Hello Christian,

Christian Uebber wrote on Tue, Jul 08, 2025 at 03:14:41PM +0200:

> I never intended to use and never used plain pub key auth, but
> that's what iked generated keys for unasked. I placed proper
> cert chains and associated private keys into the /etc/iked
> structure.  But iked silently continued to use a combination of
> srcid matched cert and its own plain pubkey originated
> local.key. For me it would have helped in the doc, that it
> plainly states:

> iked will only ever use the private key stored
> in /etc/private/local.key - independent of the auth mechanism
> used.  The user has to make sure that all the public keys or
> certificates used on the src side match the private key stored
> in local.key.

Unfortunately, judging whether what you are saying here is accurate,
and whether something like that should be added to the manual,
is way above my pay grade.  We really need input from somebody
here who knows more about iked(8), like sthen@, tobhe@, or patrick@.

If something like this would make sense, ideally, somebody should
send a patch; i can help with the formatting if any such help is
needed.  I can also try to draft a patch if someone tells me
that i should try, but then i will definitely need an OK for
the final patch.

Yours,
  Ingo
