Hi misc,
Cannot get the iphone to connect to an iked server with ikev2 using
certificate exported by ikectl. Logs below.
I imported p6.local.pfx cert from the zip generated by:
#ikectl ca VPN certificate p6.local export
into the iPhone profile. But iked fails with:
spi=0xe71692de490589ab: ca_getreq: found cert with matching ID but
without matching key.
Local ID is p6.local
Remote ID is the server IP address.
Any ideas?
----
certs were generated / exported thus way:
certs generation was done this way:
ikectl ca VPN create
ikectl ca VPN install
ikectl ca VPN certificate 33.33.33.33 create server
ikectl ca VPN certificate 33.33.33.33 install
ikectl ca VPN certificate p6.local create client
ikectl ca VPN certificate p6.local install
ikectl ca VPN certificate p6.local export
Then imported p6.local.pfx from p6.local.zip into the iphone
----
/etc/pf.conf
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
set skip on lo
table <badhosts> persist
block quick on em0 from <badhosts> to any
block return # block stateless traffic
pass # establish keep-state
# NAT
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
pass quick proto udp from any to self port {isakmp, ipsec-nat-t} keep
state
pass on enc0 from any to self keep state (if-bound)
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
----
/etc/iked.conf
ikev2 "vpn" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
from ::0/0 to ::0/0 \
local egress peer any \
ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group
modp2048 \
childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
srcid 33.33.33.33 \
dstid p6.local \
config address 172.24.24.0/24 \
config address 2001:470:203a:a0::/64 \
config name-server 172.24.24.1 \
config name-server 2001:470:203a:a0::1 \
----
----
host9# iked -d -v
ikev2 "vpn" passive tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0 from
::/0 to ::/0 local 33.33.33.33 peer any ikesa enc aes-256 prf
hmac-sha2-256 auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth
hmac-sha2-256 group modp2048 esn noesn srcid 33.33.33.33 dstid p6.local
lifetime 10800 bytes 4294967296 signature config address 172.24.24.0
config address 2001:470:203a:a0:: config name-server 172.24.24.1 config
name-server 2001:470:203a:a0::1
spi=0xe461b2e822193627: recv IKE_SA_INIT req 0 peer 44.55.66.77:11461
local 33.33.33.33:500, 604 bytes, policy 'vpn'
spi=0xe461b2e822193627: send IKE_SA_INIT res 0 peer 44.55.66.77:11461
local 33.33.33.33:500, 473 bytes
spi=0xe461b2e822193627: recv IKE_AUTH req 1 peer 44.55.66.77:11460 local
33.33.33.33:4500, 496 bytes, policy 'vpn'
spi=0xe461b2e822193627: ikev2_send_auth_failed: authentication failed
for FQDN/p6.local
spi=0xe461b2e822193627: send IKE_AUTH res 1 peer 44.55.66.77:11460 local
33.33.33.33:4500, 80 bytes, NAT-T
spi=0xe461b2e822193627: sa_free: authentication failed
spi=0xe461b2e822193627: ca_getreq: found cert with matching ID but
without matching key.
spi=0xe71692de490589ab: recv IKE_SA_INIT req 0 peer 44.55.66.77:11461
local 33.33.33.33:500, 604 bytes, policy 'vpn'
spi=0xe71692de490589ab: send IKE_SA_INIT res 0 peer 44.55.66.77:11461
local 33.33.33.33:500, 473 bytes
spi=0xe71692de490589ab: recv IKE_AUTH req 1 peer 44.55.66.77:11460 local
33.33.33.33:4500, 496 bytes, policy 'vpn'
spi=0xe71692de490589ab: ikev2_send_auth_failed: authentication failed
for FQDN/p6.local
spi=0xe71692de490589ab: send IKE_AUTH res 1 peer 44.55.66.77:11460 local
33.33.33.33:4500, 80 bytes, NAT-T
spi=0xe71692de490589ab: sa_free: authentication failed
spi=0xe71692de490589ab: ca_getreq: found cert with matching ID but
without matching key.
