Hi guys,

I'm trying to set up an IKEv2 VPN using X.509 Certificate Authentication with 
iked(8). In the Virtual Private Networks (VPN) section of the FAQ there is no 
section about setting this up with an OpenBSD client. Is there anybody here 
who's done that before?

In trying to achieve this, I first had to give a CSR to the other party, so I 
used ikectl(8) to generate a CA and a certificate. To do so I followed the 
steps at the bottom of the ikectl(8) man page and I did this:

# ikectl ca example create
# ikectl ca example certificate 198.51.100.1 create
# ikectl ca example certificate 198.51.100.2 create

I then gave them the CSR file corresponding to the 198.51.100.2 certificate.

In return, they gave me an X.509 certificate like the following:

$ cat example.pem
subject=/C=FR/O=XXX/OU=0002 479766842/OU=XXXXX/CN=XXXXXXX
issuer=/C=FR/O=XXXXX/OU=0002 120061023/CN=XXXXXXXXXX
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
subject=/C=FR/O=XXX/OU=0002 120061023/CN=XXXXX
issuer=/CN=XXX-ROOT/OU=0002 120061023/O=XXXX/C=FR
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
subject=/CN=XXX-ROOT/OU=0002 120061023/O=XXXXX/C=FR
issuer=/CN=XXX-ROOT/OU=0002 120061023/O=XXXX/C=FR
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----

I don't really know how to use that certificate with iked(8).

My configuration file looks pretty much like this:

local_ip="198.51.100.1"
local_network="192.0.2.0/24"

remote_ip="198.51.100.2"
remote_network="203.0.113.0/24"

ikev2 'example' active esp \
    from $local_network to $remote_network \
    local $local_ip peer $remote_ip \
    ikesa auth hmac-sha1 enc aes-256 prf hmac-sha2-256 group modp1536 \
    childsa auth hmac-sha1 enc aes-256 group modp1536 \
    ikelifetime 86400 lifetime 28800 \
    dstid 198.51.100.2

What file do the directives srcid and dstid match to? I don't get how iked(8) 
makes use of the certificates in that case.

I made sure to have the following 2 files:

# cat /etc/iked/private/198.51.100.2.key  
-----BEGIN RSA PRIVATE KEY-----
XXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PRIVATE KEY-----

# cat /etc/iked/certs/198.51.100.2.crt
subject=/C=FR/O=XXX/OU=0002 479766842/OU=XXXXX/CN=XXXXXXX
issuer=/C=FR/O=XXXXX/OU=0002 120061023/CN=XXXXXXXXXX
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
subject=/C=FR/O=XXX/OU=0002 120061023/CN=XXXXX
issuer=/CN=XXX-ROOT/OU=0002 120061023/O=XXXX/C=FR
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
subject=/CN=XXX-ROOT/OU=0002 120061023/O=XXXXX/C=FR
issuer=/CN=XXX-ROOT/OU=0002 120061023/O=XXXX/C=FR
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----

But I get an error:

config_setkeys: failed to open private key: No such file or directory
parent: parent_configure: failed to send keys

I'm pretty sure I'm completely wrong here and I would be really grateful if 
anybody could explain to me what the steps to take here are.

Thank you!
-- 
Tristan
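The bundle the peer CA returned in the post above carries three certificates in one file: the end-entity certificate, its issuing CA and the self-signed root. iked(8) keeps these in separate places: its own private key in /etc/iked/private/local.key, certificates in /etc/iked/certs/ and CA certificates in /etc/iked/ca/ (see the FILES section of iked(8)), and it picks the certificate whose subject or subjectAltName matches the configured identity rather than matching on file names. The script below is an added example, not code from the post or from OpenBSD: it splits such a bundle into the leaf certificate for certs/ and the issuing chain for ca/, ordering the chain by the subject=/issuer= lines that openssl prints before each block, and it refuses a bundle that has no unique leaf or a gap in the chain. The sample bundle and its PEM bodies are constructed placeholders, and the output file names (CN-derived, with a "-chain" suffix for the CA file) are a hypothetical convention, not anything iked requires.

```python
"""Split a concatenated PEM bundle into the pieces iked(8) stores separately.

Added example, not code from the original post or from OpenBSD.  The sample
bundle is constructed and its PEM bodies are placeholders, not real certificates.
"""
import re
import sys
from pathlib import Path

# Constructed sample in the layout openssl produces: subject=/issuer= header
# lines followed by the PEM block, leaf first, root last.
SAMPLE_BUNDLE = """\
subject=/C=FR/O=Example/CN=198.51.100.2
issuer=/C=FR/O=Example/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER
-----END CERTIFICATE-----
subject=/C=FR/O=Example/CN=Example Issuing CA
issuer=/CN=Example Root/O=Example/C=FR
-----BEGIN CERTIFICATE-----
INTERMEDIATE-PLACEHOLDER
-----END CERTIFICATE-----
subject=/CN=Example Root/O=Example/C=FR
issuer=/CN=Example Root/O=Example/C=FR
-----BEGIN CERTIFICATE-----
ROOT-PLACEHOLDER
-----END CERTIFICATE-----
"""


def parse_bundle(text):
    """Return [{'subject', 'issuer', 'pem'}, ...] in file order.

    Identity comes from the subject=/issuer= lines openssl prints before
    each block; the PEM body itself is kept verbatim and never decoded.
    """
    certs, subject, issuer, pem = [], None, None, None
    for line in text.splitlines(keepends=True):
        if line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif line.startswith("issuer="):
            issuer = line[len("issuer="):].strip()
        elif line.startswith("-----BEGIN CERTIFICATE-----"):
            pem = [line]
        elif pem is not None:
            pem.append(line)
            if line.startswith("-----END CERTIFICATE-----"):
                if subject is None or issuer is None:
                    raise ValueError("certificate block without subject/issuer lines")
                certs.append({"subject": subject, "issuer": issuer, "pem": "".join(pem)})
                subject = issuer = pem = None
    if pem is not None:
        raise ValueError("truncated certificate block")
    return certs


def order_chain(certs):
    """Order the certificates leaf first and root last by issuer -> subject links."""
    issuers = {c["issuer"] for c in certs if c["issuer"] != c["subject"]}
    leaves = [c for c in certs if c["subject"] not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected one end-entity certificate, found {len(leaves)}")
    by_subject = {c["subject"]: c for c in certs}
    chain, cur, seen = [], leaves[0], set()
    while True:
        if cur["subject"] in seen:
            raise ValueError("issuer loop in bundle")
        seen.add(cur["subject"])
        chain.append(cur)
        if cur["issuer"] == cur["subject"]:
            return chain  # self-signed root reached
        cur = by_subject.get(cur["issuer"])
        if cur is None:
            raise ValueError(f"issuer not in bundle: {chain[-1]['issuer']}")


def file_stem(subject):
    """Derive a safe file name from the leaf CN (hypothetical naming convention)."""
    m = re.search(r"/CN=([^/]+)", subject)
    return re.sub(r"[^A-Za-z0-9._-]", "_", m.group(1) if m else "peer")


def split_for_iked(text, certs_dir="/etc/iked/certs", ca_dir="/etc/iked/ca"):
    """Map destination path -> PEM text: the leaf for certs/, the rest for ca/."""
    chain = order_chain(parse_bundle(text))
    leaf, cas = chain[0], chain[1:]
    stem = file_stem(leaf["subject"])
    out = {f"{certs_dir}/{stem}.crt": leaf["pem"]}
    if cas:
        out[f"{ca_dir}/{stem}-chain.crt"] = "".join(c["pem"] for c in cas)
    return out


if __name__ == "__main__":
    # usage: split_bundle.py bundle.pem [destination root, default /]
    bundle = Path(sys.argv[1]).read_text()
    root = Path(sys.argv[2]) if len(sys.argv) > 2 else Path("/")
    for path, pem in split_for_iked(bundle).items():
        dest = root / path.lstrip("/")
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(pem)
        print(f"wrote {dest}")
```

Pass a destination root other than / to stage the files under a scratch directory first and inspect them before copying anything into /etc/iked. Installing the chain into /etc/iked/ca/ is what lets iked validate the peer's certificate, so the trust decision rests on exactly the CA certificates placed there; a bundle that is missing a link in the chain is rejected by order_chain rather than silently producing a partial ca/ file.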