Hi, I am really at a loss here; I can't figure out what I am doing wrong. I will admit up front that I have never set up IPsec before, so I am very frustrated, to say the least! Five days reading so much stuff on Google, and examples, but most are with IKEv1 anyway, and for the previous version.

My final goal is to set up a tunnel at home behind Verizon Fios, tunnel static IPs to servers, and track the NAT IP that Verizon changes from time to time. When all is done it will be OSPF over vether over a gif tunnel to get my static IPs, and IPsec for the traffic that is not going directly to the Internet but to the office, using a simple SSH connection to keep track of the changing IPs for the Fios part and re-establish the tunnel for the static IPs. I have everything working, but I am banging my head against the wall for the IPsec part. It really shouldn't be that hard!

To test IPsec ONLY, and to try to learn that part, I have done the simplest setup possible that I think and understand should work, but obviously does not, on freshly wiped servers with current and NOTHING ELSE! I am sure after I have done it once or twice it will be a piece of cake, like everything else in OpenBSD after you have done it once, but here I can't do it once at all, and I am very frustrated! I have read the man pages many, many times, but maybe it is very obvious and I am too stupid to see it; I can't get past the initial step! Maybe I do not understand the man page as intended, but I am really stuck. I would very much appreciate help at this point!

Below I have included every single step I do on both servers, from the initial fresh install and reboot with current; nothing else at all is installed or changed other than what you see below! What am I missing? I simulate a local network with a loopback interface at this point, and even try to set up IKE with a simple pre-shared key for testing. I really don't think I can make it simpler than this naked setup. The best I ever got was a flow on one side, and unless I misunderstand, I think you should see a flow on both sides with ipsecctl -s all, no? Other times I had to force kill -9 on ike, as it was using all the CPU and didn't want to quit. But never did I get it to work as it is supposed to. Below is the whole setup from scratch on each host.
=============== Host #1 ===============

Install current and then do the minimum setup needed (that I understand, anyway) that should get me going, I think... I even totally disable pf to be sure it is not creating any problem for me.

# dmesg | grep 'OpenBSD 5.6-current' | tail -1
OpenBSD 5.6-current (GENERIC.MP) #735: Sat Dec 27 13:55:58 MST 2014
# pfctl -d
pf disabled
# ping 10.0.2.2
PING 10.0.2.2 (10.0.2.2): 56 data bytes
64 bytes from 10.0.2.2: icmp_seq=0 ttl=254 time=0.174 ms
--- 10.0.2.2 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.174/0.174/0.174/0.000 ms
# ifconfig lo1 create
# ifconfig lo1 inet 192.168.1.2 netmask 255.255.255.0
# ifconfig lo1 up
# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: icmp_seq=0 ttl=255 time=0.023 ms
64 bytes from 192.168.1.2: icmp_seq=1 ttl=255 time=0.029 ms
--- 192.168.1.2 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.023/0.026/0.029/0.003 ms
# sysctl net.inet.ip.forwarding=1
net.inet.ip.forwarding: 0 -> 1
# scp -rp [email protected]:/etc/iked/local.pub /etc/iked/pubkeys/ipv4/10.0.2.2
The authenticity of host '10.0.2.2 (10.0.2.2)' can't be established.
ECDSA key fingerprint is SHA256:5SDLyz4VnwlV0SdrhjSVISQE0lpFXF8jdCqSzrRoqDU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.2.2' (ECDSA) to the list of known hosts.
[email protected]'s password:
local.pub                                     100%  451     0.4KB/s   00:00
# ls -al /etc/iked/pubkeys/ipv4/
total 12
drwxr-xr-x  2 root  wheel  512 Dec 28 17:17 .
drwxr-xr-x  6 root  wheel  512 Dec 27 15:43 ..
-rw-r--r--  1 root  wheel  451 Dec 28 16:31 10.0.2.2
# cat /etc/iked.conf
ikev2 esp from 192.168.1.0/24 to 192.168.2.0/24 peer 10.0.2.2 psk "testing"
# /etc/rc.d/iked -f start
iked(ok)
# ipsecctl -s all
FLOWS:
No flows

SAD:
No entries
# tail /var/log/daemon
Dec 28 16:34:30 mc9 savecore: no core dump
Dec 28 16:52:12 mc9 iked[7499]: ikev1 exiting, pid 7499
Dec 28 16:52:12 mc9 iked[30800]: ikev2 exiting, pid 30800
Dec 28 16:52:12 mc9 iked[16556]: ca exiting, pid 16556
Dec 28 17:04:28 mc9 iked[26875]: ikev1 exiting, pid 26875
Dec 28 17:04:28 mc9 iked[12470]: ikev2 exiting, pid 12470
Dec 28 17:14:30 mc9 iked[21111]: ikev1 exiting, pid 21111
Dec 28 17:14:30 mc9 iked[22960]: ikev2 exiting, pid 22960
Dec 28 17:21:54 mc9 iked[24272]: ikev1 exiting, pid 24272
Dec 28 17:21:54 mc9 iked[24785]: ikev2 exiting, pid 24785
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
	priority: 0
	groups: lo
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
	inet 127.0.0.1 netmask 0xff000000
em0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
	lladdr 00:25:90:e8:18:02
	priority: 0
	groups: egress
	media: Ethernet autoselect (1000baseT full-duplex,master)
	status: active
	inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
em1: flags=28802<BROADCAST,SIMPLEX,MULTICAST,NOINET6> mtu 1500
	lladdr 00:25:90:e8:18:03
	priority: 0
	media: Ethernet autoselect (100baseTX full-duplex)
	status: active
enc0: flags=20000<NOINET6>
	priority: 0
	groups: enc
	status: active
pflog0: flags=20141<UP,RUNNING,PROMISC,NOINET6> mtu 33144
	priority: 0
	groups: pflog
lo1: flags=28049<UP,LOOPBACK,RUNNING,MULTICAST,NOINET6> mtu 32768
	priority: 0
	groups: lo
	inet 192.168.1.2 netmask 0xffffff00

=============== Host #2 ===============

# dmesg | grep 'OpenBSD 5.6-current' | tail -1
OpenBSD 5.6-current (GENERIC.MP) #735: Sat Dec 27 13:55:58 MST 2014
# pfctl -d
pf disabled
# ping 10.0.1.2
PING 10.0.1.2 (10.0.1.2): 56 data bytes
64 bytes from 10.0.1.2: icmp_seq=0 ttl=254 time=0.174 ms
64 bytes from 10.0.1.2: icmp_seq=1 ttl=254 time=0.164 ms
--- 10.0.1.2 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.164/0.169/0.174/0.005 ms
# ifconfig lo1 create
# ifconfig lo1 inet 192.168.2.2 255.255.255.0
# ifconfig lo1 up
# ping 192.168.2.2
PING 192.168.2.2 (192.168.2.2): 56 data bytes
64 bytes from 192.168.2.2: icmp_seq=0 ttl=255 time=0.026 ms
64 bytes from 192.168.2.2: icmp_seq=1 ttl=255 time=0.032 ms
--- 192.168.2.2 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.026/0.029/0.032/0.003 ms
# sysctl net.inet.ip.forwarding=1
net.inet.ip.forwarding: 0 -> 1
# scp -rp [email protected]:/etc/iked/local.pub /etc/iked/pubkeys/ipv4/10.0.1.2
The authenticity of host '10.0.1.2 (10.0.1.2)' can't be established.
ECDSA key fingerprint is SHA256:bD69QnLYkhUZ7UAMka5hsPaGgorQVz9iaj0SMQxP8lE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.1.2' (ECDSA) to the list of known hosts.
[email protected]'s password:
Connection closed by 10.0.1.2
# ls -al /etc/iked/pubkeys/ipv4/
total 12
drwxr-xr-x  2 root  wheel  512 Dec 28 17:20 .
drwxr-xr-x  6 root  wheel  512 Dec 27 15:43 ..
-rw-r--r--  1 root  wheel  451 Dec 28 16:28 10.0.1.2
# cat /etc/iked.conf
ikev2 esp from 192.168.2.0/24 to 192.168.1.0/24 peer 10.0.1.2 psk "testing"
# /etc/rc.d/iked -f start
iked(ok)
# ipsecctl -s all
FLOWS:
No flows

SAD:
No entries
# tail /var/log/daemon
Dec 28 16:36:09 mc10 savecore: no core dump
Dec 28 16:52:29 mc10 iked[23601]: ikev1 exiting, pid 23601
Dec 28 16:52:29 mc10 iked[5481]: ikev2 exiting, pid 5481
Dec 28 16:52:29 mc10 iked[19678]: ca exiting, pid 19678
Dec 28 17:04:21 mc10 iked[26903]: ikev1 exiting, pid 26903
Dec 28 17:04:21 mc10 iked[11042]: ikev2 exiting, pid 11042
Dec 28 17:14:21 mc10 iked[11971]: ikev2 exiting, pid 11971
Dec 28 17:14:21 mc10 iked[6356]: ikev1 exiting, pid 6356
Dec 28 17:21:58 mc10 iked[21215]: ikev2 exiting, pid 21215
Dec 28 17:21:58 mc10 iked[4161]: ikev1 exiting, pid 4161
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
	priority: 0
	groups: lo
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
	inet 127.0.0.1 netmask 0xff000000
em0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
	lladdr 00:25:90:e8:18:00
	priority: 0
	groups: egress
	media: Ethernet autoselect (1000baseT full-duplex,master)
	status: active
	inet 10.0.2.2 netmask 0xffffff00 broadcast 10.0.2.255
em1: flags=28802<BROADCAST,SIMPLEX,MULTICAST,NOINET6> mtu 1500
	lladdr 00:25:90:e8:18:01
	priority: 0
	media: Ethernet autoselect (100baseTX full-duplex)
	status: active
enc0: flags=20000<NOINET6>
	priority: 0
	groups: enc
	status: active
pflog0: flags=20141<UP,RUNNING,PROMISC,NOINET6> mtu 33144
	priority: 0
	groups: pflog
lo1: flags=28049<UP,LOOPBACK,RUNNING,MULTICAST,NOINET6> mtu 32768
	priority: 0
	groups: lo
	inet 192.168.2.2 netmask 0xffffff00
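A helper for building and checking a mirrored iked.conf pair like the two above, added here as an example and not part of the original post: it generates a random PSK in place of the literal "testing", writes one policy line per host with the post's networks and peer addresses, verifies that the two files are mirror images of each other with the same PSK, and, on OpenBSD, runs iked's configtest mode (-n) on each file before the daemon is started. The output directory and the 32-character PSK floor are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build a mirrored pair of minimal
# IKEv2 PSK policies for two OpenBSD hosts and check them before starting iked.
set -eu

# 256 random bits as 64 hex characters; dd/od/tr only, no openssl needed.
gen_psk() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Reject short keys such as "testing" (32 characters is an assumed floor).
psk_strong() {
    [ "${#1}" -ge 32 ]
}

# One iked.conf policy line: gen_conf LOCAL_NET REMOTE_NET PEER PSK
gen_conf() {
    printf 'ikev2 esp from %s to %s peer %s psk "%s"\n' "$1" "$2" "$3" "$4"
}

# Pull from/to/peer/psk out of a policy line (space-separated on stdout).
fields() {
    printf '%s\n' "$1" |
    sed -n 's/^ikev2 esp from \([^ ]*\) to \([^ ]*\) peer \([^ ]*\) psk "\(.*\)"$/\1 \2 \3 \4/p'
}

# check_pair CONF_A CONF_B ADDR_A ADDR_B: succeed only if the selectors are
# mirrored, each peer points at the other host's address, and the PSKs match.
check_pair() {
    addr_a=$3 addr_b=$4
    set -- $(fields "$1") $(fields "$2")   # $1-$4 from A, $5-$8 from B
    [ "$#" -eq 8 ] || return 1
    [ "$1" = "$6" ] && [ "$2" = "$5" ] &&
    [ "$3" = "$addr_b" ] && [ "$7" = "$addr_a" ] &&
    [ "$4" = "$8" ]
}

# Write both files into a fresh directory and test them (run: sh script.sh demo).
demo() {
    out=$(mktemp -d); psk=$(gen_psk)
    gen_conf 192.168.1.0/24 192.168.2.0/24 10.0.2.2 "$psk" > "$out/host1.iked.conf"
    gen_conf 192.168.2.0/24 192.168.1.0/24 10.0.1.2 "$psk" > "$out/host2.iked.conf"
    check_pair "$(cat "$out/host1.iked.conf")" "$(cat "$out/host2.iked.conf")" \
        10.0.1.2 10.0.2.2 && echo "mirrored pair written to $out"
    # On OpenBSD, let iked parse each file (-n = configtest only) before use.
    if command -v iked >/dev/null 2>&1; then
        iked -n -f "$out/host1.iked.conf" && iked -n -f "$out/host2.iked.conf"
    fi
}
if [ "${1:-}" = demo ]; then demo; fi
```

check_pair on its own is enough to compare two existing iked.conf files copied from both hosts; a mismatched PSK or non-mirrored selectors will fail the check before any IKE traffic is sent.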

