On Sat, Feb 22, 2020 at 12:50:27PM +0100, Klemens Nanni wrote:
> On Sat, Feb 22, 2020 at 12:24:36PM +0100, Klemens Nanni wrote:
> > On Sat, Feb 22, 2020 at 10:19:27AM +0100, Tobias Heider wrote:
> > > This is not what dstid does. When setting 'dstid D.example.com' the policy still
> > > only applies if the peer sends 'D.example.com' as its identity in the ID payload.
> > > Not setting dstid explicitly means iked will fall back to the value of "peer",
> > > which in your case would be the same: "D.example.com".
> > >
> > > Setting dstid is only necessary if you are using the IP address in the
> > > "peer" option but still want to use a FQDN as ID, which is really only the
> > > case with certificate authentication where the ID must match the
> > > subjectAltName.
> > I can double check yet again, but I'm pretty sure that setting dstid
> > was what made iked find the public key. So far, I have not used literal
> > IPs in my configuration - that I know for sure.
> Here is an example, you can verify what I observed by merely parsing
> the configuration with and without the `dstid' line.
>
> # find /etc/iked/pubkeys/ ! -type d -ls
> 104425 4 -rw-r--r-- 1 root wheel 800 Feb 10 19:36 /etc/iked/pubkeys/fqdn/D.example.com
>
> # cat /etc/iked.conf
> ikesa transport \
> proto gre
> from A.example.com to D.example.com \
> peer D.example.com \
> dstid D.example.com
> # iked -dnv
> ikev2 "policy1" passive transport esp proto gre inet6 from 1.2.3.4 to
> 5.6.7.8 from 2001::db8:1 to 2001::db8:2 local any peer 2001::db8:2 ikesa enc
> aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth
> hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc
> aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 esn,noesn dstid
> D.example.com lifetime 10800 bytes 536870912 rsa
> configuration OK
>
> # cat /etc/iked.conf
> ikesa transport \
> proto gre
> from A.example.com to D.example.com \
> peer D.example.com
> # iked -dnv
> set_policy: could not find pubkey for /etc/iked/pubkeys/ipv6/2001::db8:2
> ikev2 "policy1" passive transport esp proto gre inet6 from 1.2.3.4 to
> 5.6.7.8 from 2001::db8:1 to 2001::db8:2 local any peer 2001::db8:2 ikesa enc
> aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth
> hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc
> aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 esn,noesn lifetime 10800
> bytes 536870912 rfc7427
> configuration OK
>
> So my proposed wording is misleading or rather wrong since I did not
> set `dstid' due to whatever the peer sends but rather because iked is
> not able to find the corresponding public key in the first place.
It seems I was mistaken because I usually use IPs in local and peer. What I said is true for IPs. When using FQDNs for local/peer however, iked first does the name resolution and then uses the IP as default dstid value to look up the key... I still think using the actual value of peer would be the better dstid default, so maybe we should fix it in the code. What do you think?
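As an added example (not part of the thread and not iked's own code), a small sh helper that predicts which file under /etc/iked/pubkeys iked will try to open for a given peer/dstid pair, following the behaviour described above: an explicit dstid wins, an IP peer is used as-is, and an FQDN peer without dstid is looked up by its resolved address. It assumes iked's ipv4/ipv6/fqdn/ufqdn directory layout and takes the resolved address as an argument so it runs without DNS.

```shell
#!/bin/sh
# Added example: predict the pubkey path iked looks up for a policy.
# Assumption: key directories are ipv4/, ipv6/, fqdn/, ufqdn/ under PUBKEYS.
PUBKEYS=${PUBKEYS:-/etc/iked/pubkeys}

# is_ip ADDR: succeed if ADDR is an IPv4 or IPv6 literal
is_ip() {
    case "$1" in
        *:*) return 0 ;;            # IPv6 literals contain ':'
        *[!0-9.]*|'') return 1 ;;   # not dotted-decimal
        *) return 0 ;;
    esac
}

# key_dir ID: subdirectory matching the identity type of ID
key_dir() {
    case "$1" in
        *:*) echo ipv6 ;;
        *@*) echo ufqdn ;;
        *) if is_ip "$1"; then echo ipv4; else echo fqdn; fi ;;
    esac
}

# expected_pubkey PEER DSTID RESOLVED
#   DSTID is empty when not set in iked.conf. RESOLVED is the address that
#   name resolution yields for an FQDN peer (constructed input; empty for
#   an IP peer). Without dstid, an FQDN peer is resolved first and the
#   address becomes the default ID, so the key is expected under ipv4/ipv6.
expected_pubkey() {
    peer=$1 dstid=$2 resolved=$3
    if [ -n "$dstid" ]; then
        id=$dstid
    elif is_ip "$peer"; then
        id=$peer
    else
        id=$resolved
    fi
    printf '%s/%s/%s\n' "$PUBKEYS" "$(key_dir "$id")" "$id"
}

# check_pubkey PEER DSTID RESOLVED: succeed if the key iked wants exists
check_pubkey() {
    path=$(expected_pubkey "$@")
    if [ -f "$path" ]; then
        echo "ok: $path"
    else
        echo "missing: $path (iked would log 'could not find pubkey for $path')"
        return 1
    fi
}
```

Run it against a policy before `iked -dnv`; a "missing" result for an FQDN peer with no dstid is exactly the set_policy failure shown in the quoted output.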
