I'm trying to set up host-to-host encryption using iked with the
following configuration:
On 10.2.2.10:
ikev2 passive esp from 10.2.2.10 to 10.2.1.11 srcid 10.2.2.10
On 10.2.1.11:
ikev2 active esp from 10.2.1.11 to 10.2.2.10 srcid 10.2.1.11
I exchanged the /etc/iked/local.pub files into /etc/iked/pubkeys/ipv4/
on each host using the respective IPs as the file names.
When I start iked, it responds agreeably:
On 10.2.2.10:
# iked -dv
ikev2 "policy1" passive tunnel esp inet from 10.2.2.10 to 10.2.1.11 local
10.2.2.10 peer 10.2.1.11 ikesa enc aes-128-gcm enc aes-256-gcm prf
hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 group
curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072
group modp2048 group modp1536 group modp1024 ikesa enc aes-256 enc aes-192 enc
aes-128 enc 3des prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf
hmac-sha1 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth
hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group
modp4096 group modp3072 group modp2048 group modp1536 group modp1024 childsa
enc aes-128-gcm enc aes-256-gcm group none esn noesn childsa enc aes-256 enc
aes-192 enc aes-128 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512
auth hmac-sha1 group none esn noesn srcid 10.2.2.10 lifetime 10800 bytes
4294967296 signature
spi=0xe0fd27448726d995: recv IKE_SA_INIT req 0 peer 10.2.1.11:500 local
10.2.2.10:500, 518 bytes, policy 'policy1'
spi=0xe0fd27448726d995: send IKE_SA_INIT res 0 peer 10.2.1.11:500 local
10.2.2.10:500, 235 bytes
spi=0xe0fd27448726d995: recv IKE_AUTH req 1 peer 10.2.1.11:500 local
10.2.2.10:500, 463 bytes, policy 'policy1'
spi=0xe0fd27448726d995: send IKE_AUTH res 1 peer 10.2.1.11:500 local
10.2.2.10:500, 342 bytes
spi=0xe0fd27448726d995: ikev2_childsa_enable: loaded SPIs: 0xa7015208,
0xd94b3836 (enc aes-128-gcm esn)
spi=0xe0fd27448726d995: ikev2_childsa_enable: loaded flows:
ESP-10.2.2.10/32=10.2.1.11/32(0)
spi=0xe0fd27448726d995: established peer 10.2.1.11:500[IPV4/10.2.1.11] local
10.2.2.10:500[IPV4/10.2.2.10] policy 'policy1' as responder (enc aes-128-gcm
group curve25519 prf hmac-sha2-256)
On 10.2.1.11:
# iked -dv
ikev2 "policy1" active tunnel esp inet from 10.2.1.11 to 10.2.2.10 local
10.2.1.11 peer 10.2.2.10 ikesa enc aes-128-gcm enc aes-256-gcm prf
hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 group
curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072
group modp2048 group modp1536 group modp1024 ikesa enc aes-256 enc aes-192 enc
aes-128 enc 3des prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf
hmac-sha1 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth
hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group
modp4096 group modp3072 group modp2048 group modp1536 group modp1024 childsa
enc aes-128-gcm enc aes-256-gcm group none esn noesn childsa enc aes-256 enc
aes-192 enc aes-128 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512
auth hmac-sha1 group none esn noesn srcid 10.2.1.11 lifetime 10800 bytes
4294967296 signature
ikev2_init_ike_sa: initiating "policy1"
spi=0xe0fd27448726d995: send IKE_SA_INIT req 0 peer 10.2.2.10:500 local
10.2.1.11:500, 518 bytes
spi=0xe0fd27448726d995: recv IKE_SA_INIT res 0 peer 10.2.2.10:500 local
10.2.1.11:500, 235 bytes, policy 'policy1'
spi=0xe0fd27448726d995: send IKE_AUTH req 1 peer 10.2.2.10:500 local
10.2.1.11:500, 463 bytes
spi=0xe0fd27448726d995: recv IKE_AUTH res 1 peer 10.2.2.10:500 local
10.2.1.11:500, 342 bytes, policy 'policy1'
spi=0xe0fd27448726d995: ikev2_childsa_enable: loaded SPIs: 0xa7015208,
0xd94b3836 (enc aes-128-gcm esn)
spi=0xe0fd27448726d995: ikev2_childsa_enable: loaded flows:
ESP-10.2.1.11/32=10.2.2.10/32(0)
spi=0xe0fd27448726d995: established peer 10.2.2.10:500[IPV4/10.2.2.10] local
10.2.1.11:500[IPV4/10.2.1.11] policy 'policy1' as initiator (enc aes-128-gcm
group curve25519 prf hmac-sha2-256)
Here's the output from ipsecctl -sa:
On 10.2.2.10:
FLOWS:
flow esp in from 10.2.1.11 to 10.2.2.10 peer 10.2.1.11 srcid IPV4/10.2.2.10
dstid IPV4/10.2.1.11 type require
flow esp out from 10.2.2.10 to 10.2.1.11 peer 10.2.1.11 srcid IPV4/10.2.2.10
dstid IPV4/10.2.1.11 type require
SAD:
esp tunnel from 10.2.2.10 to 10.2.1.11 spi 0x0135c999 enc aes-128-gcm
esp tunnel from 10.2.1.11 to 10.2.2.10 spi 0x8a858058 enc aes-128-gcm
On 10.2.1.11:
FLOWS:
flow esp in from 10.2.2.10 to 10.2.1.11 peer 10.2.2.10 srcid IPV4/10.2.1.11
dstid IPV4/10.2.2.10 type require
flow esp out from 10.2.1.11 to 10.2.2.10 peer 10.2.2.10 srcid IPV4/10.2.1.11
dstid IPV4/10.2.2.10 type require
SAD:
esp tunnel from 10.2.2.10 to 10.2.1.11 spi 0x0135c999 enc aes-128-gcm
esp tunnel from 10.2.1.11 to 10.2.2.10 spi 0x8a858058 enc aes-128-gcm
Once I try pinging between the hosts, I can still see ICMP traffic on
the subject interface (vio1), and no traffic on enc0. I've been digging
around, trying to figure out what I missed, but I haven't found the
magic rabbit hole. I'm running a fully patched version of OpenBSD 7.3.
Additionally, the hosts have a stock /etc/pf.conf, so there aren't any
firewall rules to speak of between the hosts. The kernel states for
net.inet.esp.enable and net.inet.ah.enable are set to 1.
Any suggestions?
TIA,
--Bruce
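A consistency check for the state shown above, added here as an example that is not part of the original post or of OpenBSD: it parses the "loaded SPIs" line from iked -dv and the FLOWS/SAD sections of ipsecctl -sa (the sample input is constructed from the output quoted in the post for 10.2.2.10) and reports when the kernel SAD holds SPIs other than the ones iked says it loaded, or when either direction's SA or flow for the host pair is missing. The function names are assumptions of this example.

```python
import re

# Constructed from the post's iked -dv and ipsecctl -sa output on 10.2.2.10.
IKED_LOG = """\
spi=0xe0fd27448726d995: ikev2_childsa_enable: loaded SPIs: 0xa7015208, 0xd94b3836 (enc aes-128-gcm esn)
spi=0xe0fd27448726d995: ikev2_childsa_enable: loaded flows: ESP-10.2.2.10/32=10.2.1.11/32(0)
"""
IPSECCTL_SA = """\
FLOWS:
flow esp in from 10.2.1.11 to 10.2.2.10 peer 10.2.1.11 srcid IPV4/10.2.2.10 dstid IPV4/10.2.1.11 type require
flow esp out from 10.2.2.10 to 10.2.1.11 peer 10.2.1.11 srcid IPV4/10.2.2.10 dstid IPV4/10.2.1.11 type require
SAD:
esp tunnel from 10.2.2.10 to 10.2.1.11 spi 0x0135c999 enc aes-128-gcm
esp tunnel from 10.2.1.11 to 10.2.2.10 spi 0x8a858058 enc aes-128-gcm
"""

SPI_RE = re.compile(r"loaded SPIs: ([^(]+)")
SAD_RE = re.compile(r"^esp \w+ from (\S+) to (\S+) spi (0x[0-9a-f]+)", re.M)
FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+) peer (\S+)", re.M)


def iked_loaded_spis(log):
    """SPIs (as ints) that iked reported loading into the kernel."""
    spis = set()
    for m in SPI_RE.finditer(log):
        spis.update(int(s, 16) for s in re.findall(r"0x[0-9a-f]+", m.group(1)))
    return spis


def sad_spis(text):
    """Map (src, dst) -> SPI for every SAD entry in ipsecctl -sa output."""
    return {(src, dst): int(spi, 16) for src, dst, spi in SAD_RE.findall(text)}


def flow_pairs(text):
    """Set of (direction, src, dst, peer) tuples from the FLOWS section."""
    return set(FLOW_RE.findall(text))


def check(local, peer, log, sa_text):
    """Return a list of problems; an empty list means SAD and flows match iked's view."""
    problems = []
    sad = sad_spis(sa_text)
    for src, dst in ((local, peer), (peer, local)):
        if (src, dst) not in sad:
            problems.append(f"no SA for {src} -> {dst}")
    loaded = iked_loaded_spis(log)
    stale = sorted(f"0x{spi:08x}" for spi in sad.values() if spi not in loaded)
    if stale:
        problems.append("SAD SPIs not in iked's last loaded set: " + ", ".join(stale))
    fl = flow_pairs(sa_text)
    if ("out", local, peer, peer) not in fl or ("in", peer, local, peer) not in fl:
        problems.append("flow pair for the host pair is incomplete")
    return problems
```

Run over the post's own numbers it flags that the SAD SPIs (0x0135c999, 0x8a858058) are not the ones iked logged as loaded (0xa7015208, 0xd94b3836), so the two listings were captured from different child SAs (for example after a rekey or a restart); comparing a single SA's SPIs across both tools and both hosts is a cheap check to do before looking at pf or sysctl settings.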