Hello misc!
Just posting in case someone else has come across this problem, to save them
some time.
I've been trying to get ikev2 to work between two 6.1 machines to replace our
isakmpd + ipsec setup and was getting nowhere.
the iked man page says:
iked supports mutual authentication using RSA or ECDSA public keys and
X.509 certificates. See the PUBLIC KEY AUTHENTICATION section below and
PKI AND CERTIFICATE AUTHORITY COMMANDS in ikectl(8) for more information
about creating and maintaining the public key infrastructure.
but as I found out, it does not work with the RSA keys generated on first boot (even if you delete them and reboot to re-create them).
To be clear, the keys I refer to are /etc/iked/local.pub and /etc/iked/private/local.key
And the relevant part from /etc/rc:
# grep iked /etc/rc
# Generate keys for isakmpd, iked and sshd if they don't exist yet.
local _iked_key=/etc/iked/private/local.key
local _iked_pub=/etc/iked/local.pub
echo -n "openssl: generating isakmpd/iked RSA keys... "
if [[ ! -f $_iked_key ]]; then
cp $_isakmpd_key $_iked_key
chmod 600 $_iked_key
cp $_isakmpd_pub $_iked_pub
start_daemon iscsid isakmpd iked sasyncd ldapd npppd
The error I was getting was:
ikev2_recv: IKE_SA_INIT request from initiator aa.aa.aa.aa:500 to bb.bb.bb.bb:500 policy 'policy6' id 0, 510 bytes
ikev2_msg_send: IKE_SA_INIT response from bb.bb.bb.bb:500 to aa.aa.aa.aa:500 msgid 0, 451 bytes
ikev2_recv: IKE_AUTH request from initiator aa.aa.aa.aa:500 to bb.bb.bb.bb:500 policy 'policy6' id 1, 784 bytes
ikev2_dispatch_cert: peer certificate is invalid
ikev2_msg_send: IKE_AUTH response from bb.bb.bb.bb:500 to aa.aa.aa.aa:500 msgid 1, 80 bytes
I then deleted the keys and generated a new ECDSA private key:
openssl ecparam -name secp256k1 -out local.key -genkey -> place that under /etc/iked/private/local.key
and the public key:
openssl ec -in local.key -pubout > local.pub -> place that under /etc/iked/local.pub
Then copy the public keys on hostA and hostB under /etc/iked/pubkeys/ipv4/aa.aa.aa.aa and /etc/iked/pubkeys/ipv4/bb.bb.bb.bb accordingly.
started iked -dv (manually to help me debug) on both nodes and can see from the
output that it worked:
# iked -dv
ikev2 "hostA" active esp inet from aa.aa.aa.aa to bb.bb.bb.bb local aa.aa.aa.aa peer bb.bb.bb.bb ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid aa.aa.aa.aa dstid bb.bb.bb.bb lifetime 10800 bytes 536870912 ecdsa256 tag "ipsec_tag"
ikev2_recv: IKE_SA_INIT request from initiator bb.bb.bb.bb:500 to aa.aa.aa.aa:500 policy 'hostA' id 0, 510 bytes
ikev2_msg_send: IKE_SA_INIT response from aa.aa.aa.aa:500 to bb.bb.bb.bb:500 msgid 0, 451 bytes
ikev2_recv: IKE_AUTH request from initiator bb.bb.bb.bb:500 to aa.aa.aa.aa:500 policy 'hostA' id 1, 384 bytes
ikev2_msg_send: IKE_AUTH response from aa.aa.aa.aa:500 to bb.bb.bb.bb:500 msgid 1, 336 bytes
sa_state: VALID -> ESTABLISHED from bb.bb.bb.bb:500 to aa.aa.aa.aa:500 policy 'hostA'
and the ipsecctl -sa output (trimmed):
# ipsecctl -sa
FLOWS:
flow esp in from aa.aa.aa.aa to bb.bb.bb.bb peer aa.aa.aa.aa srcid IPV4/bb.bb.bb.bb dstid IPV4/aa.aa.aa.aa type use
flow esp out from bb.bb.bb.bb to aa.aa.aa.aa peer aa.aa.aa.aa srcid IPV4/bb.bb.bb.bb dstid IPV4/aa.aa.aa.aa type require
flow esp out from ::/0 to ::/0 type deny
SAD:
esp tunnel from bb.bb.bb.bb to aa.aa.aa.aa spi 0x5f6fd9cc auth hmac-sha2-256 enc aes-256
esp tunnel from aa.aa.aa.aa to bb.bb.bb.bb spi 0xa8a4dd4c auth hmac-sha2-256 enc aes-256
I hope this will help someone and of course let me know if I missed something
obvious.
Cheers
Doros Eracledes
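A pre-flight check for the key layout this post describes, added here as an example; it is not the poster's or OpenBSD's code. It assumes the paths from the post (private/local.key, local.pub, pubkeys/ipv4/<peer address>), that the private key is in the traditional "EC PRIVATE KEY" PEM form that openssl ecparam -genkey writes, and it only cross-checks that local.pub is derived from local.key when openssl is installed.

```shell
#!/bin/sh
# Sanity check for an iked public-key setup (added example, not the poster's
# or OpenBSD's code). Assumed layout, as in the post: DIR/private/local.key
# (EC private key, mode 0600), DIR/local.pub, DIR/pubkeys/ipv4/PEER.

# Print the key type a PEM private key file advertises: ec, rsa or unknown.
iked_key_type() {
    if grep -q -- '^-----BEGIN EC PRIVATE KEY-----' "$1" 2>/dev/null; then echo ec
    elif grep -q -- '^-----BEGIN RSA PRIVATE KEY-----' "$1" 2>/dev/null; then echo rsa
    else echo unknown
    fi
}

# Succeed only if the group/other permission bits are all clear (e.g. 0600).
iked_private_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# iked_check_keys DIR PEER...: print one line per problem found and return
# the number of problems, so 0 means the layout looks usable.
iked_check_keys() {
    dir=$1; shift
    key=$dir/private/local.key; pub=$dir/local.pub; n=0; kt=
    if [ ! -f "$key" ]; then
        echo "missing private key $key"; n=$((n+1))
    else
        kt=$(iked_key_type "$key")
        # The rc(8)-generated key is RSA; the post only got pubkey auth working with EC.
        [ "$kt" = ec ] || { echo "$key is not an EC key (type: $kt)"; n=$((n+1)); }
        iked_private_mode_ok "$key" || { echo "$key is readable by group/other"; n=$((n+1)); }
    fi
    if ! grep -q -- '^-----BEGIN PUBLIC KEY-----' "$pub" 2>/dev/null; then
        echo "$pub missing or not a PEM public key"; n=$((n+1))
    elif [ "$kt" = ec ] && command -v openssl >/dev/null 2>&1; then
        # Cross-check: local.pub must be exactly the public key derived from local.key.
        openssl ec -in "$key" -pubout 2>/dev/null | cmp -s - "$pub" ||
            { echo "$pub does not match $key"; n=$((n+1)); }
    fi
    for peer; do
        [ -f "$dir/pubkeys/ipv4/$peer" ] ||
            { echo "no public key for peer $peer in $dir/pubkeys/ipv4/"; n=$((n+1)); }
    done
    return $n
}

# Run directly, e.g.: sh iked_keycheck.sh /etc/iked bb.bb.bb.bb
if [ $# -gt 0 ]; then iked_check_keys "$@"; fi
```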