I just wanted to quickly mention a change I ran into today while upgrading my OpenBSD routers to 6.1.
As quick background, I use OpenIKED to terminate VPN connections from OpenBSD routers, iOS devices, macOS devices and MikroTik RouterOS devices. The OpenBSD and RouterOS systems are site-to-site links with ipip(4) interfaces running on top of the IKEv2 tunnels. Routing is handled by the ospfd(8) and ospf6d(8) daemons provided by OpenBSD.
The tunnel to my RouterOS device stopped working today with a rather strange message:
Apr 11 11:49:12 bdr01 iked[60779]: ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
Searching around in the debug output of iked(8) there was some indication that the daemon could only use RFC 7427 signatures:
Apr 11 10:01:23 bdr01 iked[64964]: set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/hostname
I checked RouterOS and it only has an RSA signature option for IKEv2 certificate-based authentication.
The fix?
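Get the public key for the connection and put it where iked(8) expects it, which is the path named in the set_policy message above. In the command below, private_key and public_key are placeholders for your own file names.
openssl rsa -in private_key -pubout > public_key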
This allowed the tunnel to come right up without any changes on the MikroTik end.
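The fix above as a script, added here as an example and not part of the original post: it lists the pubkey paths iked(8) reported missing, then derives a peer's public key and writes it to that location. The function names, the sample host name rtr1.example.net and the sample log lines are constructed for illustration, and it assumes the peer identifies itself with an fqdn ID as in the log message.

```shell
#!/bin/sh
# Added example, not from the original post. PUBKEY_DIR defaults to the
# directory named in the set_policy log message.
PUBKEY_DIR="${PUBKEY_DIR:-/etc/iked/pubkeys}"

# Constructed sample log lines (the peer host name is made up).
SAMPLE_LOG='Apr 11 10:01:23 bdr01 iked[64964]: set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/rtr1.example.net
Apr 11 10:02:05 bdr01 iked[64964]: set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/rtr1.example.net
Apr 11 11:49:12 bdr01 iked[60779]: ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG'

# Read iked(8) log lines on stdin; print each pubkey path iked looked for
# and did not find, once per path.
missing_pubkeys() {
    sed -n 's|.*set_policy: could not find pubkey for \(/[^ ]*\).*|\1|p' | sort -u
}

# install_fqdn_pubkey PRIVATE_KEY_PEM PEER_FQDN
# Derive the RSA public key and write it to $PUBKEY_DIR/fqdn/PEER_FQDN.
install_fqdn_pubkey() {
    key=$1
    id=$2
    # The ID becomes a file name: allow only host name characters so a
    # crafted value cannot escape the pubkeys directory.
    case $id in
        ''|.*|*[!A-Za-z0-9.-]*) echo "bad peer id: $id" >&2; return 1 ;;
    esac
    [ -r "$key" ] || { echo "cannot read $key" >&2; return 1; }
    dest=$PUBKEY_DIR/fqdn/$id
    tmp=$dest.tmp.$$
    mkdir -p "$PUBKEY_DIR/fqdn" || return 1
    # Write to a temp file first so a failed conversion never leaves a
    # truncated key where iked would read it.
    if openssl rsa -in "$key" -pubout -out "$tmp" 2>/dev/null &&
       openssl rsa -pubin -in "$tmp" -noout 2>/dev/null; then
        chmod 644 "$tmp" && mv "$tmp" "$dest"
    else
        rm -f "$tmp"
        echo "could not derive public key from $key" >&2
        return 1
    fi
}

# Demo on the constructed sample: prints the one missing path.
printf '%s\n' "$SAMPLE_LOG" | missing_pubkeys
```

On a real router, feed `missing_pubkeys` the file your syslog configuration sends iked(8) messages to, then call `install_fqdn_pubkey` once per reported peer.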