Re: iked ikev2 x509 authentication problem - no valid local certificate found

Sun, 04 Oct 2015 00:50:52 -0700 

Sorry about the delay in replying.

I’ve finally managed to get things to work.  The patch, or rather upgrading to 
the latest iked in head helped.  Removing the 
‘ServerCertificateIssuerCommonName’ option from the Apple profile was the key 
bit that was causing problems.  According to the official docs [1], adding 
ServerCertificateIssuerCommonName should cause the VPN client to send a 
certificate request to the server based on the CA, but was actually stopping 
the ‘cert’ part of the server side validation from completing.

As a side point it seems that IOS 9.0.2 works as expected, but El Capitan 
10.11.1 (beta2) has a segmentation fault after connecting that causes the 
connection, after successful validation, to drop.  

So, for the record, using certs on IOS 9.0.2 work correctly without having to 
do any password validation. However, the latest El Capitan 10.11.1 beta fails 
due to an Apple side issue.

Thanks for all of you help.

Rob


[1] 
https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html



> On 1 Oct 2015, at 20:37, m...@alumni.chalmers.se wrote:
> 
> http://marc.info/?l=openbsd-tech&m=144362542514318&w=2
> <http://marc.info/?l=openbsd-tech&m=144362542514318&w=2>
> 
>> On 1 okt. 2015, at 21:25, Rob <lists-openbsd....@somerandom.net> wrote:
>> 
>> Hi,
>> 
>> I’m a little stuck getting two different clients connected to my OpenBSD
>> 5.7 (i386) VPN ikev2 server.  I suspect the clients are at fault as I can
>> get past the error when connecting one OpenBSDs iked to another iked.
>> 
>> FWIW the clients are both Apple, one IOS 9.1 device and one OSX 10.11.1
>> laptop, so I’m a little stuck with the VPN client I can use.
>> 
>> I have the following configuration:
>> 
>> ikev2 "road_warrior" passive esp \
>>   from 192.168.20.0/24 to 192.168.40.0/24 \
>>   local 192.168.20.4 peer any \
>>   ikesa enc aes-128 prf hmac-sha2-256 \
>>   auth hmac-sha2-256 group modp2048 \
>>   childsa enc aes-128 auth hmac-sha2-256 \
>>   srcid "local.example.net \
>>   dstid "peer.example.net" \
>>   config address 192.168.40.10/29 \
>>   config netmask 255.255.255.0 \
>>   config name-server 192.168.20.53 \
>>   config protected-subnet 192.168.40.0/24
>> 
>> (IPs and names have been changed to protect the innocent)
>> 
>> I have keys installed as follows:
>> 
>> /etc/iked/ca/example.net.crt
>> /etc/iked/certs/local.example.net.crt
>> /etc/iked/private/local.key
>> /etc/iked/pubkeys/fqdn/peer.example.net
>> /etc/iked/local.pub
>> 
>> 
>> I believe the client isn’t sending the certificate request, but I
>> could be completely wrong, the error appears to be:
>> 
>> ikev2_sa_negotiate: score 4
>> sa_stateflags: 0x18 -> 0x18 authvalid,sa (required 0x1f
> cert,certvalid,auth,authvalid,sa)
>> sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
>> sa_state: cannot switch: AUTH_SUCCESS -> VALID
>> config_free_proposals: free 0x77286c80
>> ca_getreq: no valid local certificate found
>> 
>> The client is sending peer.example.net.crt to the server, which gets
>> validated correctly:
>> 
>> ca_validate_cert: /C=UK/L=London/O=Example Net/CN=peer.example.net ok
>> ikev2_dispatch_cert: peer certificate is valid
>> sa_stateflags: 0x1c -> 0x1e certvalid,auth,authvalid,sa (required 0x1f
> cert,certvalid,auth,authvalid,sa)
>> 
>> I’ve been at this for a number of days and am completely stuck, so if
>> anyone has any ideas/advice/clue-sticks I’d be very grateful.  If you
>> need any further log information please let me know.
>> 
>> 
>> thanks
>> 
>> Rob

Reply via email to