^Cikev2 exiting, pid 93228
ca exiting, pid 55488
control exiting, pid 6213
parent terminating
----
----
host9# iked -d -vv
create_ike: using signature for peer p6.local
ikev2 "vpn" passive tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0 from
::/0 to ::/0 local 33.33.33.33 peer any ikesa enc aes-256 prf
hmac-sha2-256 auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth
hmac-sha2-256 group modp2048 esn noesn srcid 33.33.33.33 dstid p6.local
lifetime 10800 bytes 4294967296 signature config address 172.24.24.0
config address 2001:470:203a:a0:: config name-server 172.24.24.1 config
name-server 2001:470:203a:a0::1
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1193
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
config_getpolicy: received policy
ca_getkey: received private key type RSA_KEY length 1193
config_getpfkey: received pfkey fd 3
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getstatic: dpd_check_interval 60
config_getstatic: no enforcesingleikesa
config_getstatic: no fragmentation
config_getstatic: mobike
config_getstatic: nattport 4500
config_getstatic: no stickyaddress
ca_reload: loaded ca file ca.crt
ca_reload: loaded crl file ca.crl
ca_reload: /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=VPN
CA/emailAddress=r...@openbsd.org
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file 33.33.33.33.crt
ca_reload: loaded cert file phone.local.crt
ca_reload: loaded cert file p6.local.crt
ca_validate_cert: /C=DE/ST=Lower
Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=phone.local/emailAddress=r...@openbsd.org
ok
ca_validate_cert: /C=DE/ST=Lower
Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=33.33.33.33/emailAddress=r...@openbsd.org
ok
ca_validate_cert: /C=DE/ST=Lower
Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=p6.local/emailAddress=r...@openbsd.org
ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none tolerate 0 maxage -1
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
policy_lookup: setting policy 'vpn'
spi=0xa401bda7cbb03777: recv IKE_SA_INIT req 0 peer 44.55.66.77:35027
local 33.33.33.33:500, 604 bytes, policy 'vpn'
ikev2_recv: ispi 0xa401bda7cbb03777 rspi 0x0000000000000000
ikev2_policy2id: srcid IPV4/33.33.33.33 length 8
ikev2_pld_parse: header ispi 0xa401bda7cbb03777 rspi 0x0000000000000000
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0
length 604 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 220
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #1 protoid IKE
spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #2 protoid IKE
spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_256
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #3 protoid IKE
spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #4 protoid IKE
spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #5 protoid IKE
spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length
264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00
length 20
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00
length 8
ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00
length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0xa401bda7cbb03777 0x0000000000000000
44.55.66.77:35027
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00
length 28
ikev2_pld_notify: protoid NONE spisize 0 type
NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0xa401bda7cbb03777
0x0000000000000000 33.33.33.33:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length
8
ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
proposals_negotiate: score 4
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
policy_lookup: setting policy 'vpn'
spi=0xa401bda7cbb03777: sa_state: INIT -> SA_INIT
proposals_negotiate: score 4
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
spi=0xa401bda7cbb03777: ikev2_sa_keys: DHSECRET with 256 bytes
ikev2_sa_keys: SKEYSEED with 32 bytes
spi=0xa401bda7cbb03777: ikev2_sa_keys: S with 64 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_resp_ike_sa_init: detected NAT, enabling UDP encapsulation
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload VENDOR
ikev2_next_payload: length 16 nextpayload NOTIFY
ikev2_nat_detection: local source 0xa401bda7cbb03777 0xa7b83476f3b174ff
33.33.33.33:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xa401bda7cbb03777
0xa7b83476f3b174ff 44.55.66.77:35027
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload NONE
ikev2_pld_parse: header ispi 0xa401bda7cbb03777 rspi 0xa7b83476f3b174ff
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0
length 473 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE
spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length
264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00
length 36
ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00
length 16
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00
length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00
length 28
ikev2_pld_notify: protoid NONE spisize 0 type
NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00
length 25
ikev2_pld_certreq: type X509_CERT length 20
spi=0xa401bda7cbb03777: send IKE_SA_INIT res 0 peer 44.55.66.77:35027
local 33.33.33.33:500, 473 bytes
config_free_proposals: free 0xab8d70b5780
config_free_proposals: free 0xab8d70cca00
