Thursday, April 04, 2019

Re: Is anyone able to use certificates with openbsd iked/ikev2 and Apple iOS (iphone)?

Hi Ted,

On 6/2/18 12:26 PM, Theodore Wynnychenko wrote:
> Hello
>
> Last year (before about 3/27/2017 when "Add support for RFC4754 (ECDSA) and
> RFC7427 authentication" diff was committed to current), I had set up and had
> been able to connect iOS devices (iphone/ipad) to OpenBSD's iked, and have ikev2
> VPNs happen, almost as if by magic.
>
> Authentication was accomplished using certificates signed by a local authority
> and then distributed to the iOS devices.
>
> Since 3/27/17, this has not been working. I sent a couple of emails about this
> last year (the initial one:
> https://marc.info/?l=openbsd-bugs&m=149706080419488&w=2).
>
> Over the last year, I have tried many things. Even though I don't know anything
> about programming (or C), I tried making little changes to the iked source, all
> without success. (Is that any surprise? No. I was amazed at times that my
> changes even resulted in a program that would actually start up and run.)
>
> I have tried creating several different CAs and certificates, using various
> different algorithms (ECDSA and RSA, with varying key lengths), all without
> success. For example, I just tried creating a CA and certificates with
> ECDSA384/SHA2-384; I distribute those to the iOS device (which supports them),
> but, iked will not accept them and create a tunnel.
>
> In iked.conf, if I don't explicitly state something like "ecdsa384" as the
> authentication method (and, this requires having a local copy of the public key
> on the openbsd machine), iked falls back to rfc7427 for authentication, but it
> appears that iOS does not support this (yet?).
>
> I have been downgrading iked to a version before the 3/27/17 (every time I
> update -current), and this still allows my old certificates to work. But, that
> doesn't seem sustainable.
>
> I have no idea how to proceed.
>
> Has anyone been able to get -current (or at least, a snapshot after 3/27/17)
> version of iked to work with any iOS devices using certificates successfully?
>
> If so, I would really appreciate some advice on how it can be done.
>
> Thanks
> Ted

Last night I tried to set up my iPad for the first time and ran into a
similar issue. Today I remembered writing a patch for a similar issue
after RFC7427 was added:

https://marc.info/?l=openbsd-tech&m=149499973130985

After applying this, and adding the `rsa' ikeauth parameter to the
policy, the iPad successfully connected.

Can you try applying that patch and see if it resolves your issue? If
it also works for you, I'll reply on that thread and see if anyone wants
to opine on the patch.

-TimS

--
Tim Stewart
tim@stoo.org
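For readers who want to see where the `ikeauth' parameter mentioned above sits in a policy, here is an added example iked.conf road-warrior policy (not from this thread, the patch, or the OpenBSD project) that pins the authentication method to rsa instead of leaving iked to fall back to rfc7427. The policy name, network ranges, srcid and tag are assumptions.

```conf
# Added example, not part of the mailing-list thread.
# A passive (responder) policy for mobile clients authenticating with
# certificates. The key line is "ikeauth rsa": it selects RSA certificate
# authentication explicitly so iked does not fall back to the rfc7427
# method that the thread reports iOS clients do not complete.
# Names and addresses below are assumed placeholders.
ikev2 "ios-clients" passive esp \
        from 0.0.0.0/0 to 10.10.10.0/24 \
        local egress peer any \
        ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
        srcid vpn.example.org \
        ikeauth rsa \
        config address 10.10.10.0/24 \
        config name-server 10.10.10.1 \
        tag "ROADW"
```

The client certificate presented by the iOS device is validated against the CA in /etc/iked/ca, and the server's own certificate and key live under /etc/iked/certs and /etc/iked/private as usual; if you instead issued ECDSA certificates, replace rsa with the matching ecdsa256/ecdsa384/ecdsa521 keyword the thread mentions.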
