Jul 10 11:09 fqdn
drwxr-xr-x  2 root  wheel  512 May  7 18:51 ipv4
drwxr-xr-x  2 root  wheel  512 May  7 18:51 ipv6
drwxr-xr-x  2 root  wheel  512 May  7 18:51 ufqdn

/etc/iked/pubkeys/fqdn:
total 16
drwxr-xr-x  2 root  wheel  512 Jul 10 11:09 .
drwxr-xr-x  6 root  wheel  512 May  7 18:51 ..
-rw-r--r--  1 root  wheel  215 Jul 10 11:07 openbsd2.my.domain
-rw-r--r--  1 root  wheel  215 Jul  9 15:11 openbsd2.my.domain.old

/etc/iked/pubkeys/ipv4:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  6 root  wheel  512 May  7 18:51 ..

/etc/iked/pubkeys/ipv6:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  6 root  wheel  512 May  7 18:51 ..

/etc/iked/pubkeys/ufqdn:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  6 root  wheel  512 May  7 18:51 ..

--------------------------------------------------
List of files in /etc/iked on responder:

total 32
drwxr-xr-x   7 root  wheel   512 Jul  8 15:43 .
drwxr-xr-x  22 root  wheel  1536 Jul 22 17:08 ..
drwxr-xr-x   2 root  wheel   512 May  7 18:51 ca
drwxr-xr-x   2 root  wheel   512 May  7 18:51 certs
drwxr-xr-x   2 root  wheel   512 May  7 18:51 crls
-rw-r--r--   1 root  wheel   451 Jul  8 15:43 local.pub
drwx------   2 root  wheel   512 Jul  8 15:43 private
drwxr-xr-x   6 root  wheel   512 May  7 18:51 pubkeys

/etc/iked/ca:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  7 root  wheel  512 Jul  8 15:43 ..

/etc/iked/certs:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  7 root  wheel  512 Jul  8 15:43 ..

/etc/iked/crls:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  7 root  wheel  512 Jul  8 15:43 ..

/etc/iked/private:
total 12
drwx------  2 root  wheel   512 Jul  8 15:43 .
drwxr-xr-x  7 root  wheel   512 Jul  8 15:43 ..
-rw-------  1 root  wheel  1675 Jul  8 15:43 local.key

/etc/iked/pubkeys:
total 24
drwxr-xr-x  6 root  wheel  512 May  7 18:51 .
drwxr-xr-x  7 root  wheel  512 Jul  8 15:43 ..
drwxr-xr-x  2 root  wheel  512 Jul  9 15:20 fqdn
drwxr-xr-x  2 root  wheel  512 May  7 18:51 ipv4
drwxr-xr-x  2 root  wheel  512 May  7 18:51 ipv6
drwxr-xr-x  2 root  wheel  512 May  7 18:51 ufqdn

/etc/iked/pubkeys/fqdn:
total 12
drwxr-xr-x  2 root  wheel  512 Jul  9 15:20 .
drwxr-xr-x  6 root  wheel  512 May  7 18:51 ..
-rw-r--r--  1 root  wheel  215 Jul  9 15:20 openbsd.my.domain

/etc/iked/pubkeys/ipv4:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  6 root  wheel  512 May  7 18:51 ..

/etc/iked/pubkeys/ipv6:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  6 root  wheel  512 May  7 18:51 ..

/etc/iked/pubkeys/ufqdn:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  6 root  wheel  512 May  7 18:51 ..
(EOM)

-----Original Message-----
From: Tobias Heider <[email protected]>
Sent: Wednesday, 22 July 2020 16:38
To: Scheibel, Michael <[email protected]>
Cc: [email protected]
Subject: Re: OpenIKED: Authentication question

On Wed, Jul 22, 2020 at 11:56:15AM +0000, Scheibel, Michael wrote:
> Hi, folks,
>
> I have successfully set up an ESP tunnel between two OpenBSD 6.7 hosts using
> OpenIKED but I have not copied any key material (public keys) from one host
> to the other. Still, authentication succeeds.
>
> This is how it looks in the logs of the initiator:
>
> ca_validate_pubkey: valid public key in file pubkeys/fqdn/openbsd2.my.domain
> ikev2_getimsgdata: imsg 25 rspi 0x193c5f369533048e ispi 0xac6ce70df4e79168 initiator 1 sa valid type 11 data length 0
> ikev2_dispatch_cert: peer certificate is valid
> sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa (required 0x0032 certvalid,authvalid,sa)
> sa_stateok: VALID flags 0x0032, require 0x0032 certvalid,authvalid,sa
> spi=0xac6ce70df4e79168: sa_state: AUTH_SUCCESS -> VALID
>
> The public key "openbsd2.my.domain" and its corresponding private key have
> been generated on the initiator host itself. Therefore the initiator should
> not be able to authenticate the responder using the key "openbsd2.my.domain".
>
> Is anyone able to explain this behavior? I am probably just missing something
> here and would highly appreciate any hints.
>
> Cheers,
> Michael

Hi Michael,

in order to understand what's going on it would help if you could send your iked.confs as well as a list of files in /etc/iked on both hosts.

The log output suggests the peer was authenticated via certificate/CA, not raw public key.

Regards,
Tobias

> ______________________________________________________________________
> Sitz der Gesellschaft/Headquarter: TÜV Informationstechnik GmbH * Langemarckstr. 20 * 45141 Essen, Germany
> Registergericht/Register Court: Amtsgericht/Local Court Essen * HRB 11687 * USt.-IdNr./VAT No.: DE 176132277 * Steuer-Nr./Tax No.: 111/57062251
> Geschäftsführung/Management Board: Dirk Kretzschmar
>
> TÜV NORD GROUP
> Expertise for your Success
>
> Please visit our website: www.tuv-nord.com<http://www.tuv-nord.com>
> Visit our German website: www.tuev-nord.de<http://www.tuev-nord.de>
> ______________________________________________________________________
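The question in this thread is whether the key installed under /etc/iked/pubkeys/fqdn/<peer> is actually the peer's key. The following script is an added example, not code from the thread or from OpenIKED: it fingerprints PEM public keys (SHA-256 over the DER body) and classifies each host's installed peer key as matching the peer's local.pub, being the host's own key filed under the peer's name, being some other key, or missing/unparseable. It assumes that local.pub and the pubkeys/fqdn files are PEM "PUBLIC KEY" blocks (the format OpenBSD generates by default); the sample key bodies are constructed bytes, not real key material, and the scenario they describe is an illustration, not a statement about the hosts in the thread. The `load_host` helper for reading a real /etc/iked tree is an assumption about that layout and is not exercised by the sample.

```python
import base64
import hashlib
import os
import re

# Assumption: iked's own key is /etc/iked/local.pub and the peer's raw public
# key lives under /etc/iked/pubkeys/fqdn/<peer FQDN>, both as PEM "PUBLIC KEY".
PEM_BLOCK = re.compile(
    r"-----BEGIN PUBLIC KEY-----\s*(.*?)\s*-----END PUBLIC KEY-----", re.S)


def pem_fingerprint(pem_text):
    """SHA-256 (hex) over the DER bytes inside a PEM PUBLIC KEY block.

    Returns None when no block is present or the base64 body is invalid, so a
    stray file or a private key copied by mistake is reported, not compared.
    """
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        return None
    body = "".join(match.group(1).split())      # tolerate any line wrapping
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:                          # binascii.Error is a ValueError
        return None
    return hashlib.sha256(der).hexdigest()


def check_installed_peer_key(host, peer):
    """Classify the key `host` has installed for `peer`.

    host and peer are dicts: {"fqdn": str, "local_pub": str,
                              "pubkeys_fqdn": {fqdn: pem_text}}.
    """
    installed = host["pubkeys_fqdn"].get(peer["fqdn"])
    if installed is None:
        return "missing"            # no raw public key for this peer at all
    fp_installed = pem_fingerprint(installed)
    if fp_installed is None:
        return "unparseable"
    if fp_installed == pem_fingerprint(host["local_pub"]):
        return "self-key"           # host's own key filed under the peer's name
    if fp_installed == pem_fingerprint(peer["local_pub"]):
        return "ok"                 # exactly the key the peer advertises
    return "mismatch"               # some other key, e.g. one generated locally


def audit_pair(host_a, host_b):
    """Check both directions; the result is keyed by the host doing the check."""
    return {host_a["fqdn"]: check_installed_peer_key(host_a, host_b),
            host_b["fqdn"]: check_installed_peer_key(host_b, host_a)}


def load_host(root, fqdn):
    """Read a real /etc/iked tree into the dict shape used above (hypothetical
    helper, not run by the constructed sample below)."""
    def read(path):
        with open(path) as f:
            return f.read()
    fqdn_dir = os.path.join(root, "pubkeys", "fqdn")
    installed = {}
    if os.path.isdir(fqdn_dir):
        installed = {name: read(os.path.join(fqdn_dir, name))
                     for name in os.listdir(fqdn_dir)}
    return {"fqdn": fqdn, "local_pub": read(os.path.join(root, "local.pub")),
            "pubkeys_fqdn": installed}


def fake_pem(seed):
    """Constructed stand-in for a public key: arbitrary bytes, not real keys."""
    body = base64.b64encode(hashlib.sha256(seed.encode()).digest() * 3).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines)
            + "\n-----END PUBLIC KEY-----\n")


# Constructed scenario: the responder holds the initiator's real key, but the
# initiator's pubkeys/fqdn/openbsd2.my.domain is a third key that never came
# from the responder. Names mirror the thread; the contents are invented.
INITIATOR = {"fqdn": "openbsd.my.domain",
             "local_pub": fake_pem("initiator"),
             "pubkeys_fqdn": {"openbsd2.my.domain": fake_pem("generated-locally")}}
RESPONDER = {"fqdn": "openbsd2.my.domain",
             "local_pub": fake_pem("responder"),
             "pubkeys_fqdn": {"openbsd.my.domain": fake_pem("initiator")}}

if __name__ == "__main__":
    for checker, verdict in audit_pair(INITIATOR, RESPONDER).items():
        print(f"{checker}: installed peer key is {verdict}")
```

On a real pair of hosts the same comparison can be done by hand: compute the fingerprint of local.pub on each machine and of the file under pubkeys/fqdn/ on the other, and expect them to agree; a "mismatch" or "self-key" verdict means the raw public key on disk cannot be what authenticated the peer, which is the point Tobias raises when he suggests looking at certificate/CA authentication instead.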

