Hello

Last year (before about 3/27/2017, when the "Add support for RFC4754 (ECDSA) and RFC7427 authentication" diff was committed to -current), I had set up and had been able to connect iOS devices (iPhone/iPad) to OpenBSD's iked and have IKEv2 VPNs happen, almost as if by magic.

Authentication was accomplished using certificates signed by a local authority and then distributed to the iOS devices. Since 3/27/17, this has not been working. I sent a couple of emails about this last year (the initial one: https://marc.info/?l=openbsd-bugs&m=149706080419488&w=2).

Over the last year, I have tried many things. Even though I don't know anything about programming (or C), I tried making little changes to the iked source, all without success. (Is that any surprise? No. I was amazed at times that my changes even resulted in a program that would actually start up and run.) I have tried creating several different CAs and certificates, using various different algorithms (ECDSA and RSA, with varying key lengths), all without success. For example, I just tried creating a CA and certificates with ECDSA384/SHA2-384; I distribute those to the iOS device (which supports them), but iked will not accept them and create a tunnel.

In iked.conf, if I don't explicitly state something like "ecdsa384" as the authentication method (and this requires having a local copy of the public key on the OpenBSD machine), iked falls back to rfc7427 for authentication, but it appears that iOS does not support this (yet?).

I have been downgrading iked to a version from before 3/27/17 (every time I update -current), and this still allows my old certificates to work. But that doesn't seem sustainable. I have no idea how to proceed.

Has anyone been able to get the -current (or at least a snapshot after 3/27/17) version of iked to work with any iOS devices using certificates successfully? If so, I would really appreciate some advice on how it can be done.

Thanks
Ted
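For readers unfamiliar with the two iked.conf authentication settings the post contrasts, here is an illustrative configuration fragment. It is an added example, not the poster's configuration and not taken from the OpenBSD source or manual pages: the policy name, the network ranges, the identities and the example.com hostnames are placeholders. What it shows is the difference the post describes: the first policy names `ecdsa384` explicitly, which makes iked look up the peer's public key on disk (the standard location is `/etc/iked/pubkeys/<idtype>/<id>`), while the second policy names no authentication method and so uses iked's default, rfc7427 digital signatures.

```conf
# Hypothetical /etc/iked/iked.conf fragment (added example; all names/addresses are placeholders).

# Policy 1: explicit ECDSA-384 authentication.
# iked will only accept this peer if its public key is present as
# /etc/iked/pubkeys/fqdn/ipad.example.com (pubkeys path is iked's standard layout).
ikev2 "ios-ecdsa" passive esp \
    from 0.0.0.0/0 to 10.0.1.0/24 \
    local any peer any \
    srcid vpn.example.com dstid ipad.example.com \
    ecdsa384 \
    config address 10.0.1.0/24

# Policy 2: no authentication keyword given, so iked falls back to its
# default, rfc7427 digital signatures (equivalent to writing "rfc7427").
# The poster reports iOS not completing the exchange with this default.
ikev2 "ios-default" passive esp \
    from 0.0.0.0/0 to 10.0.2.0/24 \
    local any peer any \
    srcid vpn.example.com dstid iphone.example.com \
    config address 10.0.2.0/24
```

After editing the file, `iked -n` parses the configuration without starting the daemon, which is a quick way to confirm the syntax is accepted before restarting iked. Whether a given iOS release completes the exchange with either setting is exactly the open question of the post; this fragment only makes the two settings concrete.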

