---------- Forwarded message ---------
From: Riccardo Giuntoli <[email protected]>
Date: Thu, Feb 4, 2021 at 1:44 PM
Subject: Re: ikev2 active roadwarrior with openbsd
To: Stuart Henderson <[email protected]>
root@ganesha:/etc# cat iked.conf
set dpd_check_interval 15
ikev2 'uma' active esp \
from xxx to 172.16.17.0/24 \
local xxx peer yyy\
ikesa auth hmac-sha2-384 enc aes-256 group ecp384 \
childsa auth hmac-sha2-256 enc aes-256 \
srcid "ganesha@yyy" \
ikelifetime 86400 lifetime 3600
root@ganesha:/etc/iked# find .
.
./ca
./ca/ca.crt
./certs
./crls
./export
./private
./private/local.key
./private/[email protected]
./pubkeys
./pubkeys/fqdn
./pubkeys/ipv4
./pubkeys/ipv4/yyy
./pubkeys/ipv6
./pubkeys/ufqdn
./pubkeys/ufqdn/ganesha@yyy
root@ganesha:/etc/iked# iked -dvv
create_ike: using signature for peer yyy
ikev2 "uma" active tunnel esp inet from xxx to 172.16.17.0/24 local xxx peer yyy ikesa enc aes-256 prf hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 auth hmac-sha2-384 group ecp384 childsa enc aes-256 auth hmac-sha2-256 esn,noesn srcid ganesha@xxx ikelifetime 86400 lifetime 3600 bytes 536870912 signature
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1190
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1190
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: loaded ca file ca.crt
ca_reload: /C=FR/ST=Seine-Saint-Denis/L=Aubervilliers/O=Telecom Lobby/OU=VPNC/CN=fr.telecomlobby.com
ca_reload: loaded 1 ca certificate
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none tolerate 0 maxage -1
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getstatic: dpd_check_interval 15
config_getstatic: no enforcesingleikesa
config_getstatic: no fragmentation
config_getstatic: mobike
config_getstatic: nattport 4500
ikev2_init_ike_sa: initiating "uma"
ikev2_policy2id: srcid UFQDN/ganesha@xxx length 24
ikev2_add_proposals: length 68
ikev2_next_payload: length 72 nextpayload KE
ikev2_next_payload: length 104 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x0ab818df87f9e190 0x0000000000000000
xxx:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x0ab818df87f9e190
0x0000000000000000 yyy:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0x0ab818df87f9e190 rspi 0x0000000000000000
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length
310 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 72
ikev2_pld_sa: more 0 reserved 0 length 68 proposal #1 protoid IKE spisize 0
xforms 7 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 104
ikev2_pld_ke: dh group ECP_384 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
spi=0x0ab818df87f9e190: send IKE_SA_INIT req 0 peer yyy:500 local xxx:500,
310 bytes
spi=0x0ab818df87f9e190: sa_state: INIT -> SA_INIT
spi=0x0ab818df87f9e190: recv IKE_SA_INIT res 0 peer yyy:500 local xxx:500,
221 bytes, policy 'uma'
ikev2_recv: ispi 0x0ab818df87f9e190 rspi 0x01800ab0bf59cc34
ikev2_recv: updated SA to peer yyy:500 local xxx:500
ikev2_policy2id: srcid UFQDN/ganesha@xxx length 24
ikev2_pld_parse: header ispi 0x0ab818df87f9e190 rspi 0x01800ab0bf59cc34
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length
221 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_384
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 104
ikev2_pld_ke: dh group ECP_384 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length
8
ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 5
ikev2_pld_certreq: type X509_CERT length 0
ikev2_pld_certreq: invalid length 0
ikev2_policy2id: srcid UFQDN/ganesha@xxx length 24
sa_stateflags: 0x0000 -> 0x0004 certreq (required 0x0009 cert,auth)
proposals_negotiate: score 5
sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
spi=0x0ab818df87f9e190: ikev2_sa_keys: DHSECRET with 48 bytes
ikev2_sa_keys: SKEYSEED with 48 bytes
spi=0x0ab818df87f9e190: ikev2_sa_keys: S with 72 bytes
ikev2_prfplus: T1 with 48 bytes
ikev2_prfplus: T2 with 48 bytes
ikev2_prfplus: T3 with 48 bytes
ikev2_prfplus: T4 with 48 bytes
ikev2_prfplus: T5 with 48 bytes
ikev2_prfplus: T6 with 48 bytes
ikev2_prfplus: T7 with 48 bytes
ikev2_prfplus: Tn with 336 bytes
ikev2_sa_keys: SK_d with 48 bytes
ikev2_sa_keys: SK_ai with 48 bytes
ikev2_sa_keys: SK_ar with 48 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 48 bytes
ikev2_sa_keys: SK_pr with 48 bytes
ikev2_msg_auth: initiator auth data length 382
ca_setauth: switching SIG to RSA_SIG(*)
ca_setauth: auth length 382
sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
config_free_proposals: free 0x2715127cf80
ca_getreq: found CA /C=FR/ST=Seine-Saint-Denis/L=Aubervilliers/O=Telecom Lobby/OU=VPNC/CN=fr.telecomlobby.com
spi=0x0ab818df87f9e190: ca_getreq: no valid local certificate found for UFQDN/ganesha@xxx
spi=0x0ab818df87f9e190: ca_getreq: using local public key of type RSA_KEY
ca_setauth: auth length 256
ikev2_getimsgdata: imsg 22 rspi 0x01800ab0bf59cc34 ispi 0x0ab818df87f9e190
initiator 1 sa valid type 11 data length 270
