Saturday, June 02, 2018

Is anyone able to use certificates with openbsd iked/ikev2 and Apple iOS (iphone)?

Hello

Last year (before about 3/27/2017 when "Add support for RFC4754 (ECDSA) and
RFC7427 authentication" diff was committed to current), I had set up and had
been able to connect iOS devices (iphone/ipad) to OpenBSD's iked, and have ikev2
VPNs happen, almost as if by magic.

Authentication was accomplished using certificates signed by a local authority
and then distributed to the iOS devices.

Since 3/27/17, this has not been working. I sent a couple of emails about this
last year (the initial one:
https://marc.info/?l=openbsd-bugs&m=149706080419488&w=2).

Over the last year, I have tried many things. Even though I don't know anything
about programming (or C), I tried making little changes to the iked source, all
without success. (Is that any surprise? No. I was amazed at times that my
changes even resulted in a program that would actually start up and run.)

I have tried creating several different CAs and certificates, using various
different algorithms (ECDSA and RSA, with varying key lengths), all without
success. For example, I just tried creating a CA and certificates with
ECDSA384/SHA2-384; I distribute those to the iOS device (which supports them),
but, iked will not accept them and create a tunnel.

In iked.conf, if I don't explicitly state something like "ecdsa384" as the
authentication method (and, this requires having a local copy of the public key
on the openbsd machine), iked falls back to rfc7427 for authentication, but it
appears that iOS does not support this (yet?).

I have been downgrading iked to a version before the 3/27/17 (every time I
update -current), and this still allows my old certificates to work. But, that
doesn't seem sustainable.

I have no idea how to proceed.

Has anyone been able to get -current (or at least, a snapshot after 3/27/17)
version of iked to work with any iOS devices using certificates successfully?

If so, I would really appreciate some advice on how it can be done.

Thanks
Ted
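As an added example (not part of Ted's post, and not the iked project's own code), here is the certificate setup the post describes, done end to end: an ECDSA P-384 / SHA-384 CA, a gateway certificate for the iked host, a client certificate and PKCS#12 bundle for the iPhone, the raw-public-key copy that an explicit `ecdsa384` method needs, and the matching iked.conf policy. The names `vpn.example.com` and `iphone.example.com`, the `10.1.0.0/24` pool, the name server, the transforms and the PKCS#12 password are all assumptions; the identities must match `srcid` on the iked side and the identifier fields of the iOS profile.

```shell
#!/bin/sh
# Added example, not from the original post: build an ECDSA P-384 / SHA-384 CA
# with gateway and iPhone certificates, then write the iked.conf policy and the
# pubkeys/ layout the post describes.  Hostnames, the address pool and the
# cipher suites are assumptions; they must match the iOS profile.
set -eu

SERVER_ID="vpn.example.com"     # assumed: srcid in iked.conf, SAN of gateway cert
CLIENT_ID="iphone.example.com"  # assumed: iOS identity, SAN of client cert
CA_NAME="Example VPN CA"        # assumed

# make_pki DIR: CA, gateway cert, client cert and client PKCS#12 in DIR.
make_pki() (
    mkdir -p "$1" && cd "$1"

    # Minimal req config so the script does not depend on the system openssl.cnf.
    cat > req.cnf <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl ecparam -name secp384r1 -genkey -noout -out ca.key
    openssl req -x509 -new -config req.cnf -extensions v3_ca -key ca.key \
        -sha384 -days 3650 -subj "/CN=$CA_NAME" -out ca.crt

    # Gateway cert: SAN must equal srcid; iOS expects serverAuth or the
    # IKE intermediate EKU (1.3.6.1.5.5.8.2.2) on the gateway certificate.
    cat > server.ext <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth,1.3.6.1.5.5.8.2.2
subjectAltName = DNS:$SERVER_ID
EOF
    openssl ecparam -name secp384r1 -genkey -noout -out server.key
    openssl req -new -config req.cnf -key server.key -sha384 \
        -subj "/CN=$SERVER_ID" -out server.csr
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -sha384 -days 825 -extfile server.ext -out server.crt

    # Client cert: SAN carries the ID the iPhone sends as its IKEv2 identity.
    cat > client.ext <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = DNS:$CLIENT_ID
EOF
    openssl ecparam -name secp384r1 -genkey -noout -out client.key
    openssl req -new -config req.cnf -key client.key -sha384 \
        -subj "/CN=$CLIENT_ID" -out client.csr
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -sha384 -days 825 -extfile client.ext -out client.crt

    # PKCS#12 for the iOS profile (with OpenSSL 3 add -legacy if an older
    # iOS refuses the import).  The password is a placeholder.
    openssl pkcs12 -export -inkey client.key -in client.crt -certfile ca.crt \
        -passout pass:changeit -out client.p12

    # Raw public key of the peer, in the /etc/iked/pubkeys/fqdn/<id> layout
    # that an explicit ecdsa384 method needs (the local copy the post mentions).
    mkdir -p pubkeys/fqdn
    openssl x509 -in client.crt -pubkey -noout > "pubkeys/fqdn/$CLIENT_ID"
)

# write_iked_conf FILE: responder policy with the explicit ecdsa384 method.
# Deleting that word leaves the rfc7427 default the post says iked falls
# back to.  Pool, name server and transforms are assumptions.
write_iked_conf() {
    cat > "$1" <<EOF
ikev2 "ios" passive esp \\
        from 0.0.0.0/0 to 10.1.0.0/24 \\
        local any peer any \\
        ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \\
        childsa enc aes-256 auth hmac-sha2-256 group modp2048 \\
        srcid $SERVER_ID \\
        ecdsa384 \\
        config address 10.1.0.0/24 \\
        config name-server 10.1.0.1 \\
        tag "ROADWARRIOR"
EOF
}

# check_pki DIR: 0 if both leaf certs chain to ca.crt and the gateway cert
# is signed with ecdsa-with-SHA384.
check_pki() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" "$1/client.crt" >/dev/null &&
    openssl x509 -in "$1/server.crt" -noout -text | grep -q 'ecdsa-with-SHA384'
}

# Usage: sh this.sh /tmp/ios-pki   (writes everything under that directory)
if [ $# -eq 1 ]; then
    make_pki "$1"
    write_iked_conf "$1/iked.conf"
    check_pki "$1" && echo "PKI and iked.conf written to $1"
fi
```

On the iked host the pieces go where iked(8) looks for them: `ca.crt` into `/etc/iked/ca/`, `server.crt` into `/etc/iked/certs/`, `server.key` as `/etc/iked/private/local.key`, and the `pubkeys/fqdn/` file under `/etc/iked/pubkeys/`; `client.p12` plus `ca.crt` go into the iOS profile. Running `iked -dv` in the foreground while the phone connects shows which authentication method and identity the two sides actually negotiate, which is the first thing to compare against the policy when a tunnel is refused.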
