Iked windows client using certificates?


Justin Mayes
Hello everyone

Just wanted to check my sanity after so many days. I have had an ikev2 setup working for a Windows machine for a long time, using the following. So, to repeat, this works; it connects fine.

ikev2 passive esp \
        from 0.0.0.0/0 to 10.0.5.0/24 \
        peer any local 50.247.187.177 \
        srcid 50.247.187.177 \
        config address 10.0.5.0/24

Now I have a second Windows client with a different certificate that I also want to connect at the same time, but client B disconnects client A. I believe I need to add a dstid to this config to make specific entries for each machine, using an ASN1_DN such as this? Or is there a better way for clients with no fixed IP or FQDN?


ikev2 passive esp \
        from 0.0.0.0/0 to 10.0.5.0/24 \
        peer any local 50.247.187.177 \
        srcid 50.247.187.177 \
        dstid /C=US/ST=Illinois/L=HomeTown/O=OpenBSD/OU=iked/CN=myhostnameA.local/emailAddress=[hidden email] \
        config address 10.0.5.0/24

ikev2 passive esp \
        from 0.0.0.0/0 to 10.0.5.0/24 \
        peer any local 50.247.187.177 \
        srcid 50.247.187.177 \
        dstid /C=US/ST=Illinois/L=HomeTown/O=OpenBSD/OU=iked/CN=myhostnameB.local/emailAddress=[hidden email] \
        config address 10.0.5.0/24
The problem is that no dstid format I can find will work. Once I add a dstid it fails to connect each time. Can someone help me here? Shouldn't this be possible, or am I reading the man page wrong? I'm certain the spelling is correct and matches the cert. The breakdown appears to be around here:

Not working: iked -dvv with an ASN1_DN dstid specified in iked.conf
ca_setauth: using SIG (RFC7427)
ca_setauth: auth length 393
ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG


Working: iked -dvv with no dstid specified in iked.conf
ca_setauth: switching SIG to RSA_SIG(*)
ca_setauth: auth length 393
ikev2_msg_auth: initiator auth data length 1156
ikev2_msg_authverify: method RSA_SIG keylen 1028 type X509_CERT
ikev2_msg_authverify: authentication successful


J
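The post says the dstid "matches the cert" but offers no way to prove it, and both people in this thread report that dstid never matched for them. The script below is an added example, not something from the thread or from the iked project: it derives the ASN1_DN string straight from a client certificate with openssl(1), so there is nothing to retype, and checks byte for byte whether an existing iked.conf already carries that exact dstid. It assumes the OpenSSL command-line tool (or LibreSSL on OpenBSD); the certificate it works on is a self-signed test certificate constructed in the script with client A's subject from the post and a made-up e-mail address, and the file names under a temporary directory are likewise assumptions. It only verifies the string; whether iked then accepts the policy is the question this thread leaves open.

```shell
#!/bin/sh
# Added example, not from the thread: derive the exact ASN1_DN that an
# iked.conf "dstid" needs from a client certificate, and check whether an
# existing iked.conf already carries it. Assumes openssl(1) (OpenSSL or
# LibreSSL). The certificate below is a self-signed test certificate built
# here with the subject from the post; the e-mail address is a placeholder.
set -eu

# cert_dn FILE: print the subject as "/C=.../CN=.../emailAddress=...".
# "-nameopt compat" selects OpenSSL's one-line slash-separated form, which is
# the ASN1_DN syntax iked.conf(5) describes; sed drops the "subject=" prefix
# (older releases print "subject= /C=..." with a space, hence the " *").
cert_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt compat |
        sed -e 's/^subject= *//'
}

# dstid_line FILE: the line to paste into the client's policy in iked.conf.
dstid_line() {
    printf 'dstid "%s"\n' "$(cert_dn "$1")"
}

# conf_dstids CONF: every dstid value in an iked.conf, quotes removed.
# (Assumes the DN itself contains no spaces or double quotes.)
conf_dstids() {
    sed -n 's/^[[:space:]]*dstid[[:space:]]\{1,\}"\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p' "$1"
}

# check_dstid CONF FILE: 0 if the certificate's DN appears verbatim as a
# dstid in CONF, 1 otherwise. A single differing character in any RDN means
# the policy can never match this certificate.
check_dstid() {
    conf_dstids "$1" | grep -qxF -- "$(cert_dn "$2")"
}

# --- constructed test data --------------------------------------------------
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Self-signed certificate carrying client A's subject from the post.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$work/a.key" -out "$work/a.crt" \
    -subj "/C=US/ST=Illinois/L=HomeTown/O=OpenBSD/OU=iked/CN=myhostnameA.local/emailAddress=hostA@example.com" \
    >/dev/null 2>&1

# Policy with a one-letter typo in the locality (HomeTwon): looks right by eye.
cat >"$work/typo.conf" <<'EOF'
ikev2 passive esp \
        from 0.0.0.0/0 to 10.0.5.0/24 \
        peer any local 50.247.187.177 \
        srcid 50.247.187.177 \
        dstid "/C=US/ST=Illinois/L=HomeTwon/O=OpenBSD/OU=iked/CN=myhostnameA.local/emailAddress=hostA@example.com" \
        config address 10.0.5.0/24
EOF

# Same policy, dstid generated from the certificate instead of typed.
{
    printf 'ikev2 passive esp \\\n'
    printf '        from 0.0.0.0/0 to 10.0.5.0/24 \\\n'
    printf '        peer any local 50.247.187.177 \\\n'
    printf '        srcid 50.247.187.177 \\\n'
    printf '        %s \\\n' "$(dstid_line "$work/a.crt")"
    printf '        config address 10.0.5.0/24\n'
} >"$work/generated.conf"

dstid_line "$work/a.crt"
if check_dstid "$work/typo.conf" "$work/a.crt"; then
    echo "typo.conf: dstid matches the certificate"
else
    echo "typo.conf: dstid does NOT match the certificate"
fi
if check_dstid "$work/generated.conf" "$work/a.crt"; then
    echo "generated.conf: dstid matches the certificate"
fi
```

Run it against the real client certificate (the one exported from the Windows machine, converted to PEM) in place of the constructed one; the `dstid` line it prints is the string to put in iked.conf, and `check_dstid` tells you whether what is already there differs from the certificate by even one character.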

Re: Iked windows client using certificates?

Stuart Henderson
On 2021-04-01, Justin Mayes <[hidden email]> wrote:
> Hello everyone
>
> Just wanted to check my sanity after so many days. I have had an ikev2 setup working for a Windows machine for a long time, using the following. So, to repeat, this works; it connects fine.
>
> ikev2 passive esp \
>         from 0.0.0.0/0 to 10.0.5.0/24 \

10.0.5.0/24 should be "to 0.0.0.0" in <=6.8, or "to dynamic" in -current/6.9

>         peer any local 50.247.187.177 \
>         srcid 50.247.187.177 \
>         config address 10.0.5.0/24
>
> Now I have a second Windows client with a different certificate that I also want to connect at the same time, but client B disconnects client A. I believe I need to add a dstid to this config to make specific entries for each machine, using an ASN1_DN such as this? Or is there a better way for clients with no fixed IP or FQDN?

It has been said that you should be able to match by dstid with iked,
but I have been unable to make that work.