On Mon, Feb 19, 2018 at 04:04:38PM -0700, Alec Newman wrote:
> Hello,
>
> I was experimenting with setting up a VPN server on AWS using Algo (
> https://github.com/trailofbits/algo) that I'd like to connect to using an
> OpenBSD laptop.
>
> They don't explicitly provide an OpenBSD client configuration but from what
> I can tell it should be doable with OpenBSD's built in tools. It appears
> to be IKEv2 so from what I can tell I just need the correct /etc/iked.conf
> and copy the right keys/certificates into the right places in /etc/iked.
>
> This is the StrongSwan config file provided for the client (VPN server's IP
> address replaced with $REMOTEGW and username replaced with $USER).
>
> conn ikev2-$REMOTEGW
>   fragmentation=yes
>   rekey=no

Does this mean it does reauthentication instead of rekeying? Could become
an issue at some point, especially if strongswan does make-before-break
and you have long running connections.

>   dpdaction=clear
>   keyexchange=ikev2
>   compress=no
>   dpddelay=35s
>
>   ike=aes128gcm16-prfsha512-ecp256!
>   esp=aes128gcm16-ecp256!
>
>   right=$REMOTEGW
>   rightid=$REMOTEGW
>   rightsubnet=0.0.0.0/0
>   rightauth=pubkey
>
>   leftsourceip=%config
>   leftauth=pubkey
>   leftcert=$USER.crt
>   leftfirewall=yes
>   left=%defaultroute
>
>   auto=add
>
> I tried copying the certificate produced by algo named $REMOTEGW.crt to
> /etc/iked/pubkeys/ipv4/$REMOTEGW but when I restart iked with rcctl restart
> iked I get "iked[37566]: set_policy: could not find pubkey for
> /etc/iked/pubkeys/ipv4/$REMOTEGW" in /var/log/messages. The certificate is
> in the PEM format, which appears to be what is required, so I'm unsure what
> problem iked is having.

In a current iked(8) setup you have to store your own certificate (with the
private key in a different directory) and its full chain. Also you have to
store the remote gateway's full chain (but not necessarily the remote
gateway's certificate).

In addition, you have to make sure the certs use the X509v3 something
something DNS extension. openssl x509 -in fubar.crt -text should show this
if you look for X509v3.

> Any insight or help would be appreciated. I'd be happy to provide more
> information if necessary.
>
> Thanks,
> Alec
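A small check script for the two things the reply points at, the iked(8) certificate layout and the X509v3 Subject Alternative Name extension that iked matches identities against; this is an added illustration, not part of the thread, and it assumes the usual iked paths (private/local.key, certs/<id>.crt, a chain file under ca/) and a constructed `openssl x509 -text` dump as sample input.

```shell
#!/bin/sh
# Added illustration, not from the thread. Checks the iked(8) certificate layout
# the reply describes and whether a certificate carries the identity in its
# X509v3 Subject Alternative Name (SAN) extension, which iked matches IDs against.

# Constructed excerpt of `openssl x509 -in gw.crt -text -noout` output
# (sample data, not a real certificate).
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN = 203.0.113.10
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:203.0.113.10, DNS:203.0.113.10
            X509v3 Extended Key Usage:
                TLS Web Server Authentication'

# Read an openssl text dump on stdin and print each SAN entry on its own line;
# prints nothing when the extension is absent.
san_entries() {
    awk '/X509v3 Subject Alternative Name:/ {
            getline; sub(/^[ \t]+/, "")
            n = split($0, a, /, */)
            for (i = 1; i <= n; i++) print a[i]
            exit
         }'
}

# Succeed only if the SAN list (stdin) contains the given IKE identity,
# either as a DNS name or as an IP address.
san_has_id() {
    san_entries | grep -qxF -e "DNS:$1" -e "IP Address:$1"
}

# Verify the layout under an iked directory (assumed paths: private/local.key,
# certs/<myid>.crt, and at least one CA chain file in ca/). Reports each
# missing piece and returns 1 if anything is absent.
check_iked_layout() {
    root="$1"; myid="$2"; rc=0
    [ -f "$root/private/local.key" ] || { echo "missing $root/private/local.key"; rc=1; }
    [ -f "$root/certs/$myid.crt" ] || { echo "missing $root/certs/$myid.crt"; rc=1; }
    [ -n "$(ls -A "$root/ca" 2>/dev/null)" ] || { echo "no CA chain in $root/ca/"; rc=1; }
    return "$rc"
}

# Usage on a live host:
#   openssl x509 -in /etc/iked/certs/$USER.crt -text -noout | san_has_id "$USER"
#   check_iked_layout /etc/iked "$USER"
```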