Copy ikeca.cnf from the ipsecctl source tree to /etc/ssl/ and retry.

http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.sbin/ikectl/ikeca.cnf

The openssl.cnf version broke and we somehow didn't install ikeca.cnf by default.

Reyk

> On 05.11.2015, at 08:28, Toyam Cox <aviator45...@gmail.com> wrote:
>
> Ho misc@,
>
> I have been (loosely) following the guide at
> http://puffysecurity.com/wiki/openikedoffshore.html and have run into
> a roadblock.
>
> I have packets going between my two hosts on different networks, the
> configuration files on both are good, and both have the ca installed.
>
> However on my remote host, I get (ips and hostnames redacted):
> Nov 5 01:38:14 hostname iked[7047]: ikev2_msg_send: IKE_SA_INIT
> request from $local_wan:500 to $remote.168:500 msgid 0, 534 bytes
> Nov 5 01:38:14 hostname iked[7047]: ikev2_recv: IKE_SA_INIT response
> from responder $remote8:500 to $local:500 policy 'policy1' id 0, 471
> bytes
> Nov 5 01:38:14 hostname iked[12679]: ca_getreq: no valid local
> certificate found
>
> This is coupled with, as I create the ca key...
> # ikectl ca vpn1 create
> CA passphrase:
> Retype CA passphrase:
> [stuff-happens-and-inputs]
> Getting Private key
> Using configuration from /etc/ssl/openssl.cnf
> variable lookup failed for ca::default_ca
> 24387713617796:error:0E06D06C:configuration file
> routines:NCONF_get_string:no
> value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca
> name=default_ca
>
> I've checked the mail logs for misc@ and found a person in August with
> this problem, http://marc.info/?l=openbsd-misc&m=133675466519976&w=2
>
> Unfortunately, editing /etc/ssl/x509v3.cnf didn't work for me.
> Variable lookup still failed.
>
> Thank you for any help.
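
The error quoted in this thread ("variable lookup failed for ca::default_ca", group=ca name=default_ca) says the config file in use has no default_ca key in its [ca] section. The following is an added example, not part of the original messages or of OpenBSD's tools: a small shell check for that key, where the function name has_conf_key and both sample config files are constructed for illustration.

```shell
#!/bin/sh
# has_conf_key FILE SECTION KEY
# Exit 0 if KEY is assigned inside [SECTION] of an OpenSSL-style config
# file, 1 otherwise. (Hypothetical helper written for this example.)
has_conf_key() {
    awk -v want_sec="$2" -v want_key="$3" '
        { sub(/#.*/, "") }                 # drop comments
        /^[ \t]*\[/ {                      # section header such as "[ ca ]"
            sec = $0
            gsub(/[][ \t]/, "", sec)       # strip brackets and whitespace
            next
        }
        sec == want_sec && index($0, "=") {
            split($0, kv, "=")
            key = kv[1]
            gsub(/[ \t]/, "", key)
            if (key == want_key) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

tmp=$(mktemp -d)

# Constructed sample: no [ca] section at all, as in the failing run.
printf '%s\n' '[ req ]' 'distinguished_name = req_dn' > "$tmp/no_ca.cnf"

# Constructed sample: section and key both present.
printf '%s\n' '[ ca ]' 'default_ca = CA_default  # which CA section to use' \
    '[ CA_default ]' 'dir = ./ca' > "$tmp/with_ca.cnf"

for f in "$tmp/no_ca.cnf" "$tmp/with_ca.cnf"; do
    if has_conf_key "$f" ca default_ca; then
        echo "$f: ca::default_ca is set"
    else
        echo "$f: ca::default_ca is missing"
    fi
done
```

To check a real system, call it on the file named in the "Using configuration from" line, for example `has_conf_key /etc/ssl/openssl.cnf ca default_ca`.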