ikev2_dispatch_cert: cert type RSA_KEY length 270, ok
sa_stateflags: 0x0004 -> 0x0005 cert,certreq (required 0x0009 cert,auth)
sa_stateok: SA_INIT flags 0x0001, require 0x0009 cert,auth
ikev2_getimsgdata: imsg 28 rspi 0x01800ab0bf59cc34 ispi 0x0ab818df87f9e190
initiator 1 sa valid type 1 data length 256
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x0005 -> 0x000d cert,certreq,auth (required 0x0009 cert,auth)
sa_stateok: SA_INIT flags 0x0009, require 0x0009 cert,auth
ikev2_next_payload: length 28 nextpayload CERT
ikev2_next_payload: length 275 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload AUTH
ikev2_next_payload: length 264 nextpayload SA
pfkey_sa_getspi: spi 0x53ce063e
pfkey_sa_init: new spi 0x53ce063e
ikev2_add_proposals: length 48
ikev2_next_payload: length 52 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_next_payload: length 748 nextpayload IDi
ikev2_msg_encrypt: decrypted length 692
ikev2_msg_encrypt: padded length 704
ikev2_msg_encrypt: length 693, padding 11, output length 744
ikev2_msg_integr: message length 776
ikev2_msg_integr: integrity checksum length 24
ikev2_pld_parse: header ispi 0x0ab818df87f9e190 rspi 0x01800ab0bf59cc34
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 776
response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 748
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 704
ikev2_msg_decrypt: integrity checksum length 24
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 704/704 padding 11
ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00
length 28
ikev2_pld_id: id UFQDN/ganesha@xxx length 24
ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 length 275
ikev2_pld_cert: type RSA_KEY length 270
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 264
ikev2_pld_auth: method RSA_SIG length 256
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00
length 52
ikev2_pld_sa: more 0 reserved 0 length 48 proposal #1 protoid ESP spisize 4
xforms 4 spi 0x53ce063e
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00
length 24
ikev2_pld_tss: count 1 length 16
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start xxx end xxx
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00
length 24
ikev2_pld_tss: count 1 length 16
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 172.16.17.0 end 172.16.17.255
spi=0x0ab818df87f9e190: send IKE_AUTH req 1 peer yyy:500 local xxx:500, 776
bytes
spi=0x0ab818df87f9e190: recv IKE_AUTH res 1 peer yyy:500 local xxx:500, 280
bytes, policy 'uma'
ikev2_recv: ispi 0x0ab818df87f9e190 rspi 0x01800ab0bf59cc34
ikev2_recv: updated SA to peer yyy:500 local xxx:500
ikev2_pld_parse: header ispi 0x0ab818df87f9e190 rspi 0x01800ab0bf59cc34
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 280
response 1
ikev2_pld_payloads: payload SK nextpayload NOTIFY critical 0x00 length 252
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 208
ikev2_msg_decrypt: integrity checksum length 24
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 208/208 padding 199
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type AUTHENTICATION_FAILED
ikev2_handle_notifies: AUTHENTICATION_FAILED, closing SA
spi=0x0ab818df87f9e190: sa_state: SA_INIT -> CLOSED from yyy:500 to xxx:500 policy 'uma'
ikev2_recv: closing SA
spi=0x0ab818df87f9e190: sa_free: authentication failed notification from peer
config_free_proposals: free 0x27102f7c880
^Cca exiting, pid 56381
control exiting, pid 72177
ikev2 exiting, pid 49164
parent terminating
root@ganesha:/etc/iked#
On Thu, Feb 4, 2021 at 12:31 PM Stuart Henderson <[email protected]>
wrote:
> On 2021-02-04, Riccardo Giuntoli <[email protected]> wrote:
> > Hello misc, how are you?
> >
> > I've got this scenario:
> >
> > An ikev2 passive server in France that has:
> >
> > A CA
> > A server certificate for tls server
> > And a client certificate for tls client
> >
> > I export the CA in PEM format and put it on /etc/iked/ca
> >
> > Next I export the private key and the certificate and put it on:
> >
> > /etc/iked/private/client.key
> >
> > And the certificate I put it on /etc/iked/pubkeys/ufqdn
> >
> > I also export the PEM of the server and put it on /etc/iked/certs
> >
> > Next, in iked.conf I use srcid with the email CN that I've got configured.
> >
> > I cannot connect to my server with openiked, but with exactly the same
> > configuration on a strongswan client it works.
> >
> > Any suggestions?
> >
> > Kind regards
> > RG
>
> You'll need to show some config and probably logs before anyone
> can help.
>
>
>
--
Name: Riccardo Giuntoli
Email: [email protected]
Location: sant Pere de Ribes, BCN, Spain
PGP Key: 0x67123739
PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
Key server: hkp://wwwkeys.eu.pgp.net
--
Name: Riccardo Giuntoli
Email: [email protected]
Location: sant Pere de Ribes, BCN, Spain
PGP Key: 0x67123739
PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
Key server: hkp://wwwkeys.eu.pgp.net