Hello,
 
I would like to understand why OpenBSD 7.7's iked always uses the
/etc/iked/private/local.key key, no matter what better matching keys and certs are
available under /etc/iked/private and /etc/iked/certs and no matter what is
specified as the local ID in /etc/iked.conf's srcid.
 
Expected behavior would be that the local identity is derived from srcid. The
currently implemented behavior is also totally undocumented. It took me days to
debug why my child SAs were failing.
 
In the current form I don't understand why we even maintain srcid as a selector
in /etc/iked.conf when the only valid srcid is what gets hardcoded via
/etc/iked/private/local.key and its matching cert.

Am I missing something here? Somewhat lost after two days of debugging.
 
Best regards,

Christian
 
 
