Hello, I would like to ask for some help. It is not clear to me from the man pages below, and I couldn't find an answer on the net either: where shall I place the local certificate file (including the public key) and the private key if I would like to authenticate both sides with an X.509 certificate? (So, no PSK, no private-public key pair, only certificates.)

In what format (pem or crt) and under what name do I need to store the local cert file(s) under /etc/iked/certs/? Do I need to store the private key that was used to generate the certificate as /etc/iked/private/local.key? How shall I store more certificates and private keys in case I have more local endpoints (more tunnels)? How are these cert files matched by openiked with the configured policies if I have more policies (more ikev2 [name])? Could you please send me an example with file names and paths where both sides are using certificates to authenticate?

Have I understood correctly that there is no need to store anything from the remote peer, as its pubkey is sent in the 2nd IKEv2 exchange and is verified by openiked against the signed AUTH payload?

Regards,
Agoston

http://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/iked.conf.5
- rsa - Use RSA public key authentication with SHA1 as the hash.

http://man.openbsd.org/iked.8
- /etc/iked/certs/ - The directory where IKE certificates are kept, both the local certificate(s)...
- /etc/iked/private/ - The directory where local private keys used for public key authentication are kept. The file local.key is used to store the local private key.
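The layout and policy below are an added illustration of one side of a mutually certificate-authenticated setup; they are not from the original post or from OpenBSD's own documentation. All host names, addresses, policy names and certificate file names are placeholders. The two points the quoted man pages do not state, and which this example relies on as assumptions to check against the current iked.conf(5) and iked(8), are that the local certificate is selected by matching the policy's srcid against the certificate's subjectAltName (so the file name under /etc/iked/certs/ is free), and that the peer's certificate is validated against a CA certificate kept under /etc/iked/ca/.

```conf
# Added example, not from the original post. Names, addresses and
# file names are placeholders.
#
# Assumed file layout on the local host (site A), all files in PEM:
#   /etc/iked/private/local.key   the one local private key iked reads
#   /etc/iked/local.pub           the matching public key
#   /etc/iked/certs/vpn-a.crt     local certificate; name is arbitrary,
#                                 subjectAltName must contain the srcid
#   /etc/iked/certs/vpn-a2.crt    second local certificate for the
#                                 second identity, issued for the same key
#   /etc/iked/ca/ca.crt           CA certificate used to verify the
#                                 certificate the peer sends in IKE_AUTH
#
# Nothing belonging to the peer is stored locally: its certificate
# arrives in the IKE_AUTH exchange and is checked against /etc/iked/ca/.

# First tunnel. The certificate whose subjectAltName is
# vpn-a.example.com is offered as the local credential; the peer must
# present a CA-signed certificate for vpn-b.example.com.
ikev2 "site-b" active esp \
    from 10.0.1.0/24 to 10.0.2.0/24 \
    local 192.0.2.1 peer 198.51.100.1 \
    srcid vpn-a.example.com \
    dstid vpn-b.example.com

# Second tunnel with a different local identity. A different srcid
# selects a different certificate from /etc/iked/certs/, which is how
# several policies map onto several local certificates.
ikev2 "site-c" passive esp \
    from 10.0.1.0/24 to 10.0.3.0/24 \
    local 192.0.2.1 peer 203.0.113.1 \
    srcid vpn-a2.example.com \
    dstid vpn-c.example.com
```

Two caveats worth checking before copying this pattern: iked loads a single local private key (local.key), so every local certificate has to be issued for that one key rather than each tunnel having its own key pair; and when no psk is configured in the policy, public key or certificate authentication is what iked falls back to, so the certificate path is taken without any extra keyword as long as the matching certificate and CA files are in place.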