Hello Tobias,

thank you very much for your reply. Below is the output of ipsecctl -s all and the verbose output of iked.

#--------------------------------
When the first client connects:
(1.2.3.4 is the server's public IP, 5.6.7.8 is the public IP of the DSL modem)

FLOWS:
flow esp in from 10.75.0.0/16 to 10.21.0.0/16 peer 5.6.7.8 type use
flow esp in from 10.75.0.0/16 to 172.22.1.0/24 peer 5.6.7.8 type use
flow esp in from 10.75.0.0/16 to 192.168.0.0/16 peer 5.6.7.8 type use
flow esp out from 10.21.0.0/16 to 10.75.0.0/16 peer 5.6.7.8 type require
flow esp out from 172.22.1.0/24 to 10.75.0.0/16 peer 5.6.7.8 type require
flow esp out from 192.168.0.0/16 to 10.75.0.0/16 peer 5.6.7.8 type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0x5c684cc6 enc aes-256-gcm
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0x6e88e50f enc aes-256-gcm

Now, when the second client connects:

FLOWS:
flow esp in from 10.75.0.0/16 to 10.21.0.0/16 peer 5.6.7.8 type use
flow esp in from 10.75.0.0/16 to 172.22.1.0/24 peer 5.6.7.8 type use
flow esp in from 10.75.0.0/16 to 192.168.0.0/16 peer 5.6.7.8 type use
flow esp out from 10.21.0.0/16 to 10.75.0.0/16 peer 5.6.7.8 type require
flow esp out from 172.22.1.0/24 to 10.75.0.0/16 peer 5.6.7.8 type require
flow esp out from 192.168.0.0/16 to 10.75.0.0/16 peer 5.6.7.8 type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0x7e6472b8 enc aes-256-gcm
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0x8dd119e5 enc aes-256-gcm
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0xb4a852b3 enc aes-256-gcm
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0xb558afcc enc aes-256-gcm
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0xc6147a48 enc aes-256-gcm
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0xefc8b43d enc aes-256-gcm

Additionally, I found out that the connection only works when the public key of the client certificate lies under /etc/iked/pubkeys/fqdn/<CN> (where <CN> is the common name in the client certificate).

#--------------------------------
The complete log (iked -dvv) of both events
#--------------------------------
Jul 15 11:06:43 server iked[77044]: set_policy_auth_method: using rsa for peer /etc/iked/pubkeys/fqdn/client1.example.com
Jul 15 11:06:43 server iked[77044]: set_policy: found pubkey for /etc/iked/pubkeys/fqdn/client1.example.com
Jul 15 11:06:43 server iked[77044]: set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/client2.example.com
Jul 15 11:06:43 server iked[77044]: set_policy_auth_method: using rfc7427 for peer /etc/iked/pubkeys/fqdn/client2.example.com
Jul 15 11:06:43 server iked[77044]: /etc/iked.conf: loaded 2 configuration rules
Jul 15 11:06:43 server iked[77044]: ca_privkey_serialize: type RSA_KEY length 1192
Jul 15 11:06:43 server iked[77044]: ca_pubkey_serialize: type RSA_KEY length 270
Jul 15 11:06:43 server iked[36135]: ca_privkey_to_method: type RSA_KEY method RSA_SIG
Jul 15 11:06:43 server iked[12701]: config_getpolicy: received policy
Jul 15 11:06:43 server iked[36135]: ca_getkey: received private key type RSA_KEY length 1192
Jul 15 11:06:43 server iked[36135]: ca_getkey: received public key type RSA_KEY length 270
Jul 15 11:06:43 server iked[36135]: ca_dispatch_parent: config reset
Jul 15 11:06:43 server iked[12701]: config_getpolicy: received policy
Jul 15 11:06:43 server iked[12701]: config_getpfkey: received pfkey fd 3
Jul 15 11:06:43 server iked[12701]: config_getcompile: compilation done
Jul 15 11:06:43 server iked[12701]: config_getsocket: received socket fd 4
Jul 15 11:06:43 server iked[12701]: config_getsocket: received socket fd 5
Jul 15 11:06:43 server iked[12701]: config_getsocket: received socket fd 6
Jul 15 11:06:43 server iked[12701]: config_getsocket: received socket fd 7
Jul 15 11:06:43 server iked[12701]: config_getmobike: mobike
Jul 15 11:06:43 server iked[36135]: ca_reload: loaded ca file ca.crt
Jul 15 11:06:43 server iked[36135]: ca_reload: loaded crl file ca.crl
Jul 15 11:06:43 server iked[36135]: ca_reload: /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=VPN CA 2019/[email protected]
Jul 15 11:06:43 server iked[36135]: ca_reload: loaded 1 ca certificate
Jul 15 11:06:43 server iked[36135]: ca_reload: loaded cert file 1.2.3.4.crt
Jul 15 11:06:43 server iked[36135]: ca_validate_cert: /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=1.2.3.4/[email protected] ok
Jul 15 11:06:43 server iked[36135]: ca_reload: local cert type X509_CERT
Jul 15 11:06:43 server iked[36135]: config_getocsp: ocsp_url none
Jul 15 11:06:43 server iked[12701]: ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
Jul 15 11:06:43 server iked[12701]: ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
Jul 15 11:06:45 server iked[12701]: ikev2_recv: IKE_SA_INIT request from initiator 5.6.7.8:500 to 1.2.3.4:500 policy 'clientA' id 0, 544 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_recv: ispi 0x34e559c5289dff7c rspi 0x0000000000000000
Jul 15 11:06:45 server iked[12701]: ikev2_policy2id: srcid IPV4/1.2.3.4 length 8
Jul 15 11:06:45 server iked[12701]: ikev2_pld_parse: header ispi 0x34e559c5289dff7c rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 544 response 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
Jul 15 11:06:45 server iked[12701]: ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
Jul 15 11:06:45 server iked[12701]: ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ke: dh group MODP_2048 reserved 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
Jul 15 11:06:45 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
Jul 15 11:06:45 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
Jul 15 11:06:45 server iked[12701]: ikev2_nat_detection: peer source 0x34e559c5289dff7c 0x0000000000000000 5.6.7.8:500
Jul 15 11:06:45 server iked[12701]: ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload NOTIFY nextpayload VENDOR critical 0x00 length 28
Jul 15 11:06:45 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
Jul 15 11:06:45 server iked[12701]: ikev2_nat_detection: peer destination 0x34e559c5289dff7c 0x0000000000000000 1.2.3.4:500
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 24
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 24
Jul 15 11:06:45 server iked[12701]: sa_state: INIT -> SA_INIT
Jul 15 11:06:45 server iked[12701]: ikev2_sa_negotiate: score 4
Jul 15 11:06:45 server iked[12701]: sa_stateok: SA_INIT flags 0x0000, require 0x0000
Jul 15 11:06:45 server iked[12701]: sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
Jul 15 11:06:45 server iked[12701]: ikev2_sa_keys: DHSECRET with 256 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_sa_keys: SKEYSEED with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_sa_keys: S with 96 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: T1 with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: T2 with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: T3 with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: T4 with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: T5 with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: T6 with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: T7 with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: Tn with 224 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_sa_keys: SK_d with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_sa_keys: SK_ai with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_sa_keys: SK_ar with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_sa_keys: SK_ei with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_sa_keys: SK_er with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_sa_keys: SK_pi with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_sa_keys: SK_pr with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_add_proposals: length 44
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 48 nextpayload KE
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 264 nextpayload NONCE
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 36 nextpayload NOTIFY
Jul 15 11:06:45 server iked[12701]: ikev2_nat_detection: local source 0x34e559c5289dff7c 0x72d3506f27e53f52 1.2.3.4:500
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 28 nextpayload NOTIFY
Jul 15 11:06:45 server iked[12701]: ikev2_nat_detection: local destination 0x34e559c5289dff7c 0x72d3506f27e53f52 5.6.7.8:500
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 28 nextpayload CERTREQ
Jul 15 11:06:45 server iked[12701]: ikev2_add_certreq: type X509_CERT length 21
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 25 nextpayload CERTREQ
Jul 15 11:06:45 server iked[12701]: ikev2_add_certreq: type RSA_KEY length 1
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 5 nextpayload NONE
Jul 15 11:06:45 server iked[12701]: ikev2_pld_parse: header ispi 0x34e559c5289dff7c rspi 0x72d3506f27e53f52 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 462 response 1
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
Jul 15 11:06:45 server iked[12701]: ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
Jul 15 11:06:45 server iked[12701]: ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ke: dh group MODP_2048 reserved 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
Jul 15 11:06:45 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
Jul 15 11:06:45 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload CERTREQ nextpayload CERTREQ critical 0x00 length 25
Jul 15 11:06:45 server iked[12701]: ikev2_pld_certreq: type X509_CERT length 20
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 5
Jul 15 11:06:45 server iked[12701]: ikev2_pld_certreq: type RSA_KEY length 0
Jul 15 11:06:45 server iked[12701]: ikev2_msg_send: IKE_SA_INIT response from 1.2.3.4:500 to 5.6.7.8:500 msgid 0, 462 bytes
Jul 15 11:06:45 server iked[12701]: config_free_proposals: free 0x159dea7c3200
Jul 15 11:06:45 server iked[12701]: ikev2_recv: IKE_AUTH request from initiator 5.6.7.8:4500 to 1.2.3.4:4500 policy 'clientA' id 1, 2624 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_recv: ispi 0x34e559c5289dff7c rspi 0x72d3506f27e53f52
Jul 15 11:06:45 server iked[12701]: ikev2_recv: updated SA to peer 5.6.7.8:4500 local 1.2.3.4:4500
Jul 15 11:06:45 server iked[12701]: ikev2_pld_parse: header ispi 0x34e559c5289dff7c rspi 0x72d3506f27e53f52 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 2624 response 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 2596
Jul 15 11:06:45 server iked[12701]: ikev2_msg_decrypt: IV length 16
Jul 15 11:06:45 server iked[12701]: ikev2_msg_decrypt: encrypted payload length 2560
Jul 15 11:06:45 server iked[12701]: ikev2_msg_decrypt: integrity checksum length 16
Jul 15 11:06:45 server iked[12701]: ikev2_msg_decrypt: integrity check succeeded
Jul 15 11:06:45 server iked[12701]: ikev2_msg_decrypt: decrypted payload length 2560/2560 padding 2
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 169
Jul 15 11:06:45 server iked[12701]: ikev2_pld_id: id ASN1_DN//C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=client1.example.com/[email protected] length 165
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 length 1051
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cert: type X509_CERT length 1046
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 length 865
Jul 15 11:06:45 server iked[12701]: ikev2_pld_certreq: type X509_CERT length 860
Jul 15 11:06:45 server iked[12701]: ikev2_policy2id: srcid IPV4/1.2.3.4 length 8
Jul 15 11:06:45 server iked[12701]: sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0000 )
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload AUTH nextpayload NOTIFY critical 0x00 length 264
Jul 15 11:06:45 server iked[12701]: ikev2_pld_auth: method RSA_SIG length 256
Jul 15 11:06:45 server iked[12701]: sa_state: SA_INIT -> AUTH_REQUEST
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload NOTIFY nextpayload CP critical 0x00 length 8
Jul 15 11:06:45 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 36
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: type REQUEST length 28
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_SERVER 0x5ba0 length 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: INTERNAL_IP6_ADDRESS 0x0008 length 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: INTERNAL_IP6_DNS 0x000a length 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: INTERNAL_IP6_SERVER 0x5ba1 length 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 36
Jul 15 11:06:45 server iked[12701]: ikev2_pld_sa: more 0 reserved 0 length 32 proposal #1 protoid ESP spisize 4 xforms 2 spi 0x8d09c5c0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
Jul 15 11:06:45 server iked[12701]: ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 64
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: count 2 length 56
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 64
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: count 2 length 56
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Jul 15 11:06:45 server iked[12701]: sa_stateok: SA_INIT flags 0x0000, require 0x0000
Jul 15 11:06:45 server iked[12701]: policy_lookup: peerid '/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=client1.example.com/[email protected]'
Jul 15 11:06:45 server iked[12701]: ikev2_msg_auth: responder auth data length 542
Jul 15 11:06:45 server iked[12701]: ca_setauth: auth length 542
Jul 15 11:06:45 server iked[12701]: ikev2_msg_auth: initiator auth data length 608
Jul 15 11:06:45 server iked[12701]: ikev2_msg_authverify: method RSA_SIG keylen 1046 type X509_CERT
Jul 15 11:06:45 server iked[12701]: ikev2_msg_authverify: authentication successful
Jul 15 11:06:45 server iked[12701]: sa_state: AUTH_REQUEST -> AUTH_SUCCESS
Jul 15 11:06:45 server iked[12701]: sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
Jul 15 11:06:45 server iked[12701]: ikev2_sa_negotiate: score 3
Jul 15 11:06:45 server iked[12701]: sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
Jul 15 11:06:45 server iked[12701]: sa_stateok: VALID flags 0x0030, require 0x003b cert,certvalid,auth,authvalid,sa
Jul 15 11:06:45 server iked[12701]: sa_state: cannot switch: AUTH_SUCCESS -> VALID
Jul 15 11:06:45 server iked[12701]: config_free_proposals: free 0x159d92bc5400
Jul 15 11:06:45 server iked[36135]: ca_getreq: found CA /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=VPN CA 2019/[email protected]
Jul 15 11:06:45 server iked[36135]: ca_x509_subjectaltname: IPV4/1.2.3.4
Jul 15 11:06:45 server iked[36135]: ca_getreq: found local certificate /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=1.2.3.4/[email protected]
Jul 15 11:06:45 server iked[36135]: ca_setauth: auth length 256
Jul 15 11:06:45 server iked[12701]: ikev2_getimsgdata: imsg 20 rspi 0x72d3506f27e53f52 ispi 0x34e559c5289dff7c initiator 0 sa valid type 4 data length 1004
Jul 15 11:06:45 server iked[12701]: ikev2_dispatch_cert: cert type X509_CERT length 1004, ok
Jul 15 11:06:45 server iked[12701]: sa_stateflags: 0x0034 -> 0x0035 cert,certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
Jul 15 11:06:45 server iked[12701]: sa_stateok: VALID flags 0x0031, require 0x003b cert,certvalid,auth,authvalid,sa
Jul 15 11:06:45 server iked[12701]: sa_state: cannot switch: AUTH_SUCCESS -> VALID
Jul 15 11:06:45 server iked[12701]: ikev2_getimsgdata: imsg 25 rspi 0x72d3506f27e53f52 ispi 0x34e559c5289dff7c initiator 0 sa valid type 1 data length 256
Jul 15 11:06:45 server iked[12701]: ikev2_dispatch_cert: AUTH type 1 len 256
Jul 15 11:06:45 server iked[12701]: sa_stateflags: 0x0035 -> 0x003d cert,certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
Jul 15 11:06:45 server iked[12701]: sa_stateok: VALID flags 0x0039, require 0x003b cert,certvalid,auth,authvalid,sa
Jul 15 11:06:45 server iked[12701]: sa_state: cannot switch: AUTH_SUCCESS -> VALID
Jul 15 11:06:45 server iked[36135]: ca_validate_pubkey: unsupported public key type ASN1_DN
Jul 15 11:06:45 server iked[36135]: ca_validate_cert: /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=client1.example.com/[email protected] ok
Jul 15 11:06:45 server iked[12701]: ikev2_dispatch_cert: peer certificate is valid
Jul 15 11:06:45 server iked[12701]: sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
Jul 15 11:06:45 server iked[12701]: sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
Jul 15 11:06:45 server iked[12701]: sa_state: AUTH_SUCCESS -> VALID
Jul 15 11:06:45 server iked[12701]: sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
Jul 15 11:06:45 server iked[12701]: sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
Jul 15 11:06:45 server iked[12701]: ikev2_sa_tag: clientA-CN=client1.example.com (34)
Jul 15 11:06:45 server iked[12701]: ikev2_childsa_negotiate: proposal 1
Jul 15 11:06:45 server iked[12701]: ikev2_childsa_negotiate: key material length 72
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: T1 with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: T2 with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: T3 with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: Tn with 96 bytes
Jul 15 11:06:45 server iked[12701]: pfkey_sa_getspi: spi 0x7efacb39
Jul 15 11:06:45 server iked[12701]: pfkey_sa_init: new spi 0x7efacb39
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 12 nextpayload CERT
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 1009 nextpayload AUTH
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 264 nextpayload CP
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 60 nextpayload NOTIFY
Jul 15 11:06:45 server iked[12701]: ikev2_add_mobike: done
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 8 nextpayload SA
Jul 15 11:06:45 server iked[12701]: ikev2_add_proposals: length 32
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 36 nextpayload TSi
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 56 nextpayload TSr
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 56 nextpayload NONE
Jul 15 11:06:45 server iked[12701]: ikev2_msg_encrypt: decrypted length 1501
Jul 15 11:06:45 server iked[12701]: ikev2_msg_encrypt: padded length 1504
Jul 15 11:06:45 server iked[12701]: ikev2_msg_encrypt: length 1502, padding 2, output length 1536
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 1540 nextpayload IDr
Jul 15 11:06:45 server iked[12701]: ikev2_msg_integr: message length 1568
Jul 15 11:06:45 server iked[12701]: ikev2_msg_integr: integrity checksum length 16
Jul 15 11:06:45 server iked[12701]: ikev2_pld_parse: header ispi 0x34e559c5289dff7c rspi 0x72d3506f27e53f52 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 1568 response 1
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 1540
Jul 15 11:06:45 server iked[12701]: ikev2_msg_decrypt: IV length 16
Jul 15 11:06:45 server iked[12701]: ikev2_msg_decrypt: encrypted payload length 1504
Jul 15 11:06:45 server iked[12701]: ikev2_msg_decrypt: integrity checksum length 16
Jul 15 11:06:45 server iked[12701]: ikev2_msg_decrypt: integrity check succeeded
Jul 15 11:06:45 server iked[12701]: ikev2_msg_decrypt: decrypted payload length 1504/1504 padding 2
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00 length 12
Jul 15 11:06:45 server iked[12701]: ikev2_pld_id: id IPV4/1.2.3.4 length 8
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00 length 1009
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cert: type X509_CERT length 1004
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00 length 264
Jul 15 11:06:45 server iked[12701]: ikev2_pld_auth: method RSA_SIG length 256
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical 0x00 length 60
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: type REPLY length 52
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 4
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
Jul 15 11:06:45 server last message repeated 2 times
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_SUBNET 0x000d length 8
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00 length 8
Jul 15 11:06:45 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 36
Jul 15 11:06:45 server iked[12701]: ikev2_pld_sa: more 0 reserved 0 length 32 proposal #1 protoid ESP spisize 4 xforms 2 spi 0x7efacb39
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
Jul 15 11:06:45 server iked[12701]: ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 56
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: count 3 length 48
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: start 10.75.0.0 end 10.75.255.255
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: start 10.75.0.0 end 10.75.255.255
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: start 10.75.0.0 end 10.75.255.255
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 56
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: count 3 length 48
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: start 10.21.0.0 end 10.21.255.255
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: start 192.168.0.0 end 192.168.255.255
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: start 172.22.1.0 end 172.22.1.255
Jul 15 11:06:45 server iked[12701]: ikev2_msg_send: IKE_AUTH response from 1.2.3.4:4500 to 5.6.7.8:4500 msgid 1, 1568 bytes, NAT-T
Jul 15 11:06:45 server iked[12701]: pfkey_sa_add: update spi 0x7efacb39
Jul 15 11:06:45 server iked[12701]: pfkey_sa: udpencap port 4500
Jul 15 11:06:45 server iked[12701]: ikev2_childsa_enable: loaded CHILD SA spi 0x7efacb39
Jul 15 11:06:45 server iked[12701]: pfkey_sa_add: add spi 0x8d09c5c0
Jul 15 11:06:45 server iked[12701]: pfkey_sa: udpencap port 4500
Jul 15 11:06:45 server iked[12701]: ikev2_childsa_enable: loaded CHILD SA spi 0x8d09c5c0
Jul 15 11:06:45 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159d73b64400
Jul 15 11:06:45 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159da9a0d800
Jul 15 11:06:45 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159e392c1800
Jul 15 11:06:45 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159e392c1c00
Jul 15 11:06:45 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159da9a0c000
Jul 15 11:06:45 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159d683de400
Jul 15 11:06:45 server iked[12701]: ikev2_childsa_enable: remember SA peer 5.6.7.8:4500
Jul 15 11:06:45 server iked[12701]: sa_state: VALID -> ESTABLISHED from 5.6.7.8:4500 to 1.2.3.4:4500 policy 'clientA'
Jul 15 11:06:49 server iked[12701]: ikev2_recv: IKE_SA_INIT request from initiator 5.6.7.8:60 to 1.2.3.4:500 policy 'clientA' id 0, 544 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_recv: ispi 0x8a6401ca230f832f rspi 0x0000000000000000
Jul 15 11:06:49 server iked[12701]: ikev2_policy2id: srcid IPV4/1.2.3.4 length 8
Jul 15 11:06:49 server iked[12701]: ikev2_pld_parse: header ispi 0x8a6401ca230f832f rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 544 response 0
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
Jul 15 11:06:49 server iked[12701]: ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
Jul 15 11:06:49 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
Jul 15 11:06:49 server iked[12701]: ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
Jul 15 11:06:49 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
Jul 15 11:06:49 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
Jul 15 11:06:49 server iked[12701]: ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
Jul 15 11:06:49 server iked[12701]: ikev2_pld_ke: dh group MODP_2048 reserved 0
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
Jul 15 11:06:49 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
Jul 15 11:06:49 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
Jul 15 11:06:49 server iked[12701]: ikev2_nat_detection: peer source 0x8a6401ca230f832f 0x0000000000000000 5.6.7.8:60
Jul 15 11:06:49 server iked[12701]: ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload NOTIFY nextpayload VENDOR critical 0x00 length 28
Jul 15 11:06:49 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
Jul 15 11:06:49 server iked[12701]: ikev2_nat_detection: peer destination 0x8a6401ca230f832f 0x0000000000000000 1.2.3.4:500
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 24
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 24
Jul 15 11:06:49 server iked[12701]: sa_state: INIT -> SA_INIT
Jul 15 11:06:49 server iked[12701]: ikev2_sa_negotiate: score 4
Jul 15 11:06:49 server iked[12701]: sa_stateok: SA_INIT flags 0x0000, require 0x0000
Jul 15 11:06:49 server iked[12701]: sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
Jul 15 11:06:49 server iked[12701]: ikev2_sa_keys: DHSECRET with 256 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_sa_keys: SKEYSEED with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_sa_keys: S with 96 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_prfplus: T1 with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_prfplus: T2 with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_prfplus: T3 with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_prfplus: T4 with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_prfplus: T5 with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_prfplus: T6 with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_prfplus: T7 with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_prfplus: Tn with 224 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_sa_keys: SK_d with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_sa_keys: SK_ai with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_sa_keys: SK_ar with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_sa_keys: SK_ei with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_sa_keys: SK_er with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_sa_keys: SK_pi with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_sa_keys: SK_pr with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_add_proposals: length 44
Jul 15 11:06:49 server iked[12701]: ikev2_next_payload: length 48 nextpayload KE
Jul 15 11:06:49 server iked[12701]: ikev2_next_payload: length 264 nextpayload NONCE
Jul 15 11:06:49 server iked[12701]: ikev2_next_payload: length 36 nextpayload NOTIFY
Jul 15 11:06:49 server iked[12701]: ikev2_nat_detection: local source 0x8a6401ca230f832f 0xfb7ec7c3268b8596 1.2.3.4:500
Jul 15 11:06:49 server iked[12701]: ikev2_next_payload: length 28 nextpayload NOTIFY
Jul 15 11:06:49 server iked[12701]: ikev2_nat_detection: local destination 0x8a6401ca230f832f 0xfb7ec7c3268b8596 5.6.7.8:60
Jul 15 11:06:49 server iked[12701]: ikev2_next_payload: length 28 nextpayload CERTREQ
Jul 15 11:06:49 server iked[12701]: ikev2_add_certreq: type X509_CERT length 21
Jul 15 11:06:49 server iked[12701]: ikev2_next_payload: length 25 nextpayload CERTREQ
Jul 15 11:06:49 server iked[12701]: ikev2_add_certreq: type RSA_KEY length 1
Jul 15 11:06:49 server iked[12701]: ikev2_next_payload: length 5 nextpayload NONE
Jul 15 11:06:49 server
iked[12701]: ikev2_pld_parse: header ispi 0x8a6401ca230f832f rspi 0xfb7ec7c3268b8596 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 462 response 1 Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48 Jul 15 11:06:49 server iked[12701]: ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0 Jul 15 11:06:49 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC Jul 15 11:06:49 server iked[12701]: ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 Jul 15 11:06:49 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 Jul 15 11:06:49 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128 Jul 15 11:06:49 server iked[12701]: ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048 Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264 Jul 15 11:06:49 server iked[12701]: ikev2_pld_ke: dh group MODP_2048 reserved 0 Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36 Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28 Jul 15 11:06:49 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28 Jul 15 11:06:49 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload CERTREQ nextpayload CERTREQ critical 0x00 length 25 Jul 15 11:06:49 server iked[12701]: ikev2_pld_certreq: type X509_CERT length 20 Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 5 Jul 15 11:06:49 
server iked[12701]: ikev2_pld_certreq: type RSA_KEY length 0 Jul 15 11:06:49 server iked[12701]: ikev2_msg_send: IKE_SA_INIT response from 1.2.3.4:500 to 5.6.7.8:60 msgid 0, 462 bytes Jul 15 11:06:49 server iked[12701]: config_free_proposals: free 0x159dea7c3280 Jul 15 11:06:50 server iked[12701]: ikev2_recv: IKE_AUTH request from initiator 5.6.7.8:1083 to 1.2.3.4:4500 policy 'clientA' id 1, 2464 bytes Jul 15 11:06:50 server iked[12701]: ikev2_recv: ispi 0x8a6401ca230f832f rspi 0xfb7ec7c3268b8596 Jul 15 11:06:50 server iked[12701]: ikev2_recv: updated SA to peer 5.6.7.8:1083 local 1.2.3.4:4500 Jul 15 11:06:50 server iked[12701]: ikev2_pld_parse: header ispi 0x8a6401ca230f832f rspi 0xfb7ec7c3268b8596 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 2464 response 0 Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 2436 Jul 15 11:06:50 server iked[12701]: ikev2_msg_decrypt: IV length 16 Jul 15 11:06:50 server iked[12701]: ikev2_msg_decrypt: encrypted payload length 2400 Jul 15 11:06:50 server iked[12701]: ikev2_msg_decrypt: integrity checksum length 16 Jul 15 11:06:50 server iked[12701]: ikev2_msg_decrypt: integrity check succeeded Jul 15 11:06:50 server iked[12701]: ikev2_msg_decrypt: decrypted payload length 2400/2400 padding 2 Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 169 Jul 15 11:06:50 server iked[12701]: ikev2_pld_id: id ASN1_DN//C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=client2.example.com/[email protected] length 165 Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 length 1051 Jul 15 11:06:50 server iked[12701]: ikev2_pld_cert: type X509_CERT length 1046 Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 length 705 Jul 15 11:06:50 server iked[12701]: ikev2_pld_certreq: type 
X509_CERT length 700 Jul 15 11:06:50 server iked[12701]: ikev2_policy2id: srcid IPV4/1.2.3.4 length 8 Jul 15 11:06:50 server iked[12701]: sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0000 ) Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload AUTH nextpayload NOTIFY critical 0x00 length 264 Jul 15 11:06:50 server iked[12701]: ikev2_pld_auth: method RSA_SIG length 256 Jul 15 11:06:50 server iked[12701]: sa_state: SA_INIT -> AUTH_REQUEST Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload NOTIFY nextpayload CP critical 0x00 length 8 Jul 15 11:06:50 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 36 Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: type REQUEST length 28 Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0 Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0 Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0 Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_SERVER 0x5ba0 length 0 Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: INTERNAL_IP6_ADDRESS 0x0008 length 0 Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: INTERNAL_IP6_DNS 0x000a length 0 Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: INTERNAL_IP6_SERVER 0x5ba1 length 0 Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 36 Jul 15 11:06:50 server iked[12701]: ikev2_pld_sa: more 0 reserved 0 length 32 proposal #1 protoid ESP spisize 4 xforms 2 spi 0x844224ca Jul 15 11:06:50 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16 Jul 15 11:06:50 server iked[12701]: ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 Jul 15 11:06:50 server iked[12701]: ikev2_pld_xform: more 0 reserved 0 
length 8 type ESN id NONE Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 64 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: count 2 length 56 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 64 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: count 2 length 56 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Jul 15 11:06:50 server iked[12701]: sa_stateok: SA_INIT flags 0x0000, require 0x0000 Jul 15 11:06:50 server iked[12701]: policy_lookup: peerid '/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=client2.example.com/[email protected]' Jul 15 11:06:50 server iked[12701]: ikev2_msg_auth: responder auth data length 542 Jul 15 11:06:50 server iked[12701]: ca_setauth: auth length 542 Jul 15 11:06:50 server iked[12701]: ikev2_msg_auth: initiator auth data length 608 Jul 15 11:06:50 server iked[12701]: ikev2_msg_authverify: method RSA_SIG keylen 1046 type X509_CERT Jul 15 11:06:50 server iked[12701]: ikev2_msg_authverify: authentication successful Jul 15 11:06:50 server iked[12701]: sa_state: AUTH_REQUEST -> AUTH_SUCCESS Jul 15 11:06:50 server 
iked[12701]: sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa) Jul 15 11:06:50 server iked[12701]: ikev2_sa_negotiate: score 3 Jul 15 11:06:50 server iked[12701]: sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa) Jul 15 11:06:50 server iked[12701]: sa_stateok: VALID flags 0x0030, require 0x003b cert,certvalid,auth,authvalid,sa Jul 15 11:06:50 server iked[12701]: sa_state: cannot switch: AUTH_SUCCESS -> VALID Jul 15 11:06:50 server iked[12701]: config_free_proposals: free 0x159dea7c3880 Jul 15 11:06:50 server iked[36135]: ca_getreq: found CA /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=VPN CA 2019/[email protected] Jul 15 11:06:50 server iked[36135]: ca_x509_subjectaltname: IPV4/1.2.3.4 Jul 15 11:06:50 server iked[36135]: ca_getreq: found local certificate /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=1.2.3.4/[email protected] Jul 15 11:06:50 server iked[36135]: ca_setauth: auth length 256 Jul 15 11:06:50 server iked[12701]: ikev2_getimsgdata: imsg 20 rspi 0xfb7ec7c3268b8596 ispi 0x8a6401ca230f832f initiator 0 sa valid type 4 data length 1004 Jul 15 11:06:50 server iked[12701]: ikev2_dispatch_cert: cert type X509_CERT length 1004, ok Jul 15 11:06:50 server iked[12701]: sa_stateflags: 0x0034 -> 0x0035 cert,certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa) Jul 15 11:06:50 server iked[12701]: sa_stateok: VALID flags 0x0031, require 0x003b cert,certvalid,auth,authvalid,sa Jul 15 11:06:50 server iked[12701]: sa_state: cannot switch: AUTH_SUCCESS -> VALID Jul 15 11:06:50 server iked[12701]: ikev2_getimsgdata: imsg 25 rspi 0xfb7ec7c3268b8596 ispi 0x8a6401ca230f832f initiator 0 sa valid type 1 data length 256 Jul 15 11:06:50 server iked[36135]: ca_validate_pubkey: unsupported public key type ASN1_DN Jul 15 11:06:50 server iked[12701]: ikev2_dispatch_cert: AUTH type 1 len 256 Jul 15 11:06:50 server iked[12701]: sa_stateflags: 0x0035 
-> 0x003d cert,certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa) Jul 15 11:06:50 server iked[12701]: sa_stateok: VALID flags 0x0039, require 0x003b cert,certvalid,auth,authvalid,sa Jul 15 11:06:50 server iked[12701]: sa_state: cannot switch: AUTH_SUCCESS -> VALID Jul 15 11:06:50 server iked[36135]: ca_validate_cert: /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=client2.example.com/[email protected] ok Jul 15 11:06:50 server iked[12701]: ikev2_dispatch_cert: peer certificate is valid Jul 15 11:06:50 server iked[12701]: sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa) Jul 15 11:06:50 server iked[12701]: sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa Jul 15 11:06:50 server iked[12701]: sa_state: AUTH_SUCCESS -> VALID Jul 15 11:06:50 server iked[12701]: sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa Jul 15 11:06:50 server iked[12701]: sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa Jul 15 11:06:50 server iked[12701]: ikev2_sa_tag: clientA-CN=client2.example.com (34) Jul 15 11:06:50 server iked[12701]: ikev2_childsa_negotiate: proposal 1 Jul 15 11:06:50 server iked[12701]: ikev2_childsa_negotiate: key material length 72 Jul 15 11:06:50 server iked[12701]: ikev2_prfplus: T1 with 32 bytes Jul 15 11:06:50 server iked[12701]: ikev2_prfplus: T2 with 32 bytes Jul 15 11:06:50 server iked[12701]: ikev2_prfplus: T3 with 32 bytes Jul 15 11:06:50 server iked[12701]: ikev2_prfplus: Tn with 96 bytes Jul 15 11:06:50 server iked[12701]: pfkey_sa_getspi: spi 0xf999bff1 Jul 15 11:06:50 server iked[12701]: pfkey_sa_init: new spi 0xf999bff1 Jul 15 11:06:50 server iked[12701]: ikev2_next_payload: length 12 nextpayload CERT Jul 15 11:06:50 server iked[12701]: ikev2_next_payload: length 1009 nextpayload AUTH Jul 15 11:06:50 server iked[12701]: ikev2_next_payload: length 264 nextpayload CP 
Jul 15 11:06:50 server iked[12701]: ikev2_next_payload: length 60 nextpayload NOTIFY Jul 15 11:06:50 server iked[12701]: ikev2_add_mobike: done Jul 15 11:06:50 server iked[12701]: ikev2_next_payload: length 8 nextpayload SA Jul 15 11:06:50 server iked[12701]: ikev2_add_proposals: length 32 Jul 15 11:06:50 server iked[12701]: ikev2_next_payload: length 36 nextpayload TSi Jul 15 11:06:50 server iked[12701]: ikev2_next_payload: length 56 nextpayload TSr Jul 15 11:06:50 server iked[12701]: ikev2_next_payload: length 56 nextpayload NONE Jul 15 11:06:50 server iked[12701]: ikev2_msg_encrypt: decrypted length 1501 Jul 15 11:06:50 server iked[12701]: ikev2_msg_encrypt: padded length 1504 Jul 15 11:06:50 server iked[12701]: ikev2_msg_encrypt: length 1502, padding 2, output length 1536 Jul 15 11:06:50 server iked[12701]: ikev2_next_payload: length 1540 nextpayload IDr Jul 15 11:06:50 server iked[12701]: ikev2_msg_integr: message length 1568 Jul 15 11:06:50 server iked[12701]: ikev2_msg_integr: integrity checksum length 16 Jul 15 11:06:50 server iked[12701]: ikev2_pld_parse: header ispi 0x8a6401ca230f832f rspi 0xfb7ec7c3268b8596 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 1568 response 1 Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 1540 Jul 15 11:06:50 server iked[12701]: ikev2_msg_decrypt: IV length 16 Jul 15 11:06:50 server iked[12701]: ikev2_msg_decrypt: encrypted payload length 1504 Jul 15 11:06:50 server iked[12701]: ikev2_msg_decrypt: integrity checksum length 16 Jul 15 11:06:50 server iked[12701]: ikev2_msg_decrypt: integrity check succeeded Jul 15 11:06:50 server iked[12701]: ikev2_msg_decrypt: decrypted payload length 1504/1504 padding 2 Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00 length 12 Jul 15 11:06:50 server iked[12701]: ikev2_pld_id: id IPV4/1.2.3.4 length 8 Jul 15 11:06:50 server iked[12701]: 
ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00 length 1009 Jul 15 11:06:50 server iked[12701]: ikev2_pld_cert: type X509_CERT length 1004 Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00 length 264 Jul 15 11:06:50 server iked[12701]: ikev2_pld_auth: method RSA_SIG length 256 Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical 0x00 length 60 Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: type REPLY length 52 Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4 Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 4 Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4 Jul 15 11:06:50 server last message repeated 2 times Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_SUBNET 0x000d length 8 Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00 length 8 Jul 15 11:06:50 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 36 Jul 15 11:06:50 server iked[12701]: ikev2_pld_sa: more 0 reserved 0 length 32 proposal #1 protoid ESP spisize 4 xforms 2 spi 0xf999bff1 Jul 15 11:06:50 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16 Jul 15 11:06:50 server iked[12701]: ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 Jul 15 11:06:50 server iked[12701]: ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 56 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: count 3 length 48 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 
startport 0 endport 65535 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: start 10.75.0.0 end 10.75.255.255 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: start 10.75.0.0 end 10.75.255.255 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: start 10.75.0.0 end 10.75.255.255 Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 56 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: count 3 length 48 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: start 10.21.0.0 end 10.21.255.255 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: start 192.168.0.0 end 192.168.255.255 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: start 172.22.1.0 end 172.22.1.255 Jul 15 11:06:50 server iked[12701]: ikev2_msg_send: IKE_AUTH response from 1.2.3.4:4500 to 5.6.7.8:1083 msgid 1, 1568 bytes, NAT-T Jul 15 11:06:50 server iked[12701]: pfkey_sa_add: update spi 0xf999bff1 Jul 15 11:06:50 server iked[12701]: pfkey_sa: udpencap port 1083 Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: loaded CHILD SA spi 0xf999bff1 Jul 15 11:06:50 server iked[12701]: pfkey_sa_add: add spi 0x844224ca Jul 15 11:06:50 server iked[12701]: pfkey_sa: udpencap port 1083 Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: loaded CHILD SA spi 0x844224ca Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: replaced old flow 0x159d73b64400 with 0x159e392c1400 
Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159e392c1400 Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: replaced old flow 0x159da9a0d800 with 0x159e00d70c00 Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159e00d70c00 Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: replaced old flow 0x159e392c1800 with 0x159e00d70800 Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159e00d70800 Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: replaced old flow 0x159e392c1c00 with 0x159e35526400 Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159e35526400 Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: replaced old flow 0x159da9a0c000 with 0x159e00d70000 Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159e00d70000 Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: replaced old flow 0x159d683de400 with 0x159e35526c00 Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159e35526c00 Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: remember SA peer 5.6.7.8:1083 Jul 15 11:06:50 server iked[12701]: sa_state: VALID -> ESTABLISHED from 5.6.7.8:1083 to 1.2.3.4:4500 policy 'clientA'
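To make a trace like the one above easier to read, here is an added Python summariser (my example, not part of the original post or of iked): it parses the syslog-prefixed iked -dvv lines, records the sa_state transitions and "cannot switch" attempts, collects the CHILD SA SPIs, and flags any flow that was loaded for an earlier SA and later turns up as the "old" side of a "replaced old flow" message, as the 11:06:45 flows do when the second client authenticates at 11:06:50. The sample lines are copied from the trace above; the regexes assume the default syslog prefix shown there.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Sample input: lines copied from the iked -dvv trace above, reduced to the events of interest.
SAMPLE_LOG = """\
Jul 15 11:06:45 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159d683de400
Jul 15 11:06:45 server iked[12701]: sa_state: VALID -> ESTABLISHED from 5.6.7.8:4500 to 1.2.3.4:4500 policy 'clientA'
Jul 15 11:06:50 server iked[12701]: sa_state: SA_INIT -> AUTH_REQUEST
Jul 15 11:06:50 server iked[12701]: sa_state: AUTH_REQUEST -> AUTH_SUCCESS
Jul 15 11:06:50 server iked[12701]: sa_state: cannot switch: AUTH_SUCCESS -> VALID
Jul 15 11:06:50 server iked[12701]: sa_state: AUTH_SUCCESS -> VALID
Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: loaded CHILD SA spi 0xf999bff1
Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: loaded CHILD SA spi 0x844224ca
Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: replaced old flow 0x159d683de400 with 0x159e35526c00
Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159e35526c00
Jul 15 11:06:50 server last message repeated 2 times
Jul 15 11:06:50 server iked[12701]: sa_state: VALID -> ESTABLISHED from 5.6.7.8:1083 to 1.2.3.4:4500 policy 'clientA'
"""

# syslog prefix, then "<iked function>: <message>"; syslog's own "last message repeated" lines do not match
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ iked\[\d+\]: (?P<func>\w+): (?P<msg>.*)$")
STATE_RE = re.compile(r"^(?P<blocked>cannot switch: )?(?P<old>\w+) -> (?P<new>\w+)"
                      r"(?: from (?P<peer>\S+) to \S+ policy '(?P<policy>[^']*)')?$")
HEX = r"0x[0-9a-f]+"
CHILD_RE = re.compile(rf"^loaded CHILD SA spi (?P<spi>{HEX})$")
FLOW_RE = re.compile(rf"^loaded flow (?P<flow>{HEX})$")
REPLACED_RE = re.compile(rf"^replaced old flow (?P<old>{HEX}) with (?P<new>{HEX})$")

@dataclass
class Summary:
    transitions: list = field(default_factory=list)   # (ts, old state, new state, peer or None)
    blocked: Counter = field(default_factory=Counter)  # "cannot switch" attempts per (old, new)
    child_spis: list = field(default_factory=list)     # CHILD SA SPIs handed to the kernel
    loaded_flows: list = field(default_factory=list)   # flow ids loaded, in log order
    overwritten: list = field(default_factory=list)    # flows loaded earlier, then "replaced old flow"
    unparsed: int = 0                                  # lines without an iked function prefix

def summarise(text: str) -> Summary:
    s = Summary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            s.unparsed += 1
            continue
        ts, func, msg = m["ts"], m["func"], m["msg"]
        if func == "sa_state":
            st = STATE_RE.match(msg)
            if st is None:
                continue
            if st["blocked"]:
                s.blocked[(st["old"], st["new"])] += 1
            else:
                s.transitions.append((ts, st["old"], st["new"], st["peer"]))
        elif func == "ikev2_childsa_enable":
            if c := CHILD_RE.match(msg):
                s.child_spis.append(c["spi"])
            elif f := FLOW_RE.match(msg):
                s.loaded_flows.append(f["flow"])
            elif (r := REPLACED_RE.match(msg)) and r["old"] in s.loaded_flows:
                # the "old" flow was loaded earlier in this same trace: a later CHILD SA
                # took over flows that an already established SA had installed
                s.overwritten.append(r["old"])
    return s

def established_peers(s: Summary) -> list:
    """Peers that reached ESTABLISHED, in log order."""
    return [peer for _, _, new, peer in s.transitions if new == "ESTABLISHED"]

if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print("established:", established_peers(s), "blocked:", dict(s.blocked))
    print("CHILD SA SPIs:", s.child_spis, "flows overwritten:", s.overwritten)
    print("unparsed lines:", s.unparsed)
```

Feed it the full trace (for example `summarise(open("iked.log").read())`) and an `overwritten` list that names the first connection's flow ids is the quick check that the second client's CHILD SA replaced the first one's flows.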

