Re: issue with IKEv2 setup
On Wed, Jun 03, 2020 at 02:07:52PM -0400, Sonic wrote:
> On Wed, Jun 3, 2020 at 1:49 PM Tobias Heider wrote:
> > It does. /etc/iked/pubkeys/fqdn/server2.domain is where the peer's public
> > key should be.
>
> The peer's public key is there, the peer, as far as I can tell, is
> server1.domain, yet the example shows server2.domain.

Ah true, there seems to be a typo in the faq. Try setting dstid to 'server1.domain'.
Re: issue with IKEv2 setup
On Wed, Jun 3, 2020 at 1:49 PM Tobias Heider wrote:
> It does. /etc/iked/pubkeys/fqdn/server2.domain is where the peer's public key
> should be.

The peer's public key is there, the peer, as far as I can tell, is
server1.domain, yet the example shows server2.domain.
Re: issue with IKEv2 setup
On Wed, Jun 03, 2020 at 01:09:02PM -0400, Sonic wrote:
> Following the FAQ at https://www.openbsd.org/faq/faq17.html I ran into
> the following problem with the server2 example:
> ===
> ikev2 'server2_rsa' active esp \
>         from 10.0.2.0/24 to 10.0.1.0/24 \
>         peer 192.0.2.1 \
>         dstid server2.domain
> ===
>
> ===
> # iked -dv
> set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/server2.domain
> ===
>
> Is the above an error to be concerned with? Doesn't the system know
> that its pubkey exists as /etc/iked/local.pub ?

It does. /etc/iked/pubkeys/fqdn/server2.domain is where the peer's public key
should be.

> Should /etc/iked/local.pub be copied to /etc/iked/pubkeys/fqdn/server2.domain ?
>
> (of course I'm using the actual fqdn of the systems in question and
> literally serverX.domain)
>
> No such error on the server1 example, although it seems that srcid is
> not checked for the pubkey as dstid is.
>
> Chris

From https://www.openbsd.org/faq/faq17.html:

Building Site-to-site VPNs

This can be achieved by exchanging the default-provided RSA public keys:
/etc/iked/local.pub on the first system ("server1") should be copied to
/etc/iked/pubkeys/fqdn/server1.domain on the second system ("server2").
Then, /etc/iked/local.pub on the second system should be copied to
/etc/iked/pubkeys/fqdn/server2.domain on the first. Replace "serverX.domain"
with your own FQDN.
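The "could not find pubkey" message above is iked reporting that no file exists at /etc/iked/pubkeys/fqdn/<dstid>, so the quickest way to catch a wrong dstid before starting the daemon is to check that path for every policy. The script below is an added example written for this page, not code from the thread or from OpenBSD: it pulls each dstid out of an iked.conf and checks for the matching key file under a pubkeys directory. The iked.conf it runs against is constructed sample data (the FAQ's server2 policy with dstid pointing at the peer, server1.domain), and the temporary directory and placeholder key file stand in for /etc/iked.

```shell
#!/bin/sh
# Added example, not part of the thread: a pre-flight check that every
# "dstid" named in an iked.conf has a matching peer public key file under
# <pubkeys dir>/fqdn/, which is the file iked looks for when it loads a
# policy. The iked.conf built in demo() is constructed sample data.

# list_dstids CONF: print the value following each "dstid" keyword.
# Comments are stripped first; backslash continuations do not matter
# because "dstid <id>" always sits on one physical line.
list_dstids() {
    awk '{ sub(/#.*/, ""); for (i = 1; i < NF; i++) if ($i == "dstid") print $(i + 1) }' "$1"
}

# check_pubkeys CONF PUBKEYDIR: print ok/missing per dstid; exit status 1
# if any key file is absent (the condition behind the "could not find
# pubkey" message in the thread).
check_pubkeys() {
    conf=$1
    keydir=$2
    rc=0
    for id in $(list_dstids "$conf"); do
        if [ -f "$keydir/fqdn/$id" ]; then
            echo "ok:      $keydir/fqdn/$id"
        else
            echo "missing: $keydir/fqdn/$id (copy the peer's /etc/iked/local.pub there)"
            rc=1
        fi
    done
    return "$rc"
}

# demo: run the check against a temporary directory standing in for
# /etc/iked, populated with the FAQ's server2 policy, the corrected dstid
# (server1.domain, the peer's name) and a constructed placeholder key file.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/pubkeys/fqdn"
    cat > "$tmp/iked.conf" <<'EOF'
# constructed sample: the FAQ's server2 policy with dstid set to the peer
ikev2 'server2_rsa' active esp \
        from 10.0.2.0/24 to 10.0.1.0/24 \
        peer 192.0.2.1 \
        dstid server1.domain
EOF
    echo "constructed-placeholder-key" > "$tmp/pubkeys/fqdn/server1.domain"
    check_pubkeys "$tmp/iked.conf" "$tmp/pubkeys"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo
```

On a real host you would call `check_pubkeys /etc/iked/iked.conf /etc/iked/pubkeys` instead of `demo`; a "missing" line for a dstid that names your own host rather than the peer is exactly the symptom discussed in this thread.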