Wednesday, March 31, 2021

iked Windows client using certificates?

Hello everyone

Just wanted to check my sanity after so many days. I have had an ikev2 setup working for a Windows machine for a long time using the following. So, to repeat, this works; it connects fine.

ikev2 passive esp \
from 0.0.0.0/0 to 10.0.5.0/24 \
peer any local 50.247.187.177 \
srcid 50.247.187.177 \
config address 10.0.5.0/24

Now I have a second Windows client with a different certificate that I also want to connect at the same time, but client B will disconnect client A. I believe I need to add a dstid to this config to make specific entries for each machine, using ASN1_DN such as this? Or is there a better way for clients with no fixed IP or FQDN?


ikev2 passive esp \
from 0.0.0.0/0 to 10.0.5.0/24 \
peer any local 50.247.187.177 \
srcid 50.247.187.177 \
dstid /C=US/ST=Illinois/L=HomeTown/O=OpenBSD/OU=iked/CN=myhostnameA.local/emailAddress=myemail@email.com \
config address 10.0.5.0/24

ikev2 passive esp \
from 0.0.0.0/0 to 10.0.5.0/24 \
peer any local 50.247.187.177 \
srcid 50.247.187.177 \
dstid /C=US/ST=Illinois/L=HomeTown/O=OpenBSD/OU=iked/CN=myhostnameB.local/emailAddress=myemail@email.com \
config address 10.0.5.0/24

The problem is that no dstid format I can find will work. Once I add dstid, it fails to connect each time. Can someone help me here? Shouldn't this be possible, or am I reading the man page wrong? I'm certain the spelling is correct and matches the cert. The breakdown appears to be around here:

Not working: iked -dvv with ASN1_DN dstid specified in iked.conf
ca_setauth: using SIG (RFC7427)
ca_setauth: auth length 393
ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG


Working: iked -dvv with no dstid specified in iked.conf
ca_setauth: switching SIG to RSA_SIG(*)
ca_setauth: auth length 393
ikev2_msg_auth: initiator auth data length 1156
ikev2_msg_authverify: method RSA_SIG keylen 1028 type X509_CERT
ikev2_msg_authverify: authentication successful


J
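The post's premise is that the dstid string matches the client certificate exactly. The following is an added example, not part of the original post and not OpenBSD's or iked's own code: a small shell script that builds a throwaway certificate carrying the DN quoted above and prints its subject in the slash-separated ASN1_DN form that iked.conf(5) uses for dstid (the string must start with a slash), so the policy's dstid can be compared byte-for-byte against what is actually in the certificate. It assumes a working openssl(1); the DN, file paths and the helper names are illustrative. It only checks the identity string; it does not explain the SIG versus RSA_SIG mismatch in the debug output, which is a separate question.

```shell
#!/bin/sh
# Added example (not from the original post or from iked): compare an
# iked.conf dstid string against the subject DN of a client certificate.
# Assumes openssl(1) is installed; DN, paths and function names are
# illustrative and not taken from the page.
set -eu

# DN copied from the post's first dstid line (assumed to be the DN in
# client A's certificate).
DN='/C=US/ST=Illinois/L=HomeTown/O=OpenBSD/OU=iked/CN=myhostnameA.local/emailAddress=myemail@email.com'

# make_test_cert DIR DN: write a self-signed throwaway cert/key pair into DIR.
# Only used so the DN-to-string round trip can be checked offline; a real
# deployment would use the client's actual certificate instead.
make_test_cert() {
    dir=$1
    dn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "$dn" -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        >/dev/null 2>&1
}

# cert_asn1_dn CERT: print the certificate subject as iked's ASN1_DN form,
# i.e. leading slash, no spaces, RDNs separated by '/'. '-nameopt compat'
# selects openssl's old slash-separated layout; the sed strips the
# "subject=" prefix (with or without a following space, depending on the
# openssl/LibreSSL version).
cert_asn1_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt compat |
        sed 's/^subject= *//'
}

# dstid_matches CERT DSTID: succeed only if the policy's dstid string is
# exactly the certificate subject. Any difference (case, ordering, a
# trailing space, a missing emailAddress RDN) is a mismatch.
dstid_matches() {
    [ "$(cert_asn1_dn "$1")" = "$2" ]
}

# demo: build the throwaway cert, show the DN as iked would need it, and
# report whether client A's and client B's dstid strings match it.
demo() {
    tmp=$(mktemp -d)
    make_test_cert "$tmp" "$DN"
    echo "cert subject as ASN1_DN: $(cert_asn1_dn "$tmp/cert.pem")"
    if dstid_matches "$tmp/cert.pem" "$DN"; then
        echo "dstid for client A: match"
    else
        echo "dstid for client A: MISMATCH"
    fi
    dn_b=$(printf '%s' "$DN" | sed 's/myhostnameA/myhostnameB/')
    if dstid_matches "$tmp/cert.pem" "$dn_b"; then
        echo "dstid for client B: match (unexpected)"
    else
        echo "dstid for client B: mismatch, as expected for client A's cert"
    fi
    rm -rf "$tmp"
}

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
demo
```

Run it against the real client certificate by pointing cert_asn1_dn at the exported PEM instead of the throwaway one; if the printed string differs from the dstid line in iked.conf in any character, iked cannot match the peer to that policy.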
