DaemonForums > OpenBSD > OpenBSD Security

#1 - 27th July 2015
mlesniewskister (Port Guard; Join Date: Sep 2014; Posts: 13)
ikectl error
Hi,

I have been trying to play around with IPsec to set up a VPN.
According to the site I was following [0] (and also the man page), the first step is to create the CA using ikectl(8).
Code:
ikectl ca vpn create
However, I get the error below when doing this. I have tested on two machines, both running -current, one from today and the other from a few days ago.
Also, checking source-changes, the last time bss_file.c was changed was on 11th Nov 2014, although I am not sure if that means much.
I'm not really sure how to troubleshoot this further.

Code:
doas ikectl ca vpn create
CA passphrase:
Retype CA passphrase:
Generating RSA private key, 2048 bit long modulus
........+++
..................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [NA]:
Locality Name (eg, city) [NA]:
Organization Name (eg, company) [OpenBSD]:
Organizational Unit Name (eg, section) [iked]:
Common Name (eg, fully qualified host name) []:example.com
Email Address [e@mail.com]:
Signature ok
subject=/C=FR/ST=NA/L=NA/O=OpenBSD/OU=iked/CN=example.com/emailAddress=e@mail.com
Getting Private key
Using configuration from /etc/ssl/ikeca.cnf
index.txt: No such file or directory
unable to open 'index.txt'
30523591434116:error:02001002:system library:fopen:No such file or directory:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bio/bss_file.c:255:fopen('index.txt', 'r')
30523591434116:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/bio/bss_file.c:257:
Edit:
In the /etc/ssl/vpn directory, there is an index.txt file that is created, although it has 0 size.

[0]: http://www.mouedine.net/

Last edited by mlesniewskister; 27th July 2015 at 12:36 AM. Reason: Missed a little info

#2 - 27th July 2015
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,983)
You are using wesley's custom ikeca.cnf, as you are following his "how-to." Please contact him for support of his solution. You could PM him here or email him -- his address is noted at the bottom of his document.

I have run iked(8) and set up a self-signed CA, but that was some time ago and I am not using it now. At the time, I used src/usr.sbin/ikectl/ikeca.cnf which I copied and provisioned for my own requirements.
#3 - 27th July 2015
mlesniewskister (Port Guard; Join Date: Sep 2014; Posts: 13)

Sorry, I should've also mentioned that the version of the file they have posted has OpenBSD tags from 2010, so I actually used the latest version of ikeca.cnf from my /usr/src, which is also "cvs up"d to -current, and then adjusted it to my needs.
So it is actually the newest file, with last modification of:
Code:
# $OpenBSD: ikeca.cnf,v 1.6 2014/11/22 18:15:41 deraadt Exp $
#4 - 27th July 2015
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,983)

I just attempted to recreate a CA.
  • Without an /etc/ssl/ikeca.cnf, ikectl(8) uses /etc/ssl/openssl.cnf, which is inappropriate and ikectl will fail.
  • I copied the ikeca.cnf file unchanged from the source tree to /etc/ssl. With that alone, I was able to duplicate your exact error message.
  • I created an empty index.txt in /etc/ssl. The ikectl ca create command completed without error.
I didn't go any farther, because I don't have an IPSec infrastructure to test with at this time. If you are unable to resolve (or circumvent) the problem by creating an empty index.txt file, I recommend posting to the misc@ mailing list.

From my perspective, the ikectl(8) man page appears incomplete as there are additional provisioning steps required that are not mentioned.

I am not clear on what the reparation should be. Should the ikeca.cnf file in the source tree be mentioned in the man page? Should the file be included in the OS? If so, should it be revised to be less reyk@ specific and more general, or should it be more clearly shown to contain sample information to be replaced? Should an empty index.txt file be included in the distribution? These are questions really for reyk@ and the other iked(8) developers.
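The three provisioning checks jggimi walks through above (an ikeca.cnf present in /etc/ssl rather than the openssl.cnf fallback, and an empty index.txt beside it before running ikectl ca create) can be scripted as a preflight that reports what is missing. This is an added shell example, not code from the thread or from the ikectl(8) developers; the function name ikeca_preflight, the default source path /usr/src/usr.sbin/ikectl/ikeca.cnf (the thread names the file as src/usr.sbin/ikectl/ikeca.cnf) and the choice to create index.txt automatically are my assumptions.

```shell
#!/bin/sh
# Added example: preflight for the files ikectl(8) expects under its CA
# directory before "ikectl ca <name> create" is run.
# Assumptions: DIR defaults to /etc/ssl (where jggimi placed both files);
# SRC_CNF defaults to the source-tree copy of ikeca.cnf. Neither default
# comes from the ikectl documentation.

# ikeca_preflight [DIR] [SRC_CNF]
# Prints one line per finding. Creates an empty index.txt when absent.
# Returns 0 when ikeca.cnf and index.txt are both present afterwards,
# 1 otherwise (so the caller can stop before ikectl falls back to
# openssl.cnf and fails).
ikeca_preflight() {
    dir=${1:-/etc/ssl}
    src=${2:-/usr/src/usr.sbin/ikectl/ikeca.cnf}
    status=0

    if [ ! -f "$dir/ikeca.cnf" ]; then
        echo "missing: $dir/ikeca.cnf (ikectl would use $dir/openssl.cnf instead)"
        if [ -f "$src" ]; then
            echo "hint: cp $src $dir/ikeca.cnf, then edit the sample values"
        fi
        status=1
    fi

    if [ ! -e "$dir/index.txt" ]; then
        # The OpenSSL CA database must exist even when it has no entries yet;
        # an empty file is exactly what resolved the fopen('index.txt') error.
        echo "creating empty $dir/index.txt"
        : > "$dir/index.txt" || status=1
    fi

    return $status
}

# Stand-alone use: check the real CA directory, then create the CA only if
# the preflight passed.
if [ "${IKECA_PREFLIGHT_MAIN:-0}" = 1 ]; then
    ikeca_preflight "$@" && echo "prerequisites present; run: doas ikectl ca vpn create"
fi
```

Run it as `IKECA_PREFLIGHT_MAIN=1 sh preflight.sh /etc/ssl` before the ikectl step; the guard variable keeps the function sourceable from another script without side effects.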
#5 - 28th July 2015
mlesniewskister (Port Guard; Join Date: Sep 2014; Posts: 13)
Thanks very much, I didn't even think to touch index.txt. You are right, it now proceeds successfully.

Well, given what you have mentioned, that in your opinion the documentation is incorrect, and knowing that OpenBSD prides itself on having correct docs, I will try to run through the rest of the setup to see if there are other areas/steps in need of changes, and will send reyk@ a message with my findings and the information you have given to see what he says.