Re: issue with IKEv2 setup

2020-06-03 Thread Tobias Heider
On Wed, Jun 03, 2020 at 02:07:52PM -0400, Sonic wrote:
> On Wed, Jun 3, 2020 at 1:49 PM Tobias Heider wrote:
> > It does.  /etc/iked/pubkeys/fqdn/server2.domain is where the peer's public key
> > should be.
> 
> The peer's public key is there, the peer, as far as I can tell is
> server1.domain, yet the example shows server2.domain.
> 

Ah true, there seems to be a typo in the faq.
Try setting dstid to 'server1.domain'.



Re: issue with IKEv2 setup

2020-06-03 Thread Sonic
On Wed, Jun 3, 2020 at 1:49 PM Tobias Heider wrote:
> It does.  /etc/iked/pubkeys/fqdn/server2.domain is where the peer's public key
> should be.

The peer's public key is there, the peer, as far as I can tell is
server1.domain, yet the example shows server2.domain.



Re: issue with IKEv2 setup

2020-06-03 Thread Tobias Heider
On Wed, Jun 03, 2020 at 01:09:02PM -0400, Sonic wrote:
> Following the FAQ at https://www.openbsd.org/faq/faq17.html I ran into
> the following problem with the server2 example:
> ===
> ikev2 'server2_rsa' active esp \
> from 10.0.2.0/24 to 10.0.1.0/24 \
> peer 192.0.2.1 \
> dstid server2.domain
> ===
> 
> ===
> # iked -dv
> set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/server2.domain
> ===
> 
> Is the above an error to be concerned with? Doesn't the system know
> that its pubkey exists as /etc/iked/local.pub ?

It does.  /etc/iked/pubkeys/fqdn/server2.domain is where the peer's public key
should be.

> 
> Should /etc/iked/local.pub be copied to /etc/iked/pubkeys/fqdn/server2.domain ?
> 
> (of course I'm using the actual fqdn of the systems in question and
> literally serverX.domain)
> 
> No such error on the server1 example, although it seems that srcid is
> not checked for the pubkey as dstid is.
> 
> Chris
> 

From https://www.openbsd.org/faq/faq17.html:

Building Site-to-site VPNs

This can be achieved by exchanging the default-provided RSA public keys:
/etc/iked/local.pub on the first system ("server1") should be copied to
/etc/iked/pubkeys/fqdn/server1.domain on the second system ("server2").
Then, /etc/iked/local.pub on the second system should be copied to
/etc/iked/pubkeys/fqdn/server2.domain on the first.
Replace "serverX.domain" with your own FQDN.
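The key exchange the FAQ excerpt above describes, together with the dstid fix from the top of the thread, as an added example that is not part of the thread or of the OpenBSD FAQ. The script builds iked(8)-style directory trees for two hypothetical hosts under a scratch directory, exchanges their public keys the way the FAQ says, writes each side's site-to-site policy with dstid set to the peer's FQDN, and reproduces the pubkeys/fqdn/<dstid> lookup behind the set_policy warning. Host names, networks, the 192.0.2.x addresses and the key contents are assumptions; the keys are constructed placeholders, not real RSA keys.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenBSD FAQ.
# Builds two iked-style trees (server1, server2), swaps their public keys,
# writes both policies with dstid = the PEER's FQDN, and checks the file
# iked resolves for dstid. Names, addresses and key bodies are assumptions.

# Copy the peer's local.pub into our pubkeys/fqdn/<peer fqdn>.
# $1: this host's iked dir  $2: peer's iked dir  $3: peer's FQDN
install_peer_pubkey() {
    mkdir -p "$1/pubkeys/fqdn"
    cp "$2/local.pub" "$1/pubkeys/fqdn/$3"
    chmod 0644 "$1/pubkeys/fqdn/$3"   # it is a public key; readable is fine
}

# Write a one-policy iked.conf. srcid is our own FQDN (the name the peer
# stored our key under); dstid is the peer's FQDN (the name we stored the
# peer's key under).
# $1: iked dir  $2: policy name  $3: local net  $4: remote net
# $5: peer address  $6: our FQDN  $7: peer FQDN
write_policy() {
    cat > "$1/iked.conf" <<EOF
ikev2 '$2' active esp \\
    from $3 to $4 \\
    peer $5 \\
    srcid $6 \\
    dstid $7
EOF
}

# Path iked resolves for the policy's dstid: <iked dir>/pubkeys/fqdn/<dstid>.
dstid_pubkey_path() {
    dstid=$(sed -n 's/.*dstid[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1/iked.conf")
    printf '%s/pubkeys/fqdn/%s\n' "$1" "$dstid"
}

# The check set_policy makes at load time: true when the dstid key exists.
has_dstid_pubkey() {
    [ -f "$(dstid_pubkey_path "$1")" ]
}

# Build server1 and server2 under $1, each with a constructed placeholder
# local.pub, then exchange the keys and write both policies.
setup_pair() {
    for h in server1 server2; do
        mkdir -p "$1/$h"
        printf '%s\n%s\n%s\n' '-----BEGIN PUBLIC KEY-----' \
            "placeholder for $h.domain (constructed, not a real key)" \
            '-----END PUBLIC KEY-----' > "$1/$h/local.pub"
    done
    install_peer_pubkey "$1/server1" "$1/server2" server2.domain
    install_peer_pubkey "$1/server2" "$1/server1" server1.domain
    write_policy "$1/server1" server1_rsa 10.0.1.0/24 10.0.2.0/24 192.0.2.2 server1.domain server2.domain
    write_policy "$1/server2" server2_rsa 10.0.2.0/24 10.0.1.0/24 192.0.2.1 server2.domain server1.domain
}

# Stand-alone run: show which key file each side's policy resolves to.
base=$(mktemp -d)
setup_pair "$base"
for h in server1 server2; do
    if has_dstid_pubkey "$base/$h"; then
        printf '%s: found %s\n' "$h" "$(dstid_pubkey_path "$base/$h")"
    else
        printf '%s: could not find pubkey for %s\n' "$h" "$(dstid_pubkey_path "$base/$h")"
    fi
done
rm -rf "$base"
```

The direction of the lookup is what the thread turns on: a policy's dstid is the identity we expect the peer to present, so iked resolves pubkeys/fqdn/<dstid> when it loads the policy and warns if the file is missing. srcid is our own identity, sent to the peer, which the peer in turn uses to find our key under its pubkeys/fqdn/, so nothing is checked locally for it. With the FAQ's server2 example, dstid server2.domain points at the host's own name, and the file that name implies was never installed, hence the warning; dstid server1.domain names the file that the key exchange actually created.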