config_free_proposals: free 0xab8d70c4d80
config_free_proposals: free 0xab8d70c5580
config_free_proposals: free 0xab8d70b5380
spi=0xa401bda7cbb03777: recv IKE_AUTH req 1 peer 44.55.66.77:35037 local
33.33.33.33:4500, 496 bytes, policy 'vpn'
ikev2_recv: ispi 0xa401bda7cbb03777 rspi 0xa7b83476f3b174ff
ikev2_recv: updated SA to peer 44.55.66.77:35037 local 33.33.33.33:4500
ikev2_pld_parse: header ispi 0xa401bda7cbb03777 rspi 0xa7b83476f3b174ff
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length
496 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 468
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 432
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 432/432 padding 3
ikev2_pld_payloads: decrypted payload IDi nextpayload NOTIFY critical
0x00 length 16
ikev2_pld_id: id FQDN/p6.local length 12
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload IDr critical
0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type INITIAL_CONTACT
ikev2_pld_payloads: decrypted payload IDr nextpayload CP critical 0x00
length 12
ikev2_pld_id: id IPV4/33.33.33.33 length 8
ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical
0x00 length 40
ikev2_pld_cp: type REQUEST length 32
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 0
ikev2_pld_cp: INTERNAL_IP4_DHCP 0x0006 length 0
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
ikev2_pld_cp: INTERNAL_IP6_ADDRESS 0x0008 length 0
ikev2_pld_cp: INTERNAL_IP6_DHCP 0x000c length 0
ikev2_pld_cp: INTERNAL_IP6_DNS 0x000a length 0
ikev2_pld_cp: <UNKNOWN:25> 0x0019 length 0
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical
0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type
ESP_TFC_PADDING_NOT_SUPPORTED
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical
0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type NON_FIRST_FRAGMENTS_ALSO
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00
length 200
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid ESP
spisize 4 xforms 3 spi 0x0209efaa
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #2 protoid ESP
spisize 4 xforms 3 spi 0x0d0e3511
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #3 protoid ESP
spisize 4 xforms 3 spi 0x078c1fac
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #4 protoid ESP
spisize 4 xforms 3 spi 0x00f6cb41
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_sa: more 0 reserved 0 length 36 proposal #5 protoid ESP
spisize 4 xforms 3 spi 0x0d8e4376
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00
length 64
ikev2_pld_tss: count 2 length 56
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0
endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_tss: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0
endport 65535
ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical
0x00 length 64
ikev2_pld_tss: count 2 length 56
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0
endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_tss: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0
endport 65535
ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical
0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
ikev2_handle_notifies: mobike enabled
ikev2_resp_recv: NAT-T message received, updated SA
sa_stateok: SA_INIT flags 0x0000, require 0x0000
policy_lookup: peerid 'p6.local'
policy_lookup: localid '33.33.33.33'
proposals_negotiate: score 4
policy_lookup: setting policy 'vpn'
ikev2_policy2id: srcid IPV4/33.33.33.33 length 8
sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0000 )
spi=0xa401bda7cbb03777: ikev2_ike_auth_recv: missing auth payload
spi=0xa401bda7cbb03777: ikev2_send_auth_failed: authentication failed
for FQDN/p6.local
ikev2_next_payload: length 8 nextpayload NONE
ikev2_next_payload: length 52 nextpayload NOTIFY
ikev2_msg_encrypt: decrypted length 8
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 9, padding 7, output length 48
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xa401bda7cbb03777 rspi 0xa7b83476f3b174ff
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length
80 response 1
ikev2_pld_payloads: payload SK nextpayload NOTIFY critical 0x00 length
52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 7
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical
0x00 length 8
ikev2_pld_notify: protoid IKE spisize 0 type AUTHENTICATION_FAILED
spi=0xa401bda7cbb03777: send IKE_AUTH res 1 peer 44.55.66.77:35037 local
33.33.33.33:4500, 80 bytes, NAT-T
spi=0xa401bda7cbb03777: sa_state: SA_INIT -> CLOSING
ikev2_resp_recv: failed to send auth response
spi=0xa401bda7cbb03777: sa_state: CLOSING -> CLOSED from
44.55.66.77:35037 to 33.33.33.33:4500 policy 'vpn'
ikev2_recv: closing SA
spi=0xa401bda7cbb03777: sa_free: authentication failed
config_free_proposals: free 0xab8d70c4700
config_free_proposals: free 0xab8d70cc200
config_free_proposals: free 0xab8d70b5900
config_free_proposals: free 0xab8d70c5a00
config_free_proposals: free 0xab8d70c5280
config_free_proposals: free 0xab8d70b5f00
ca_getreq: found CA /C=DE/ST=Lower
Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=VPN
CA/emailAddress=r...@openbsd.org
ca_x509_subjectaltname_do: did not find subjectAltName in certificate
ca_cert_local: certificate key mismatch
spi=0xa401bda7cbb03777: ca_getreq: found cert with matching ID but
without matching key.
