On Wed, Jul 22, 2020 at 11:56:15AM +0000, Scheibel, Michael wrote:
> Hi, folks,
>
> I have successfully set up an ESP tunnel between two OpenBSD 6.7 hosts using
> OpenIKED but I have not copied any key material (public keys) from one host
> to the other. Still, authentication succeeds.
>
> This is how it looks in the logs of the initiator:
> ca_validate_pubkey: valid public key in file pubkeys/fqdn/openbsd2.my.domain
> ikev2_getimsgdata: imsg 25 rspi 0x193c5f369533048e ispi 0xac6ce70df4e79168
> initiator 1 sa valid type 11 data length 0
> ikev2_dispatch_cert: peer certificate is valid
> sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa
> (required 0x0032 certvalid,authvalid,sa)
> sa_stateok: VALID flags 0x0032, require 0x0032 certvalid,authvalid,sa
> spi=0xac6ce70df4e79168: sa_state: AUTH_SUCCESS -> VALID
>
> The public key "openbsd2.my.domain" and its corresponding private key have
> been generated on the initiator host itself. Therefore the initiator should
> not be able to authenticate the responder using the key "openbsd2.my.domain".
>
> Is anyone able to explain this behavior? I am probably just missing something
> here and would highly appreciate any hints.
>
> Cheers,
> Michael
Hi Michael,

in order to understand what's going on it would help if you could send your
iked.confs as well as a list of files in /etc/iked on both hosts. The log
output suggests the peer was authenticated via certificate/CA, not raw public
key.

Regards,
Tobias
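As an added illustration (not taken from Michael's or Tobias's mail), the following is the iked.conf and /etc/iked layout that raw public key authentication between the two hosts named in the thread would rely on, with the CA-related paths that make iked take the certificate path listed beside it, and the check that tells the two apart. The host names and the pubkeys/fqdn file name come from the thread; the addresses, network ranges and the policy name are assumptions.

```conf
# /etc/iked/iked.conf on openbsd1.my.domain (the initiator).
# Constructed example: 10.1.0.0/24, 10.2.0.0/24 and 192.0.2.2 are assumed.
ikev2 "to-openbsd2" active esp \
        from 10.1.0.0/24 to 10.2.0.0/24 \
        peer 192.0.2.2 \
        srcid openbsd1.my.domain \
        dstid openbsd2.my.domain
# No "ikeauth" keyword, so the default (rsa) applies: the peer is
# authenticated with a public key or an X.509 certificate, never a PSK.

# Files iked(8) consults on openbsd1 for the peer selected by "dstid":
#   /etc/iked/pubkeys/fqdn/openbsd2.my.domain
#       raw public key of the peer; for pubkey-only authentication this
#       must be a copy of openbsd2's /etc/iked/local.pub
#   /etc/iked/ca/*.crt
#       CA certificates; if a certificate sent by the peer chains to one of
#       these, iked validates it against the CA, which is the path Tobias
#       suspects rather than the pubkeys/ file
#   /etc/iked/certs/*.crt
#       this host's own certificate(s), offered to the peer
#   /etc/iked/private/local.key, /etc/iked/local.pub
#       this host's private and public key

# Check on openbsd1 that the pubkeys/ entry is really openbsd2's key and not
# a key generated locally; a non-zero exit from cmp means they differ:
#   ssh openbsd2 cat /etc/iked/local.pub | \
#       cmp - /etc/iked/pubkeys/fqdn/openbsd2.my.domain && echo same
# and list what could make the CA path available:
#   ls -l /etc/iked/ca /etc/iked/certs /etc/iked/pubkeys/*
```

If the cmp check fails while the tunnel still comes up, the pubkeys/fqdn file was not what authenticated the peer, and the contents of /etc/iked/ca and /etc/iked/certs on both hosts are the next thing to compare, which is what the reply above asks for.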