Hi,
we currently generate one pair of 2048 bit RSA keys for isakmpd and iked by
default on new installations. In 2022 this seems a little outdated and iked
has had proper support for EC keys for quite some time now, so I propose we
switch to P-256 ECDSA keys by default.
It looks like isakmpd does not support ECDSA, so we will have to generate
a separate pair of keys for iked. I think we should also consider updating
the isakmpd keys to RSA 4096 but I don't have a test setup to see if this
would cause any interop problems.
ok?
diff --git a/etc/rc b/etc/rc
index 480e55f07c4..5528e888396 100644
--- a/etc/rc
+++ b/etc/rc
@@ -139,7 +139,7 @@ make_keys() {
local _iked_pub=/etc/iked/local.pub
if [[ ! -f $_isakmpd_key ]]; then
- echo -n "openssl: generating isakmpd/iked RSA keys... "
+ echo -n "openssl: generating isakmpd RSA keys... "
if openssl genrsa -out $_isakmpd_key 2048 >/dev/null 2>&1 &&
chmod 600 $_isakmpd_key &&
openssl rsa -out $_isakmpd_pub -in $_isakmpd_key \
@@ -151,10 +151,15 @@ make_keys() {
fi
if [[ ! -f $_iked_key ]]; then
- # Just copy the generated isakmpd key
- cp $_isakmpd_key $_iked_key
- chmod 600 $_iked_key
- cp $_isakmpd_pub $_iked_pub
+ echo -n "openssl: generating iked ECDSA keys... "
+ if openssl ecparam -genkey -name prime256v1 -out $_iked_key
>/dev/null 2>&1 &&
+ chmod 600 $_iked_key &&
+ openssl ec -out $_iked_pub -in $_iked_key \
+ -pubout >/dev/null 2>&1; then
+ echo done.
+ else
+ echo failed.
+ fi
fi
ssh-keygen -A