ca_getreq: found local certificate /C=DE/ST=Lower
Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=33.33.33.33/emailAddress=r...@openbsd.org
ikev2_getimsgdata: imsg 22 rspi 0xa7b83476f3b174ff ispi
0xa401bda7cbb03777 initiator 0 sa invalid type 4 data length 994
ikev2_dispatch_cert: invalid cert reply
policy_lookup: setting policy 'vpn'
spi=0xb5e5ba4386a986f3: recv IKE_SA_INIT req 0 peer 44.55.66.77:35027
local 33.33.33.33:500, 604 bytes, policy 'vpn'
ikev2_recv: ispi 0xb5e5ba4386a986f3 rspi 0x0000000000000000
ikev2_policy2id: srcid IPV4/33.33.33.33 length 8
ikev2_pld_parse: header ispi 0xb5e5ba4386a986f3 rspi 0x0000000000000000
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0
length 604 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 220
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #1 protoid IKE
spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #2 protoid IKE
spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_256
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #3 protoid IKE
spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #4 protoid IKE
spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #5 protoid IKE
spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length
264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00
length 20
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00
length 8
ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00
length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0xb5e5ba4386a986f3 0x0000000000000000
44.55.66.77:35027
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00
length 28
ikev2_pld_notify: protoid NONE spisize 0 type
NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0xb5e5ba4386a986f3
0x0000000000000000 33.33.33.33:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length
8
ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
proposals_negotiate: score 4
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
policy_lookup: setting policy 'vpn'
spi=0xb5e5ba4386a986f3: sa_state: INIT -> SA_INIT
proposals_negotiate: score 4
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
spi=0xb5e5ba4386a986f3: ikev2_sa_keys: DHSECRET with 256 bytes
ikev2_sa_keys: SKEYSEED with 32 bytes
spi=0xb5e5ba4386a986f3: ikev2_sa_keys: S with 64 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_resp_ike_sa_init: detected NAT, enabling UDP encapsulation
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload VENDOR
ikev2_next_payload: length 16 nextpayload NOTIFY
ikev2_nat_detection: local source 0xb5e5ba4386a986f3 0x34cfe60768e5e796
33.33.33.33:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xb5e5ba4386a986f3
0x34cfe60768e5e796 44.55.66.77:35027
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload NONE
ikev2_pld_parse: header ispi 0xb5e5ba4386a986f3 rspi 0x34cfe60768e5e796
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0
length 473 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE
spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length
264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00
length 36
ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00
length 16
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00
length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00
length 28
ikev2_pld_notify: protoid NONE spisize 0 type
NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00
length 25
ikev2_pld_certreq: type X509_CERT length 20
spi=0xb5e5ba4386a986f3: send IKE_SA_INIT res 0 peer 44.55.66.77:35027
local 33.33.33.33:500, 473 bytes
config_free_proposals: free 0xab8d70c5500
config_free_proposals: free 0xab8d70c4e80
config_free_proposals: free 0xab8d70b5480
config_free_proposals: free 0xab8d70c5700
config_free_proposals: free 0xab8d70b5200
spi=0xb5e5ba4386a986f3: recv IKE_AUTH req 1 peer 44.55.66.77:35037 local
33.33.33.33:4500, 496 bytes, policy 'vpn'
ikev2_recv: ispi 0xb5e5ba4386a986f3 rspi 0x34cfe60768e5e796
ikev2_recv: updated SA to peer 44.55.66.77:35037 local 33.33.33.33:4500
ikev2_pld_parse: header ispi 0xb5e5ba4386a986f3 rspi 0x34cfe60768e5e796
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length
496 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 468
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 432
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 432/432 padding 3
ikev2_pld_payloads: decrypted payload IDi nextpayload NOTIFY critical
0x00 length 16
ikev2_pld_id: id FQDN/p6.local length 12
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload IDr critical
0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type INITIAL_CONTACT
ikev2_pld_payloads: decrypted payload IDr nextpayload CP critical 0x00
length 12
ikev2_pld_id: id IPV4/33.33.33.33 length 8
ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical
0x00 length 40
