Hi,
the iked.conf(5) manpage says: "If srcid is omitted, the default is to
use the hostname of the local machine, see hostname(1) to set or print
the hostname." This was true but I broke it with a commit about two
years ago :(
The following diff tells ikev2_policy2id() in ca_setreq() that it's
dealing with a srcid that needs to be obtained from the local hostname
if empty (setting the srcid parameter to 1). This code is called
after receiving a CERTREQ from the peer: the peer gives us a list of
SHA1 hashes of accepted CAs and we look up a matching host certificate
that is signed by one of these CAs and includes a subjectAltName field
that matches our srcid.
This should unbreak some configurations with OpenBSD as the initiator.
OK?
Reyk
Index: ca.c
===================================================================
RCS file: /cvs/src/sbin/iked/ca.c,v
retrieving revision 1.18
diff -u -p -r1.18 ca.c
--- ca.c 18 Sep 2012 12:07:59 -0000 1.18
+++ ca.c 9 Oct 2012 10:19:03 -0000
@@ -248,7 +248,7 @@ ca_setreq(struct iked *env, struct iked_
/* Convert to a static Id */
bzero(&id, sizeof(id));
- if (ikev2_policy2id(localid, &id, 0) != 0)
+ if (ikev2_policy2id(localid, &id, 1) != 0)
return (-1);
bzero(&idb, sizeof(idb));
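Review bot: the bare `1` passed as the third argument of ikev2_policy2id() in ca_setreq() deserves a one-line comment (or a named constant) saying that it selects the "fall back to the local hostname when srcid is empty" behaviour, since the value 0 here is exactly the regression described in the cover mail and nothing at the call site explains the difference. It would also be worth confirming that no other caller of ikev2_policy2id() still passes 0 for a srcid that is allowed to be empty; the diff only touches this one call, so the other paths are not covered by this change.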
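The certificate selection that the mail describes (the peer's CERTREQ carries SHA1 hashes of accepted CAs; we pick a host certificate issued by one of them whose subjectAltName matches our srcid, falling back to the local hostname when srcid is empty) as an added, self-contained model. This is illustrative code written for this page, not iked's own ca.c: the certificate bytes, CA names, host names, the `policy2id()`/`select_cert()` helpers and the choice to hash the whole CA blob with SHA-1 are all constructed assumptions, chosen only to show why passing 0 instead of 1 for the srcid flag makes an initiator with an empty srcid find no certificate.

```python
import hashlib
import socket

# Constructed stand-ins for DER-encoded CA certificates (not real certificates).
CA_CORP = b"constructed DER: CN=Corp Root CA"
CA_LAB = b"constructed DER: CN=Lab CA"

# Constructed local host certificates: which CA issued them and their subjectAltNames.
HOST_CERTS = [
    {"name": "gw.example.net (corp)", "issuer": CA_CORP,
     "san": ["gw.example.net", "10.0.0.1"]},
    {"name": "lab host", "issuer": CA_LAB,
     "san": ["lab.example.net"]},
]

HASH_LEN = 20  # SHA-1 digest length


def ca_hash(ca_der: bytes) -> bytes:
    # Modelling assumption: a CA is identified by SHA-1 over its certificate bytes.
    # The exact input iked hashes is not shown on the page.
    return hashlib.sha1(ca_der).digest()


def build_certreq(*cas: bytes) -> bytes:
    """Peer side: CERTREQ body as the concatenation of accepted-CA hashes."""
    return b"".join(ca_hash(ca) for ca in cas)


def parse_certreq(body: bytes) -> list:
    """Our side: split the CERTREQ body back into 20-byte SHA-1 hashes."""
    if len(body) % HASH_LEN != 0:
        raise ValueError("CERTREQ body is not a multiple of the SHA-1 length")
    return [body[i:i + HASH_LEN] for i in range(0, len(body), HASH_LEN)]


def policy2id(srcid: str, use_hostname: bool, hostname: str) -> str:
    """Model of the srcid flag on ikev2_policy2id(): with the flag set (1) an
    empty srcid becomes the local hostname; with it clear (0) it stays empty."""
    if not srcid and use_hostname:
        return hostname
    return srcid


def select_cert(certreq_hashes, srcid, use_hostname, certs=HOST_CERTS, hostname=None):
    """Return the name of the first host cert that is issued by an accepted CA
    and carries the wanted identity as a subjectAltName, or None if nothing fits."""
    if hostname is None:
        hostname = socket.gethostname()
    wanted = policy2id(srcid, use_hostname, hostname)
    if not wanted:
        # Empty identity: nothing can match, which is the broken (flag == 0) case.
        return None
    accepted = set(certreq_hashes)
    for cert in certs:
        if ca_hash(cert["issuer"]) in accepted and wanted in cert["san"]:
            return cert["name"]
    return None


if __name__ == "__main__":
    req = parse_certreq(build_certreq(CA_CORP))
    print("flag 0:", select_cert(req, "", False, hostname="gw.example.net"))
    print("flag 1:", select_cert(req, "", True, hostname="gw.example.net"))
```

With the flag clear the empty srcid never becomes a hostname, so no subjectAltName can match and the lookup fails even though a suitable certificate exists; with it set the hostname fallback selects the corp certificate. An explicit srcid is used as-is in both modes.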