Hi,
Thanks for replying. Answer below.
On 2023-04-07 16:45, Thomas Bohl wrote:
> Hello,
>
>> ikev2 "vpn" passive esp \
>> from dynamic to 185.21.22.23/32 \
>> local egress peer any \
>> ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group
>> modp2048 \
>> childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
>> srcid 185.21.22.23 \
>> dstid p7.local \
>> config address 172.24.24.0/24 \
>> config name-server 172.24.24.1 \
>>
>
>
>> Any ideas / working config for a dynamic client hosting an iked on a
>> VPS?
>
> When using certificates I always use ASN1_DN for srcid and dstid. It
> should look something like this:
>
> srcid "/C=DE/ST=Lower
> Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=185.21.22.23/emailAddress=reyk@openbsd.org
> " \
> dstid "/C=DE/ST=Lower
> Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=p7.local/emailAddress=reyk@openbsd.org"
> \
>
> (I have never used "ikectl ca", so I'm not sure what the files are
> called. But with something like this you should be able to get the
> srcid/dstid lines:
> openssl x509 -subject -noout -in 185.21.22.23.crt
> openssl x509 -subject -noout -in p7.local.crt)
----
Hi,
I could successfully get the name from the certificate, as suggested:
myhost# openssl x509 -subject -noout -in
/etc/iked/certs/185.21.22.23.crt
subject= /C=DE/ST=Lower
Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=185.21.22.23/emailAddress=reyk@openbsd.org
myhost#
myhost#
----
... and updated /etc/iked.conf accordingly:
ikev2 "vpn" passive esp \
from dynamic to 185.21.22.23/32 \
local egress peer any \
ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group
modp2048 \
childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
srcid "/C=DE/ST=Lower
Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=185.21.22.23/emailAddress=reyk@openbsd.org
" \
dstid "/C=DE/ST=Lower
Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=p7.local/emailAddress=reyk@openbsd.org"
\
config address 172.24.24.0/24 \
config name-server 172.24.24.1 \
----
myhost# iked -d -v
ikev2 "vpn" passive tunnel esp inet from 0.0.0.0 to 185.21.22.23/32
local 185.21.22.23 peer any ikesa enc aes-256 prf hmac-sha2-256 auth
hmac-sha2-256 group modp2048 childsa enc aes-256 auth hmac-sha2-256
group modp2048 esn noesn srcid /C=DE/ST=Lower
Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=185.21.22.23/emailAddress=reyk@openbsd.org
dstid /C=DE/ST=Lower
Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=p7.local/emailAddress=reyk@openbsd.org
lifetime 10800 bytes 4294967296 signature config address 172.24.24.0
config name-server 172.24.24.1
spi=0x5e92324a01d56a7b: recv IKE_SA_INIT req 0 peer 189.11.12.13:8389
local 185.21.22.23:500, 604 bytes, policy 'vpn'
spi=0x5e92324a01d56a7b: send IKE_SA_INIT res 0 peer 189.11.12.13:8389
local 185.21.22.23:500, 473 bytes
spi=0x5e92324a01d56a7b: recv IKE_AUTH req 1 peer 189.11.12.13:8390 local
185.21.22.23:4500, 496 bytes, policy 'vpn'
spi=0x5e92324a01d56a7b: ikev2_ike_auth_recv: no compatible policy found
spi=0x5e92324a01d56a7b: ikev2_send_auth_failed: authentication failed
for
spi=0x5e92324a01d56a7b: send IKE_AUTH res 1 peer 189.11.12.13:8390 local
185.21.22.23:4500, 80 bytes, NAT-T
spi=0x5e92324a01d56a7b: sa_free: authentication failed
spi=0xa5460ef7687cbbc8: recv IKE_SA_INIT req 0 peer 189.11.12.13:8389
local 185.21.22.23:500, 604 bytes, policy 'vpn'
spi=0xa5460ef7687cbbc8: send IKE_SA_INIT res 0 peer 189.11.12.13:8389
local 185.21.22.23:500, 473 bytes
spi=0xa5460ef7687cbbc8: recv IKE_AUTH req 1 peer 189.11.12.13:8390 local
185.21.22.23:4500, 496 bytes, policy 'vpn'
spi=0xa5460ef7687cbbc8: ikev2_ike_auth_recv: no compatible policy found
spi=0xa5460ef7687cbbc8: ikev2_send_auth_failed: authentication failed
for
spi=0xa5460ef7687cbbc8: send IKE_AUTH res 1 peer 189.11.12.13:8390 local
185.21.22.23:4500, 80 bytes, NAT-T
spi=0xa5460ef7687cbbc8: sa_free: authentication failed
^Cikev2 exiting, pid 73990
control exiting, pid 75201
ca exiting, pid 38355
parent terminating
myhost#
----
If anyone has a working setup for an iPhone via 4G (dynamic) connecting to
a VPS (fixed IP), it would be much appreciated.
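An added triage helper, not from this thread or from iked itself: it groups `iked -d -v` lines by IKE SA (the spi= prefix) and reports which peers got through IKE_SA_INIT, reached IKE_AUTH and were then rejected with "no compatible policy found" (which iked logs when no policy matches the identities the peer presented). The sample log is constructed from the lines quoted above, unwrapped onto single lines.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of the iked -d -v output quoted in this thread.
SAMPLE_LOG = """\
spi=0x5e92324a01d56a7b: recv IKE_SA_INIT req 0 peer 189.11.12.13:8389 local 185.21.22.23:500, 604 bytes, policy 'vpn'
spi=0x5e92324a01d56a7b: send IKE_SA_INIT res 0 peer 189.11.12.13:8389 local 185.21.22.23:500, 473 bytes
spi=0x5e92324a01d56a7b: recv IKE_AUTH req 1 peer 189.11.12.13:8390 local 185.21.22.23:4500, 496 bytes, policy 'vpn'
spi=0x5e92324a01d56a7b: ikev2_ike_auth_recv: no compatible policy found
spi=0x5e92324a01d56a7b: ikev2_send_auth_failed: authentication failed for
spi=0x5e92324a01d56a7b: send IKE_AUTH res 1 peer 189.11.12.13:8390 local 185.21.22.23:4500, 80 bytes, NAT-T
spi=0x5e92324a01d56a7b: sa_free: authentication failed
spi=0xa5460ef7687cbbc8: recv IKE_SA_INIT req 0 peer 189.11.12.13:8389 local 185.21.22.23:500, 604 bytes, policy 'vpn'
spi=0xa5460ef7687cbbc8: send IKE_SA_INIT res 0 peer 189.11.12.13:8389 local 185.21.22.23:500, 473 bytes
spi=0xa5460ef7687cbbc8: recv IKE_AUTH req 1 peer 189.11.12.13:8390 local 185.21.22.23:4500, 496 bytes, policy 'vpn'
spi=0xa5460ef7687cbbc8: ikev2_ike_auth_recv: no compatible policy found
spi=0xa5460ef7687cbbc8: sa_free: authentication failed
"""

LINE_RE = re.compile(r"^spi=(0x[0-9a-f]+): (.*)$")
PEER_RE = re.compile(r"peer (\S+) local \S+")
POLICY_RE = re.compile(r"policy '([^']+)'")
REASON_RE = re.compile(r"ikev2_ike_auth_recv: (.+)")

def summarize_sas(log_text):
    """Group iked debug lines per IKE SA and record how far each exchange got."""
    sas = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        spi, msg = m.groups()
        sa = sas.setdefault(spi, {"peer": None, "policy": None, "stages": [],
                                  "reason": None, "nat_t": False})
        pm = PEER_RE.search(msg)
        if pm and sa["peer"] is None:
            # Keep only the address; the source port changes after NAT-T (500 -> 4500).
            sa["peer"] = pm.group(1).rsplit(":", 1)[0]
        pol = POLICY_RE.search(msg)
        if pol:
            sa["policy"] = pol.group(1)
        if msg.startswith("recv IKE_SA_INIT"):
            sa["stages"].append("IKE_SA_INIT")
        elif msg.startswith("recv IKE_AUTH"):
            sa["stages"].append("IKE_AUTH")
        if "NAT-T" in msg:
            sa["nat_t"] = True
        rm = REASON_RE.match(msg)
        if rm:
            sa["reason"] = rm.group(1)
    return sas

def policy_mismatch_peers(sas):
    """Peers that completed IKE_SA_INIT, sent IKE_AUTH, and were rejected for lack of a matching policy."""
    return sorted({sa["peer"] for sa in sas.values()
                   if "IKE_AUTH" in sa["stages"] and sa["reason"] == "no compatible policy found"})
```

A peer listed by `policy_mismatch_peers` is one to check for an IDi/IDr that differs from the srcid/dstid lines in iked.conf, since the proposals themselves were already accepted during IKE_SA_INIT.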