On 6 November 2014 10:19, Peter J. Philipp <[email protected]> wrote:
> Hi,
>
> Since my upgrade on Saturday to 5.6 my iked stopped working with psk.
> I've disabled it by now but the config was something of the order of:
>
> ikev2 active esp from 192.168.179.1 to 192.168.179.10 psk "icutwithanulu!"
> ikev2 active esp from 192.168.179.10 to 192.168.179.1 psk "icutwithanulu!"
>
> And this had worked before 5.6. It even worked when I upgraded the
> first firewall and the other firewall was still 5.5. But with two
> firewalls on 5.6 it stopped working.
>
> I'm looking for pointers on how to make rsa keys work. I followed the
> manpage of ikectl but the IPSEC doesn't establish itself and I get:
>
> Nov 6 10:17:36 venus iked[15811]: ca_getreq: no valid local certificate
> found
>
> Any hints would be appreciated.
>
> -peter
hi,

psk is now fixed in current. there are two other ways to authenticate hosts: rsa pubkeys (a recent addition; works the same way as in isakmpd) and x.509 certificates. neither of these options requires any special config option (it's "rsa" actually, but that's the default) and they will be hooked up on startup.

the procedure to set up x.509 certificates is described in ikectl(8) and i would strongly suggest using this tool.

regarding rsa keys: i have just committed a man page update taken from isakmpd(8), but essentially it's just a

hostA# scp /etc/iked/local.pub root@hostB:/etc/iked/pubkeys/ipv4/host.A.IP.Addr
hostB# scp /etc/iked/local.pub root@hostA:/etc/iked/pubkeys/ipv4/host.B.IP.Addr

and off you go. the important part is to keep your srcids and dstids sane; for instance, if you're installing pubkeys under /ipv4/ you should use IPv4 IDs in the iked.conf.

hope this helps and please try with -current iked again.
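The pubkey procedure from the reply above, as an added example that is not code from the mail or from OpenBSD's iked: a small sh library that puts a peer's public key under /etc/iked/pubkeys/<idtype>/<id> and emits the matching iked.conf rule with explicit srcid/dstid, so the ID type in the rule and the subdirectory holding the key cannot drift apart. The ipv4/ipv6/fqdn/ufqdn subdirectory names are assumed to follow the isakmpd layout the reply refers to; the PUBKEYS_DIR override, the function names and all addresses are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the mail above or from OpenBSD's iked.
# Installs a peer's iked public key under $PUBKEYS_DIR/<idtype>/<id> and
# prints the iked.conf rule whose srcid/dstid agree with that location.
# Assumptions: subdirectories ipv4/ipv6/fqdn/ufqdn as in isakmpd's layout;
# PUBKEYS_DIR may be overridden for testing; addresses are sample values.

PUBKEYS_DIR="${PUBKEYS_DIR:-/etc/iked/pubkeys}"

# Map an IKEv2 identity string to the pubkeys subdirectory it belongs in.
# Order matters: a user FQDN contains '@', an IPv6 address contains ':',
# a dotted quad is IPv4, anything else is treated as a plain FQDN.
id_type() {
	case "$1" in
	*@*) echo ufqdn ;;
	*:*) echo ipv6 ;;
	[0-9]*.[0-9]*.[0-9]*.[0-9]*) echo ipv4 ;;
	*) echo fqdn ;;
	esac
}

# Full path where the peer's key must be installed for the given peer ID.
pubkey_path() {
	echo "$PUBKEYS_DIR/$(id_type "$1")/$1"
}

# Install a peer's public key (its /etc/iked/local.pub, already copied over
# with scp) under the name that matches the peer ID. Prints the path.
install_pubkey() {
	keyfile=$1; peerid=$2
	dest=$(pubkey_path "$peerid")
	mkdir -p "$(dirname "$dest")"
	cp "$keyfile" "$dest"
	chmod 0644 "$dest"   # it is a public key; keep the directory root-owned
	echo "$dest"
}

# Is there a key for this peer ID in the subdirectory its ID type implies?
check_peer_key() {
	[ -f "$(pubkey_path "$1")" ]
}

# Emit an iked.conf rule with explicit srcid/dstid. Using the addresses
# themselves as IDs makes them IPv4 IDs, matching keys under pubkeys/ipv4/.
# No "psk" keyword, so authentication uses the default, rsa.
iked_rule() {
	local_addr=$1; peer_addr=$2
	printf 'ikev2 active esp from %s to %s srcid %s dstid %s\n' \
	    "$local_addr" "$peer_addr" "$local_addr" "$peer_addr"
}

# Sanity check before restarting iked: the dstid in our rule must have a
# key installed where pubkey_path says. Prints the rule only on success.
rule_with_key_check() {
	local_addr=$1; peer_addr=$2
	if ! check_peer_key "$peer_addr"; then
		echo "no pubkey for dstid $peer_addr at $(pubkey_path "$peer_addr")" >&2
		return 1
	fi
	iked_rule "$local_addr" "$peer_addr"
}
```

Source the file and, on hostB, run `install_pubkey hostA.pub 192.168.179.1` followed by `rule_with_key_check 192.168.179.10 192.168.179.1`; the printed rule is what goes into hostB's iked.conf, and the check refuses to print it while the key for that dstid is missing. If you instead leave srcid at its default (the hostname, an FQDN ID), the peer has to keep your key under fqdn/ rather than ipv4/, which is exactly the mismatch the reply warns about.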

