Hi, I'm currently trying to setup a road warrior IKEv2 IPSEC tunnel between two OpenBSD boxes running a recent amd64 snapshot. The client is behing a NAT. The setup works with a PSK but I cannot make it work with RSA certificates. No matter what I tried, the client seems to fail connecting with: ca_getreq: no valid local certificate found
I turn to the mailing list to see if anybody can point me into the right direction. I loosely followed the following guide: http://puffysecurity.com/wiki/openikedoffshore.html I will try to shorten the command output to make it more readable. There is an OpenSSL error during the creation of the CA concerning a missing element in openssl.cnf. I did not modify openssl.cnf. On the server side I did the following: # ikectl ca ikeca create [...] Signature ok subject=/C=NL/CN=ikeca/emailAddress=j...@joachim.cc Getting Private key Using configuration from /etc/ssl/openssl.cnf variable lookup failed for ca::default_ca 7504668282756:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca name=default_ca # ikectl ca ikeca certificate 188.226.168.224 create [...] Signature ok subject=/C=NL/CN=188.226.168.224/emailAddress=j...@joachim.cc Getting CA Private Key # ikectl ca ikeca certificate asterix.my.domain create [...] Signature ok subject=/C=FR/CN=asterix.my.domain/emailAddress=j...@joachim.cc Getting CA Private Key # ikectl ca ikeca install certificate for CA 'ikeca' installed into /etc/iked/ca/ca.crt # ikectl ca ikeca certificate 188.226.168.224 install writing RSA key # ikectl ca ikeca certificate asterix.my.domain export Export passphrase: Retype export passphrase: writing RSA key exported files in /root/asterix.my.domain.tgz On the client side then I did the following: asterix% sudo tar -C /etc/iked -xzpf asterix.my.domain.tgz The server configuration files look like this: iked.conf: local_ip = "188.226.168.224" ikev2 passive ipcomp esp \ from 0.0.0.0/0 to 10.0.0.0/8 \ from 0.0.0.0/0 to 172.16.0.0/12 \ from 0.0.0.0/0 to 192.168.0.0/16 \ local $local_ip peer any \ srcid $local_ip \ tag IKED pf.conf (partial): set skip on { lo, enc } block in log pass in quick inet proto icmp icmp-type { echoreq, unreach } pass in on egress proto { ah, esp } pass in on egress proto udp from any to any port { isakmp, ipsec-nat-t } pass out all modulate state pass out log on egress \ from any to any tagged IKED \ nat-to (egress) The client configuration files look like this: iked.conf: lan = "192.168.1.0/24" remote_gw = "188.226.168.224" ikev2 active esp \ from $lan to 0.0.0.0/0 \ peer $remote_gw \ srcid asterix.my.domain \ tag IKED Here's the output of iked -dvv on the client side: ca_privkey_serialize: type RSA_KEY length 1191 ca_pubkey_serialize: type RSA_KEY length 270 ca_reload: loaded ca file ca.crt ca_reload: /C=NL/CN=ikeca/emailAddress=j...@joachim.cc ca_reload: loaded 1 ca certificate ca_reload: loaded cert file asterix.my.domain.crt ca_validate_cert: /C=FR/CN=asterix.my.domain/emailAddress=j...@joachim.cc ok ca_reload: local cert type X509_CERT lan = "192.168.1.0/24" remote_gw = "188.226.168.224" ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20 ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20 /etc/iked.conf: loaded 1 configuration rules config_getocsp: ocsp_url none config_getpolicy: received policy ikev2 "policy1" active esp inet from 192.168.1.0/24 to 0.0.0.0/0 local any peer 188.226.168.224 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256,hmac-sha1,hmac-md5 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid asterix.my.domain lifetime 10800 bytes 536870912 rsa tag "IKED" config_getpfkey: received pfkey fd 3 config_getcompile: compilation done config_getsocket: received socket fd 4 config_getsocket: received socket fd 5 config_getsocket: received socket fd 7 config_getsocket: received socket fd 8 ikev2_init_ike_sa: initiating "policy1" ikev2_policy2id: srcid FQDN/asterix.my.domain length 21 ikev2_add_proposals: length 132 ikev2_next_payload: length 136 nextpayload KE ikev2_next_payload: length 264 nextpayload NONCE ikev2_next_payload: length 36 nextpayload NOTIFY ikev2_nat_detection: local source 0xbd1fee3cb9ebd386 0x0000000000000000 0.0.0.0:500 ikev2_next_payload: length 28 nextpayload NOTIFY ikev2_nat_detection: local destination 0xbd1fee3cb9ebd386 0x0000000000000000 188.226.168.224:500 ikev2_next_payload: length 28 nextpayload NOTIFY ikev2_next_payload: length 14 nextpayload NONE ikev2_pld_parse: header ispi 0xbd1fee3cb9ebd386 