On October 3, 2023 1:32:39 AM GMT+02:00, "Robert B. Carleton"
<[email protected]> wrote:
>I'm trying to set up host-to-host encryption using iked with the
>following configuration:
>
>On 10.2.2.10:
>
>ikev2 passive esp from 10.2.2.10 to 10.2.1.11 srcid 10.2.2.10
>
>On 10.2.1.11:
>
>ikev2 active esp from 10.2.1.11 to 10.2.2.10 srcid 10.2.1.11
>
>I exchanged the /etc/iked/local.pub files into /etc/iked/pubkeys/ipv4/
>on each host using the respective IPs as the file names.
>
>When I start iked, it responds agreeably:
>
>On 10.2.2.10:
>
># iked -dv
>ikev2 "policy1" passive tunnel esp inet from 10.2.2.10 to 10.2.1.11 local
>10.2.2.10 peer 10.2.1.11 ikesa enc aes-128-gcm enc aes-256-gcm prf
>hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 group
>curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group
>modp3072 group modp2048 group modp1536 group modp1024 ikesa enc aes-256 enc
>aes-192 enc aes-128 enc 3des prf hmac-sha2-256 prf hmac-sha2-384 prf
>hmac-sha2-512 prf hmac-sha1 auth hmac-sha2-256 auth hmac-sha2-384 auth
>hmac-sha2-512 auth hmac-sha1 group curve25519 group ecp521 group ecp384 group
>ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group
>modp1024 childsa enc aes-128-gcm enc aes-256-gcm group none esn noesn childsa
>enc aes-256 enc aes-192 enc aes-128 auth hmac-sha2-256 auth hmac-sha2-384 auth
>hmac-sha2-512 auth hmac-sha1 group none esn noesn srcid 10.2.2.10 lifetime
>10800 bytes 4294967296 signature
>spi=0xe0fd27448726d995: recv IKE_SA_INIT req 0 peer 10.2.1.11:500 local
>10.2.2.10:500, 518 bytes, policy 'policy1'
>spi=0xe0fd27448726d995: send IKE_SA_INIT res 0 peer 10.2.1.11:500 local
>10.2.2.10:500, 235 bytes
>spi=0xe0fd27448726d995: recv IKE_AUTH req 1 peer 10.2.1.11:500 local
>10.2.2.10:500, 463 bytes, policy 'policy1'
>spi=0xe0fd27448726d995: send IKE_AUTH res 1 peer 10.2.1.11:500 local
>10.2.2.10:500, 342 bytes
>spi=0xe0fd27448726d995: ikev2_childsa_enable: loaded SPIs: 0xa7015208,
>0xd94b3836 (enc aes-128-gcm esn)
>spi=0xe0fd27448726d995: ikev2_childsa_enable: loaded flows:
>ESP-10.2.2.10/32=10.2.1.11/32(0)
>spi=0xe0fd27448726d995: established peer 10.2.1.11:500[IPV4/10.2.1.11] local
>10.2.2.10:500[IPV4/10.2.2.10] policy 'policy1' as responder (enc aes-128-gcm
>group curve25519 prf hmac-sha2-256)
>
>On 10.2.1.11:
>
># iked -dv
>ikev2 "policy1" active tunnel esp inet from 10.2.1.11 to 10.2.2.10 local
>10.2.1.11 peer 10.2.2.10 ikesa enc aes-128-gcm enc aes-256-gcm prf
>hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 group
>curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group
>modp3072 group modp2048 group modp1536 group modp1024 ikesa enc aes-256 enc
>aes-192 enc aes-128 enc 3des prf hmac-sha2-256 prf hmac-sha2-384 prf
>hmac-sha2-512 prf hmac-sha1 auth hmac-sha2-256 auth hmac-sha2-384 auth
>hmac-sha2-512 auth hmac-sha1 group curve25519 group ecp521 group ecp384 group
>ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group
>modp1024 childsa enc aes-128-gcm enc aes-256-gcm group none esn noesn childsa
>enc aes-256 enc aes-192 enc aes-128 auth hmac-sha2-256 auth hmac-sha2-384 auth
>hmac-sha2-512 auth hmac-sha1 group none esn noesn srcid 10.2.1.11 lifetime
>10800 bytes 4294967296 signature
>ikev2_init_ike_sa: initiating "policy1"
>spi=0xe0fd27448726d995: send IKE_SA_INIT req 0 peer 10.2.2.10:500 local
>10.2.1.11:500, 518 bytes
>spi=0xe0fd27448726d995: recv IKE_SA_INIT res 0 peer 10.2.2.10:500 local
>10.2.1.11:500, 235 bytes, policy 'policy1'
>spi=0xe0fd27448726d995: send IKE_AUTH req 1 peer 10.2.2.10:500 local
>10.2.1.11:500, 463 bytes
>spi=0xe0fd27448726d995: recv IKE_AUTH res 1 peer 10.2.2.10:500 local
>10.2.1.11:500, 342 bytes, policy 'policy1'
>spi=0xe0fd27448726d995: ikev2_childsa_enable: loaded SPIs: 0xa7015208,
>0xd94b3836 (enc aes-128-gcm esn)
>spi=0xe0fd27448726d995: ikev2_childsa_enable: loaded flows:
>ESP-10.2.1.11/32=10.2.2.10/32(0)
>spi=0xe0fd27448726d995: established peer 10.2.2.10:500[IPV4/10.2.2.10] local
>10.2.1.11:500[IPV4/10.2.1.11] policy 'policy1' as initiator (enc aes-128-gcm
>group curve25519 prf hmac-sha2-256)
>
>Here's the output from ipsecctl -sa:
>
>On 10.2.2.10:
>
>FLOWS:
>flow esp in from 10.2.1.11 to 10.2.2.10 peer 10.2.1.11 srcid IPV4/10.2.2.10
>dstid IPV4/10.2.1.11 type require
>flow esp out from 10.2.2.10 to 10.2.1.11 peer 10.2.1.11 srcid IPV4/10.2.2.10
>dstid IPV4/10.2.1.11 type require
>
>SAD:
>esp tunnel from 10.2.2.10 to 10.2.1.11 spi 0x0135c999 enc aes-128-gcm
>esp tunnel from 10.2.1.11 to 10.2.2.10 spi 0x8a858058 enc aes-128-gcm
>
>On 10.2.1.11:
>
>FLOWS:
>flow esp in from 10.2.2.10 to 10.2.1.11 peer 10.2.2.10 srcid IPV4/10.2.1.11
>dstid IPV4/10.2.2.10 type require
>flow esp out from 10.2.1.11 to 10.2.2.10 peer 10.2.2.10 srcid IPV4/10.2.1.11
>dstid IPV4/10.2.2.10 type require
>
>SAD:
>esp tunnel from 10.2.2.10 to 10.2.1.11 spi 0x0135c999 enc aes-128-gcm
>esp tunnel from 10.2.1.11 to 10.2.2.10 spi 0x8a858058 enc aes-128-gcm
>
>Once I try pinging between the hosts, I can still see ICMP traffic on
>the subject interface (vio1), and no traffic on enc0. I've been digging
>around, trying to figure out what I missed, but I haven't found the
>magic rabbit hole. I'm running a fully patched version of OpenBSD 7.3.
>
>Additionally, the hosts have a stock /etc/pf.conf, so there aren't any
>firewall rules to speak of between the hosts. The kernel states for
>net.inet.esp.enable and net.inet.ah.enable are set to 1.
>
>Any suggestions?
Can you show me the output of route get $peer-id on
the host you ping from? Does it match the flow?
I don't see anything obviously wrong in the ipsecctl and iked outputs.
ipsecctl -sa -v might also help to see the per-SA counters.
>
>TIA,
>
> --Bruce
>
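The comparison the reply asks for, as an added example that is not part of either message: a POSIX shell check that reads the outbound flow from `ipsecctl -sa` and the route the kernel would use for the peer, and reports whether the route's source address and destination line up with the flow. The `ipsecctl` lines are constructed from the values in the thread; the `route get` layout (an "if address:" line naming the source address) is an assumption.

```shell
# Added example (not from the thread): does `route get <peer>` pick the
# same source/destination pair that the "out" IPsec flow expects?
# Sample outputs are CONSTRUCTED; the `route get` layout is assumed.

# Constructed `ipsecctl -sa` FLOWS output as seen on 10.2.1.11.
FLOWS='flow esp in from 10.2.2.10 to 10.2.1.11 peer 10.2.2.10 srcid IPV4/10.2.1.11 dstid IPV4/10.2.2.10 type require
flow esp out from 10.2.1.11 to 10.2.2.10 peer 10.2.2.10 srcid IPV4/10.2.1.11 dstid IPV4/10.2.2.10 type require'

# Constructed `route get 10.2.2.10` output (assumed layout).
ROUTE='   route to: 10.2.2.10
destination: 10.2.2.0
       mask: 255.255.255.0
  interface: vio1
 if address: 10.2.1.11
   priority: 4 (connected)
      flags: <UP,DONE,CLONING>'

# flow_field FLOWS dir key: value following "key" on the flow line whose
# direction (3rd word) is dir, e.g. flow_field "$FLOWS" out from
flow_field() {
    printf '%s\n' "$1" | awk -v dir="$2" -v key="$3" '
        $1 == "flow" && $3 == dir {
            for (i = 1; i < NF; i++) if ($i == key) { print $(i+1); exit }
        }'
}

# route_field ROUTE label: first word after "label:" (label may have spaces)
route_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | awk '{print $1}'
}

# check_flow_route FLOWS ROUTE: "match" when the route targets the flow's
# "to" address and leaves from the flow's "from" address; otherwise why not.
check_flow_route() {
    src=$(flow_field "$1" out from)
    dst=$(flow_field "$1" out to)
    rt_to=$(route_field "$2" "route to")
    rt_src=$(route_field "$2" "if address")
    if [ "$rt_to" != "$dst" ]; then
        echo "mismatch: route is for $rt_to, flow is to $dst"
    elif [ "$rt_src" != "$src" ]; then
        echo "mismatch: packets leave from $rt_src, flow expects from $src"
    else
        echo "match"
    fi
}

check_flow_route "$FLOWS" "$ROUTE"
```

A "mismatch" on the source address is the case where packets keep appearing on the physical interface instead of enc0, because the kernel's chosen source address never hits the /32 flow.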