Matt,

Matthew Ernisse <m...@going-flying.com> writes:

> I have not tried ECDSA, however I've had iOS and macOS devices
> running with iked since it came into OpenBSD using certificate auth
> with RSA 2048 certs and a RSA 4096 CA.
>
> I just recently wrote a blog post on it, it includes a general overview
> of how I did it and a fragment of my .mobileconfig and iked.conf.
>
> https://www.going-flying.com/blog/protecting-my-macos-and-ios-devices-with-an-openbsd-vpn.html
>
> My VPN endpoint is currently running:
> OpenBSD 6.4 (GENERIC) #7: Thu Feb 28 18:10:07 CET 2019
>     r...@syspatch-64-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
My configuration is rather similar, at least in spirit.  The main
differences I see are that I specify a dstid in iked.conf and I don't
specify exact crypto transforms.  My .mobileconfig file is basically
identical to yours.

I'll do another round of testing and be more explicit about the crypto
transforms, and will reply here with the results.

Thanks for the link!

-TimS
>> On Apr 4, 2019, at 20:08, Tim Stewart <t...@stoo.org> wrote:
>>
>> Hi Ted,
>>
>> On 6/2/18 12:26 PM, Theodore Wynnychenko wrote:
>>> Hello
>>> Last year (before about 3/27/2017 when "Add support for RFC4754 (ECDSA) and
>>> RFC7427 authentication" diff was committed to current), I had set up and had
>>> been able to connect iOS devices (iphone/ipad) to OpenBSD's iked, and have
>>> ikev2 VPNs happen, almost as if by magic.
>>> Authentication was accomplished using certificates signed by a local
>>> authority and then distributed to the iOS devices.
>>> Since 3/27/17, this has not been working.  I sent a couple of emails about
>>> this last year (the initial one:
>>> https://marc.info/?l=openbsd-bugs&m=149706080419488&w=2).
>>> Over the last year, I have tried many things.  Even though I don't know
>>> anything about programming (or C), I tried making little changes to the iked
>>> source, all without success.  (Is that any surprise? No.  I was amazed at
>>> times that my changes even resulted in a program that would actually start
>>> up and run.)
>>> I have tried creating several different CAs and certificates, using various
>>> different algorithms (ECDSA and RSA, with varying key lengths), all without
>>> success.  For example, I just tried creating a CA and certificates with
>>> ECDSA384/SHA2-384; I distribute those to the iOS device (which supports
>>> them), but iked will not accept them and create a tunnel.
>>> In iked.conf, if I don't explicitly state something like "ecdsa384" as the
>>> authentication method (and this requires having a local copy of the public
>>> key on the OpenBSD machine), iked falls back to rfc7427 for authentication,
>>> but it appears that iOS does not support this (yet?).
>>> I have been downgrading iked to a version from before 3/27/17 (every time I
>>> update -current), and this still allows my old certificates to work.  But
>>> that doesn't seem sustainable.
>>> I have no idea how to proceed?
>>> Has anyone been able to get the -current (or at least, a snapshot after
>>> 3/27/17) version of iked to work with any iOS devices using certificates
>>> successfully?
>>> If so, I would really appreciate some advice on how it can be done.
>>> Thanks
>>> Ted
>>
>> Last night I tried to set up my iPad for the first time and ran into a 
>> similar issue.  Today I remembered writing a patch for a similar issue after 
>> RFC7427 was added:
>>
>>  https://marc.info/?l=openbsd-tech&m=149499973130985
>>
>> After applying this, and adding the `rsa' ikeauth parameter to the policy, 
>> the iPad successfully connected.
>>
>> Can you try applying that patch and see if it resolves your issue?  If it 
>> also works for you, I'll reply on that thread and see if anyone wants to 
>> opine on the patch.
>>
>> -TimS
>>
>> --
>> Tim Stewart
>> t...@stoo.org
>>
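The policy shape this thread keeps circling back to (an explicit `ikeauth rsa` so iked does not fall back to rfc7427, explicit ikesa/childsa transforms, srcid/dstid tied to the certificate identities) written out as one iked.conf policy. This is an added example, not Matt's or Tim's actual configuration and not taken from the linked blog post; the hostname, addresses and the particular transform set are assumptions, picked to mirror what a .mobileconfig would typically request.

```conf
# Added example iked.conf policy for iOS/macOS clients authenticating with
# certificates.  Not the configuration from the thread; the gateway address,
# hostname, client pool and transforms are assumptions.
#
# iked(8) expects the PKI material here:
#   /etc/iked/ca/                 CA certificate that signed the client certs
#   /etc/iked/certs/              this gateway's certificate (SAN = srcid)
#   /etc/iked/private/local.key   this gateway's private key
#
# Notes on the policy below (iked.conf does not allow comments between
# backslash-continued lines, so they all sit up here):
#  - ikesa/childsa spell out the transforms so they match the
#    IKESecurityAssociationParameters / ChildSecurityAssociationParameters
#    sections of the .mobileconfig rather than whatever each side proposes
#    by default.
#  - srcid must match the SubjectAltName in the gateway certificate and the
#    RemoteIdentifier configured on the client.
#  - ikeauth rsa names the signature method explicitly.  Without an ikeauth
#    line iked negotiates rfc7427 signature authentication, which this thread
#    reports iOS does not accept.
#  - A dstid line would pin the policy to a single client identity; with one
#    certificate per device, either omit it (peer any, identity checked
#    against the CA) or write one policy per device.

ikev2 "ios-clients" passive esp \
        from 0.0.0.0/0 to 10.99.0.0/24 \
        local 203.0.113.1 peer any \
        ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
        childsa enc aes-256 auth hmac-sha2-256 \
        srcid vpn.example.net \
        ikeauth rsa \
        config address 10.99.0.0/24 \
        config name-server 10.99.0.1
```

Check the file with `iked -n` before loading it, then `ikectl reload`; a typo in a transform name or the ikeauth keyword is reported there rather than as a failed negotiation on the device.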
