Hi Ted,
On 6/2/18 12:26 PM, Theodore Wynnychenko wrote:
Hello
Last year (before about 3/27/2017 when "Add support for RFC4754 (ECDSA) and
RFC7427 authentication" diff was committed to current), I had set up and had
been able to connect iOS devices (iPhone/iPad) to OpenBSD's iked, and have IKEv2
VPNs happen, almost as if by magic.
Authentication was accomplished using certificates signed by a local authority
and then distributed to the iOS devices.
Since 3/27/17, this has not been working. I sent a couple of emails about this
last year (the initial one:
https://marc.info/?l=openbsd-bugs&m=149706080419488&w=2).
Over the last year, I have tried many things. Even though I don't know anything
about programming (or C), I tried making little changes to the iked source, all
without success. (Is that any surprise? No. I was amazed at times that my
changes even resulted in a program that would actually start up and run.)
I have tried creating several different CAs and certificates, using various
different algorithms (ECDSA and RSA, with varying key lengths), all without
success. For example, I just tried creating a CA and certificates with
ECDSA384/SHA2-384; I distribute those to the iOS device (which supports them),
but, iked will not accept them and create a tunnel.
In iked.conf, if I don't explicitly state something like "ecdsa384" as the
authentication method (and, this requires having a local copy of the public key
on the OpenBSD machine), iked falls back to rfc7427 for authentication, but it
appears that iOS does not support this (yet?).
I have been downgrading iked to a version before the 3/27/17 (every time I
update -current), and this still allows my old certificates to work. But, that
doesn't seem sustainable.
I have no idea how to proceed.
Has anyone been able to get -current (or at least, a snapshot after 3/27/17)
version of iked to work with any iOS devices using certificates successfully?
If so, I would really appreciate some advice on how it can be done.
Thanks
Ted
Last night I tried to set up my iPad for the first time and ran into a
similar issue. Today I remembered writing a patch for a similar issue
after RFC7427 was added:
https://marc.info/?l=openbsd-tech&m=149499973130985
After applying this, and adding the `rsa' ikeauth parameter to the
policy, the iPad successfully connected.
Can you try applying that patch and see if it resolves your issue? If
it also works for you, I'll reply on that thread and see if anyone wants
to opine on the patch.
-TimS
--
Tim Stewart
t...@stoo.org
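For readers following the thread, here is an added iked.conf(5) example (not from either mail) showing the one policy change Tim describes: pinning the IKE authentication method with `ikeauth rsa` instead of letting iked choose RFC 7427 signature authentication. The hostname, address pool and flow addresses are placeholders; the server certificate, key and CA certificate are assumed to be installed under /etc/iked/certs, /etc/iked/private and /etc/iked/ca as usual.

```conf
# Added example, not part of the original thread.
# Assumptions (placeholders): the server's certificate uses the
# subject alt name vpn.example.com, and clients get addresses from
# 10.0.99.0/24. Certificates and the CA are under /etc/iked/.

# Policy as it might look without an explicit authentication method.
# After the 3/27/17 RFC 7427 change, iked negotiates RFC 7427 signature
# authentication here, which the thread reports iOS does not accept:
#
# ikev2 "ios" passive esp \
#     from 0.0.0.0/0 to 10.0.99.0/24 \
#     peer any \
#     srcid vpn.example.com \
#     config address 10.0.99.0/24

# Same policy with the method pinned to classic RSA signatures, the
# setting Tim reports working together with his patch:
ikev2 "ios" passive esp \
    from 0.0.0.0/0 to 10.0.99.0/24 \
    peer any \
    srcid vpn.example.com \
    ikeauth rsa \
    config address 10.0.99.0/24
```

The `ikeauth` keyword accepts `rsa`, `ecdsa256`, `ecdsa384`, `ecdsa521`, `rfc7427` and `psk`; as Ted notes, picking an explicit signature method also governs which key material iked expects to find locally, so after changing it, check that the certificate and CA files iked loads at startup are the ones the iOS profile was built against.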