Using iked with raw RSA keys and/or BTNS

Introduction

This is a howto on using raw RSA keys and/or Better-than-nothing security (BTNS) with OpenBSD's IKEv2 daemon, iked.

This document is a part of the BTNS project which has been sponsored by the .SE foundation.

Source code

First, check out the OpenBSD iked source. It's in /usr/src/sbin/iked. To find out how to check out the code, check the helpful OpenBSD web pages.

Choose and apply a patch:

Patch: Support for raw RSA keys, 2012-08-31.

Patch: Support for "btns" keyword and fingerprint search.

The second patch includes the first. Use only one of them. If you only want support for RSA keys use only the first patch.

Public keys

When you first start your OpenBSD computer, it generates an RSA key pair for IPsec use. The public key is in /etc/iked/local.pub and the corresponding private key is in /etc/iked/private/local.key. You can use this key pair directly or generate your own pair in PEM format like this:

# openssl genrsa -out /etc/iked/private/local.key 2048
# openssl rsa -out /etc/iked/local.pub -in /etc/iked/private/local.key -pubout

The keys should be saved in PEM format (see openssl(1)) and named and stored according to this simple scheme:

For IPv4 identities: /etc/iked/pubkeys/ipv4/A.B.C.D
For IPv6 identities: /etc/iked/pubkeys/ipv6/abcd:abcd::ab:bc
For FQDN identities: /etc/iked/pubkeys/fqdn/foo.bar.org
For UFQDN identities: /etc/iked/pubkeys/ufqdn/user@foo.bar.org

The identity used is whatever you specify for srcid in /etc/iked.conf. That is, if you use a configuration like this:

set certreq rawrsa
ikev2 active esp from 10.0.0.4 to 10.0.0.6 srcid ipsec1.hack.org

you need to copy the local.pub from 10.0.0.4 to 10.0.0.6 and store it as /etc/iked/pubkeys/fqdn/ipsec1.hack.org.

The line

set certreq rawrsa

tells iked to ask for a raw RSA key from all peers. This is a global option at the moment, but it's likely that it will become per peer as development continues.

On the other node, /etc/iked.conf looks like this:

set certreq rawrsa
ikev2 active esp from 10.0.0.6 to 10.0.0.4 srcid ipsec3.hack.org

Better-than-nothing security

If you applied the BTNS patch (see above) you can use the optional "btns" keyword in a policy, like this:

set certreq rawrsa
ikev2 active esp from 10.0.0.6 to 10.0.0.4 srcid ipsec3.hack.org btns

The "btns" keyword means it's OK to use anonymous keys (Better-than-nothing security, BTNS) with this peer.

There are two ways to use BTNS. If you already have the peer's public key you can place it in /etc/iked/pubkeys/fp/. The name of the key file should be its SHA-1 fingerprint as defined by my rsafp program, for example: pubkeys/fp/26d95edf5aa56cc2c711dc647f12c14c9a3185ab.

If you are willing to accept any public key sent from the peer, create the special empty key file pubkeys/fp/btns-wildcard. Note, though, that this currently means all policies tagged "btns" will allow any key to be used. Input on this is welcome.

Please note: The BTNS implementation is currently very experimental and should be used with caution.
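
The following is an added example, not part of the original page or of the iked patches. It audits the situation described above: it lists every policy tagged "btns" in iked.conf and reports whether pubkeys/fp/btns-wildcard makes that policy accept any key. The function names and the 40-hex-digit name check are assumptions of this example; fingerprints are not recomputed, because the input that rsafp hashes is not specified on this page.

```sh
#!/bin/sh
# Added example, not from the original page or the iked source tree.
# Assumed layout (from the page): <etc>/iked.conf and <etc>/iked/pubkeys/fp/.

# Print each ikev2 policy carrying the "btns" keyword, one per line.
# Joins backslash-continued lines; '#' comments are stripped naively, so a
# '#' inside a quoted string would truncate that line.
btns_policies() {
    awk '
        { sub(/#.*/, "") }
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next }
        { line = buf $0; buf = "" }
        line ~ /^[ \t]*ikev2[ \t]/ && line ~ /(^|[ \t])btns([ \t]|$)/ {
            gsub(/[ \t]+/, " ", line); sub(/^ /, "", line); print line
        }
    ' "$1"
}

# Report, for every btns policy, whether any peer key is accepted (ANY-KEY,
# because fp/btns-wildcard exists) or only keys stored in fp/ (PINNED).
btns_audit() {
    etc=${1:-/etc}
    fp="$etc/iked/pubkeys/fp"
    [ -r "$etc/iked.conf" ] || { echo "ERROR cannot read $etc/iked.conf" >&2; return 2; }
    mode=PINNED
    if [ -e "$fp/btns-wildcard" ]; then mode=ANY-KEY; fi
    pinned=0
    for f in "$fp"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in
            btns-wildcard) continue ;;
            *[!0-9a-f]*) ;;                      # not lowercase hex: warn below
            *) if [ ${#name} -eq 40 ]; then pinned=$((pinned + 1)); continue; fi ;;
        esac
        echo "WARN fp/$name is not named like a 40-hex-digit SHA-1 fingerprint"
    done
    btns_policies "$etc/iked.conf" | while IFS= read -r policy; do
        echo "$mode pinned=$pinned: $policy"
    done
}

# Run against a directory when one is given, e.g.: sh btns_audit.sh /etc
if [ $# -gt 0 ]; then btns_audit "$1"; fi
```

An ANY-KEY line for a policy that was meant to be pinned to a known peer means the wildcard file is overriding that intent for every "btns" policy at once.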


Last updated: <2012-11-07 10:53:50 MET>