Re: Where to put certificates for IKEDv2?
On Sun, Jun 24, 2018 at 12:42:15PM +0200, C. L. Martinez wrote:
> On Sun, Jun 24, 2018 at 08:43:32AM +, Stuart Henderson wrote:
> > On 2018-06-23, C. L. Martinez wrote:
> > > Hi all,
> > >
> > > I am using Easy-RSA to manage my home's CA (using elliptic curve
> > > certificates). I have created a certificate for my OpenBSD gw for IKEv2
> > > connections (using strongswan mainly). My question is where do I need to
> > > put OpenBSD certs under /etc/iked?
> > >
> > > I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and
> > > myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv"
> > > returns me the following error:
> >
> > The CA cert needs to go in /etc/iked/ca, do you have that?
> >
>
> Yes, it is there:
>
> -rw-r--r-- 1 root wheel 1326 Jun 24 10:12 /etc/iked/ca/ca.crt
>

But when I start iked using "-dvv" and the client tries to connect, I see the following error:

sa_stateflags: 0x0024 -> 0x0024 certreq,sa (required 0x )
config_free_proposals: free 0x177c81779900
config_free_proposals: free 0x177c81773080
config_free_proposals: free 0x177c81773400
config_free_proposals: free 0x177c81773580
ca_getreq: found CA /C=ES/ST=Barcelona/
ca_getreq: no valid local certificate found
ca_setauth: auth length 256
ikev2_getimsgdata: imsg 20 rspi 0xf4b5f385469a92a5 ispi 0xd7906e9f68bda52b initiator 0 sa valid type 0 data length 0
ikev2_dispatch_cert: cert type NONE length 0, ignored
ikev2_getimsgdata: imsg 25 rspi 0xf4b5f385469a92a5 ispi 0xd7906e9f68bda52b initiator 0 sa valid type 1 data length 256
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x0024 -> 0x002c certreq,auth,sa (required 0x )

But the CA cert is loaded:

ikev2 "ipseccli" passive esp inet from 0.0.0.0/0 to 0.0.0.0/0 local 0.0.0.0/0 peer 0.0.0.0/0 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 signature
/etc/iked.conf: loaded 2 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
config_new_user: inserting new user testusr
ca_privkey_to_method: type RSA_KEY method RSA_SIG
config_getpolicy: received policy
ca_getkey: received private key type RSA_KEY length 1191
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: mobike
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: loaded ca file ca.crt
ca_reload: /C=ES/ST=Barcelona/
ca_reload: loaded 1 ca certificate
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20

But I am thinking that maybe there are some problems:

- First, I am using strongswan for Android as a client. Do I need to use some specific crypto algorithms on the iked side?
- Second, maybe it is the best option to use EAP user auth instead of certificates?
- I am using ECDSA certs, any problem with that?

Thanks

--
Greetings,
C. L. Martinez
Re: Where to put certificates for IKEDv2?
On Sun, Jun 24, 2018 at 08:43:32AM +, Stuart Henderson wrote:
> On 2018-06-23, C. L. Martinez wrote:
> > Hi all,
> >
> > I am using Easy-RSA to manage my home's CA (using elliptic curve
> > certificates). I have created a certificate for my OpenBSD gw for IKEv2
> > connections (using strongswan mainly). My question is where do I need to
> > put OpenBSD certs under /etc/iked?
> >
> > I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and
> > myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv" returns
> > me the following error:
>
> The CA cert needs to go in /etc/iked/ca, do you have that?
>

Yes, it is there:

-rw-r--r-- 1 root wheel 1326 Jun 24 10:12 /etc/iked/ca/ca.crt

--
Greetings,
C. L. Martinez
Re: Where to put certificates for IKEDv2?
On 2018-06-23, C. L. Martinez wrote:
> Hi all,
>
> I am using Easy-RSA to manage my home's CA (using elliptic curve
> certificates). I have created a certificate for my OpenBSD gw for IKEv2
> connections (using strongswan mainly). My question is where do I need to put
> OpenBSD certs under /etc/iked?
>
> I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and
> myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv" returns
> me the following error:

The CA cert needs to go in /etc/iked/ca, do you have that?

> ikev2_msg_auth: initiator auth data length 960
> ikev2_msg_authverify: method SIG keylen 962 type X509_CERT
> _dsa_verify_init: signature scheme 4 selected
> ikev2_msg_authverify: authentication successful
> sa_state: AUTH_REQUEST -> AUTH_SUCCESS
> sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b
> cert,certvalid,auth,authvalid,sa)
> ikev2_sa_negotiate: score 0
> ikev2_sa_negotiate: score 10
> ikev2_sa_negotiate: score 0
> ikev2_sa_negotiate: score 4
> sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b
> cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x0030, require 0x003b
> cert,certvalid,auth,authvalid,sa
> sa_state: cannot switch: AUTH_SUCCESS -> VALID
> config_free_proposals: free 0xb9bb7e8a80
> config_free_proposals: free 0xb9bb7e8700
> config_free_proposals: free 0xb965e22400
> config_free_proposals: free 0xba238e1e80
> ca_getreq: found CA /C=ES/ST=Barcelona..
> ca_getreq: no valid local certificate found
> ca_setauth: auth length 256
> ca_validate_pubkey: unsupported public key type ASN1_DN
> ca_validate_cert: /C=ES/... ok
>
> Do I need to install user certificates also in OpenBSD gw?
>
> thanks
Where to put certificates for IKEDv2?
Hi all,

I am using Easy-RSA to manage my home's CA (using elliptic curve
certificates). I have created a certificate for my OpenBSD gw for IKEv2
connections (using strongswan mainly). My question is where do I need to put
OpenBSD certs under /etc/iked?

I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and
myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv" returns
me the following error:

ikev2_msg_auth: initiator auth data length 960
ikev2_msg_authverify: method SIG keylen 962 type X509_CERT
_dsa_verify_init: signature scheme 4 selected
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
ikev2_sa_negotiate: score 0
ikev2_sa_negotiate: score 10
ikev2_sa_negotiate: score 0
ikev2_sa_negotiate: score 4
sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0030, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
config_free_proposals: free 0xb9bb7e8a80
config_free_proposals: free 0xb9bb7e8700
config_free_proposals: free 0xb965e22400
config_free_proposals: free 0xba238e1e80
ca_getreq: found CA /C=ES/ST=Barcelona..
ca_getreq: no valid local certificate found
ca_setauth: auth length 256
ca_validate_pubkey: unsupported public key type ASN1_DN
ca_validate_cert: /C=ES/... ok

Do I need to install user certificates also in OpenBSD gw?

thanks

--
Greetings,
C. L. Martinez
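As an added example (not from the thread or from OpenBSD), a Python triage of the "sa_stateok ... require" and ca_getreq lines quoted in this post and in Stuart's reply: it decodes the iked state-flag bits (values derived from the bitmask/name pairs printed in the quoted log) to show which required flags the SA never reached, and maps the two ca_* messages to the check a defender would run. The directory layout in the hints follows iked.conf(5) (host cert under /etc/iked/certs/, key as /etc/iked/private/local.key); the sample log is constructed from the lines quoted above.

```python
import re

# Bit values recovered from the sa_stateflags lines quoted in this thread
# (0x0024 = certreq,sa; 0x003b = cert,certvalid,auth,authvalid,sa; ...).
STATE_FLAGS = {0x01: "cert", 0x02: "certvalid", 0x04: "certreq",
               0x08: "auth", 0x10: "authvalid", 0x20: "sa"}

# Debug messages that point at a specific cause, with the check to run.
# Directory names are those documented in iked.conf(5).
HINTS = {
    "ca_getreq: no valid local certificate found":
        "no loaded cert matched the gateway's local ID: the host cert belongs "
        "in /etc/iked/certs/ (not pubkeys/), its key as /etc/iked/private/local.key",
    "ca_validate_pubkey: unsupported public key type ASN1_DN":
        "peer ID is an ASN.1 DN, which raw keys under /etc/iked/pubkeys/ cannot "
        "match; harmless when the following ca_validate_cert line reports ok",
}

STATEOK_RE = re.compile(r"sa_stateok: (\w+) flags 0x([0-9a-f]+), require 0x([0-9a-f]+)")

# Constructed sample, built from the lines quoted in the original post.
SAMPLE_LOG = """\
sa_stateok: VALID flags 0x0030, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ca_getreq: found CA /C=ES/ST=Barcelona..
ca_getreq: no valid local certificate found
ca_validate_pubkey: unsupported public key type ASN1_DN
ca_validate_cert: /C=ES/... ok
"""

def decode_flags(value):
    """Names of the bits set in an iked sa_stateflags bitmask, lowest bit first."""
    return [name for bit, name in sorted(STATE_FLAGS.items()) if value & bit]

def missing_flags(have, require):
    """Required flags the SA never reached; these block the state transition."""
    return decode_flags(require & ~have)

def triage(log_text):
    """Explain why an SA failed to reach its target state from an iked -dvv log."""
    result = {"state": None, "missing": [], "hints": []}
    for line in log_text.splitlines():
        m = STATEOK_RE.search(line)
        if m:  # sa_stateok prints the flags it has vs. the flags the state requires
            result["state"] = m.group(1)
            result["missing"] = missing_flags(int(m.group(2), 16), int(m.group(3), 16))
        for needle, hint in HINTS.items():
            if needle in line and hint not in result["hints"]:
                result["hints"].append(hint)
    return result
```

On the quoted log the missing flags are cert, certvalid and auth: the peer's signature verified (authvalid), but the gateway never produced its own certificate and AUTH payload because ca_getreq found no local certificate to send.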