Tuesday, July 30, 2024

Re: iked authentication logging ?

On Jul 30, 2024, at 20:34, Stuart Henderson <stu@spacehopper.org> wrote:

> On 2024/07/30 20:19, J Doe wrote:
>> On 2024-07-30 19:39, Stuart Henderson wrote:
>>
>>> On 2024-07-30, J Doe <general@nativemethods.com> wrote:
>>>> As a result of continuing to experiment with my configuration, I ran
>>>> into a new issue.  I followed the instructions in the OpenBSD FAQ[0] for
>>>> an X.509 configuration - in particular the following (with hostnames for
>>>> my server and Mac):
>>>>
>>>>      server1# ikectl ca vpn certificate client1.domain create
>>>>      server1# cp /etc/ssl/vpn/client1.domain.crt /etc/iked/certs/
>>>>      server1# ikectl ca vpn certificate client1.domain export
>>>
>>> BTW this is a shortcut that ikectl implements to make things easy,
>>> although it does mean that the client's "private" key actually ends
>>> up on the server.
>>>
>>> The traditional way of doing this is exactly like an X509 cert for a
>>> web server, i.e. the client generates a private key and cert signing
>>> request, the key is never transferred off the machine, only the CSR
>>> which is taken to the CA. The CA then uses that to produce a cert
>>> which is signed by the CA and sent back.
>>>
>>> See the X.509 AUTHENTICATION section in isakmpd(8) for some gory
>>> details which are mostly hidden if you use "ikectl ca".
>>>
>>>>      server1# tar -C /tmp -xzf client1.domain.tgz *pfx
>>>>      server1# cp /tmp/export/client1.domain.pfx \
>>>>          /var/www/htdocs/client1.domain.pfx
>>>>
>>>> ...so on my OpenBSD server I have the client's X.509 certificate and the
>>>> CA certificate at: /etc/iked/certs.
>>>>
>>>> I then removed the _client_ certificate from this location on the server
>>>> and attempted connecting from the Mac and it authenticated.
>>>>
>>>> My new question is - shouldn't the server reject an X.509 authentication
>>>> attempt if the _client_ certificate is not on the server?
>>>
>>> No, that's not how it is expected to work, you don't need the client cert
>>> on the server, just a way to validate that it's correct (by checking the
>>> CA's signature and, IIUC, checking the subjectAltName against srcid).
>>
>> Hi Stuart,
>>
>> Thanks for your reply.
>>
>> Ok, I will make a note to read through the X.509 AUTHENTICATION section
>> in: man 8 isakmpd.
>>
>> In regards to your last paragraph, where you state:
>>
>>    "... just a way to validate that it's correct (by checking the CA's
>>    signature ..."
>>
>> ... does that mean if I remove my: ca.crt file from: /etc/iked/ca on the
>> _server_ that the client should _not_ be able to authenticate, or is
>> validating the CA's signature not dependent on that?
>
> As far as I know that's correct, I don't think there's anywhere else
> that it should be picking up the CA cert from.

Hi,

Interesting.  I moved the: ca.crt file from: /etc/iked/ca on the server to the home directory and re-started iked and the client is still able to authenticate.

Is it possible that iked can authenticate the client based on the server certificate? In my iked.conf configuration it is specified via:

   srcid server.home.arpa

… and the server certificate: server.home.arpa.crt is stored in: /etc/iked/certs on the server.

Is it possible that the: ca.crt is bundled in there and that is what it is using in the absence of: /etc/iked/ca/ca.crt?

Thanks again,

- J
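The CSR-based enrollment Stuart describes, and the two checks he names (CA signature, subjectAltName against srcid), as an added example that is not from this thread or from OpenBSD's ikectl: plain openssl in a scratch directory, with constructed names that mirror the thread. It also shows that a copy of the client certificate by itself, with no CA certificate, cannot validate anything, which is the point behind the question about removing files from /etc/iked/certs and /etc/iked/ca.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenBSD's ikectl: the CSR-based
# enrollment Stuart describes, done with plain openssl in a scratch directory,
# followed by checks of which file a verifier actually needs.
set -e
WORK=$(mktemp -d)

# CA side. Names are constructed to mirror the thread (CA "vpn", client1.domain).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=vpn" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Client side: the private key is generated here and never leaves; only the
# CSR is handed to the CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=client1.domain" \
  -keyout "$WORK/client1.key" -out "$WORK/client1.csr" 2>/dev/null

# CA side: sign the CSR, adding a subjectAltName so a verifier can match it
# against the identity the client presents (iked's srcid).
printf 'subjectAltName=DNS:client1.domain\n' > "$WORK/ext.cnf"
openssl x509 -req -in "$WORK/client1.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
  -extfile "$WORK/ext.cnf" -out "$WORK/client1.crt" 2>/dev/null

# Validate the client cert with only the CA cert as trust anchor (the role
# /etc/iked/ca/ca.crt plays): prints "valid" or "rejected".
verify_with_ca() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/client1.crt" >/dev/null 2>&1
  then echo valid; else echo rejected; fi
}

# Holding only a copy of the client cert itself (the /etc/iked/certs/ role)
# proves nothing: without the CA cert no chain to a trust anchor can be built.
verify_with_client_cert_only() {
  if openssl verify -CAfile "$WORK/client1.crt" "$WORK/client1.crt" >/dev/null 2>&1
  then echo valid; else echo rejected; fi
}

# Second half of the check Stuart mentions: does the cert's SAN carry the
# identity ($1) the peer claims as srcid? Prints "match" or "mismatch".
san_matches_srcid() {
  if openssl x509 -in "$WORK/client1.crt" -noout -text | grep -q "DNS:$1"
  then echo match; else echo mismatch; fi
}

echo "CA cert as trust anchor: $(verify_with_ca)"
echo "client cert only:        $(verify_with_client_cert_only)"
echo "SAN vs client1.domain:   $(san_matches_srcid client1.domain)"
```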
