Tobias Heider <[email protected]> writes:

> On October 3, 2023 2:30:54 PM GMT+02:00, "Robert B. Carleton" 
> <[email protected]> wrote:
>>Tobias Heider <[email protected]> writes:
>>
>>> On October 3, 2023 1:32:39 AM GMT+02:00, "Robert B. Carleton" 
>>> <[email protected]> wrote:
>>>>I'm trying to setup host-to-host encryption using iked with the
>>>>following configuration:
>>>>
>>>>On 10.2.2.10:
>>>>
>>>>ikev2 passive esp from 10.2.2.10 to 10.2.1.11 srcid 10.2.2.10
>>>>
>>>>On 10.2.1.11:
>>>>
>>>>ikev2 active esp from 10.2.1.11 to 10.2.2.10 srcid 10.2.1.11
>>>>
>>>>I exchanged the /etc/iked/local.pub files into /etc/iked/pubkeys/ipv4/
>>>>on each host using the respective IPs as the file names.
>>>>
>>>>When I start iked, it responds agreeably:
>>>>
>>>>On 10.2.2.10:
>>>>
>>>># iked -dv 
>>>>ikev2 "policy1" passive tunnel esp inet from 10.2.2.10 to 10.2.1.11 local 
>>>>10.2.2.10 peer 10.2.1.11 ikesa enc aes-128-gcm enc aes-256-gcm prf 
>>>>hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 group 
>>>>curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group 
>>>>modp3072 group modp2048 group modp1536 group modp1024 ikesa enc aes-256 enc 
>>>>aes-192 enc aes-128 enc 3des prf hmac-sha2-256 prf hmac-sha2-384 prf 
>>>>hmac-sha2-512 prf hmac-sha1 auth hmac-sha2-256 auth hmac-sha2-384 auth 
>>>>hmac-sha2-512 auth hmac-sha1 group curve25519 group ecp521 group ecp384 
>>>>group ecp256 group modp4096 group modp3072 group modp2048 group modp1536 
>>>>group modp1024 childsa enc aes-128-gcm enc aes-256-gcm group none esn noesn 
>>>>childsa enc aes-256 enc aes-192 enc aes-128 auth hmac-sha2-256 auth 
>>>>hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group none esn noesn srcid 
>>>>10.2.2.10 lifetime 10800 bytes 4294967296 signature
>>>>spi=0xe0fd27448726d995: recv IKE_SA_INIT req 0 peer 10.2.1.11:500 local 
>>>>10.2.2.10:500, 518 bytes, policy 'policy1'
>>>>spi=0xe0fd27448726d995: send IKE_SA_INIT res 0 peer 10.2.1.11:500 local 
>>>>10.2.2.10:500, 235 bytes
>>>>spi=0xe0fd27448726d995: recv IKE_AUTH req 1 peer 10.2.1.11:500 local 
>>>>10.2.2.10:500, 463 bytes, policy 'policy1'
>>>>spi=0xe0fd27448726d995: send IKE_AUTH res 1 peer 10.2.1.11:500 local 
>>>>10.2.2.10:500, 342 bytes
>>>>spi=0xe0fd27448726d995: ikev2_childsa_enable: loaded SPIs: 0xa7015208, 
>>>>0xd94b3836 (enc aes-128-gcm esn)
>>>>spi=0xe0fd27448726d995: ikev2_childsa_enable: loaded flows: 
>>>>ESP-10.2.2.10/32=10.2.1.11/32(0)
>>>>spi=0xe0fd27448726d995: established peer 10.2.1.11:500[IPV4/10.2.1.11] 
>>>>local 10.2.2.10:500[IPV4/10.2.2.10] policy 'policy1' as responder (enc 
>>>>aes-128-gcm group curve25519 prf hmac-sha2-256)
>>>>
>>>>On 10.2.1.11:
>>>>
>>>># iked -dv 
>>>>ikev2 "policy1" active tunnel esp inet from 10.2.1.11 to 10.2.2.10 local 
>>>>10.2.1.11 peer 10.2.2.10 ikesa enc aes-128-gcm enc aes-256-gcm prf 
>>>>hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 group 
>>>>curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group 
>>>>modp3072 group modp2048 group modp1536 group modp1024 ikesa enc aes-256 enc 
>>>>aes-192 enc aes-128 enc 3des prf hmac-sha2-256 prf hmac-sha2-384 prf 
>>>>hmac-sha2-512 prf hmac-sha1 auth hmac-sha2-256 auth hmac-sha2-384 auth 
>>>>hmac-sha2-512 auth hmac-sha1 group curve25519 group ecp521 group ecp384 
>>>>group ecp256 group modp4096 group modp3072 group modp2048 group modp1536 
>>>>group modp1024 childsa enc aes-128-gcm enc aes-256-gcm group none esn noesn 
>>>>childsa enc aes-256 enc aes-192 enc aes-128 auth hmac-sha2-256 auth 
>>>>hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group none esn noesn srcid 
>>>>10.2.1.11 lifetime 10800 bytes 4294967296 signature
>>>>ikev2_init_ike_sa: initiating "policy1"
>>>>spi=0xe0fd27448726d995: send IKE_SA_INIT req 0 peer 10.2.2.10:500 local 
>>>>10.2.1.11:500, 518 bytes
>>>>spi=0xe0fd27448726d995: recv IKE_SA_INIT res 0 peer 10.2.2.10:500 local 
>>>>10.2.1.11:500, 235 bytes, policy 'policy1'
>>>>spi=0xe0fd27448726d995: send IKE_AUTH req 1 peer 10.2.2.10:500 local 
>>>>10.2.1.11:500, 463 bytes
>>>>spi=0xe0fd27448726d995: recv IKE_AUTH res 1 peer 10.2.2.10:500 local 
>>>>10.2.1.11:500, 342 bytes, policy 'policy1'
>>>>spi=0xe0fd27448726d995: ikev2_childsa_enable: loaded SPIs: 0xa7015208, 
>>>>0xd94b3836 (enc aes-128-gcm esn)
>>>>spi=0xe0fd27448726d995: ikev2_childsa_enable: loaded flows: 
>>>>ESP-10.2.1.11/32=10.2.2.10/32(0)
>>>>spi=0xe0fd27448726d995: established peer 10.2.2.10:500[IPV4/10.2.2.10] 
>>>>local 10.2.1.11:500[IPV4/10.2.1.11] policy 'policy1' as initiator (enc 
>>>>aes-128-gcm group curve25519 prf hmac-sha2-256)
>>>>
>>>>Here's the output from ipsecctl -sa:
>>>>
>>>>On 10.2.2.10:
>>>>
>>>>FLOWS:
>>>>flow esp in from 10.2.1.11 to 10.2.2.10 peer 10.2.1.11 srcid IPV4/10.2.2.10 
>>>>dstid IPV4/10.2.1.11 type require
>>>>flow esp out from 10.2.2.10 to 10.2.1.11 peer 10.2.1.11 srcid 
>>>>IPV4/10.2.2.10 dstid IPV4/10.2.1.11 type require
>>>>
>>>>SAD:
>>>>esp tunnel from 10.2.2.10 to 10.2.1.11 spi 0x0135c999 enc aes-128-gcm
>>>>esp tunnel from 10.2.1.11 to 10.2.2.10 spi 0x8a858058 enc aes-128-gcm
>>>>
>>>>On 10.2.1.11:
>>>>
>>>>FLOWS:
>>>>flow esp in from 10.2.2.10 to 10.2.1.11 peer 10.2.2.10 srcid IPV4/10.2.1.11 
>>>>dstid IPV4/10.2.2.10 type require
>>>>flow esp out from 10.2.1.11 to 10.2.2.10 peer 10.2.2.10 srcid 
>>>>IPV4/10.2.1.11 dstid IPV4/10.2.2.10 type require
>>>>
>>>>SAD:
>>>>esp tunnel from 10.2.2.10 to 10.2.1.11 spi 0x0135c999 enc aes-128-gcm
>>>>esp tunnel from 10.2.1.11 to 10.2.2.10 spi 0x8a858058 enc aes-128-gcm
>>>>
>>>>Once I try pinging between the hosts, I can still see ICMP traffic on
>>>>the subject interface (vio1), and no traffic on enc0. I've been digging
>>>>around, trying to figure out what I missed, but I haven't found the
>>>>magic rabbit hole. I'm running a fully patched version of OpenBSD 7.3.
>>>>
>>>>Additionally, the hosts have a stock /etc/pf.conf, so there aren't any
>>>>firewall rules to speak of between the hosts. The kernel states for
>>>>net.inet.esp.enable, and net.inet.ah.enable are set to 1.
>>>>
>>>>Any suggestions?
>>>
>>> Can you show me the output of route get $peer-id on
>>> the host you ping from? Does it match the flow?
>>>
>>> I don't see anything obviously wrong in the ipsecctl and iked outputs.
>>> ipsecctl -sa -v might also help to see the per sa counters.
>>>
>>>>
>>>>TIA,
>>>>
>>>>                        --Bruce
>>>>
>>
>>I think this is what you meant. On 10.2.2.10:
>>
>># route -n get 10.2.1.11
>>   route to: 10.2.1.11
>>destination: 0.0.0.0
>>       mask: 0.0.0.0
>>    gateway: 10.1.2.1
>>  interface: vio0
>> if address: 10.1.2.10
>>   priority: 8 (static)
>>      flags: <UP,GATEWAY,DONE,STATIC>
>>     use       mtu    expire
>>      49         0         0
>>
>>There are multiple interfaces. Maybe that's causing a problem.
>
> So here's your problem. Your flow encrypts everything with source
> address 10.2.2.10 and destination 10.2.1.11, but your ping probably uses
> 10.1.2.10 as source address, so it doesn't match.

That was it. I didn't pay attention to my source address. I'm glad it
was something simple, rather than complicated. Thanks for the help. It's
much appreciated.

Best,

                        --Bruce
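The diagnosis in this thread generalizes to a quick check: the source address the kernel's route lookup selects for the peer has to equal the source address of the outbound flow, or the packets never match the flow and leave the host unencrypted. The script below is an added example written for this page, not code from the thread or from OpenBSD; it parses constructed samples modelled on the `route -n get` and `ipsecctl -sf` output above (on a live host you would substitute the real command output) and reports match, mismatch or a missing flow.

```shell
#!/bin/sh
# Added example, not from the thread: compare the source address the
# kernel's route lookup would pick for a peer against the source address
# of the outbound iked/ipsecctl flow to that peer. A mismatch means the
# traffic never matches the flow and leaves the box in the clear, which is
# what happened in the thread (route picked 10.1.2.10, flow wanted 10.2.2.10).
#
# The two inputs below are constructed samples modelled on the thread's
# "route -n get 10.2.1.11" and "ipsecctl -sf" output. On a live host you
# would feed "$(route -n get "$peer")" and "$(ipsecctl -sf)" instead.

SAMPLE_ROUTE='   route to: 10.2.1.11
destination: 0.0.0.0
       mask: 0.0.0.0
    gateway: 10.1.2.1
  interface: vio0
 if address: 10.1.2.10
   priority: 8 (static)
      flags: <UP,GATEWAY,DONE,STATIC>'

SAMPLE_FLOWS='flow esp in from 10.2.1.11 to 10.2.2.10 peer 10.2.1.11 srcid IPV4/10.2.2.10 dstid IPV4/10.2.1.11 type require
flow esp out from 10.2.2.10 to 10.2.1.11 peer 10.2.1.11 srcid IPV4/10.2.2.10 dstid IPV4/10.2.1.11 type require'

# route_src_addr ROUTE_GET_OUTPUT
# Prints the "if address" field: the source address the kernel selects
# for packets to the destination when the application does not bind one.
route_src_addr() {
    printf '%s\n' "$1" | awk -F': *' '$1 ~ /if address$/ { print $2 }'
}

# flow_out_src FLOWS_OUTPUT PEER
# Prints the "from" address of the outbound esp flow whose "to" is PEER.
# Field layout: flow esp out from SRC to DST peer PEER ...
flow_out_src() {
    printf '%s\n' "$1" | awk -v peer="$2" \
        '$1 == "flow" && $3 == "out" && $7 == peer { print $5; exit }'
}

# check_flow_source ROUTE_GET_OUTPUT FLOWS_OUTPUT PEER
# Prints one of:
#   match <addr>                 traffic to PEER will hit the flow
#   mismatch <route> <flow>      traffic uses <route> as source, flow wants <flow>
#   noflow <route>               no outbound flow to PEER is installed
# Exit status 0 / 1 / 2 respectively.
check_flow_source() {
    rsrc=$(route_src_addr "$1")
    fsrc=$(flow_out_src "$2" "$3")
    if [ -z "$fsrc" ]; then
        echo "noflow $rsrc"; return 2
    elif [ "$rsrc" = "$fsrc" ]; then
        echo "match $rsrc"; return 0
    else
        echo "mismatch $rsrc $fsrc"; return 1
    fi
}

# Stand-alone run against the constructed samples; prints
# "mismatch 10.1.2.10 10.2.2.10", the thread's situation. One quick remedy on
# the pinging host is to bind the flow's source: ping -I 10.2.2.10 10.2.1.11
check_flow_source "$SAMPLE_ROUTE" "$SAMPLE_FLOWS" 10.2.1.11 || :
```

The check reads only the outbound flow because that is the direction the local route lookup decides; the inbound flow is matched on the peer's side. Binding the source with `ping -I` confirms the diagnosis, while the lasting fix is either a flow that covers the address the route actually uses or a route whose interface address is the one in the flow.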