ikev2_pld_cp: type REQUEST length 32
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 0
ikev2_pld_cp: INTERNAL_IP4_DHCP 0x0006 length 0
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
ikev2_pld_cp: INTERNAL_IP6_ADDRESS 0x0008 length 0
ikev2_pld_cp: INTERNAL_IP6_DHCP 0x000c length 0
ikev2_pld_cp: INTERNAL_IP6_DNS 0x000a length 0
ikev2_pld_cp: <UNKNOWN:25> 0x0019 length 0
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical
0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type
ESP_TFC_PADDING_NOT_SUPPORTED
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical
0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type NON_FIRST_FRAGMENTS_ALSO
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00
length 200
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid ESP
spisize 4 xforms 3 spi 0x03783304
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #2 protoid ESP
spisize 4 xforms 3 spi 0x0dafe4ea
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #3 protoid ESP
spisize 4 xforms 3 spi 0x0ef2c7af
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #4 protoid ESP
spisize 4 xforms 3 spi 0x0769d7b8
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_sa: more 0 reserved 0 length 36 proposal #5 protoid ESP
spisize 4 xforms 3 spi 0x0011b792
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00
length 64
ikev2_pld_tss: count 2 length 56
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0
endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_tss: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0
endport 65535
ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical
0x00 length 64
ikev2_pld_tss: count 2 length 56
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0
endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_tss: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0
endport 65535
ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical
0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
ikev2_handle_notifies: mobike enabled
ikev2_resp_recv: NAT-T message received, updated SA
sa_stateok: SA_INIT flags 0x0000, require 0x0000
policy_lookup: peerid 'p6.local'
policy_lookup: localid '33.33.33.33'
proposals_negotiate: score 4
policy_lookup: setting policy 'vpn'
ikev2_policy2id: srcid IPV4/33.33.33.33 length 8
sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0000 )
spi=0xb5e5ba4386a986f3: ikev2_ike_auth_recv: missing auth payload
spi=0xb5e5ba4386a986f3: ikev2_send_auth_failed: authentication failed
for FQDN/p6.local
ikev2_next_payload: length 8 nextpayload NONE
ikev2_next_payload: length 52 nextpayload NOTIFY
ikev2_msg_encrypt: decrypted length 8
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 9, padding 7, output length 48
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xb5e5ba4386a986f3 rspi 0x34cfe60768e5e796
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length
80 response 1
ikev2_pld_payloads: payload SK nextpayload NOTIFY critical 0x00 length
52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 7
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical
0x00 length 8
ikev2_pld_notify: protoid IKE spisize 0 type AUTHENTICATION_FAILED
spi=0xb5e5ba4386a986f3: send IKE_AUTH res 1 peer 44.55.66.77:35037 local
33.33.33.33:4500, 80 bytes, NAT-T
spi=0xb5e5ba4386a986f3: sa_state: SA_INIT -> CLOSING
ikev2_resp_recv: failed to send auth response
spi=0xb5e5ba4386a986f3: sa_state: CLOSING -> CLOSED from
44.55.66.77:35037 to 33.33.33.33:4500 policy 'vpn'
ikev2_recv: closing SA
spi=0xb5e5ba4386a986f3: sa_free: authentication failed
config_free_proposals: free 0xab8d70c4d00
config_free_proposals: free 0xab8d70c4c00
config_free_proposals: free 0xab8d70c5300
config_free_proposals: free 0xab8d70c3180
config_free_proposals: free 0xab8d70b5580
config_free_proposals: free 0xab8d70c4800
ca_getreq: found CA /C=DE/ST=Lower
Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=VPN
CA/emailAddress=r...@openbsd.org
ca_x509_subjectaltname_do: did not find subjectAltName in certificate
ca_cert_local: certificate key mismatch
spi=0xb5e5ba4386a986f3: ca_getreq: found cert with matching ID but
without matching key.
ca_getreq: found local certificate /C=DE/ST=Lower
Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=33.33.33.33/emailAddress=r...@openbsd.org
ikev2_getimsgdata: imsg 22 rspi 0x34cfe60768e5e796 ispi
0xb5e5ba4386a986f3 initiator 0 sa invalid type 4 data length 994
ikev2_dispatch_cert: invalid cert reply
^Cconfig_doreset: flushing policies
config_free_proposals: free 0xab8d70b5d80
config_free_proposals: free 0xab8d70c4680
config_free_flows: free 0xab8d70d4800
config_free_flows: free 0xab8d7099400
config_doreset: flushing SAs
config_doreset: flushing users
ikev2 exiting, pid 91232
ca exiting, pid 86139
control exiting, pid 58820
parent terminating
----
