On 3/2/23 10:44, Stuart Henderson wrote:
> On 2023/03/01 22:15, A Tammy wrote:
>>>
>>> -# Configuration for clients connecting with EAP authentication.
>>> +# Configuration for clients connecting with EAP authentication
>>> +# and sending all traffic over the IKEv2 tunnel.
>>> # Remember to set up a PKI, see ikectl(8) for more information.
>> Is a PKI still needed in this example config? The comment seems to imply
>> that I need one even with PSK auth.
>> Like PKI is an alternative, so maybe something like - Setting up a PKI
>> is an alternative to using a PSK, see ikectl(8) for more information.
>
> That block is for EAP and yes that needs some form of PKI (either a
> local CA, or at least a server certificate signed by another CA - but
> for the latter you have some awkward handling to assemble the files
> with the intermediate cert in the right place; iked has non-standard
> requirements).
>
> Could add a couple more lines to make that more clear though,
> and give some hints for people who don't know what PKI is - see below.
>
> On 2023/03/02 05:35, Crystal Kolipe wrote:
>> On Wed, Mar 01, 2023 at 04:53:00PM +0000, Stuart Henderson wrote:
>>> How about this? Show a strong psk in the example
>>
>> ...
>>
>>> -# psk "you-should-not-use-psk-authentication!"
>>> +# psk "tyBNv13zuo3rg1WVXlaI1g1tTYNzwk962mMUYIvaLh2x8vvvyA"
>>
>> I strongly disagree with this change.
>>
>> Not only are you removing a note that psk authentication is a poor choice,
>> but you're also providing a _specific_ and otherwise strong key in the
>> example which new or unfamiliar users could _easily_ use believing that it
>> was a good choice.
>
> Could do something like this .. I do think it's important that if
> there's any example at all that it does give an indication that people
> might like to use a psk with a decent amount of entropy.
>
> (And that is exactly one of the reasons why my first thought was to
> delete the file..)
>
> Index: iked.conf
> ===================================================================
> RCS file: /cvs/src/etc/examples/iked.conf,v
> retrieving revision 1.2
> diff -u -p -r1.2 iked.conf
> --- iked.conf 1 Mar 2023 22:45:25 -0000 1.2
> +++ iked.conf 2 Mar 2023 15:20:47 -0000
> @@ -8,7 +8,10 @@
>
> # Configuration for clients connecting with EAP authentication
> # and sending all traffic over the IKEv2 tunnel.
> -# Remember to set up a PKI, see ikectl(8) for more information.
> +#
> +# EAP requires a server certificate; see ikectl(8) for more details
> +# on generating this with an iked-specific local CA.
> +#
> #ikev2 "eapclient" passive esp \
> # from any to dynamic \
> # local any peer any \
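Review bot: the new comment at `+# EAP requires a server certificate; see ikectl(8) for more details` / `+# on generating this with an iked-specific local CA.` reads as if a local CA were the only route, whereas the reply above also allows a server certificate signed by another CA (with care over where the intermediate goes); a short parenthetical noting that a certificate from another CA also works would keep both options visible to readers who already have one.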
> @@ -17,10 +20,16 @@
> # config name-server 10.1.0.2 \
> # tag "$name-$id"
>
> -# Configuration for a client authenticating with a pre-shared key.
> +# Configuration for a client authenticating with a pre-shared key,
> +# mostly useful for LAN-to-LAN tunnels between static IP endpoints.
> +#
> +# For iked->iked tunnels you can use a simple config using RSA keys
> +# instead - omit psk and copy /etc/iked/local.pub on each side to
> +# /etc/iked/pubkeys/ipv4/<address> on the other.
> +#
> #ikev2 esp \
> # from 10.3.0.0/24 to 10.1.0.0/24 \
> # from 10.5.0.0/24 to 10.1.0.0/24 \
> # from 10.5.0.0/24 to 172.16.1.0/24 \
> # local 192.168.1.1 peer 192.168.2.1 \
> -# psk "tyBNv13zuo3rg1WVXlaI1g1tTYNzwk962mMUYIvaLh2x8vvvyA"
> +# psk "tyBNv13zuo3rg1WVXlaI1g1tTYNzwk962mMUYIvaLh2x8vvvyA-replace-me"
>
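Review bot: the `+# psk "tyBNv13zuo3rg1WVXlaI1g1tTYNzwk962mMUYIvaLh2x8vvvyA-replace-me"` line still ships a specific, copy-pasteable key, and nothing in the new comment block tells the reader to replace it or what a replacement should look like; since the objection upthread was precisely that new users may use the literal value, add a line next to it such as `# Replace the psk with your own randomly generated value of similar length.` so the hint does not depend on someone noticing the suffix.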
Thanks a lot Stuart, OK aisha
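As an added example (my own, not code from this thread or from the OpenBSD tree) of turning the concern above into a check: a sh script that flags an iked.conf whose active psk is one of the example values quoted in this thread or is too short, and mints a replacement with real entropy. The list of example keys, the 32-character minimum and the two sample configs are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from this thread or the OpenBSD tree: flag an iked.conf
# whose active psk was copied from the shipped example (or is short), and
# mint a replacement with real entropy.
# Keys that appear in the example file and in this thread. Assumed to be the
# complete list; extend it if the example changes again.
EXAMPLE_PSKS='you-should-not-use-psk-authentication!
tyBNv13zuo3rg1WVXlaI1g1tTYNzwk962mMUYIvaLh2x8vvvyA
tyBNv13zuo3rg1WVXlaI1g1tTYNzwk962mMUYIvaLh2x8vvvyA-replace-me'

# Print the value of every active (not commented-out) psk in a config file.
active_psks() {
    sed -n 's/^[^#]*psk[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Succeed only if no active psk is a known example value or shorter than
# MINLEN characters (default 32, an assumed floor near the example's length).
check_psk_config() {
    conf=$1; minlen=${2:-32}
    active_psks "$conf" | {
        bad=0
        while IFS= read -r psk; do
            if printf '%s\n' "$EXAMPLE_PSKS" | grep -qxF -e "$psk"; then
                echo "$conf: psk is the shipped example value, replace it" >&2
                bad=1
            elif [ "${#psk}" -lt "$minlen" ]; then
                echo "$conf: psk is shorter than $minlen characters" >&2
                bad=1
            fi
        done
        [ "$bad" -eq 0 ]   # the group's status becomes the pipeline's status
    }
}

# Mint a 256-bit random psk as 64 hex characters using only POSIX tools.
gen_psk() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Constructed sample configs (not real deployments) to exercise the check.
BAD_CONF=$(mktemp); GOOD_CONF=$(mktemp)
trap 'rm -f "$BAD_CONF" "$GOOD_CONF"' EXIT
cat > "$BAD_CONF" <<'EOF'
ikev2 esp from 10.3.0.0/24 to 10.1.0.0/24 local 192.168.1.1 peer 192.168.2.1 \
        psk "tyBNv13zuo3rg1WVXlaI1g1tTYNzwk962mMUYIvaLh2x8vvvyA-replace-me"
EOF
cat > "$GOOD_CONF" <<EOF
# psk "you-should-not-use-psk-authentication!"
ikev2 esp from 10.3.0.0/24 to 10.1.0.0/24 local 192.168.1.1 peer 192.168.2.1 psk "$(gen_psk)"
EOF
```

Running `check_psk_config /etc/iked.conf` from a deploy script fails the build when the example key is still in place, while commented-out psk lines are ignored.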