Hello everyone

Just wanted to check my sanity after so many days. I have had an ikev2 setup working 
for a Windows machine for a long time using the following. So, to repeat, this 
works; it connects fine.

ikev2 passive esp \
        from 0.0.0.0/0 to 10.0.5.0/24 \
        peer any local 50.247.187.177 \
        srcid 50.247.187.177 \
        config address 10.0.5.0/24

Now I have a second Windows client with a different certificate that I also 
want to connect at the same time, but client B will disconnect client A. I need 
to add a dstid to this config to make specific entries for each machine, I 
believe using ASN1_DN such as this? Or is there a better way for clients with no 
fixed IP or FQDN?


ikev2 passive esp \
        from 0.0.0.0/0 to 10.0.5.0/24 \
        peer any local 50.247.187.177 \
        srcid 50.247.187.177 \
        dstid /C=US/ST=Illinois/L=HomeTown/O=OpenBSD/OU=iked/CN=myhostnameA.local/emailAddress=myem...@email.com \
        config address 10.0.5.0/24

ikev2 passive esp \
        from 0.0.0.0/0 to 10.0.5.0/24 \
        peer any local 50.247.187.177 \
        srcid 50.247.187.177 \
        dstid /C=US/ST=Illinois/L=HomeTown/O=OpenBSD/OU=iked/CN=myhostnameB.local/emailAddress=myem...@email.com \
        config address 10.0.5.0/24

The problem is that no dstid format I can find will work. Once I add dstid it 
fails to connect each time. Can someone help me here? Shouldn't this be 
possible, or am I reading the man page wrong? I'm certain the spelling is 
correct and matches the cert. The breakdown appears to be around here:

Not working: iked -dvv with ASN1_DN dstid specified in iked.conf
ca_setauth: using SIG (RFC7427)
ca_setauth: auth length 393
ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG


Working: iked -dvv with no dstid specified in iked.conf
ca_setauth: switching SIG to RSA_SIG(*)
ca_setauth: auth length 393
ikev2_msg_auth: initiator auth data length 1156
ikev2_msg_authverify: method RSA_SIG keylen 1028 type X509_CERT
ikev2_msg_authverify: authentication successful


J
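Added example, not from the post and not part of iked: a small Python helper that normalizes the subject printed by `openssl x509 -noout -subject` (either the compat `/C=US/...` form or the newer `C = US, ST = ...` form) into the slash-separated ASN1_DN string iked.conf uses, then checks it against every dstid in a constructed iked.conf fragment. The quoted dstid form in the sample and the sample policies themselves are assumptions; use it to rule out a cert/dstid string mismatch before digging into the auth-method log lines.

```python
import re

# Constructed sample iked.conf fragment modelled on the post's second attempt.
# The dstid value is quoted here, which is an assumption about the intended form.
IKED_CONF = r'''
ikev2 passive esp \
        from 0.0.0.0/0 to 10.0.5.0/24 \
        peer any local 50.247.187.177 \
        srcid 50.247.187.177 \
        dstid "/C=US/ST=Illinois/L=HomeTown/O=OpenBSD/OU=iked/CN=myhostnameA.local" \
        config address 10.0.5.0/24

ikev2 passive esp \
        from 0.0.0.0/0 to 10.0.5.0/24 \
        peer any local 50.247.187.177 \
        srcid 50.247.187.177 \
        dstid "/C=US/ST=Illinois/L=HomeTown/O=OpenBSD/OU=iked/CN=myhostnameB.local" \
        config address 10.0.5.0/24
'''


def subject_to_asn1_dn(subject: str) -> str:
    """Normalize `openssl x509 -noout -subject` output to the /C=../CN=.. form.

    Accepts the compat form ('subject= /C=US/ST=...') and the newer default
    form ('subject=C = US, ST = ..., O = Foo\\, Inc.') with escaped commas.
    """
    s = re.sub(r'^subject\s*=\s*', '', subject.strip())
    if s.startswith('/'):
        rdns = [p for p in s.split('/') if p]
    else:
        # Split on commas that are not backslash-escaped, then unescape them.
        rdns = [p.replace('\\,', ',') for p in re.split(r'(?<!\\),', s)]
    parts = []
    for rdn in rdns:
        key, _, value = rdn.partition('=')
        parts.append(f"/{key.strip()}={value.strip()}")
    return ''.join(parts)


def dstids_in_conf(conf: str) -> list:
    """Return every dstid value found in an iked.conf text (quoted or bare)."""
    return [q or bare for q, bare in re.findall(r'\bdstid\s+(?:"([^"]*)"|(\S+))', conf)]


def policy_for_cert(conf: str, subject: str):
    """Return the dstid that matches the cert subject byte-for-byte, else None."""
    want = subject_to_asn1_dn(subject)
    for dstid in dstids_in_conf(conf):
        if dstid == want:
            return dstid
    return None
```

Any difference in attribute order, spacing or case between the two strings means iked will not select that policy, so compare the normalized form rather than eyeballing the cert.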
