ikev2 on 6.1 not working with RSA keys (generated by the machine)

Doros Eracledes-2
Hello misc!

Just posting in case someone else has come across this problem, to save them some time.

I've been trying to get ikev2 to work between two 6.1 machines to replace our isakmpd + ipsec setup and was getting nowhere.

the iked man page says:

    iked supports mutual authentication using RSA or ECDSA public keys and
     X.509 certificates.  See the PUBLIC KEY AUTHENTICATION section below and
     PKI AND CERTIFICATE AUTHORITY COMMANDS in ikectl(8) for more information
     about creating and maintaining the public key infrastructure.

but as I found out, it does not work with the RSA keys generated on first boot (even if you delete them and reboot to re-create them).

To be clear, the keys I refer to are /etc/iked/local.pub and /etc/iked/private/local.key

And the relevant part from /etc/rc

# grep iked /etc/rc        
# Generate keys for isakmpd, iked and sshd if they don't exist yet.
        local _iked_key=/etc/iked/private/local.key
        local _iked_pub=/etc/iked/local.pub
                echo -n "openssl: generating isakmpd/iked RSA keys... "
        if [[ ! -f $_iked_key ]]; then
                cp $_isakmpd_key $_iked_key
                chmod 600 $_iked_key
                cp $_isakmpd_pub $_iked_pub
start_daemon iscsid isakmpd iked sasyncd ldapd npppd

The error I was getting was:
ikev2_recv: IKE_SA_INIT request from initiator aa.aa.aa.aa:500 to bb.bb.bb.bb:500 policy 'policy6' id 0, 510 bytes
ikev2_msg_send: IKE_SA_INIT response from bb.bb.bb.bb:500 to aa.aa.aa.aa:500 msgid 0, 451 bytes
ikev2_recv: IKE_AUTH request from initiator aa.aa.aa.aa:500 to bb.bb.bb.bb:500 policy 'policy6' id 1, 784 bytes
ikev2_dispatch_cert: peer certificate is invalid
ikev2_msg_send: IKE_AUTH response from bb.bb.bb.bb:500 to aa.aa.aa.aa:500 msgid 1, 80 bytes

I then deleted the keys and generated new ECDSA keys:

openssl ecparam -name secp256k1 -out local.key -genkey
-> place that under /etc/iked/private/local.key

and the public key
openssl ec -in local.key -pubout > local.pub
-> place that under /etc/iked/local.pub

copy the public keys on hostA and hostB under /etc/iked/pubkeys/ipv4/aa.aa.aa.aa and /etc/iked/pubkeys/ipv4/bb.bb.bb.bb accordingly

started iked -dv (manually, to help me debug) on both nodes and could see from the output that it worked:

# iked -dv
ikev2 "hostA" active esp inet from aa.aa.aa.aa to bb.bb.bb.bb local aa.aa.aa.aa peer bb.bb.bb.bb ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid aa.aa.aa.aa dstid bb.bb.bb.bb lifetime 10800 bytes 536870912 ecdsa256 tag "ipsec_tag"

ikev2_recv: IKE_SA_INIT request from initiator bb.bb.bb.bb:500 to aa.aa.aa.aa:500 policy 'hostA' id 0, 510 bytes
ikev2_msg_send: IKE_SA_INIT response from aa.aa.aa.aa:500 to bb.bb.bb.bb:500 msgid 0, 451 bytes

ikev2_recv: IKE_AUTH request from initiator bb.bb.bb.bb:500 to aa.aa.aa.aa:500 policy 'hostA' id 1, 384 bytes
ikev2_msg_send: IKE_AUTH response from aa.aa.aa.aa:500 to bb.bb.bb.bb:500 msgid 1, 336 bytes
sa_state: VALID -> ESTABLISHED from bb.bb.bb.bb:500 to aa.aa.aa.aa:500 policy 'hostA'


and the ipsecctl -sa output (trimmed)

# ipsecctl -sa
FLOWS:
flow esp in from aa.aa.aa.aa to bb.bb.bb.bb peer aa.aa.aa.aa srcid IPV4/bb.bb.bb.bb dstid IPV4/aa.aa.aa.aa type use
flow esp out from bb.bb.bb.bb to aa.aa.aa.aa peer aa.aa.aa.aa srcid IPV4/bb.bb.bb.bb dstid IPV4/aa.aa.aa.aa type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from bb.bb.bb.bb to aa.aa.aa.aa spi 0x5f6fd9cc auth hmac-sha2-256 enc aes-256
esp tunnel from aa.aa.aa.aa to bb.bb.bb.bb spi 0xa8a4dd4c auth hmac-sha2-256 enc aes-256


I hope this will help someone and of course let me know if I missed something obvious.

Cheers
Doros Eracledes
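As an added example (not part of the original post), the script below reproduces the ECDSA key workflow described above under a scratch directory that mirrors the /etc/iked layout, and then checks that the public key installed under pubkeys/ipv4/<peer address> really belongs to the peer's private key. The curve, the file layout and the aa.aa.aa.aa / bb.bb.bb.bb addresses follow the post; the scratch root and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the poster's own script. Mirrors the /etc/iked layout
# under a scratch root so it can run anywhere openssl is installed.
set -eu

# Generate one host's ECDSA key pair: private/local.key and local.pub,
# with the same 0600 on the private key that /etc/rc applies.
make_host_keys() {
    root=$1
    mkdir -p "$root/etc/iked/private"
    chmod 700 "$root/etc/iked/private"
    # Same command and curve the post used.
    openssl ecparam -name secp256k1 -out "$root/etc/iked/private/local.key" -genkey
    chmod 600 "$root/etc/iked/private/local.key"
    # Public half: this is the file that gets copied to the peer.
    openssl ec -in "$root/etc/iked/private/local.key" -pubout \
        -out "$root/etc/iked/local.pub" 2>/dev/null
}

# Install a peer's public key where iked looks it up: pubkeys/ipv4/<peer address>.
install_peer_pubkey() {
    root=$1; peer_addr=$2; pubfile=$3
    mkdir -p "$root/etc/iked/pubkeys/ipv4"
    cp "$pubfile" "$root/etc/iked/pubkeys/ipv4/$peer_addr"
}

# Return 0 when the public key stored for a peer is the one derived from
# that peer's private key, i.e. the key the peer signs IKE_AUTH with.
# A stale or mis-copied file here is one way to end up with
# "ikev2_dispatch_cert: peer certificate is invalid".
peer_key_matches() {
    root=$1; peer_addr=$2; peer_priv=$3
    expected=$(openssl ec -in "$peer_priv" -pubout 2>/dev/null)
    stored=$(cat "$root/etc/iked/pubkeys/ipv4/$peer_addr")
    [ "$expected" = "$stored" ]
}

# Two scratch hosts standing in for hostA (aa.aa.aa.aa) and hostB (bb.bb.bb.bb).
A=$(mktemp -d); B=$(mktemp -d)
make_host_keys "$A"
make_host_keys "$B"
# hostA stores hostB's key under bb.bb.bb.bb and vice versa, as in the post.
install_peer_pubkey "$A" bb.bb.bb.bb "$B/etc/iked/local.pub"
install_peer_pubkey "$B" aa.aa.aa.aa "$A/etc/iked/local.pub"
```

Run `peer_key_matches "$A" bb.bb.bb.bb "$B/etc/iked/private/local.key"` after the setup to confirm the exchange is consistent; a non-zero exit means the two hosts do not hold matching key material.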