Hello,
I was experimenting with setting up a VPN server on AWS using Algo (
https://github.com/trailofbits/algo) that I'd like to connect to using an
OpenBSD laptop.
They don't explicitly provide an OpenBSD client configuration but from what
I can tell it should be doable with OpenBSD's built in tools. It appears
to be IKEv2 so from what I can tell I just need the correct /etc/iked.conf
and copy the right keys/certificates into the right places in /etc/iked.
This is the StrongSwan config file provided for the client (VPN server's IP
address replaced with $REMOTEGW and username replaced with $USER).
conn ikev2-$REMOTEGW
    fragmentation=yes
    rekey=no
    dpdaction=clear
    keyexchange=ikev2
    compress=no
    dpddelay=35s
    ike=aes128gcm16-prfsha512-ecp256!
    esp=aes128gcm16-ecp256!
    right=$REMOTEGW
    rightid=$REMOTEGW
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftauth=pubkey
    leftcert=$USER.crt
    leftfirewall=yes
    left=%defaultroute
    auto=add
I tried copying the certificate produced by algo named $REMOTEGW.crt to
/etc/iked/pubkeys/ipv4/$REMOTEGW but when I restart iked with rcctl restart
iked I get "iked[37566]: set_policy: could not find pubkey for
/etc/iked/pubkeys/ipv4/$REMOTEGW" in /var/log/messages. The certificate is
in the PEM format, which appears to be what is required, so I'm unsure what
problem iked is having.
Any insight or help would be appreciated. I'd be happy to provide more
information if necessary.
Thanks,
Alec
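Added example (not part of the post above, and not code from Algo or from OpenBSD): a small POSIX sh helper that checks what kind of PEM object a file actually holds before it goes into the /etc/iked tree, lays out the client files for CA-based trust (ca/, certs/, private/local.key, the paths iked(8) documents), and prints an iked.conf whose proposal mirrors the strongSwan one in the post (aes128gcm16 to aes-128-gcm, prfsha512 to hmac-sha2-512, ecp256 to ecp256). The relevant check for the error quoted above: iked's pubkeys/ directory holds bare public keys, not certificates, so a file whose PEM label is CERTIFICATE does not load from there; cert_to_pubkey extracts the key if raw-key trust is wanted instead of the CA. Assumed names: REMOTEGW is the server IP, USER the client name, the Algo output directory contains cacert.pem, $USER.crt and $USER.key, srcid/dstid match the subjects Algo issued, and IKED_ROOT overrides /etc/iked for a dry run.

```shell
#!/bin/sh
# Added example, not from the original post, from Algo or from OpenBSD.
# Assumptions: REMOTEGW = server IP, USER = client name, the Algo output
# directory holds cacert.pem, $USER.crt and $USER.key; IKED_ROOT lets you
# lay the files out somewhere other than /etc/iked for a dry run.
set -eu

# Print the label of the first PEM block in a file (CERTIFICATE, PUBLIC KEY,
# EC PRIVATE KEY, ...). Prints nothing if the file has no PEM header at all.
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# iked's pubkeys/ tree holds bare public keys, not certificates; a file
# labelled CERTIFICATE there does not load as a key. This extracts the
# SubjectPublicKeyInfo from a certificate for pubkeys/ipv4/<peer-ip> when
# raw-key trust is wanted instead of a CA (needs openssl on the laptop).
cert_to_pubkey() {
    openssl x509 -in "$1" -pubkey -noout
}

# Lay out the files for CA-based trust: CA certificate under ca/, client
# certificate under certs/, private key as private/local.key. Refuses any
# file whose PEM label does not match the slot it is being put into.
install_client_files() {
    root=$1 ca=$2 cert=$3 key=$4
    [ "$(pem_label "$ca")" = CERTIFICATE ]   || { echo "$ca: not a certificate" >&2; return 1; }
    [ "$(pem_label "$cert")" = CERTIFICATE ] || { echo "$cert: not a certificate" >&2; return 1; }
    case "$(pem_label "$key")" in
        *"PRIVATE KEY") ;;
        *) echo "$key: not a private key" >&2; return 1 ;;
    esac
    mkdir -p "$root/ca" "$root/certs" "$root/private" "$root/pubkeys/ipv4"
    install -m 0644 "$ca"   "$root/ca/$(basename "$ca")"
    install -m 0644 "$cert" "$root/certs/$(basename "$cert")"
    install -m 0600 "$key"  "$root/private/local.key"
}

# Emit an iked.conf mirroring the strongSwan proposal from the post:
# aes128gcm16 -> aes-128-gcm, prfsha512 -> hmac-sha2-512, ecp256 -> ecp256.
# The client requests an address from the gateway and sends 0.0.0.0/0
# through the tunnel. srcid/dstid are assumptions (client name in the
# client cert, server IP in the server cert); adjust to what Algo issued.
iked_conf_for() {
    gw=$1 user=$2
    cat <<EOF
ikev2 "algo" active esp \\
    from dynamic to 0.0.0.0/0 \\
    peer $gw \\
    ikesa enc aes-128-gcm prf hmac-sha2-512 group ecp256 \\
    childsa enc aes-128-gcm group ecp256 \\
    srcid "$user" dstid $gw \\
    request address any
EOF
}

# Usage (as root): sh iked-client.sh <REMOTEGW> <USER> <algo-output-dir> > /etc/iked.conf
# Run with no arguments it only defines the functions above.
case "${1:-}" in
    "") ;;
    *)
        gw=$1 user=$2 algo=$3 root=${IKED_ROOT:-/etc/iked}
        install_client_files "$root" "$algo/cacert.pem" "$algo/$user.crt" "$algo/$user.key"
        iked_conf_for "$gw" "$user"
        ;;
esac
```

After installing, `iked -n` validates the generated config and `rcctl restart iked` reloads it; if the "could not find pubkey" line still appears, check `pem_label` on the file in question, since that is exactly the CERTIFICATE-in-pubkeys case the helper is meant to catch.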