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 534 response 0 ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 136 ikev2_pld_sa: more 0 reserved 0 length 132 proposal #1 protoid IKE spisize 0 xforms 14 spi 0 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1 ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_MD5 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_MD5_96 ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048_256 ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048 ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536 ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024 ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264 ikev2_pld_ke: dh group MODP_2048_256 reserved 0 ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36 ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28 ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28 ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14 ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS ikev2_msg_send: IKE_SA_INIT request from 0.0.0.0:500 to 188.226.168.224:500 msgid 0, 534 bytes sa_state: INIT -> SA_INIT ikev2_recv: IKE_SA_INIT response from responder 188.226.168.224:500 to 192.168.1.11:500 policy 'policy1' id 0, 471 bytes ikev2_recv: ispi 0xbd1fee3cb9ebd386 rspi 0xbefb86b890333bf9 ikev2_recv: updated SA to peer 188.226.168.224:500 local 192.168.1.11:500 ikev2_pld_parse: header ispi 0xbd1fee3cb9ebd386 rspi 0xbefb86b890333bf9 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 471 response 1 ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48 ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128 ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048_256 ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264 ikev2_pld_ke: dh group MODP_2048_256 reserved 0 ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36 ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28 ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP ikev2_nat_detection: peer source 0xbd1fee3cb9ebd386 0xbefb86b890333bf9 188.226.168.224:500 ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28 ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP ikev2_nat_detection: peer destination 0xbd1fee3cb9ebd386 0xbefb86b890333bf9 192.168.1.11:500 ikev2_pld_notify: NAT_DETECTION_DESTINATION_IP detected NAT, enabling UDP encapsulation ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 25 ikev2_pld_certreq: type X509_CERT length 20 ikev2_policy2id: srcid FQDN/asterix.my.domain length 21 ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14 ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS ikev2_pld_notify: signature hash SHA2_256 (2) ikev2_pld_notify: signature hash SHA2_384 (3) ikev2_pld_notify: signature hash SHA2_512 (4) ikev2_init_recv: NAT detected, updated SA to peer 188.226.168.224:4500 local 192.168.1.11:4500 ikev2_sa_negotiate: score 4 sa_stateok: SA_INIT flags 0x00, require 0x05 cert,auth ikev2_sa_keys: SKEYSEED with 32 bytes ikev2_sa_keys: S with 80 bytes ikev2_prfplus: T1 with 32 bytes ikev2_prfplus: T2 with 32 bytes ikev2_prfplus: T3 with 32 bytes ikev2_prfplus: T4 with 32 bytes ikev2_prfplus: T5 with 32 bytes ikev2_prfplus: T6 with 32 bytes ikev2_prfplus: T7 with 32 bytes ikev2_prfplus: Tn with 224 bytes ikev2_sa_keys: SK_d with 32 bytes ikev2_sa_keys: SK_ai with 32 bytes ikev2_sa_keys: SK_ar with 32 bytes ikev2_sa_keys: SK_ei with 32 bytes ikev2_sa_keys: SK_er with 32 bytes ikev2_sa_keys: SK_pi with 32 bytes ikev2_sa_keys: SK_pr with 32 bytes ikev2_msg_auth: initiator auth data length 598 ca_setauth: switching from RSA_SIG to SIG ca_setauth: auth length 598 sa_stateok: SA_INIT flags 0x00, require 0x05 cert,auth config_free_proposals: free 0x1321b9042c00 ca_getreq: found CA /C=NL/CN=ikeca/emailAddress=j...@joachim.cc ca_x509_subjectaltname: FQDN/nohost.nodomain ca_x509_subjectaltname_cmp: FQDN/nohost.nodomain mismatched ca_getreq: no valid local certificate found ca_setauth: auth length 272 ikev2_getimsgdata: imsg 18 rspi 0xbefb86b890333bf9 ispi 0xbd1fee3cb9ebd386 initiator 1 sa valid type 0 data length 0 ikev2_dispatch_cert: cert type NONE length 0, ignored ikev2_getimsgdata: imsg 23 rspi 0xbefb86b890333bf9 ispi 0xbd1fee3cb9ebd386 initiator 1 sa valid type 14 data length 272 ikev2_dispatch_cert: AUTH type 14 len 272 sa_stateflags: 0x00 -> 0x04 auth (required 0x05 cert,auth) sa_stateok: SA_INIT flags 0x04, require 0x05 cert,auth ikev2_init_ike_sa: "policy1" is already active Kind regards, Jona Joachim
