OpenIKED: Authentication question


OpenIKED: Authentication question

Scheibel, Michael
Hi, folks,

I have successfully set up an ESP tunnel between two OpenBSD 6.7 hosts using OpenIKED but I have not copied any key material (public keys) from one host to the other. Still, authentication succeeds.

This is how it looks in the logs of the initiator:
ca_validate_pubkey: valid public key in file pubkeys/fqdn/openbsd2.my.domain
ikev2_getimsgdata: imsg 25 rspi 0x193c5f369533048e ispi 0xac6ce70df4e79168 initiator 1 sa valid type 11 data length 0
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa (required 0x0032 certvalid,authvalid,sa)
sa_stateok: VALID flags 0x0032, require 0x0032 certvalid,authvalid,sa
spi=0xac6ce70df4e79168: sa_state: AUTH_SUCCESS -> VALID

The public key “openbsd2.my.domain” and its corresponding private key have been generated on the initiator host itself. Therefore the initiator should not be able to authenticate the responder using the key “openbsd2.my.domain”.

Is anyone able to explain this behavior? I am probably just missing something here and would highly appreciate any hints.

Cheers,
Michael

______________________________________________________________________________________________________________________
Sitz der Gesellschaft/Headquarter: TÜV Informationstechnik GmbH * Langemarckstr. 20 * 45141 Essen, Germany
Registergericht/Register Court: Amtsgericht/Local Court Essen * HRB 11687 * USt.-IdNr./VAT No.: DE 176132277 * Steuer-Nr./Tax No.: 111/57062251
Geschäftsführung/Management Board: Dirk Kretzschmar


TÜV NORD GROUP
Expertise for your Success


Please visit our website: www.tuv-nord.com<http://www.tuv-nord.com>
Besuchen Sie unseren Internetauftritt: www.tuev-nord.de<http://www.tuev-nord.de>

Re: OpenIKED: Authentication question

Tobias Heider-2
On Wed, Jul 22, 2020 at 11:56:15AM +0000, Scheibel, Michael wrote:

> Hi, folks,
>
> I have successfully set up an ESP tunnel between two OpenBSD 6.7 hosts using OpenIKED but I have not copied any key material (public keys) from one host to the other. Still, authentication succeeds.
>
> This is how it looks in the logs of the initiator:
> ca_validate_pubkey: valid public key in file pubkeys/fqdn/openbsd2.my.domain
> ikev2_getimsgdata: imsg 25 rspi 0x193c5f369533048e ispi 0xac6ce70df4e79168 initiator 1 sa valid type 11 data length 0
> ikev2_dispatch_cert: peer certificate is valid
> sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa (required 0x0032 certvalid,authvalid,sa)
> sa_stateok: VALID flags 0x0032, require 0x0032 certvalid,authvalid,sa
> spi=0xac6ce70df4e79168: sa_state: AUTH_SUCCESS -> VALID
>
> The public key “openbsd2.my.domain” and its corresponding private key have been generated on the initiator host itself. Therefore the initiator should not be able to authenticate the responder using the key “openbsd2.my.domain”.
>
> Is anyone able to explain this behavior? I am probably just missing something here and would highly appreciate any hints.
>
> Cheers,
> Michael

Hi Michael,

In order to understand what's going on it would help if you could send your iked.confs as well as
a list of files in /etc/iked on both hosts.
The log output suggests the peer was authenticated via certificate/CA, not raw public key.

Regards,
Tobias



Re: OpenIKED: Authentication question

Scheibel, Michael
Hi, Tobias,

Thanks for your response!

I am pasting the contents of the iked.confs as well as the list of files in /etc/iked on both hosts below.

Kind regards,
Michael

--------------------------------------------------
/etc/iked.conf on initiator:

local_IP="192.168.5.10"
local_NW="192.168.5.10/32"
peer_IP="192.168.5.11"
peer_NW="192.168.5.11/32"
local_FQDN="openbsd.my.domain"
peer_FQDN="openbsd2.my.domain"
allowed_enc="enc aes-128 enc aes-256"
allowed_enc_esp="enc aes-128 enc aes-256 enc aes-128-ctr enc aes-256-ctr"
allowed_enc_auth_esp="enc aes-128-gcm enc aes-256-gcm"
allowed_prf="prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512"
allowed_group="group modp2048 group modp3072 group modp4096 group ecp256 group ecp384 group ecp521 group brainpool256 group brainpool384 group brainpool512"
allowed_auth="auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512"
ikev2 "initiator-ESP-tunnel" active tunnel esp \
from $local_NW to $peer_NW \
local $local_IP peer $peer_IP \
ikesa $allowed_auth $allowed_enc $allowed_prf $allowed_group \
childsa $allowed_auth $allowed_enc_esp $allowed_group \
childsa $allowed_enc_auth_esp $allowed_group \
srcid $local_FQDN dstid $peer_FQDN \
ikelifetime 0 \
lifetime 0 bytes 0 \
ecdsa384

--------------------------------------------------
/etc/iked.conf on responder:

local_IP="192.168.5.11"
local_NW="192.168.5.11/32"
peer_IP="192.168.5.10"
peer_NW="192.168.5.10/32"
local_FQDN="openbsd2.my.domain"
peer_FQDN="openbsd.my.domain"
allowed_enc="enc aes-128 enc aes-256"
allowed_enc_esp="enc aes-128 enc aes-256 enc aes-128-ctr enc aes-256-ctr"
allowed_enc_auth_esp="enc aes-128-gcm enc aes-256-gcm"
allowed_prf="prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512"
allowed_group="group modp2048 group modp3072 group modp4096 group ecp256 group ecp384 group ecp521 group brainpool256 group brainpool384 group brainpool512"
allowed_auth="auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512"
ikev2 "responder-ESP-tunnel" passive tunnel esp \
from $local_NW to $peer_NW \
local $local_IP peer $peer_IP \
ikesa $allowed_auth $allowed_enc $allowed_prf $allowed_group \
childsa $allowed_auth $allowed_enc_esp $allowed_group \
childsa $allowed_enc_auth_esp $allowed_group \
srcid $local_FQDN dstid $peer_FQDN \
ikelifetime 0 \
lifetime 0 bytes 0 \
ecdsa384

--------------------------------------------------
List of files in /etc/iked on initiator:

total 32
drwxr-xr-x   7 root  wheel   512 Jul  8 13:54 .
drwxr-xr-x  22 root  wheel  1536 Jul 10 15:33 ..
drwxr-xr-x   2 root  wheel   512 May  7 18:51 ca
drwxr-xr-x   2 root  wheel   512 Jul  9 15:09 certs
drwxr-xr-x   2 root  wheel   512 May  7 18:51 crls
-rw-r--r--   1 root  wheel   451 Jul  8 13:54 local.pub
drwx------   2 root  wheel   512 Jul  8 13:54 private
drwxr-xr-x   6 root  wheel   512 May  7 18:51 pubkeys

/etc/iked/ca:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  7 root  wheel  512 Jul  8 13:54 ..

/etc/iked/certs:
total 8
drwxr-xr-x  2 root  wheel  512 Jul  9 15:09 .
drwxr-xr-x  7 root  wheel  512 Jul  8 13:54 ..

/etc/iked/crls:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  7 root  wheel  512 Jul  8 13:54 ..

/etc/iked/private:
total 12
drwx------  2 root  wheel   512 Jul  8 13:54 .
drwxr-xr-x  7 root  wheel   512 Jul  8 13:54 ..
-rw-------  1 root  wheel  1675 Jul  8 13:54 local.key

/etc/iked/pubkeys:
total 24
drwxr-xr-x  6 root  wheel  512 May  7 18:51 .
drwxr-xr-x  7 root  wheel  512 Jul  8 13:54 ..
drwxr-xr-x  2 root  wheel  512 Jul 10 11:09 fqdn
drwxr-xr-x  2 root  wheel  512 May  7 18:51 ipv4
drwxr-xr-x  2 root  wheel  512 May  7 18:51 ipv6
drwxr-xr-x  2 root  wheel  512 May  7 18:51 ufqdn

/etc/iked/pubkeys/fqdn:
total 16
drwxr-xr-x  2 root  wheel  512 Jul 10 11:09 .
drwxr-xr-x  6 root  wheel  512 May  7 18:51 ..
-rw-r--r--  1 root  wheel  215 Jul 10 11:07 openbsd2.my.domain
-rw-r--r--  1 root  wheel  215 Jul  9 15:11 openbsd2.my.domain.old

/etc/iked/pubkeys/ipv4:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  6 root  wheel  512 May  7 18:51 ..

/etc/iked/pubkeys/ipv6:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  6 root  wheel  512 May  7 18:51 ..

/etc/iked/pubkeys/ufqdn:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  6 root  wheel  512 May  7 18:51 ..

--------------------------------------------------
List of files in /etc/iked on responder:

total 32
drwxr-xr-x   7 root  wheel   512 Jul  8 15:43 .
drwxr-xr-x  22 root  wheel  1536 Jul 22 17:08 ..
drwxr-xr-x   2 root  wheel   512 May  7 18:51 ca
drwxr-xr-x   2 root  wheel   512 May  7 18:51 certs
drwxr-xr-x   2 root  wheel   512 May  7 18:51 crls
-rw-r--r--   1 root  wheel   451 Jul  8 15:43 local.pub
drwx------   2 root  wheel   512 Jul  8 15:43 private
drwxr-xr-x   6 root  wheel   512 May  7 18:51 pubkeys

/etc/iked/ca:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  7 root  wheel  512 Jul  8 15:43 ..

/etc/iked/certs:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  7 root  wheel  512 Jul  8 15:43 ..

/etc/iked/crls:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  7 root  wheel  512 Jul  8 15:43 ..

/etc/iked/private:
total 12
drwx------  2 root  wheel   512 Jul  8 15:43 .
drwxr-xr-x  7 root  wheel   512 Jul  8 15:43 ..
-rw-------  1 root  wheel  1675 Jul  8 15:43 local.key

/etc/iked/pubkeys:
total 24
drwxr-xr-x  6 root  wheel  512 May  7 18:51 .
drwxr-xr-x  7 root  wheel  512 Jul  8 15:43 ..
drwxr-xr-x  2 root  wheel  512 Jul  9 15:20 fqdn
drwxr-xr-x  2 root  wheel  512 May  7 18:51 ipv4
drwxr-xr-x  2 root  wheel  512 May  7 18:51 ipv6
drwxr-xr-x  2 root  wheel  512 May  7 18:51 ufqdn

/etc/iked/pubkeys/fqdn:
total 12
drwxr-xr-x  2 root  wheel  512 Jul  9 15:20 .
drwxr-xr-x  6 root  wheel  512 May  7 18:51 ..
-rw-r--r--  1 root  wheel  215 Jul  9 15:20 openbsd.my.domain

/etc/iked/pubkeys/ipv4:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  6 root  wheel  512 May  7 18:51 ..

/etc/iked/pubkeys/ipv6:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  6 root  wheel  512 May  7 18:51 ..

/etc/iked/pubkeys/ufqdn:
total 8
drwxr-xr-x  2 root  wheel  512 May  7 18:51 .
drwxr-xr-x  6 root  wheel  512 May  7 18:51 ..

(EOM)

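A check that speaks to the question above, added here as an example and not code from the thread or from OpenIKED: parse the PEM public keys iked keeps under /etc/iked and report key type plus fingerprint, so a pubkeys/fqdn/<peer> file can be compared against the peer's own local.pub before it is trusted. The two sample keys are constructed dummies with zeroed key material; real files would be read from the paths listed in the thread.

```python
# Added example, not code from the thread or OpenIKED: report the algorithm and
# SHA-256 fingerprint of PEM public keys as iked stores them (/etc/iked/local.pub,
# /etc/iked/pubkeys/<type>/<id>), to tell a locally generated file from the peer's real key.
import base64, hashlib

OIDS = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10045.2.1": "EC",
        "1.2.840.10045.3.1.7": "P-256", "1.3.132.0.34": "P-384",
        "1.3.132.0.35": "P-521"}

def _tlv(buf, pos=0):  # one DER TLV at pos -> (tag, value, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length (RSA keys need it)
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _oid(b):  # DER OBJECT IDENTIFIER contents -> dotted string
    vals, cur = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        cur = (cur << 7) | (x & 0x7F)
        if not x & 0x80:
            vals, cur = vals + [cur], 0
    return ".".join(map(str, vals))

def spki_info(pem):
    """Return (algorithm, curve or None, SHA-256 hex of the DER SubjectPublicKeyInfo)."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    spki = base64.b64decode(body)
    _, seq, _ = _tlv(spki)              # SubjectPublicKeyInfo SEQUENCE
    _, algid, _ = _tlv(seq)             # AlgorithmIdentifier SEQUENCE
    _, alg, p = _tlv(algid)             # algorithm OID, then parameters
    name = OIDS.get(_oid(alg), "unknown")
    curve = OIDS.get(_oid(_tlv(algid, p)[1]), "unknown") if name == "EC" else None
    return name, curve, hashlib.sha256(spki).hexdigest()

def keys_match(pem_a, pem_b):  # True only for a byte-identical SubjectPublicKeyInfo
    return spki_info(pem_a)[2] == spki_info(pem_b)[2]
def to_pem(der):  # PEM armor, used here only to build the constructed samples
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{lines}\n-----END PUBLIC KEY-----\n"

# Constructed samples (dummy key material, not real keys): a P-384 SPKI with an
# all-zero point and an RSA-1024 SPKI with an all-zero modulus and e = 65537.
EC_SPKI = bytes.fromhex("3076 3010 06072a8648ce3d0201 06052b81040022 036200 04") + bytes(96)
RSA_SPKI = (bytes.fromhex("30819f 300d 06092a864886f70d010101 0500 03818d00 308189 028181 00")
            + bytes(128) + bytes.fromhex("0203010001"))
LOCAL_GENERATED = to_pem(EC_SPKI)   # e.g. a pubkeys/fqdn/<peer> file created on this host
PEER_REAL = to_pem(RSA_SPKI)        # e.g. the peer's own /etc/iked/local.pub
```

For reference, a P-384 public key in this PEM form is exactly 215 bytes and an RSA-2048 one is 451 bytes, the two sizes that appear in the directory listings above; comparing fingerprints across both hosts is the way to confirm which key a peer is actually being authenticated against.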