On Sat, Feb 22, 2020 at 12:24:36PM +0100, Klemens Nanni wrote:
> On Sat, Feb 22, 2020 at 10:19:27AM +0100, Tobias Heider wrote:
> > This is not what dstid does. When setting 'dstid D.example.com' the policy
> > still only applies if the peer sends 'D.example.com' as its identity in the
> > ID payload.
> > Not setting dstid explicitly means iked will fall back to the value of
> > "peer", which in your case would be the same: "D.example.com".
> > 
> > Setting dstid is only necessary if you are using the IP address in the
> > "peer" option but still want to use a FQDN as ID, which is really only the
> > case with certificate authentication where the ID must match the
> > subjectAltName.
> I can double check yet again, but I'm pretty sure that setting dstid
> was what made iked find the public key.  So far, I have not used literal
> IPs in my configuration - that I know for sure.
Here is an example; you can verify what I observed by merely parsing
the configuration with and without the `dstid' line.

        # find /etc/iked/pubkeys/ ! -type d -ls
        104425    4 -rw-r--r--    1 root     wheel         800 Feb 10 19:36 /etc/iked/pubkeys/fqdn/D.example.com

        # cat /etc/iked.conf
        ikev2 transport \
                proto gre \
                from A.example.com to D.example.com \
                peer D.example.com \
                dstid D.example.com
        # iked -dnv
        ikev2 "policy1" passive transport esp proto gre inet6 from 1.2.3.4 to 5.6.7.8 from 2001::db8:1 to 2001::db8:2 local any peer 2001::db8:2 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 esn,noesn dstid D.example.com lifetime 10800 bytes 536870912 rsa
        configuration OK

        # cat /etc/iked.conf
        ikev2 transport \
                proto gre \
                from A.example.com to D.example.com \
                peer D.example.com
        # iked -dnv
        set_policy: could not find pubkey for /etc/iked/pubkeys/ipv6/2001::db8:2
        ikev2 "policy1" passive transport esp proto gre inet6 from 1.2.3.4 to 5.6.7.8 from 2001::db8:1 to 2001::db8:2 local any peer 2001::db8:2 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 esn,noesn lifetime 10800 bytes 536870912 rfc7427
        configuration OK

So my proposed wording is misleading or rather wrong since I did not
set `dstid' due to whatever the peer sends but rather because iked is
not able to find the corresponding public key in the first place.

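
As an added example (not part of the thread and not iked's own code): a small sh script that takes an IKEv2 identity, as given by `dstid' or as the resolved `peer' address when `dstid' is absent, maps it to the pubkey file that iked(8) would look up under /etc/iked/pubkeys/<type>/<id> (the ipv4/, ipv6/, fqdn/ and ufqdn/ layout documented in iked(8)), and reports whether that file exists. This reproduces the difference between the two parses above: "D.example.com" resolves to fqdn/D.example.com, which is present, while "2001::db8:2" resolves to ipv6/2001::db8:2, which is not. The id_type classification and the PUBKEYDIR override are this example's own assumptions, not iked's logic.

```shell
#!/bin/sh
# Added example: map an IKEv2 identity to the pubkey path iked(8) looks for
# and say whether it is present. PUBKEYDIR is an assumption of this script
# so it can be pointed at a scratch directory for testing.
PUBKEYDIR="${PUBKEYDIR:-/etc/iked/pubkeys}"

# Assumed classification of an identity string into iked's pubkey
# directories: user@host -> ufqdn, contains ':' -> ipv6,
# dotted quad -> ipv4, anything else -> fqdn.
id_type() {
    case "$1" in
        *@*) echo ufqdn ;;
        *:*) echo ipv6 ;;
        *)
            if printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
                echo ipv4
            else
                echo fqdn
            fi
            ;;
    esac
}

# Full path of the pubkey file for the given identity.
pubkey_path() {
    printf '%s/%s/%s\n' "$PUBKEYDIR" "$(id_type "$1")" "$1"
}

# Exit 0 and print the path if the pubkey is present, else exit 1 with the
# path iked would have failed to find (compare the set_policy message above).
check_pubkey() {
    p=$(pubkey_path "$1")
    if [ -f "$p" ]; then
        echo "ok: $p"
        return 0
    fi
    echo "could not find pubkey for $p"
    return 1
}

# Usage: check-pubkey.sh ID [ID ...]
if [ $# -gt 0 ]; then
    for id in "$@"; do
        check_pubkey "$id"
    done
fi
```

Run it with the identity you expect the policy to use, for example `sh check-pubkey.sh D.example.com 2001::db8:2`; a "could not find pubkey" line tells you which file iked -dnv will complain about before you restart the daemon.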