What happens when you remove quick from both policies?

On Mon, Nov 5, 2018 at 7:00 AM 雷致强 <[email protected]> wrote:
>
> OpenIKED is so great when I use one policy for all users. However, I'm having
> trouble when I try to apply different policies to different users.
> With the iked.conf below, iked seems to apply the "blackjack" policy to all incoming
> connections, which keeps the users of "redheart" out.
>
> ikev2 "blackjack" quick passive ipcomp esp \
> from 0.0.0.0/0 to 10.0.0.2 \
> local egress \
> ikesa enc aes-256 prf hmac-sha2-256 group curve25519 \
> childsa enc chacha20-poly1305 group curve25519 \
> dstid "blackjack.local" \
> psk "testpsk1" \
>
> ikev2 "redheart" quick passive ipcomp esp \
> from 0.0.0.0/0 to 172.16.0.0/24 \
> local egress \
> dstid "redheart.local" \
> psk "testpsk2" \
> config protected-subnet 0.0.0.0/0 \
> config address 172.16.0.0/24 \
> config netmask 255.255.255.0 \
> config name-server 8.8.8.8
>
> This is what happens when redheart.local connects to the responder. (I
> replaced the IPs with redheart.local and asgard.local.)
>
> # iked -dv
> set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/blackjack.local
> ikev2 "blackjack" quick passive esp inet from 0.0.0.0/0 to 10.0.0.2 local asgard.local peer any ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256,hmac-sha1 group curve25519 childsa enc chacha20-poly1305 group curve25519 dstid blackjack.local lifetime 10800 bytes 536870912 psk 0x7465737470736b31
> set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/redheart.local
> ikev2 "redheart" quick passive esp inet from 0.0.0.0/0 to 172.16.0.0/24 local asgard.local peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 dstid redheart.local lifetime 10800 bytes 536870912 psk 0x7465737470736b32 config protected-subnet 0.0.0.0 config address 172.16.0.0 config netmask 255.255.255.0 config name-server 8.8.8.8
> ikev2_recv: IKE_SA_INIT request from initiator redheart.local:60970 to asgard.local:500 policy 'blackjack' id 0, 604 bytes
> ikev2_sa_responder: no proposal chosen
> ikev2_msg_send: IKE_SA_INIT response from asgard.local:500 to redheart.local:60970 msgid 0, 36 bytes
> sa_state: SA_INIT -> CLOSED from any to any policy 'blackjack'
> ikev2_recv: IKE_SA_INIT request from initiator redheart.local:60970 to asgard.local:500 policy 'blackjack' id 0, 604 bytes
> ikev2_sa_responder: no proposal chosen
> ikev2_msg_send: IKE_SA_INIT response from asgard.local:500 to redheart.local:60970 msgid 0, 36 bytes
> sa_state: SA_INIT -> CLOSED from any to any policy 'blackjack'
>
> If I remove the "quick" option from the "blackjack" policy, all incoming connections
> go to the "redheart" policy, which blocks the "blackjack" users.
>
> Regarding all the examples I saw, I guess dstid is not a condition for
> matching the policies? Only "peer" matters?
>
--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse

