Friday, April 07, 2023

Re: Cannot connect to iked, authenticate fails

Hello,

> ikev2 "vpn" passive esp \
>         from dynamic to 185.21.22.23/32 \
>         local egress peer any \
>         ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
>         childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
>         srcid 185.21.22.23 \
>         dstid p7.local \
>         config address 172.24.24.0/24 \
>         config name-server 172.24.24.1 \

> Any ideas / working config for a dynamic client hosting an iked on a VPS?

When using certificates I always use ASN1_DN for srcid and dstid. It
should look something like this:

srcid "/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=185.21.22.23/emailAddress=reyk@openbsd.org" \
dstid "/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=p7.local/emailAddress=reyk@openbsd.org" \

(I have never used "ikectl ca", so I'm not sure what the files are called.
But with something like this you should be able to get the srcid/dstid lines:

openssl x509 -subject -noout -in 185.21.22.23.crt
openssl x509 -subject -noout -in p7.local.crt)
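As an added example (not from the original thread), a small POSIX sh helper that turns the subject line printed by `openssl x509 -subject -noout` into the slash-separated ASN1_DN form used in the srcid/dstid lines above. It assumes a newer OpenSSL that prints the one-line `C = DE, ST = Lower Saxony, ...` format and also accepts the older `/C=DE/ST=...` output; DN values containing a comma would need manual handling.

```shell
#!/bin/sh
# Added example: derive iked.conf ASN1_DN ids from openssl's subject output.
# Newer OpenSSL prints:  subject=C = DE, ST = Lower Saxony, ..., CN = p7.local
# Older OpenSSL printed: subject= /C=DE/ST=Lower Saxony/.../CN=p7.local
# iked.conf wants:       "/C=DE/ST=Lower Saxony/.../CN=p7.local"

subject_to_asn1dn() {
    # $1: one subject line as printed by `openssl x509 -subject -noout`
    printf '%s\n' "$1" \
      | sed -e 's|^subject= *||'   `# drop the "subject=" prefix` \
            -e 's| *= *|=|g'       `# "C = DE" -> "C=DE", keeps spaces inside values` \
            -e 's|, *|/|g'         `# RDN separator ", " -> "/"` \
            -e 's|^\([^/]\)|/\1|'  `# ensure exactly one leading slash`
}

iked_id_lines() {
    # $1: subject line of the local certificate, $2: subject line of the peer's
    # Emits the two lines to paste into the ikev2 block (trailing backslashes kept).
    printf 'srcid "%s" \\\n' "$(subject_to_asn1dn "$1")"
    printf 'dstid "%s" \\\n' "$(subject_to_asn1dn "$2")"
}

# Usage with real certificates (file names are the ones from the thread):
#   iked_id_lines "$(openssl x509 -subject -noout -in 185.21.22.23.crt)" \
#                 "$(openssl x509 -subject -noout -in p7.local.crt)"

# Constructed sample input so the script runs offline:
SAMPLE_LOCAL='subject=C = DE, ST = Lower Saxony, L = Hanover, O = OpenBSD, OU = iked, CN = 185.21.22.23, emailAddress = reyk@openbsd.org'
SAMPLE_PEER='subject=C = DE, ST = Lower Saxony, L = Hanover, O = OpenBSD, OU = iked, CN = p7.local, emailAddress = reyk@openbsd.org'
iked_id_lines "$SAMPLE_LOCAL" "$SAMPLE_PEER"
```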
