On Tue, Oct 24, 2023 at 10:42:11PM +0200, Tobias Heider wrote:
> On Tue, Oct 24, 2023 at 03:35:57PM -0500, [email protected] wrote:
> > On Tue, Oct 24, 2023 at 03:06:41PM -0500, [email protected] wrote:
> > [..]
> > > $ uname -a
> > > OpenBSD openbsd-server 7.4 GENERIC#1336 amd64
> > >
> > > ikev2 "LINUX-CLIENT_INET4_LAN" passive esp \
> > >     from 10.88.0.0/22 to 10.88.12.0/24 \
> > >     from 203.0.113.92 to 10.88.12.0/24 \
> > >     peer any local openbsd-server.example.com \
> > >     ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
> > >     childsa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
> > >     srcid openbsd-server.example.com dstid linux-client.example.com \
> > >     ikelifetime 4h \
> > >     psk "123123123" \
> > >     tag "$name-$id"
> > >
> > > Client configuration
> > >
> > > # uname -a
> > > Linux linux-client 6.1.14-v7+ #1633 SMP Thu Mar 2 11:02:03 GMT 2023 armv7l GNU/Linux
> > >
> > > ikev2 "OPENBSD-SERVER_INET4_NETS" active esp \
> > >     from 10.88.12.0/24 to 10.88.0.0/22 \
> > >     from 10.88.12.0/24 to 203.0.113.92 \
> > >     peer 203.0.113.92 \
> > >     ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
> > >     childsa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
> > >     srcid openbsd-server.example.com dstid linux-client.example.com \
> > >     ikelifetime 4h \
> > >     psk "123123123" \
> > >     tag "$name-$id"
>
> One thing that is clearly wrong is the IDs. The client should probably use:
>
> srcid linux-client.example.com dstid openbsd-server.example.com \
Urgh, just saw that you already fixed that.

> >
> > So some of these were a bit backwards. I fixed the configurations but am
> > now seeing the following on the server side:
> >
> > Oct 24 15:22:10 openbsd-server iked[12052]: spi=0x84023eb6ab6a9d33: ikev2_resp_recv: failed to parse message
> >
> > Updated server configuration
> >
> > ikev2 "LINUX-CLIENT_INET4_LAN" passive esp \
> >     from 10.88.0.0/22 to 10.88.12.0/24 \
> >     from 203.0.113.92 to 10.88.12.0/24 \
> >     peer any local 203.0.113.92 \
> >     ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 \
> >     childsa enc aes-256-gcm prf hmac-sha2-512 group ecp521 \
> >     srcid openbsd-server.example.com dstid linux-client.example.com \
> >     lifetime 3600 bytes 1G \
> >     psk "123123123" \
> >     tag "$name-$id"
> >
> > Updated client configuration
> >
> > ikev2 "OPENBSD-SERVER_INET4_NETS" active esp \
> >     from 10.88.12.0/24 to 10.88.0.0/22 \
> >     from 10.88.12.0/24 to 203.0.113.92 \
> >     peer openbsd-server.example.com \
> >     ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 \
> >     childsa enc aes-256-gcm prf hmac-sha2-512 group ecp521 \
> >     srcid linux-client.example.com dstid openbsd-server.example.com \
> >     lifetime 3600 bytes 1G \
> >     psk "123123123" \
> >     tag "$name-$id"

Does it work if you remove the second "from ... to" line? It looks like the
SA payload is malformed, so the flows are the most likely cause.
> >
> > Full logs are below
> >
> > Server Logs
> >
> > # iked -dvv
> > policy_lookup: setting policy 'LINUX-CLIENT_INET4_LAN'
> > spi=0xb825bd62181aa707: recv IKE_SA_INIT req 0 peer 192.0.51.245:23804 local 203.0.113.92:500, 330 bytes, policy 'LINUX-CLIENT_INET4_LAN'
> > ikev2_recv: ispi 0xb825bd62181aa707 rspi 0x0000000000000000
> > ikev2_policy2id: srcid FQDN/openbsd-server.example.com length 23
> > ikev2_pld_parse: header ispi 0xb825bd62181aa707 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 330 response 0
> > ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 40
> > ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid IKE spisize 0 xforms 3 spi 0
> > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
> > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
> > ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA2_512
> > ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 140
> > ikev2_pld_ke: dh group ECP_521 reserved 0
> > ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 36
> > ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length 16
> > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> > ikev2_nat_detection: peer source 0xb825bd62181aa707 0x0000000000000000 192.0.51.245:23804
> > ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT
> > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> > ikev2_nat_detection: peer destination 0xb825bd62181aa707 0x0000000000000000 203.0.113.92:500
> > ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
> > ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> > ikev2_pld_notify: signature hash SHA2_256 (2)
> > ikev2_pld_notify: signature hash SHA2_384 (3)
> > ikev2_pld_notify: signature hash SHA2_512 (4)
> > proposals_negotiate: score 3
> > proposals_negotiate: score 0
> > proposals_negotiate: score 0
> > proposals_negotiate: score 0
> > proposals_negotiate: score 0
> > proposals_negotiate: score 0
> > proposals_negotiate: score 0
> > proposals_negotiate: score 3
> > policy_lookup: setting policy 'LINUX-CLIENT_INET4_LAN'
> > spi=0xb825bd62181aa707: sa_state: INIT -> SA_INIT
> > proposals_negotiate: score 3
> > sa_stateok: SA_INIT flags 0x0000, require 0x0000
> > sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
> > spi=0xb825bd62181aa707: ikev2_sa_keys: DHSECRET with 66 bytes
> > ikev2_sa_keys: SKEYSEED with 64 bytes
> > spi=0xb825bd62181aa707: ikev2_sa_keys: S with 80 bytes
> > ikev2_prfplus: T1 with 64 bytes
> > ikev2_prfplus: T2 with 64 bytes
> > ikev2_prfplus: T3 with 64 bytes
> > ikev2_prfplus: T4 with 64 bytes
> > ikev2_prfplus: T5 with 64 bytes
> > ikev2_prfplus: Tn with 320 bytes
> > ikev2_sa_keys: SK_d with 64 bytes
> > ikev2_sa_keys: SK_ei with 36 bytes
> > ikev2_sa_keys: SK_er with 36 bytes
> > ikev2_sa_keys: SK_pi with 64 bytes
> > ikev2_sa_keys: SK_pr with 64 bytes
> > ikev2_resp_ike_sa_init: detected NAT, enabling UDP encapsulation
> > ikev2_add_proposals: length 36
> > ikev2_next_payload: length 40 nextpayload KE
> > ikev2_next_payload: length 140 nextpayload NONCE
> > ikev2_next_payload: length 36 nextpayload VENDOR
> > ikev2_next_payload: length 16 nextpayload NOTIFY
> > ikev2_nat_detection: local source 0xb825bd62181aa707 0xe5481ced5de262ea 203.0.113.92:500
> > ikev2_next_payload: length 28 nextpayload NOTIFY
> > ikev2_nat_detection: local destination 0xb825bd62181aa707 0xe5481ced5de262ea 192.0.51.245:23804
> > ikev2_next_payload: length 28 nextpayload NOTIFY
> > ikev2_next_payload: length 14 nextpayload NONE
> > ikev2_pld_parse: header ispi 0xb825bd62181aa707 rspi 0xe5481ced5de262ea nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 330 response 1
> > ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 40
> > ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid IKE spisize 0 xforms 3 spi 0
> > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
> > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
> > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_521
> > ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 140
> > ikev2_pld_ke: dh group ECP_521 reserved 0
> > ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 36
> > ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length 16
> > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> > ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
> > ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> > spi=0xb825bd62181aa707: send IKE_SA_INIT res 0 peer 192.0.51.245:23804 local 203.0.113.92:500, 330 bytes
> > config_free_proposals: free 0x292d636b0f0
> > spi=0xb825bd62181aa707: recv IKE_AUTH req 1 peer 192.0.51.245:3916 local 203.0.113.92:4500, 251 bytes, policy 'LINUX-CLIENT_INET4_LAN'
> > ikev2_recv: ispi 0xb825bd62181aa707 rspi 0xe5481ced5de262ea
> > ikev2_recv: updated SA to peer 192.0.51.245:3916 local 203.0.113.92:4500
> > ikev2_pld_parse: header ispi 0xb825bd62181aa707 rspi 0xe5481ced5de262ea nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 251 response 0
> > ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 223
> > ikev2_msg_decrypt: IV length 8
> > ikev2_msg_decrypt: encrypted payload length 199
> > ikev2_msg_decrypt: integrity checksum length 12
> > ikev2_msg_decrypt: AAD length 32
> > ikev2_msg_decrypt: decrypted payload length 199/199 padding 0
> > ikev2_pld_payloads: decrypted payload IDi nextpayload IDr critical 0x00 length 31
> > ikev2_pld_id: id FQDN/linux-client.example.com length 27
> > ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 27
> > ikev2_pld_id: id FQDN/openbsd-server.example.com length 23
> > ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 72
> > ikev2_pld_auth: method SHARED_KEY_MIC length 64
> > ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 4
> > ikev2_validate_sa: malformed payload: too short for header (0 < 8)
> > spi=0xb825bd62181aa707: ikev2_resp_recv: failed to parse message
> > spi=0xb825bd62181aa707: recv IKE_AUTH req 1 peer 192.0.51.245:3916 local 203.0.113.92:4500, 251 bytes, policy 'LINUX-CLIENT_INET4_LAN'
> > ikev2_recv: ispi 0xb825bd62181aa707 rspi 0xe5481ced5de262ea
> > ikev2_recv: updated SA to peer 192.0.51.245:3916 local 203.0.113.92:4500
> > ikev2_pld_parse: header ispi 0xb825bd62181aa707 rspi 0xe5481ced5de262ea nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 251 response 0
> > ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 223
> > ikev2_msg_decrypt: IV length 8
> > ikev2_msg_decrypt: encrypted payload length 199
> > ikev2_msg_decrypt: integrity checksum length 12
> > ikev2_msg_decrypt: AAD length 32
> > ikev2_msg_decrypt: decrypted payload length 199/199 padding 0
> > ikev2_pld_payloads: decrypted payload IDi nextpayload IDr critical 0x00 length 31
> > ikev2_pld_id: id FQDN/linux-client.example.com length 27
> > ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 27
> > ikev2_pld_id: id FQDN/openbsd-server.example.com length 23
> > ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 72
> > ikev2_pld_auth: method SHARED_KEY_MIC length 64
> > ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 4
> > ikev2_validate_sa: malformed payload: too short for header (0 < 8)
> > spi=0xb825bd62181aa707: ikev2_resp_recv: failed to parse message
> > ^Ccontrol exiting, pid 6682
> > ca exiting, pid 23273
> > config_doreset: flushing policies
> > config_free_proposals: free 0x292d6376c80
> > config_free_proposals: free 0x292d6376910
> > config_free_flows: free 0x292d638f400
> > config_free_flows: free 0x292d638f800
> > config_free_flows: free 0x292d6361c00
> > config_free_flows: free 0x292d6361000
> > config_free_proposals: free 0x292d6395000
> > config_free_proposals: free 0x292d6395d20
> > config_free_proposals: free 0x292d6395870
> > config_free_proposals: free 0x292d6384f00
> > config_free_flows: free 0x292d6383000
> > config_free_proposals: free 0x292d636bc80
> > config_free_proposals: free 0x292d6395730
> > config_free_proposals: free 0x292d6376b90
> > config_free_proposals: free 0x292d636b500
> > config_free_flows: free 0x292d6361800
> > config_free_proposals: free 0x292d6376cd0
> > config_free_proposals: free 0x292d6384410
> > config_free_proposals: free 0x292d636b460
> > config_free_proposals: free 0x292d6384d70
> > config_free_flows: free 0x292d6383c00
> > config_doreset: flushing SAs
> > config_free_proposals: free 0x292d63958c0
> > config_free_proposals: free 0x292d636bd70
> > config_free_childsas: free 0x292d636c840
> > config_free_childsas: free 0x292d6366540
> > sa_free_flows: free 0x292d635c800
> > sa_free_flows: free 0x292d638f000
> > sa_free_flows: free 0x29390660400
> > sa_free_flows: free 0x292d635c400
> > sa_free_flows: free 0x292d6383400
> > sa_free_flows: free 0x292d635c000
> > sa_free_flows: free 0x29390655800
> > sa_free_flows: free 0x292d6389800
> > config_free_proposals: free 0x292d6376f00
> > config_free_proposals: free 0x292d6376f50
> > config_free_flows: free 0x292d6361400
> > config_free_flows: free 0x292d6383800
> > config_free_flows: free 0x292d6389c00
> > config_free_flows: free 0x292d637fc00
> > config_free_proposals: free 0x292d6384730
> > config_free_proposals: free 0x292d63954b0
> > config_free_proposals: free 0x292d6376960
> > config_free_flows: free 0x292d6389000
> > config_free_flows: free 0x292d6389400
> > config_doreset: flushing users
> > ikev2 exiting, pid 47679
> > parent terminating
> >
> >
> > Client Logs
> >
> > # iked -dvv
> > create_ike: using unknown for peer openbsd-server.example.com
> > ikev2 "OPENBSD-SERVER_INET4_NETS" active tunnel esp inet from 10.88.12.0/24 to 10.88.0.0/22 from 10.88.12.0/24 to 203.0.113.92 local any peer 203.0.113.92 ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 srcid linux-client.example.com dstid openbsd-server.example.com lifetime 3600 bytes 1073741824 psk 0x746869732d69732d612d6c6f6e672d746573742d70772d39 tag "$name-$id"
> > /etc/iked.conf: loaded 1 configuration rules
> > ca_privkey_serialize: type ECDSA length 121
> > ca_pubkey_serialize: type ECDSA length 91
> > config_getpolicy: received policy
> > config_getpfkey: received pfkey fd 3
> > ca_privkey_to_method: type ECDSA method ECDSA_256
> > ca_getkey: received private key type ECDSA length 121
> > ca_getkey: received public key type ECDSA length 91
> > ca_dispatch_parent: config reset
> > ca_reload: local cert type ECDSA
> > config_getocsp: ocsp_url none tolerate 0 maxage -1
> > ikev2_dispatch_cert: updated local CERTREQ type ECDSA length 0
> > config_getcompile: compilation done
> > config_getsocket: received socket fd 4
> > config_getsocket: received socket fd 5
> > config_getsocket: received socket fd 6
> > config_getsocket: received socket fd 7
> > config_getstatic: dpd_check_interval 60
> > config_getstatic: no enforcesingleikesa
> > config_getstatic: no fragmentation
> > config_getstatic: mobike
> > config_getstatic: nattport 4500
> > config_getstatic: no stickyaddress
> > ikev2_init_ike_sa: initiating "OPENBSD-SERVER_INET4_NETS"
> > ikev2_policy2id: srcid FQDN/linux-client.example.com length 27
> > ikev2_add_proposals: length 36
> > ikev2_next_payload: length 40 nextpayload KE
> > ikev2_next_payload: length 140 nextpayload NONCE
> > ikev2_next_payload: length 36 nextpayload VENDOR
> > ikev2_next_payload: length 16 nextpayload NOTIFY
> > ikev2_nat_detection: local source 0xb825bd62181aa707 0x0000000000000000 0.0.0.0:500
> > ikev2_next_payload: length 28 nextpayload NOTIFY
> > ikev2_nat_detection: local destination 0xb825bd62181aa707 0x0000000000000000 203.0.113.92:500
> > ikev2_next_payload: length 28 nextpayload NOTIFY
> > ikev2_next_payload: length 14 nextpayload NONE
> > ikev2_pld_parse: header ispi 0xb825bd62181aa707 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 330 response 0
> > ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 40
> > ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid IKE spisize 0 xforms 3 spi 0
> > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
> > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
> > ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA2_512
> > ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 140
> > ikev2_pld_ke: dh group ECP_521 reserved 0
> > ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 36
> > ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length 16
> > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> > ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
> > ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> > spi=0xb825bd62181aa707: send IKE_SA_INIT req 0 peer 203.0.113.92:500 local 0.0.0.0:500, 330 bytes
> > spi=0xb825bd62181aa707: sa_state: INIT -> SA_INIT
> > spi=0xb825bd62181aa707: recv IKE_SA_INIT res 0 peer 203.0.113.92:500 local 172.20.10.7:500, 330 bytes, policy 'OPENBSD-SERVER_INET4_NETS'
> > ikev2_recv: ispi 0xb825bd62181aa707 rspi 0xe5481ced5de262ea
> > ikev2_recv: updated SA to peer 203.0.113.92:500 local 172.20.10.7:500
> > ikev2_policy2id: srcid FQDN/linux-client.example.com length 27
> > ikev2_pld_parse: header ispi 0xb825bd62181aa707 rspi 0xe5481ced5de262ea nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 330 response 1
> > ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 40
> > ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid IKE spisize 0 xforms 3 spi 0
> > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
> > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
> > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_521
> > ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 140
> > ikev2_pld_ke: dh group ECP_521 reserved 0
> > ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 36
> > ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length 16
> > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> > ikev2_nat_detection: peer source 0xb825bd62181aa707 0xe5481ced5de262ea 203.0.113.92:500
> > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> > ikev2_nat_detection: peer destination 0xb825bd62181aa707 0xe5481ced5de262ea 172.20.10.7:500
> > ikev2_pld_notify: NAT_DETECTION_DESTINATION_IP detected NAT
> > ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
> > ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> > ikev2_pld_notify: signature hash SHA2_256 (2)
> > ikev2_pld_notify: signature hash SHA2_384 (3)
> > ikev2_pld_notify: signature hash SHA2_512 (4)
> > ikev2_enable_natt: detected NAT, enabling UDP encapsulation, updated SA to peer 203.0.113.92:4500 local 172.20.10.7:4500
> > proposals_negotiate: score 3
> > sa_stateok: SA_INIT flags 0x0000, require 0x0008 auth
> > spi=0xb825bd62181aa707: ikev2_sa_keys: DHSECRET with 66 bytes
> > ikev2_sa_keys: SKEYSEED with 64 bytes
> > spi=0xb825bd62181aa707: ikev2_sa_keys: S with 80 bytes
> > ikev2_prfplus: T1 with 64 bytes
> > ikev2_prfplus: T2 with 64 bytes
> > ikev2_prfplus: T3 with 64 bytes
> > ikev2_prfplus: T4 with 64 bytes
> > ikev2_prfplus: T5 with 64 bytes
> > ikev2_prfplus: Tn with 320 bytes
> > ikev2_sa_keys: SK_d with 64 bytes
> > ikev2_sa_keys: SK_ei with 36 bytes
> > ikev2_sa_keys: SK_er with 36 bytes
> > ikev2_sa_keys: SK_pi with 64 bytes
> > ikev2_sa_keys: SK_pr with 64 bytes
> > ikev2_msg_auth: initiator auth data length 426
> > sa_stateok: SA_INIT flags 0x0008, require 0x0008 auth
> > ikev2_policy2id: dstid FQDN/openbsd-server.example.com length 23
> > ikev2_next_payload: length 31 nextpayload IDr
> > ikev2_next_payload: length 27 nextpayload AUTH
> > spi=0xb825bd62181aa707: ikev2_cp_request_configured: no
> > ikev2_next_payload: length 72 nextpayload SA
> > ikev2_add_proposals: length 0
> > ikev2_next_payload: length 4 nextpayload TSi
> > ikev2_next_payload: length 24 nextpayload TSr
> > ikev2_next_payload: length 40 nextpayload NONE
> > ikev2_next_payload: length 223 nextpayload IDi
> > ikev2_msg_encrypt: decrypted length 198
> > ikev2_msg_encrypt: padded length 199
> > ikev2_msg_encrypt: length 199, padding 0, output length 219
> > ikev2_msg_integr: message length 251
> > ikev2_msg_integr: integrity checksum length 12
> > ikev2_pld_parse: header ispi 0xb825bd62181aa707 rspi 0xe5481ced5de262ea nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 251 response 0
> > ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 223
> > ikev2_msg_decrypt: IV length 8
> > ikev2_msg_decrypt: encrypted payload length 199
> > ikev2_msg_decrypt: integrity checksum length 12
> > ikev2_msg_decrypt: AAD length 32
> > ikev2_msg_decrypt: decrypted payload length 199/199 padding 0
> > ikev2_pld_payloads: decrypted payload IDi nextpayload IDr critical 0x00 length 31
> > ikev2_pld_id: id FQDN/linux-client.example.com length 27
> > ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 27
> > ikev2_pld_id: id FQDN/openbsd-server.example.com length 23
> > ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 72
> > ikev2_pld_auth: method SHARED_KEY_MIC length 64
> > ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 4
> > ikev2_validate_sa: malformed payload: too short for header (0 < 8)
> > ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
> > ikev2_pld_tss: count 1 length 16
> > ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> > ikev2_pld_ts: start 10.88.12.0 end 10.88.12.255
> > ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 40
> > ikev2_pld_tss: count 2 length 32
> > ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> > ikev2_pld_ts: start 10.88.0.0 end 10.88.3.255
> > ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> > ikev2_pld_ts: start 203.0.113.92 end 203.0.113.92
> > spi=0xb825bd62181aa707: send IKE_AUTH req 1 peer 203.0.113.92:4500 local 172.20.10.7:4500, 251 bytes, NAT-T
> > config_free_proposals: free 0x1cfd618
> > spi=0xb825bd62181aa707: retransmit 1 IKE_AUTH req 1 peer 203.0.113.92:4500 local 172.20.10.7:4500
> > ^Cconfig_doreset: flushing policies
> > config_doreset: flushing SAs
> > config_free_proposals: free 0x1cf8e10
> > config_free_proposals: free 0x1ca5678
> > config_free_flows: free 0x1ca29b8
> > config_free_flows: free 0x1ca2ba8
> > ca exiting, pid 3414
> > config_doreset: flushing users
> > control exiting, pid 3415
> > ikev2 exiting, pid 3416
> > parent terminating
> >
>
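Added illustration, not code from the thread or from iked: a small parser for the IKEv2 SA payload layout (RFC 7296 section 3.3) the logs above walk through. It rebuilds the 40-byte IKE_SA_INIT SA payload from constructed bytes (proposal length 36, transforms 12/8/8, KEY_LENGTH 256; transform and payload type numbers are the IANA registry values) and shows why the 4-byte SA payload in the client's IKE_AUTH, a generic header with no proposal behind it ("ikev2_add_proposals: length 0"), trips a header check worded like iked's "too short for header (0 < 8)". The check mirrors the logged wording only; it is not iked's implementation.

```python
import struct
PAYLOAD_HDR, PROPOSAL_HDR, TRANSFORM_HDR = 4, 8, 8  # RFC 7296 3.2 / 3.3.1 / 3.3.2 header sizes
TRANSFORM_TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH", 5: "ESN"}
KEY_LENGTH = 14  # transform attribute type, always TV format
class MalformedSA(ValueError): """Raised where iked would log 'malformed payload'."""

def parse_attrs(data):
    """TV-format attributes only (AF bit set); rejects truncated or TLV data."""
    pairs = [struct.unpack("!HH", data[i:i + 4]) for i in range(0, len(data) - 3, 4)]
    if len(pairs) * 4 != len(data) or any(not aft & 0x8000 for aft, _ in pairs):
        raise MalformedSA("truncated or TLV attribute (not handled in this example)")
    return {aft & 0x7FFF: val for aft, val in pairs}

def parse_transforms(data, expected):
    """Walk transform substructures: 'more' is 3 while others follow, 0 on the last."""
    xforms, off = [], 0
    while True:
        if len(data) - off < TRANSFORM_HDR:
            raise MalformedSA(f"too short for header ({len(data) - off} < {TRANSFORM_HDR})")
        more, _, tlen, ttype, _, tid = struct.unpack("!BBHBBH", data[off:off + TRANSFORM_HDR])
        if tlen < TRANSFORM_HDR or off + tlen > len(data):
            raise MalformedSA(f"transform length {tlen} exceeds proposal")
        xforms.append({"type": TRANSFORM_TYPES.get(ttype, ttype), "id": tid, "length": tlen,
                       "attrs": parse_attrs(data[off + TRANSFORM_HDR:off + tlen])})
        off += tlen
        if more == 0:
            break
    if len(xforms) != expected or off != len(data):
        raise MalformedSA("transform count or length mismatch")
    return xforms

def parse_sa_payload(payload):
    """Parse a complete SA payload (generic header + proposals) into a dict."""
    if len(payload) < PAYLOAD_HDR or struct.unpack("!BBH", payload[:4])[2] != len(payload):
        raise MalformedSA("payload length field does not match the buffer")
    nextp, _, length = struct.unpack("!BBH", payload[:PAYLOAD_HDR])
    body, off, proposals = payload[PAYLOAD_HDR:], 0, []
    while True:
        left = len(body) - off  # 0 for the 4-byte IKE_AUTH SA payload in the logs
        if left < PROPOSAL_HDR:
            raise MalformedSA(f"too short for header ({left} < {PROPOSAL_HDR})")
        more, _, plen, num, protoid, spisize, nxf = struct.unpack("!BBHBBBB", body[off:off + PROPOSAL_HDR])
        if plen < PROPOSAL_HDR + spisize or off + plen > len(body):
            raise MalformedSA(f"proposal #{num} length {plen} exceeds payload")
        start = off + PROPOSAL_HDR + spisize  # transforms follow the (possibly empty) SPI
        proposals.append({"num": num, "protoid": protoid, "length": plen,
                          "transforms": parse_transforms(body[start:off + plen], nxf)})
        off += plen
        if more == 0:  # 2 = another proposal follows, 0 = last
            break
    return {"next_payload": nextp, "length": length, "proposals": proposals}

def build_sa_init_payload():
    """Constructed copy of the logged IKE_SA_INIT SA payload: IKE proposal (protoid 1) with
    ENCR AES_GCM_12 (id 19) + KEY_LENGTH 256, DH ECP_521 (id 21), PRF HMAC_SHA2_512 (id 7)."""
    encr = struct.pack("!BBHBBH", 3, 0, 12, 1, 0, 19) + struct.pack("!HH", 0x8000 | KEY_LENGTH, 256)
    dh = struct.pack("!BBHBBH", 3, 0, 8, 4, 0, 21)
    prf = struct.pack("!BBHBBH", 0, 0, 8, 2, 0, 7)
    proposal = struct.pack("!BBHBBBB", 0, 0, PROPOSAL_HDR + 28, 1, 1, 0, 3) + encr + dh + prf
    return struct.pack("!BBH", 34, 0, PAYLOAD_HDR + len(proposal)) + proposal  # next payload KE (34)

# Logged IKE_AUTH SA payload: generic header only, next payload TSi (44), length 4, no proposal.
EMPTY_SA_PAYLOAD = struct.pack("!BBH", 44, 0, 4)

def check(payload):
    try:
        return parse_sa_payload(payload), None  # (parsed, None) when the payload is well-formed
    except MalformedSA as exc:
        return None, str(exc)  # (None, reason) where iked would refuse the message
```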

