IKEv2 OpenBSD client using X.509 Certificate Authentication


IKEv2 OpenBSD client using X.509 Certificate Authentication

Tristan Pilat
Hi guys,

I'm trying to set up an IKEv2 VPN using X.509 Certificate Authentication with iked(8). In the Virtual Private Networks (VPN) section of the FAQ there is no section about setting this up with an OpenBSD client. Is there anybody here who's done that before?

In trying to achieve this, I first had to give a CSR to the other party, so I used ikectl(8) to generate a CA and a certificate. To do so I followed the steps at the bottom of the ikectl(8) man page and I did this:

# ikectl ca example create
# ikectl ca example certificate 198.51.100.1 create
# ikectl ca example certificate 198.51.100.2 create

I then gave them the CSR file corresponding to the 198.51.100.2 certificate.

In return, they gave me a X.509 certificate like the following:

$ cat example.pem
subject=/C=FR/O=XXX/OU=0002 479766842/OU=XXXXX/CN=XXXXXXX
issuer=/C=FR/O=XXXXX/OU=0002 120061023/CN=XXXXXXXXXX
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
subject=/C=FR/O=XXX/OU=0002 120061023/CN=XXXXX
issuer=/CN=XXX-ROOT/OU=0002 120061023/O=XXXX/C=FR
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
subject=/CN=XXX-ROOT/OU=0002 120061023/O=XXXXX/C=FR
issuer=/CN=XXX-ROOT/OU=0002 120061023/O=XXXX/C=FR
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----

I don't really know how to use that certificate with iked(8).

My configuration file looks pretty much like this:

local_ip="198.51.100.1"
local_network="192.0.2.0/24"

remote_ip="198.51.100.2"
remote_network="203.0.113.0/24"

ikev2 'example' active esp \
    from $local_network to $remote_network \
    local $local_ip peer $remote_ip \
    ikesa auth hmac-sha1 enc aes-256 prf hmac-sha2-256 group modp1536 \
    childsa auth hmac-sha1 enc aes-256 group modp1536 \
    ikelifetime 86400 lifetime 28800 \
    dstid 198.51.100.2

What file do the directives srcid and dstid match to? I don't get how iked(8) makes use of the certificates in that case.

I made sure to have the following 2 files:

# cat /etc/iked/private/198.51.100.2.key
-----BEGIN RSA PRIVATE KEY-----
XXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PRIVATE KEY-----

# cat /etc/iked/certs/198.51.100.2.crt
subject=/C=FR/O=XXX/OU=0002 479766842/OU=XXXXX/CN=XXXXXXX
issuer=/C=FR/O=XXXXX/OU=0002 120061023/CN=XXXXXXXXXX
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
subject=/C=FR/O=XXX/OU=0002 120061023/CN=XXXXX
issuer=/CN=XXX-ROOT/OU=0002 120061023/O=XXXX/C=FR
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
subject=/CN=XXX-ROOT/OU=0002 120061023/O=XXXXX/C=FR
issuer=/CN=XXX-ROOT/OU=0002 120061023/O=XXXX/C=FR
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----

But I get an error:

config_setkeys: failed to open private key: No such file or directory
parent: parent_configure: failed to send keys

I'm pretty sure I'm completely wrong here and I would be really grateful if anybody could explain to me what the steps to take here are.

Thank you!
--
Tristan
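What this post asks about, which files srcid and dstid correspond to, is documented in iked.conf(5): the local private key is read from the fixed path /etc/iked/private/local.key (the config_setkeys error above is iked failing to open that file, not the 198.51.100.2.key it was given), certificates under /etc/iked/certs/ are selected by matching the srcid identity against the certificate, not by file name, and /etc/iked/ca/ holds the trust anchors used to validate the peer's certificate. The following is an added example, not code from the thread or from OpenBSD: it parses a bundle in the example.pem layout shown above, separates the end-entity certificate from the CA chain by comparing subject and issuer DNs, checks that no issuer is missing from the chain, and reports where each piece goes and the srcid to configure. The certificate bodies in the sample are constructed placeholders.

```python
"""Sort a CA-supplied PEM bundle into the files iked(8) reads.

Added example for the post above; not code from the thread or from OpenBSD.
It assumes the bundle looks like example.pem in the post: every certificate
preceded by "subject=" and "issuer=" lines, end-entity first, root last.
The certificate bodies below are constructed placeholders, not real certs.
"""
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str]  # (subject DN, issuer DN, PEM text)

# iked(8) reads its own key from this fixed path (iked.conf(5), FILES); a key
# stored as /etc/iked/private/198.51.100.2.key is never looked at.
PRIVKEY = "/etc/iked/private/local.key"

# Constructed sample standing in for example.pem; DNs mirror the post's shape.
BUNDLE = """\
subject=/C=FR/O=XXX/OU=0002 479766842/OU=XXXXX/CN=gw.example
issuer=/C=FR/O=XXX/OU=0002 120061023/CN=AC XXX 2018
-----BEGIN CERTIFICATE-----
TEVBRg==
-----END CERTIFICATE-----
subject=/C=FR/O=XXX/OU=0002 120061023/CN=AC XXX 2018
issuer=/CN=XXX-ROOT/OU=0002 120061023/O=XXX/C=FR
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRF
-----END CERTIFICATE-----
subject=/CN=XXX-ROOT/OU=0002 120061023/O=XXX/C=FR
issuer=/CN=XXX-ROOT/OU=0002 120061023/O=XXX/C=FR
-----BEGIN CERTIFICATE-----
Uk9PVA==
-----END CERTIFICATE-----
"""

ENTRY = re.compile(
    r"subject=(?P<subject>[^\n]*)\nissuer=(?P<issuer>[^\n]*)\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----\n)",
    re.S,
)


def parse_bundle(text: str) -> List[Entry]:
    """Read (subject, issuer, PEM) triples in bundle order."""
    entries = [(m.group("subject").strip(), m.group("issuer").strip(), m.group("pem"))
               for m in ENTRY.finditer(text)]
    if not entries:
        raise ValueError("no subject=/issuer=/PEM entries found")
    return entries


def split_chain(entries: List[Entry]) -> Tuple[Entry, List[Entry]]:
    """Return (end-entity cert, CA certs).

    A certificate counts as a CA if it is self-signed or its subject issues
    another certificate in the bundle; exactly one cert must be left over.
    """
    issuers = {issuer for _, issuer, _ in entries}
    cas = [e for e in entries if e[0] == e[1] or e[0] in issuers]
    leaves = [e for e in entries if e not in cas]
    if len(leaves) != 1:
        raise ValueError(f"expected one end-entity certificate, found {len(leaves)}")
    return leaves[0], cas


def chain_gaps(entries: List[Entry]) -> List[str]:
    """Issuers named in the bundle that are not themselves in it (broken chain)."""
    subjects = {subject for subject, _, _ in entries}
    return sorted({issuer for _, issuer, _ in entries if issuer not in subjects})


def iked_layout(text: str, name: str = "example") -> Dict[str, str]:
    """Map /etc/iked paths to file contents, plus the srcid to configure.

    iked matches the local certificate by identity (the subject DN given as
    srcid), not by file name; the CA file holds the anchors used to validate
    the peer's certificate.
    """
    entries = parse_bundle(text)
    gaps = chain_gaps(entries)
    if gaps:
        raise ValueError("bundle is missing issuer(s): " + "; ".join(gaps))
    leaf, cas = split_chain(entries)
    return {
        f"/etc/iked/certs/{name}.crt": leaf[2],
        f"/etc/iked/ca/{name}.crt": "".join(pem for _, _, pem in cas),
        "srcid": leaf[0],
        "private_key": PRIVKEY,
    }


if __name__ == "__main__":
    for path, content in iked_layout(BUNDLE).items():
        print(f"{path}: {content.splitlines()[0]}")
```

The srcid value the function returns is exactly the string to quote in iked.conf (srcid "/C=FR/O=..."), and the same DN shape is what dstid must carry for the peer's certificate.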


Re: IKEv2 OpenBSD client using X.509 Certificate Authentication

Stuart Henderson
On 2019-10-07, Tristan Pilat <[hidden email]> wrote:
> I'm trying to set up an IKEv2 VPN using X.509 Certificate Authentication with iked(8). In the Virtual Private Networks (VPN) section of the FAQ there is no section about setting this up with an OpenBSD client. Is there anybody here who's done that before?

Hoping someone will tell me that I'm wrong, but iked's client-side
support is not very flexible and I don't think it supports this -
it definitely doesn't support username/password auth as a client.

strongswan is in packages if that helps..


Re: IKEv2 OpenBSD client using X.509 Certificate Authentication

Tristan Pilat
On 10/16/19 at 08:31P, Stuart Henderson wrote:
> On 2019-10-07, Tristan Pilat <[hidden email]> wrote:
> > I'm trying to set up an IKEv2 VPN using X.509 Certificate Authentication with
> > iked(8). In the Virtual Private Networks (VPN) section of the FAQ there is no
> > section about setting up this with an OpenBSD client. Is there anybody here
> > who's done that before?
>
> Hoping someone will tell me that I'm wrong, but iked's client-side support is
> not very flexible and I don't think it supports this - it definitely doesn't
> support username/password auth as a client.

Does X.509 Certificate Authentication necessarily include the use of a
username/password auth mechanism?

> strongswan is in packages if that helps..

I'll use strongswan as a last resort but I'd really like to sort
this out and use iked instead.

I've actually gotten somewhere since I wrote this call for help.

So here's what I did. I put the last two blocks of my example.pem file in a
/etc/iked/ca/example.crt file and copied example.pem to
/etc/iked/certs/example.crt

And after some research I ended up with this configuration file:

# cat /etc/iked.conf

local_ip="198.51.100.1"
local_network="192.0.2.0/24"

remote_ip="198.51.100.2"
remote_network="203.0.113.0/24"

ikev2 'example' active esp \
    from $local_network to $remote_network \
    local $local_ip peer $remote_ip \
    ikesa auth hmac-sha1 enc aes-256 prf hmac-sha1 group modp1536 \
    childsa auth hmac-sha1 enc aes-256 group modp1536 \
    srcid "/C=FR/O=XXX/OU=0002 479766842/OU=XXXXX/CN=XXXXXXX" \
    dstid "/C=FR/O=XXX/OU=0002 479766842/OU=XXXXX/CN=YYYYYYY" \
    ikelifetime 86400 lifetime 28800

But I'm still stuck here with an "ikev2_pld_notify: AUTHENTICATION_FAILED, closing SA"

Here's the full iked output:

# iked -dvvT
local_ip = "198.51.100.1"
local_network = "192.0.2.0/24"
remote_ip = "198.51.100.2"
remote_network = "203.0.113.0/24"
set_policy_auth_method: using rfc7427 for peer
ikev2 "XXX" active esp inet from 192.0.2.0/24 to 203.0.113.0/24 local 198.51.100.1 peer 198.51.100.2 ikesa enc aes-256 prf hmac-sha1 auth hmac-sha1 group modp1536 childsa enc aes-256 auth hmac-sha1 group modp1536 srcid /C=FR/O=XXX/OU=0002 479766842/OU=XXXXX/CN=XXXXXXX dstid /C=FR/O=XXX/OU=0002 479766842/OU=XXXXX/CN=YYYYYYY ikelifetime 86400 lifetime 28800 bytes 536870912 rfc7427
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1191
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: loaded ca file example.crt
ca_reload: /C=FR/O=XXX/OU=0002 120061023/CN=XXXXX
ca_reload: /CN=XXX-ROOT/OU=0002 120061023/O=XXXX/C=FR
ca_reload: loaded 2 ca certificates
ca_reload: loaded cert file example.crt
ca_validate_cert: /C=FR/O=XXX/OU=0002 120061023/CN=AC XXX 2018 ok
ca_validate_cert: /C=FR/O=XXX/OU=0002 479766842/OU=XXXXX/CN=XXXXXXX ok
ca_validate_cert: /CN=XXX-ROOT/OU=0002 120061023/O=XXXX/C=FR ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 40
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 40
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getmobike: mobike
ikev2_init_ike_sa: initiating "XXX"
ca_x509_name_parse: setting 'C' to 'FR'
ca_x509_name_parse: setting 'O' to 'XXX'
ca_x509_name_parse: setting 'OU' to '0002 479766842'
ca_x509_name_parse: setting 'OU' to 'XXXXX'
ca_x509_name_parse: setting 'CN' to 'XXXXXXX'
ikev2_policy2id: srcid ASN1_DN//C=FR/O=XXX/OU=0002 479766842/OU=XXXXX/CN=XXXXXXX length 109
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 200 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0x30eecb84950d6a8a rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 326 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 200
ikev2_pld_ke: dh group MODP_1536 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_msg_send: IKE_SA_INIT request from 198.51.100.1:500 to 198.51.100.2:500 msgid 0, 326 bytes
sa_state: INIT -> SA_INIT
ikev2_recv: IKE_SA_INIT response from responder 198.51.100.2:500 to 198.51.100.1:500 policy 'XXX' id 0, 519 bytes
ikev2_recv: ispi 0x30eecb84950d6a8a rspi 0x302e973608d00937
ikev2_recv: updated SA to peer 198.51.100.2:500 local 198.51.100.1:500
ikev2_pld_parse: header ispi 0x30eecb84950d6a8a rspi 0x302e973608d00937 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 519 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 200
ikev2_pld_ke: dh group MODP_1536 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 68
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 23
ikev2_pld_payloads: payload VENDOR nextpayload CERTREQ critical 0x00 length 59
ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 65
ikev2_pld_certreq: type X509_CERT length 60
ca_x509_name_parse: setting 'C' to 'FR'
ca_x509_name_parse: setting 'O' to 'XXX'
ca_x509_name_parse: setting 'OU' to '0002 479766842'
ca_x509_name_parse: setting 'OU' to 'XXXXX'
ca_x509_name_parse: setting 'CN' to 'XXXXXXX'
ikev2_policy2id: srcid ASN1_DN//C=FR/O=XXX/OU=0002 479766842/OU=XXXXX/CN=XXXXXXX length 109
sa_stateflags: 0x0000 -> 0x0004 certreq (required 0x0009 cert,auth)
ikev2_pld_payloads: payload NOTIFY nextpayload VENDOR critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 20
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
ikev2_sa_keys: DHSECRET with 192 bytes
ikev2_sa_keys: SKEYSEED with 20 bytes
ikev2_sa_keys: S with 112 bytes
ikev2_prfplus: T1 with 20 bytes
ikev2_prfplus: T2 with 20 bytes
ikev2_prfplus: T3 with 20 bytes
ikev2_prfplus: T4 with 20 bytes
ikev2_prfplus: T5 with 20 bytes
ikev2_prfplus: T6 with 20 bytes
ikev2_prfplus: T7 with 20 bytes
ikev2_prfplus: T8 with 20 bytes
ikev2_prfplus: T9 with 20 bytes
ikev2_prfplus: Tn with 180 bytes
ikev2_sa_keys: SK_d with 20 bytes
ikev2_sa_keys: SK_ai with 20 bytes
ikev2_sa_keys: SK_ar with 20 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 20 bytes
ikev2_sa_keys: SK_pr with 20 bytes
ikev2_msg_auth: initiator auth data length 410
ca_setauth: using SIG (RFC7427)
ca_setauth: using SIG (RFC7427)
ca_setauth: auth length 410
sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
config_free_proposals: free 0x1b31b30fb80
ca_getreq: found CA /C=FR/O=XXX/OU=0002 120061023/CN=XXXXX
ca_getreq: found local certificate /C=FR/O=XXX/OU=0002 479766842/OU=XXXXX/CN=XXXXXXX
ca_setauth: auth length 272
ikev2_getimsgdata: imsg 20 rspi 0x302e973608d00937 ispi 0x30eecb84950d6a8a initiator 1 sa valid type 4 data length 1401
ikev2_dispatch_cert: cert type X509_CERT length 1401, ok
sa_stateflags: 0x0004 -> 0x0005 cert,certreq (required 0x0009 cert,auth)
sa_stateok: SA_INIT flags 0x0001, require 0x0009 cert,auth
ikev2_getimsgdata: imsg 25 rspi 0x302e973608d00937 ispi 0x30eecb84950d6a8a initiator 1 sa valid type 14 data length 272
ikev2_dispatch_cert: AUTH type 14 len 272
sa_stateflags: 0x0005 -> 0x000d cert,certreq,auth (required 0x0009 cert,auth)
sa_stateok: SA_INIT flags 0x0009, require 0x0009 cert,auth
ikev2_next_payload: length 113 nextpayload CERT
ikev2_next_payload: length 1406 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 41
ikev2_next_payload: length 45 nextpayload AUTH
ikev2_next_payload: length 280 nextpayload SA
pfkey_sa_getspi: spi 0x2be3b39f
pfkey_sa_init: new spi 0x2be3b39f
ikev2_add_proposals: length 48
ikev2_next_payload: length 52 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 1944
ikev2_msg_encrypt: padded length 1952
ikev2_msg_encrypt: length 1945, padding 7, output length 1980
ikev2_next_payload: length 1984 nextpayload IDi
ikev2_msg_integr: message length 2012
ikev2_msg_integr: integrity checksum length 12
ikev2_pld_parse: header ispi 0x30eecb84950d6a8a rspi 0x302e973608d00937 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 2012 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 1984
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 1952
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 1952/1952 padding 7
ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 113
ikev2_pld_id: id ASN1_DN//C=FR/O=XXX/OU=0002 479766842/OU=XXXXX/CN=XXXXXXX length 109
ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 length 1406
ikev2_pld_cert: type X509_CERT length 1401
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 length 45
ikev2_pld_certreq: type X509_CERT length 40
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 280
ikev2_pld_auth: method SIG length 272
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 52
ikev2_pld_sa: more 0 reserved 0 length 48 proposal #1 protoid ESP spisize 4 xforms 4 spi 0x2be3b39f
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.0.2.0 end 192.0.2.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 203.0.113.0 end 203.0.113.255
ikev2_msg_send: IKE_AUTH request from 198.51.100.1:500 to 198.51.100.2:500 msgid 1, 2012 bytes
ikev2_recv: IKE_AUTH response from responder 198.51.100.2:500 to 198.51.100.1:500 policy 'example' id 1, 76 bytes
ikev2_recv: ispi 0x30eecb84950d6a8a rspi 0x302e973608d00937
ikev2_recv: updated SA to peer 198.51.100.2:500 local 198.51.100.1:500
ikev2_pld_parse: header ispi 0x30eecb84950d6a8a rspi 0x302e973608d00937 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 76 response 1
ikev2_pld_payloads: payload SK nextpayload NOTIFY critical 0x00 length 48
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 7
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid IKE spisize 0 type AUTHENTICATION_FAILED
ikev2_pld_notify: AUTHENTICATION_FAILED, closing SA
sa_state: SA_INIT -> CLOSED from 198.51.100.2:500 to 198.51.100.1:500 policy 'example'
sa_stateok: VALID flags 0x0000, require 0x0032 certvalid,authvalid,sa
ikev2_recv: closing SA
sa_free: ispi 0x30eecb84950d6a8a rspi 0x302e973608d00937
config_free_proposals: free 0x1b34255b780

On the other peer, the guy notices the following lines in his device logs:

Oct 11 16:13:02 xxxxx.example.net local4.notice  Local:198.51.100.2:500 Remote:198.51.100.1:1011 Username:Unknown IKEv2 Received a IKE_INIT_SA request
Oct 11 16:13:02 xxxxx.example.net local4.warning  Local:198.51.100.2:500 Remote:198.51.100.1:1011 Username:198.51.100.1 IKEv2 Negotiation aborted due to ERROR: Peer authentication method configured is mismatching with the method proposed by peer
Oct 11 16:16:02 xxxxx.example.net local4.notice  Local:198.51.100.2:500 Remote:198.51.100.1:1011 Username:Unknown IKEv2 Received a IKE_INIT_SA request
Oct 11 16:16:32 xxxxx.example.net local4.warning  Local:198.51.100.2:500 Remote:198.51.100.1:1011 Username:Unknown IKEv2 Negotiation aborted due to ERROR: Failed to receive the AUTH msg before the timer expired

Do you guys have any idea?

Thanks,
--
Tristan
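The trace in this post already carries the data behind the peer's "authentication method ... mismatching" message: the policy was loaded with rfc7427 (the last word of the policy dump), iked sent SIGNATURE_HASH_ALGORITHMS in its IKE_SA_INIT request, the responder's IKE_SA_INIT reply carried only FRAGMENTATION_SUPPORTED and no SIGNATURE_HASH_ALGORITHMS of its own, and iked nevertheless built its AUTH payload with method 14 (Digital Signature, RFC 7427), after which the peer answered AUTHENTICATION_FAILED. RFC 7427 ties the use of method 14 to both sides having announced it, so a responder that stays silent most likely expects the classic method 1 (RSA Digital Signature). The following added example, not code from the thread or from OpenBSD, pulls those facts out of such a trace and flags the mismatch; the sample lines are trimmed from the trace above and the method names come from the IANA IKEv2 Authentication Method registry. iked.conf(5) documents per-policy authentication keywords (rfc7427 is the one in the dump; rsa selects method 1), but whether this particular peer accepts method 1 is for its administrator to confirm.

```python
"""Extract the authentication-method negotiation from an `iked -dvvT` trace.

Added example, not part of the thread or of OpenBSD. The sample lines are
trimmed from the trace in the post above; the patterns match only that
iked(8) debug format. Method numbers/names: IANA IKEv2 Authentication Method
registry (RFC 7296, RFC 4754, RFC 7427).
"""
import re
from typing import Dict, List, Optional

AUTH_METHODS = {
    1: "RSA Digital Signature",
    2: "Shared Key Message Integrity Code",
    3: "DSS Digital Signature",
    9: "ECDSA with SHA-256 on the P-256 curve",
    10: "ECDSA with SHA-384 on the P-384 curve",
    11: "ECDSA with SHA-512 on the P-521 curve",
    14: "Digital Signature (RFC 7427)",
}

# Trimmed from the post's trace: policy load, both IKE_SA_INIT messages, the
# AUTH payload iked built, and the peer's IKE_AUTH reply.
SAMPLE_TRACE = [
    "set_policy_auth_method: using rfc7427 for peer",
    "ikev2_pld_parse: header ispi 0x30eecb84950d6a8a rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 326 response 0",
    "ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS",
    "ikev2_pld_parse: header ispi 0x30eecb84950d6a8a rspi 0x302e973608d00937 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 519 response 1",
    "ikev2_pld_certreq: type X509_CERT length 60",
    "ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED",
    "ca_setauth: using SIG (RFC7427)",
    "ikev2_dispatch_cert: AUTH type 14 len 272",
    "ikev2_pld_parse: header ispi 0x30eecb84950d6a8a rspi 0x302e973608d00937 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 2012 response 0",
    "ikev2_pld_auth: method SIG length 272",
    "ikev2_pld_parse: header ispi 0x30eecb84950d6a8a rspi 0x302e973608d00937 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 76 response 1",
    "ikev2_pld_notify: protoid IKE spisize 0 type AUTHENTICATION_FAILED",
    "ikev2_pld_notify: AUTHENTICATION_FAILED, closing SA",
]

HEADER = re.compile(r"ikev2_pld_parse: header .* exchange (\S+) .* response ([01])")
NOTIFY = re.compile(r"ikev2_pld_notify: .* type (\S+)$")
AUTH_TYPE = re.compile(r"ikev2_dispatch_cert: AUTH type (\d+) len")
POLICY = re.compile(r"set_policy_auth_method: using (\S+) for peer")


def parse_trace(lines: List[str]) -> Dict:
    """Group NOTIFY types by message (exchange + direction); record the AUTH
    method iked selected and the policy keyword it was loaded with."""
    result: Dict = {"policy_method": None, "auth_type": None, "notifies": {}}
    current: Optional[str] = None  # message the following payload lines belong to
    for raw in lines:
        line = raw.strip()
        m = HEADER.search(line)
        if m:
            current = f"{m.group(1)} {'response' if m.group(2) == '1' else 'request'}"
            result["notifies"].setdefault(current, [])
            continue
        m = NOTIFY.search(line)
        if m and current:
            result["notifies"][current].append(m.group(1))
            continue
        m = AUTH_TYPE.search(line)
        if m:
            result["auth_type"] = int(m.group(1))
            continue
        m = POLICY.search(line)
        if m:
            result["policy_method"] = m.group(1)
    return result


def diagnose(trace: Dict) -> List[str]:
    """Human-readable findings about the authentication method negotiation."""
    findings = []
    method = trace["auth_type"]
    findings.append(
        f"local AUTH method {method}: {AUTH_METHODS.get(method, 'unknown')}"
        f" (policy keyword {trace['policy_method']})")
    peer_init = trace["notifies"].get("IKE_SA_INIT response", [])
    if method == 14 and "SIGNATURE_HASH_ALGORITHMS" not in peer_init:
        findings.append(
            "peer sent no SIGNATURE_HASH_ALGORITHMS in its IKE_SA_INIT response; "
            "RFC 7427 only permits method 14 when both sides announced it, so the "
            "peer most likely expects method 1 (RSA Digital Signature)")
    if "AUTHENTICATION_FAILED" in trace["notifies"].get("IKE_AUTH response", []):
        findings.append("peer rejected IKE_AUTH with AUTHENTICATION_FAILED")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_trace(SAMPLE_TRACE)):
        print("-", finding)
```

Feed it the full `iked -dvvT` output (one line per list element) from a fresh attempt; the only lines it keys on are the ikev2_pld_parse headers, ikev2_pld_notify types, the AUTH type from ikev2_dispatch_cert and the set_policy_auth_method line, so redacted addresses and SPIs do not matter.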


Re: IKEv2 OpenBSD client using X.509 Certificate Authentication

Stuart Henderson
On 2019/10/16 15:49, Tristan Pilat wrote:

> On 10/16/19 at 08:31P, Stuart Henderson wrote:
> > On 2019-10-07, Tristan Pilat <[hidden email]> wrote:
> > > I'm trying to set up an IKEv2 VPN using X.509 Certificate Authentication with
> > > iked(8). In the Virtual Private Networks (VPN) section of the FAQ there is no
> > > section about setting up this with an OpenBSD client. Is there anybody here
> > > who's done that before?
> >
> > Hoping someone will tell me that I'm wrong, but iked's client-side support is
> > not very flexible and I don't think it supports this - it definitely doesn't
> > support username/password auth as a client.
>
> Does X.509 Certificate Authentication necessarily include the use of an
> username/password auth mechanism?

No that is a different and very common mechanism that is definitely not
supported as a client (but is supported as a server). I mentioned it because
I think that the same thing may well apply for X.509 cert authentication.
(And if iked *does* support X.509 cert auth, it is at the very least
lacking documentation).

My feeling is that iked usually works pretty well as the server-side of
client/server, it has some capabilities for doing lan-to-lan, but there's
not much in the way of client-side support.

> ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 20
> ikev2_sa_negotiate: score 4
> sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth

> Oct 11 16:13:02 xxxxx.example.net local4.warning  Local:198.51.100.2:500 Remote:198.51.100.1:1011 Username:198.51.100.1 IKEv2 Negotiation aborted due to ERROR: Peer authentication method configured is mismatching with the method proposed by peer

That message is clear but I can't suggest how to change what iked is
doing for this or say whether it *can* be changed.