Sunday, July 07, 2024

Re: Question about iked logging

On 2024-07-05 17:14, J Doe wrote:

> Hi list,
>
> I have a basic VPN setup with iked with certificate authentication.
> Periodically, something will attempt to authenticate against it that is
> not me and I see the following in the logs:
>
>     Jul  5 10:55:47 server iked[15172]: spi=0x7680ddead2051f3c:
>         ikev2_send_auth_failed: authentication failed for
>
> Just wanted to double-check: is the reason it says "authentication
> failed for" without an identity because someone is specifically
> attempting certificate authentication against my server and iked is
> rejecting them?
>
> Thanks,
>
> - J


Hi list,

It occurs to me that I did not include the configuration I have for iked
(iked.conf), which would probably be helpful ... I also didn't mention
the version of OpenBSD I was running as my server, which is 7.5.

I run a "road-warrior" configuration similar to what is displayed in the
OpenBSD FAQ[0]. Here is my configuration:


ikev2 "VPN" passive ipcomp tunnel esp \
from any to dynamic \
local egress peer any \
srcid server.home.arpa \
dstid client.home.arpa \
rsa \
config address 10.0.5.0/24 \
tag "ROADW"


As mentioned in my previous e-mail, sometimes connections will be made
to my VPN server that display the following:

Jul 5 10:55:47 server iked[15172]: spi=0x7680ddead2051f3c:
ikev2_send_auth_failed: authentication failed for

I am wondering if this is an indication of someone attempting to
authenticate using public key/certificate authentication and being
_rejected_ by iked?

My hypothesis is that iked does not name an identity because this is
certificate based authentication vs. MSCHAPv2 for EAP authentication
which would provide an identity (i.e., a username).

Is that correct?

Thanks,

- J


Links:
[0] https://www.openbsd.org/faq/faq17.html#clientikev2
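As an added example (not part of the original post, and not OpenBSD's or iked's own code), here is a small log classifier for the line shape quoted above. It splits `ikev2_send_auth_failed` lines into those where iked printed a peer identity after "authentication failed for" and those where it printed nothing, and counts each, so the anonymous failures the poster is asking about can be tallied separately from failures attributed to a known dstid. It assumes the standard syslog prefix and that each message occupies one physical line (the wrapping in the post is the mail client's); the identity-bearing lines and the unrelated line in the sample are constructed for the example.

```python
"""Classify iked IKEv2 authentication failures by whether a peer identity was logged.

Added example for this thread, not code from OpenBSD or the poster. It assumes
the stock syslog prefix and the exact message text shown in the post. The
identity-bearing lines and the unrelated line in SAMPLE_LOG are constructed.
"""
import re
from collections import Counter

# Syslog prefix, then the iked message. The identity after "for" is optional:
# an empty match is exactly the case the post asks about.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) iked\[(?P<pid>\d+)\]: "
    r"spi=(?P<spi>0x[0-9a-fA-F]+): ikev2_send_auth_failed: "
    r"authentication failed for ?(?P<ident>.*)$"
)

# Constructed sample: the first line mirrors the post, the rest are invented.
SAMPLE_LOG = """\
Jul  5 10:55:47 server iked[15172]: spi=0x7680ddead2051f3c: ikev2_send_auth_failed: authentication failed for
Jul  5 11:02:13 server iked[15172]: spi=0x1a2b3c4d5e6f7081: ikev2_send_auth_failed: authentication failed for
Jul  5 11:30:02 server iked[15172]: spi=0x0f0e0d0c0b0a0908: ikev2_send_auth_failed: authentication failed for client.home.arpa
Jul  5 11:30:05 server iked[15172]: spi=0x0f0e0d0c0b0a0908: ikev2_send_auth_failed: authentication failed for client.home.arpa
Jul  5 11:31:40 server iked[15172]: unrelated constructed message that must not match
"""


def parse_auth_failure(line):
    """Return the fields of one ikev2_send_auth_failed line, or None for any other line.

    The returned 'ident' is '' when iked printed no identity.
    """
    m = AUTH_FAIL_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ident"] = rec["ident"].strip()
    return rec


def summarize(lines):
    """Count failures with and without an identity across an iterable of log lines."""
    named = Counter()        # identity -> number of failures
    anonymous_spis = []      # SPIs of failures that carried no identity
    unparsed = 0             # lines that are not auth-failure lines
    for line in lines:
        if not line.strip():
            continue
        rec = parse_auth_failure(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["ident"]:
            named[rec["ident"]] += 1
        else:
            anonymous_spis.append(rec["spi"])
    return {
        "anonymous_failures": len(anonymous_spis),
        "anonymous_spis": anonymous_spis,
        "named_failures": dict(named),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    # Read real lines from stdin, or fall back to the constructed sample:
    #   grep ikev2_send_auth_failed /var/log/daemon | python3 iked_authfail.py
    import sys
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    result = summarize(src)
    print(f"failures without identity: {result['anonymous_failures']}")
    for spi in result["anonymous_spis"]:
        print(f"  {spi}")
    print("failures with identity:")
    for ident, n in sorted(result["named_failures"].items()):
        print(f"  {ident}: {n}")
```

On a real server the interesting follow-up is to pair each anonymous SPI with the other iked lines that carry the same `spi=` value, since those are what tie the failure to a peer address; the script deliberately parses only the message shape shown in the post and leaves that correlation to a second pass over the same SPI keys.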
