Re: Where to put certificates for IKEDv2?

2018-06-24 Thread C. L. Martinez
On Sun, Jun 24, 2018 at 12:42:15PM +0200, C. L. Martinez wrote:
> On Sun, Jun 24, 2018 at 08:43:32AM +, Stuart Henderson wrote:
> > On 2018-06-23, C. L. Martinez  wrote:
> > > Hi all,
> > >
> > >  I am using Easy-RSA to manage my home's CA (using elliptic curve 
> > > certificates). I have created a certificate for my OpenBSD gw for IKEv2 
> > > connections (using strongswan mainly). My question is where do I need to 
> > > put OpenBSD certs under /etc/iked?
> > >
> > >  I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and 
> > > myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv" 
> > > returns me the following error:
> > 
> > The CA cert needs to go in /etc/iked/ca, do you have that?
> > 
> > 
> 
> Yes, it is there: -rw-r--r--  1 root  wheel  1326 Jun 24 10:12 
> /etc/iked/ca/ca.crt 
> 
> 

But when I start iked using "-dvv" and client tries to connect, I see the 
following error:

sa_stateflags: 0x0024 -> 0x0024 certreq,sa (required 0x )
config_free_proposals: free 0x177c81779900
config_free_proposals: free 0x177c81773080
config_free_proposals: free 0x177c81773400
config_free_proposals: free 0x177c81773580
ca_getreq: found CA /C=ES/ST=Barcelona/
ca_getreq: no valid local certificate found
ca_setauth: auth length 256
ikev2_getimsgdata: imsg 20 rspi 0xf4b5f385469a92a5 ispi 0xd7906e9f68bda52b 
initiator 0 sa valid type 0 data length 0
ikev2_dispatch_cert: cert type NONE length 0, ignored
ikev2_getimsgdata: imsg 25 rspi 0xf4b5f385469a92a5 ispi 0xd7906e9f68bda52b 
initiator 0 sa valid type 1 data length 256
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x0024 -> 0x002c certreq,auth,sa (required 0x )


But CA cert is loaded:

ikev2 "ipseccli" passive esp inet from 0.0.0.0/0 to 0.0.0.0/0 local 0.0.0.0/0 
peer 0.0.0.0/0 ikesa enc aes-256,aes-192,aes-128,3des prf 
hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group 
modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth 
hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 signature
/etc/iked.conf: loaded 2 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
config_new_user: inserting new user testusr
ca_privkey_to_method: type RSA_KEY method RSA_SIG
config_getpolicy: received policy
ca_getkey: received private key type RSA_KEY length 1191
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: mobike
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: loaded ca file ca.crt
ca_reload: /C=ES/ST=Barcelona/
ca_reload: loaded 1 ca certificate
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20

 But I am thinking that maybe there are some problems:

 - First, I am using strongswan for Android as a client, do I need to use some 
specific crypto algorithms on the iked side?
 - Second, maybe it is the best option to use EAP user auth instead of certificates?
 - I am using ECDSA certs, any problem with that?

Thanks

-- 
Greetings,
C. L. Martinez



Re: Where to put certificates for IKEDv2?

2018-06-24 Thread C. L. Martinez
On Sun, Jun 24, 2018 at 08:43:32AM +, Stuart Henderson wrote:
> On 2018-06-23, C. L. Martinez  wrote:
> > Hi all,
> >
> >  I am using Easy-RSA to manage my home's CA (using elliptic curve 
> > certificates). I have created a certificate for my OpenBSD gw for IKEv2 
> > connections (using strongswan mainly). My question is where do I need to 
> > put OpenBSD certs under /etc/iked?
> >
> >  I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and 
> > myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv" returns 
> > me the following error:
> 
> The CA cert needs to go in /etc/iked/ca, do you have that?
> 
> 

Yes, it is there: -rw-r--r--  1 root  wheel  1326 Jun 24 10:12 
/etc/iked/ca/ca.crt 


-- 
Greetings,
C. L. Martinez



Re: Where to put certificates for IKEDv2?

2018-06-24 Thread Stuart Henderson
On 2018-06-23, C. L. Martinez  wrote:
> Hi all,
>
>  I am using Easy-RSA to manage my home's CA (using elliptic curve 
> certificates). I have created a certificate for my OpenBSD gw for IKEv2 
> connections (using strongswan mainly). My question is where do I need to put 
> OpenBSD certs under /etc/iked?
>
>  I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and 
> myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv" returns 
> me the following error:

The CA cert needs to go in /etc/iked/ca, do you have that?


> ikev2_msg_auth: initiator auth data length 960
> ikev2_msg_authverify: method SIG keylen 962 type X509_CERT
> _dsa_verify_init: signature scheme 4 selected
> ikev2_msg_authverify: authentication successful
> sa_state: AUTH_REQUEST -> AUTH_SUCCESS
> sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b 
> cert,certvalid,auth,authvalid,sa)
> ikev2_sa_negotiate: score 0
> ikev2_sa_negotiate: score 10
> ikev2_sa_negotiate: score 0
> ikev2_sa_negotiate: score 4
> sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b 
> cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x0030, require 0x003b 
> cert,certvalid,auth,authvalid,sa
> sa_state: cannot switch: AUTH_SUCCESS -> VALID
> config_free_proposals: free 0xb9bb7e8a80
> config_free_proposals: free 0xb9bb7e8700
> config_free_proposals: free 0xb965e22400
> config_free_proposals: free 0xba238e1e80
> ca_getreq: found CA /C=ES/ST=Barcelona..
> ca_getreq: no valid local certificate found
> ca_setauth: auth length 256
> ca_validate_pubkey: unsupported public key type ASN1_DN
> ca_validate_cert: /C=ES/... ok
>
>  Do I need to install user certificates also in OpenBSD gw?
>
> thanks



Where to put certificates for IKEDv2?

2018-06-23 Thread C. L. Martinez
Hi all,

 I am using Easy-RSA to manage my home's CA (using elliptic curve 
certificates). I have created a certificate for my OpenBSD gw for IKEv2 
connections (using strongswan mainly). My question is where do I need to put 
OpenBSD certs under /etc/iked?

 I have installed myhost.crt in /etc/iked/pubkeys/fqdn/myhost.crt and 
myhost.key in /etc/iked/private/myhost.key, but running "iked -dvv" returns me 
the following error:

ikev2_msg_auth: initiator auth data length 960
ikev2_msg_authverify: method SIG keylen 962 type X509_CERT
_dsa_verify_init: signature scheme 4 selected
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b 
cert,certvalid,auth,authvalid,sa)
ikev2_sa_negotiate: score 0
ikev2_sa_negotiate: score 10
ikev2_sa_negotiate: score 0
ikev2_sa_negotiate: score 4
sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b 
cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0030, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
config_free_proposals: free 0xb9bb7e8a80
config_free_proposals: free 0xb9bb7e8700
config_free_proposals: free 0xb965e22400
config_free_proposals: free 0xba238e1e80
ca_getreq: found CA /C=ES/ST=Barcelona..
ca_getreq: no valid local certificate found
ca_setauth: auth length 256
ca_validate_pubkey: unsupported public key type ASN1_DN
ca_validate_cert: /C=ES/... ok

 Do I need to install user certificates also in OpenBSD gw?

thanks
-- 
Greetings,
C. L. Martinez
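An added check for the layout question in the original post, not code from the thread or from OpenBSD. iked.conf(5) documents the directories iked(8) reads, and they differ from where the certificate and key were installed above: CA certificates go in /etc/iked/ca/, the local host certificate in /etc/iked/certs/, and the local private key at /etc/iked/private/local.key under exactly that name (OpenBSD's /etc/rc generates a 2048-bit RSA local.key at boot if the file is missing). /etc/iked/pubkeys/{ipv4,ipv6,fqdn,ufqdn}/ holds raw public keys of peers, named by their ID, so a local certificate placed there is never considered, which is what "ca_getreq: no valid local certificate found" reports. The later follow-up in this thread also shows iked loading a key of type RSA_KEY while the certificates are ECDSA, so the script additionally compares the public key in each certificate under certs/ with the key iked actually loads. The script name check_iked_certs.sh is an assumption, and the sample trees in the usage below are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD: audit the
# certificate layout iked(8) reads, as documented in iked.conf(5):
#   ca/                 trusted CA certificates
#   certs/              the local host certificate (and optional peer certs)
#   private/local.key   the local private key (this exact file name)
#   pubkeys/{ipv4,ipv6,fqdn,ufqdn}/   raw public keys of *peers*, named by ID
# Usage: sh check_iked_certs.sh /etc/iked   (script name is an assumption)

fail() { echo "FAIL: $*"; _rc=1; }
ok()   { echo "ok:   $*"; }

# True if directory $1 contains at least one regular file (iked loads every
# file in ca/ and certs/, whatever its name).
has_file() {
    for f in "$1"/*; do [ -f "$f" ] && return 0; done
    return 1
}

# Static layout check using only file tests, so it runs without openssl.
# Returns 0 when the layout matches what iked expects, 1 otherwise.
iked_layout_check() {
    root="${1:-/etc/iked}"
    _rc=0

    if has_file "$root/ca"; then
        ok "CA certificate(s) present in $root/ca"
    else
        fail "nothing in $root/ca (the CA that issued the peer certs goes here)"
    fi

    if has_file "$root/certs"; then
        ok "local certificate present in $root/certs"
    else
        fail "nothing in $root/certs (iked looks for the local certificate here)"
    fi

    # An X.509 certificate under pubkeys/ is misplaced: iked reads files
    # there as peer public keys, so a local cert here is never found.
    for f in "$root"/pubkeys/*/*; do
        [ -f "$f" ] || continue
        if grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null; then
            fail "$f is a certificate; pubkeys/ holds peer public keys only"
        fi
    done

    key="$root/private/local.key"
    if [ -f "$key" ]; then
        ok "private key present at $key"
        perms=$(ls -l "$key" | cut -c2-10)
        case "$perms" in
            rw-------) ok "$key is mode 0600" ;;
            *)         fail "$key should be mode 0600, found $perms" ;;
        esac
    else
        fail "$key missing (a key under another name in private/ is not loaded)"
    fi
    return "$_rc"
}

# Cryptographic check (needs openssl): every certificate in certs/ must
# chain to a CA in ca/, and one of them must carry the same public key as
# private/local.key, otherwise iked cannot present it as the local cert.
iked_chain_check() {
    root="${1:-/etc/iked}"
    _rc=0
    command -v openssl >/dev/null 2>&1 || { fail "openssl not found"; return 1; }
    bundle=$(mktemp) || return 1
    cat "$root"/ca/* > "$bundle" 2>/dev/null
    keypub=$(openssl pkey -in "$root/private/local.key" -pubout 2>/dev/null)
    matched=0
    for cert in "$root"/certs/*; do
        [ -f "$cert" ] || continue
        if openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
            ok "$cert chains to a CA in $root/ca"
        else
            fail "$cert does not verify against the CA(s) in $root/ca"
        fi
        certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
        if [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]; then
            ok "$cert matches private/local.key"; matched=1
        fi
    done
    [ "$matched" -eq 1 ] || \
        fail "no certificate in $root/certs matches private/local.key (compare the key type iked logs in ca_privkey_serialize with the certificate's)"
    rm -f "$bundle"
    return "$_rc"
}

# Entry point when run as a script with the iked directory as argument.
if [ $# -gt 0 ]; then
    iked_layout_check "$1"
    iked_chain_check "$1"
fi
```

Run as root with `sh check_iked_certs.sh /etc/iked` and then restart iked with `-dvv`; the layout check alone reproduces the misplacement from the post (certificate under pubkeys/fqdn/, key under a name other than local.key), and the chain check is what tells an ECDSA certificate apart from an RSA local.key that iked generated on its own.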