OpenBSD 6.1 installed from image and runs fine.

I tried to set up an "active" connection towards a CISCO router (Cisco IOS
Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5,
RELEASE SOFTWARE (fc1)).
Passive mode runs great when the router initiates the connection, but the
CISCO router does not accept the IPSEC_SA proposal.
This is because the CISCO router enforces RFC5996/3.3.1, so that all
proposals must start from 1.
Openiked however sends the IPSEC_SA as proposal 2 (as proposals are handled
somewhat globally in openiked.)
As they are sent in two different messages, the IPSEC_SA proposal should be
proposal 2, and not proposal 1.
I also see that Openiked sends only one proposal per message, so I tried
out the attached patch.
With the patch applied, Openiked with an active configuration was able to
negotiate the tunnel and worked.

Thank you!
diff --git a/openbsd/sbin/iked/parse.y b/openbsd/sbin/iked/parse.y
index 722d908..9420a6d 100644
--- a/openbsd/sbin/iked/parse.y
+++ b/openbsd/sbin/iked/parse.y
@@ -2708,7 +2708,8 @@ create_ike(char *name, int af, uint8_t ipproto, struct 
ipsec_hosts *hosts,
        TAILQ_INIT(&pol.pol_proposals);
        RB_INIT(&pol.pol_flows);
 
-       prop[0].prop_id = ++pol.pol_nproposals;
+       prop[0].prop_id = 1;
+       ++pol.pol_nproposals;
        prop[0].prop_protoid = IKEV2_SAPROTO_IKE;
        if (ike_sa == NULL || ike_sa->xfs == NULL) {
                prop[0].prop_nxforms = ikev2_default_nike_transforms;
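Review bot: for the IKE proposal this hunk changes no observable value, since `prop[0].prop_id` was already 1 whenever `pol.pol_nproposals` started at 0 (its initialization is not visible in the hunk, so that assumption should be confirmed); what it does change is the invariant that `prop_id` tracks `pol_nproposals`. A short comment above `prop[0].prop_id = 1;` citing RFC 5996 section 3.3.1 (proposal numbers restart at 1 within each SA payload) would stop a later cleanup from folding the two statements back into `++pol.pol_nproposals`.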
@@ -2740,7 +2740,8 @@ create_ike(char *name, int af, uint8_t ipproto, struct 
ipsec_hosts *hosts,
        }
        TAILQ_INSERT_TAIL(&pol.pol_proposals, &prop[0], prop_entry);
 
-       prop[1].prop_id = ++pol.pol_nproposals;
+       prop[1].prop_id = 1;
+       ++pol.pol_nproposals;
        prop[1].prop_protoid = saproto;
        if (ipsec_sa == NULL || ipsec_sa->xfs == NULL) {
                prop[1].prop_nxforms = ikev2_default_nesp_transforms;
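Review bot: after this hunk both entries in `pol.pol_proposals` carry `prop_id == 1` while `pol_nproposals` still counts to 2, so `prop_id` is no longer unique within the policy. Any lookup that matches a peer's chosen proposal back to the policy by `prop_id` alone would now be ambiguous; it should be checked that such matching keys on the pair (`prop_id`, `prop_protoid`), which is what still distinguishes `prop[0]` (IKEV2_SAPROTO_IKE) from `prop[1]` (`saproto`). Worth also re-testing the passive (responder) path, which the report says already worked, to confirm the renumbering does not regress it.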
