On Wed, Jun 03, 2020 at 01:09:02PM -0400, Sonic wrote:
> Following the FAQ at https://www.openbsd.org/faq/faq17.html I ran into
> the following problem with the server2 example:
> ===========================
> ikev2 'server2_rsa' active esp \
>         from 10.0.2.0/24 to 10.0.1.0/24 \
>         peer 192.0.2.1 \
>         dstid server2.domain
> ===========================
> 
> ===========================
> # iked -dv
> set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/server2.domain
> ===========================
> 
> Is the above an error to be concerned with? Doesn't the system know
> that its pubkey exists as /etc/iked/local.pub ?

It does.  /etc/iked/pubkeys/fqdn/server2.domain is where the peer's public key
should be.

> 
> Should /etc/iked/local.pub be copied to /etc/iked/pubkeys/fqdn/server2.domain?
> 
> (of course I'm using the actual fqdn of the systems in question and
> literally serverX.domain)
> 
> No such error on the server1 example, although it seems that srcid is
> not checked for the pubkey as dstid is.
> 
> Chris
> 

From https://www.openbsd.org/faq/faq17.html:

Building Site-to-site VPNs

This can be achieved by exchanging the default-provided RSA public keys:
/etc/iked/local.pub on the first system ("server1") should be copied to
/etc/iked/pubkeys/fqdn/server1.domain on the second system ("server2").
Then, /etc/iked/local.pub on the second system should be copied to
/etc/iked/pubkeys/fqdn/server2.domain on the first.
Replace "serverX.domain" with your own FQDN.

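The FAQ step above, and the "could not find pubkey" message from the thread, both come down to one file lookup: iked takes the dstid of a policy, which is the peer's ID, and looks for that peer's public key under /etc/iked/pubkeys/ in the subdirectory named after the ID type (fqdn, ipv4, ipv6, ufid, per iked.conf(5)). The script below is an added example, not code from the FAQ, the thread or iked itself: it parses an iked.conf for explicit dstid values, reports which peer keys are missing before iked is started, then shows the FAQ's copy step fixing it. The config text, key contents and temporary directory are constructed for the demo, and the ID-type classification is a simplified assumption (anything that is not an address is treated as an fqdn).

```shell
#!/bin/sh
# Added example: preflight check for iked peer public keys.
# Assumes the pubkeys/{fqdn,ipv4,ipv6} layout documented in iked.conf(5);
# everything else here (directory, config, key text) is constructed.

# pubkey_path BASE ID -> print the file iked would read for peer ID
pubkey_path() {
    base=$1; id=$2
    case $id in
        *:*)         echo "$base/pubkeys/ipv6/$id" ;;   # has a colon: IPv6
        *[!0-9.]*)   echo "$base/pubkeys/fqdn/$id" ;;   # letters present: FQDN (assumption)
        *)           echo "$base/pubkeys/ipv4/$id" ;;   # only digits and dots: IPv4
    esac
}

# dstids CONF -> print every explicit dstid value, one per line.
# Joins backslash-continued lines, drops comments and quotes first.
dstids() {
    awk '
        { sub(/#.*/, ""); gsub(/"/, "") }
        /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }
        { $0 = buf $0; buf = ""
          for (i = 1; i < NF; i++) if ($i == "dstid") print $(i + 1) }
    ' "$1"
}

# check_iked_pubkeys CONF BASE -> 0 if every dstid has a readable key,
# otherwise print "missing: ID PATH" per absent key and return 1
check_iked_pubkeys() {
    conf=$1; base=$2; rc=0
    for id in $(dstids "$conf"); do
        p=$(pubkey_path "$base" "$id")
        if [ ! -r "$p" ]; then
            echo "missing: $id $p"
            rc=1
        fi
    done
    return $rc
}

# Demo: the FAQ's server2 example on "server1", before and after the
# key exchange the FAQ describes. Paths are a constructed temp tree
# standing in for /etc/iked.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/pubkeys/fqdn" "$d/pubkeys/ipv4"
    cat > "$d/iked.conf" <<'EOF'
ikev2 'server2_rsa' active esp \
        from 10.0.2.0/24 to 10.0.1.0/24 \
        peer 192.0.2.1 \
        dstid server2.domain
EOF
    echo "== before copying server2's local.pub =="
    check_iked_pubkeys "$d/iked.conf" "$d" || echo "(iked would log set_policy: could not find pubkey)"

    # The FAQ step: server2's /etc/iked/local.pub lands on server1 as
    # pubkeys/fqdn/server2.domain. Key text is constructed, not a real key.
    echo "constructed stand-in for server2 local.pub" > "$d/pubkeys/fqdn/server2.domain"

    echo "== after =="
    check_iked_pubkeys "$d/iked.conf" "$d" && echo "all peer keys present"
    rm -rf "$d"
    return 0
}

demo
```

The check mirrors the thread's point that srcid is not looked up this way: only dstid values are examined, because the local key is always /etc/iked/local.pub and only the peer's key has to be installed by hand.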