This is a howto on using raw RSA keys and/or Better-than-nothing security (BTNS) with OpenBSD's IKEv2 daemon, iked.
This document is a part of the BTNS project which has been sponsored by the .SE foundation.
First, check out the OpenBSD iked source. It's in /usr/src/sbin/iked. To find out how to check out the code, see the helpful OpenBSD web pages.
Choose and apply a patch:
Patch: Support for raw RSA keys, 2012-08-31.
Patch: Support for "btns" keyword and fingerprint search.
The second patch includes the first. Use only one of them. If you only want support for RSA keys use only the first patch.
When you first start your OpenBSD computer, it generates an RSA key pair for IPsec use. The public key is in /etc/iked/local.pub and the corresponding private key is in /etc/iked/private/local.key. You can use this key pair directly or generate your own pair in PEM format like this:
# openssl genrsa -out /etc/iked/private/local.key 2048
# openssl rsa -out /etc/iked/local.pub -in /etc/iked/private/local.key -pubout
The peers' public keys should be saved in PEM format (see openssl(1)) and named and stored according to this simple scheme:
For IPv4 identities: /etc/iked/pubkeys/ipv4/A.B.C.D
For IPv6 identities: /etc/iked/pubkeys/ipv6/abcd:abcd::ab:bc
For FQDN identities: /etc/iked/pubkeys/fqdn/foo.bar.org
For UFQDN identities: /etc/iked/pubkeys/ufqdn/user@foo.bar.org
The identity used is whatever you specify for srcid in /etc/iked.conf.
That is, if you use a configuration like this:
set certreq rawrsa
ikev2 active esp from 10.0.0.4 to 10.0.0.6 srcid ipsec1.hack.org
you need to copy the local.pub from 10.0.0.4 to 10.0.0.6 and store it as /etc/iked/pubkeys/fqdn/ipsec1.hack.org.
The "set certreq rawrsa" line tells iked to ask for a raw RSA key from all peers. This is a global option at the moment, but it's likely that it will become per peer as development continues.
On the other node, /etc/iked.conf looks like this:
set certreq rawrsa
ikev2 active esp from 10.0.0.6 to 10.0.0.4 srcid ipsec3.hack.org
If you applied the BTNS patch (see above) you can use the optional "btns" keyword in a policy, like this:
set certreq rawrsa
ikev2 active esp from 10.0.0.6 to 10.0.0.4 srcid ipsec3.hack.org btns
The "btns" keyword means it's OK to use anonymous keys (Better-than-nothing security, BTNS) with this peer.
There are two ways to use BTNS. If you already have the peer's public key you can place it in /etc/iked/pubkeys/fp/. The name of the key file should be its SHA-1 fingerprint as defined by my rsafp program, for example: pubkeys/fp/26d95edf5aa56cc2c711dc647f12c14c9a3185ab.
If you are willing to accept any public key sent from the peer, create the special empty key file pubkeys/fp/btns-wildcard. Note, though, that this currently means all policies tagged "btns" will allow any key to be used. Input on this is welcome.
Please note: The BTNS implementation is currently very experimental and should be used with caution.
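A small audit of the key directory layout described above, as an added example that is not part of iked or the BTNS patches: it reports a btns-wildcard file, fingerprint files whose names are not 40 hex digits, and files that are not PEM public keys. The function name audit_pubkeys, the finding labels and the lowercase-hex naming check are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of iked or the BTNS patches.
# audit_pubkeys [dir]: check a raw-key directory laid out as in this howto.
# Prints one finding per line; returns 1 if anything was flagged.
audit_pubkeys() {
    dir=${1:-/etc/iked/pubkeys}
    rc=0

    # An fp/btns-wildcard file makes every "btns" policy accept any key.
    if [ -e "$dir/fp/btns-wildcard" ]; then
        echo "WILDCARD: $dir/fp/btns-wildcard exists; btns policies accept any key"
        rc=1
    fi

    for f in "$dir"/ipv4/* "$dir"/ipv6/* "$dir"/fqdn/* "$dir"/ufqdn/* "$dir"/fp/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        [ "$name" = btns-wildcard ] && continue

        # Assumption: pinned keys are named with 40 lowercase hex digits
        # (SHA-1), matching the example file name in the howto.
        case $f in
        "$dir"/fp/*)
            if ! printf '%s\n' "$name" | grep -Eq '^[0-9a-f]{40}$'; then
                echo "BADNAME: $f is not named as a SHA-1 fingerprint"
                rc=1
            fi ;;
        esac

        # Only public keys belong here; a private key is a serious mistake.
        if grep -q 'PRIVATE KEY-----' "$f"; then
            echo "PRIVATE: $f contains a private key"
            rc=1
        elif ! grep -q '^-----BEGIN .*PUBLIC KEY-----' "$f"; then
            echo "NOTPEM: $f has no PEM public key header"
            rc=1
        fi
    done
    return "$rc"
}
```

Source the file and run audit_pubkeys with no argument to check /etc/iked/pubkeys, or pass another directory to check a staged copy before installing it.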
Last updated: <2012-11-07 10:53:50 MET>