Hello,

I am trying to connect an OpenBSD 7.9 system to a Cisco ASR1001 running IOS 17.9.8.

We have to use ECDSA certificates (384 bit); a connection to a Cisco router with the same certificate is possible.

It ends with the message "ca_getreq: unknown cert type requested".

Running iked produces the following output:

iked -dv
ikev2 "atos" active tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0 local any peer 192.168.80.78 ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group modp4096 childsa enc aes-256 auth hmac-sha1 group none esn noesn dstid hub01test.net.atelios.de lifetime 10800 bytes 4294967296 signature
ikev2_init_ike_sa: initiating "atos"
spi=0xe467ef335e38b082: send IKE_SA_INIT req 0 peer 192.168.80.78:500 local 0.0.0.0:500, 718 bytes
spi=0xe467ef335e38b082: recv IKE_SA_INIT res 0 peer 192.168.80.78:500 local 192.168.80.76:500, 827 bytes, policy 'atos'
spi=0xe467ef335e38b082: ca_getreq: unknown cert type requested


Or more output:
proc_dispatch: all connected
create_ike: using signature for peer hub01test.net.atelios.de
ikev2 "atos" active tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0 local any peer 192.168.80.78 ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group modp4096 childsa enc aes-256 auth hmac-sha1 group none esn  noesn dstid hub01test.net.atelios.de lifetime 10800 bytes 4294967296 signature
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type ECDSA length 167
ca_pubkey_serialize: type ECDSA length 120
ca_privkey_to_method: type ECDSA method ECDSA_384
ca_getkey: received private key type ECDSA length 167
ca_getkey: received public key type ECDSA length 120
ca_dispatch_parent: config reset
ca_reload: loaded ca file ca.crt
ca_reload: loaded cert file client.crt
ca_reload: /DC=de/DC=atelios/CN=Atelios Cisco CA 3
ca_reload: /DC=DE/DC=Atelios/DC=CA-One/CN=Atelios Root CA 2
ca_reload: loaded 2 ca certificates
ca_validate_cert: /DC=atelios/DC=de/OU=atelios-net/O=E1/CN=DE99972X038.net.atelios.de (depth = 1) unable to get local issuer certificate
ca_reload: local cert type X509_CERT
config_getstatic: dpd_check_interval 60
config_getstatic: no enforcesingleikesa
config_getstatic: no fragmentation
config_getstatic: mobike
config_getstatic: nattport 4500
config_getstatic: no stickyaddress
config_getocsp: ocsp_url none tolerate 0 maxage -1
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 40
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 40
config_getpolicy: received policy
config_getpfkey: received pfkey fd 7
config_getcompile: compilation done
config_getsocket: received socket fd 8
config_getsocket: received socket fd 9
config_getsocket: received socket fd 10
config_getsocket: received socket fd 11
config_getstatic: dpd_check_interval 60
config_getstatic: no enforcesingleikesa
config_getstatic: no fragmentation
config_getstatic: mobike
config_getstatic: nattport 4500
config_getstatic: no stickyaddress
ikev2_init_ike_sa: initiating "atos"
ikev2_policy2id: srcid FQDN/DE99972X038.my.domain length 25
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 520 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload VENDOR
ikev2_next_payload: length 16 nextpayload NOTIFY
ikev2_nat_detection: local source 0x4ac016245d39491f 0x0000000000000000 0.0.0.0:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x4ac016245d39491f 0x0000000000000000 192.168.80.78:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0x4ac016245d39491f rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 718 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 520
ikev2_pld_ke: dh group MODP_4096 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 36
ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length 16
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
spi=0x4ac016245d39491f: send IKE_SA_INIT req 0 peer 192.168.80.78:500 local 0.0.0.0:500, 718 bytes
spi=0x4ac016245d39491f: sa_state: INIT -> SA_INIT
spi=0x4ac016245d39491f: recv IKE_SA_INIT res 0 peer 192.168.80.78:500 local 192.168.80.76:500, 827 bytes, policy 'atos'
ikev2_recv: ispi 0x4ac016245d39491f rspi 0x171db53d2792d4b7
ikev2_policy2id: srcid FQDN/DE99972X038.my.domain length 25
ikev2_pld_parse: header ispi 0x4ac016245d39491f rspi 0x171db53d2792d4b7 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 827 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 520
ikev2_pld_ke: dh group MODP_4096 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 36
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 23
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 19
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 23
ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length 21
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x4ac016245d39491f 0x171db53d2792d4b7 192.168.80.78:500
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x4ac016245d39491f 0x171db53d2792d4b7 192.168.80.76:500
ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 45
ikev2_pld_certreq: type HASHURL_X509 length 40
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type HTTP_CERT_LOOKUP_SUPPORTED
ikev2_init_recv: updated SA to peer 192.168.80.78:500 local 192.168.80.76:500
ikev2_policy2id: srcid FQDN/DE99972X038.my.domain length 25
sa_stateflags: 0x0000 -> 0x0004 certreq (required 0x0009 cert,auth)
proposals_negotiate: score 4
sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
spi=0x4ac016245d39491f: ikev2_sa_keys: DHSECRET with 512 bytes
ikev2_sa_keys: SKEYSEED with 64 bytes
spi=0x4ac016245d39491f: ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 64 bytes
spi=0x4ac016245d39491f: ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 64 bytes
ikev2_prfplus: T2 with 64 bytes
ikev2_prfplus: T3 with 64 bytes
ikev2_prfplus: T4 with 64 bytes
ikev2_prfplus: T5 with 64 bytes
ikev2_prfplus: T6 with 64 bytes
ikev2_prfplus: Tn with 384 bytes
ikev2_sa_keys: SK_d with 64 bytes
ikev2_sa_keys: SK_ai with 64 bytes
ikev2_sa_keys: SK_ar with 64 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 64 bytes
ikev2_sa_keys: SK_pr with 64 bytes
ikev2_msg_auth: initiator auth data length 814
ca_setauth: switching SIG to RSA_SIG(*)
ca_setauth: auth length 814
sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
config_free_proposals: free 0xa16f561bcd0
spi=0x4ac016245d39491f: ca_getreq: unknown cert type requested
ca_setauth: auth length 96
ikev2_getimsgdata: imsg 41 rspi 0x171db53d2792d4b7 ispi 0x4ac016245d39491f initiator 1 sa valid type 10 data length 96
ikev2_dispatch_cert: AUTH type 10 len 96

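The decisive lines in the log above are the peer's CERTREQ ("ikev2_pld_certreq: type HASHURL_X509 length 40", immediately followed by a HTTP_CERT_LOOKUP_SUPPORTED notify) versus the local side's "updated local CERTREQ type X509_CERT length 40", with "ca_getreq: unknown cert type requested" logged right after the IKE_SA_INIT response is processed. The following is an added worked example (not code from the original post and not iked's own code) that builds and parses an IKEv2 CERTREQ payload per RFC 7296 sections 3.6 and 3.7, so the two numbers in the log (payload length 45, CA field length 40 = two SHA-1 hashes for the two loaded CA certificates) can be reproduced and checked. The CA SubjectPublicKeyInfo blobs are constructed placeholders, and treating X509_CERT as the only encoding iked answers is an inference from this log, not a statement about iked's source.

```python
"""IKEv2 CERTREQ payload builder/parser (RFC 7296 sections 3.6 and 3.7).

Added example for this thread; it is not code from the original post and
not iked's own code. The CA SubjectPublicKeyInfo blobs used as sample
input are constructed placeholders, not real keys.
"""
import hashlib
import struct

# Certificate Encoding values from RFC 7296 section 3.6 / IANA registry.
CERT_ENCODINGS = {
    1: "PKCS7_X509",
    2: "PGP",
    3: "DNS_SIGNED_KEY",
    4: "X509_CERT",
    6: "KERBEROS_TOKEN",
    7: "CRL",
    8: "ARL",
    9: "SPKI",
    10: "X509_ATTRIBUTE",
    11: "RSA_KEY",
    12: "HASHURL_X509",
    13: "HASHURL_X509_BUNDLE",
    14: "OCSP_CONTENT",
    15: "RAW_PUBLIC_KEY",
}
X509_CERT = 4
HASHURL_X509 = 12
NEXT_PAYLOAD_NOTIFY = 41  # payload type number of the Notify payload
HASH_LEN = 20             # SHA-1 digest length

# Inference from the posted log: iked offers X509_CERT in its own CERTREQ and
# logs "unknown cert type requested" after receiving HASHURL_X509.
IKED_ANSWERABLE = {X509_CERT}


def ca_hash(spki_der: bytes) -> bytes:
    """Certification Authority entry: SHA-1 over the CA's DER SubjectPublicKeyInfo."""
    return hashlib.sha1(spki_der).digest()


def build_certreq_body(encoding: int, ca_spkis) -> bytes:
    """Cert Encoding octet followed by one 20-byte hash per trusted CA."""
    if encoding not in CERT_ENCODINGS:
        raise ValueError(f"unknown cert encoding {encoding}")
    return bytes([encoding]) + b"".join(ca_hash(s) for s in ca_spkis)


def wrap_payload(next_payload: int, body: bytes) -> bytes:
    """Generic payload header (RFC 7296 section 3.2): next, critical/reserved, length."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_certreq_payload(data: bytes):
    """Return (next_payload, encoding_name, [ca_hashes]); raise on malformed input."""
    if len(data) < 5:
        raise ValueError("payload too short for CERTREQ")
    nxt, _flags, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("payload length mismatch")
    body = data[4:]
    encoding = body[0]
    blob = body[1:]
    if len(blob) % HASH_LEN:
        raise ValueError("CA field is not a multiple of 20 bytes")
    hashes = [blob[i:i + HASH_LEN] for i in range(0, len(blob), HASH_LEN)]
    return nxt, CERT_ENCODINGS.get(encoding, f"UNKNOWN({encoding})"), hashes


def matching_cas(requested_hashes, local_cas):
    """Names of our loaded CA certs (name -> SPKI DER) that the peer's CERTREQ names."""
    wanted = set(requested_hashes)
    return [name for name, spki in local_cas.items() if ca_hash(spki) in wanted]


def can_answer(encoding_name: str) -> bool:
    """True if the requested encoding is one iked is seen serving in the posted log."""
    by_name = {v: k for k, v in CERT_ENCODINGS.items()}
    return by_name.get(encoding_name) in IKED_ANSWERABLE


# Constructed sample SPKI blobs standing in for the two CA certs named in the log.
SAMPLE_CAS = {
    "Atelios Cisco CA 3": b"\x30\x76" + b"\x01" * 0x76,
    "Atelios Root CA 2": b"\x30\x76" + b"\x02" * 0x76,
}


def demo():
    """Rebuild the peer's CERTREQ from the log and decode it."""
    peer_req = wrap_payload(NEXT_PAYLOAD_NOTIFY,
                            build_certreq_body(HASHURL_X509, SAMPLE_CAS.values()))
    nxt, enc, hashes = parse_certreq_payload(peer_req)
    return {
        "payload_len": len(peer_req),        # 45, as in "payload CERTREQ ... length 45"
        "ca_field_len": len(peer_req) - 5,   # 40, as in "type HASHURL_X509 length 40"
        "encoding": enc,
        "cas_named": matching_cas(hashes, SAMPLE_CAS),
        "iked_can_answer": can_answer(enc),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The CA field carries no certificate names, only SHA-1 hashes of each trusted CA's SubjectPublicKeyInfo, which is why both sides in the log advertise the same 40-byte field for the same two CAs even though they disagree on the encoding. The practical check when comparing two IKEv2 peers is therefore the encoding octet: the Cisco side asks for Hash-and-URL (encoding 12) and announces HTTP certificate lookup support, while iked only advertises and, by the error shown, only serves encoding 4.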