A downgrade to 6.2 amd64 with syspatches resolved the problem.
Wipe and install, then restore the last configuration backup that I had before
the upgrade to 6.3, so these are the exact same certificates and configuration.
Logs:
Jun 28 09:24:46 tp-fw-fil-01 iked[92827]: ikev2_recv: IKE_SA_INIT request from initiator 192.168.1.109:500 to 192.168.6.2:500 policy 'hv-wrk-st-01' id 0, 528 bytes
Jun 28 09:24:46 tp-fw-fil-01 iked[92827]: ikev2_msg_send: IKE_SA_INIT response from 192.168.6.2:500 to 192.168.1.109:500 msgid 0, 274 bytes
Jun 28 09:24:46 tp-fw-fil-01 iked[92827]: ikev2_recv: IKE_AUTH request from initiator 192.168.1.109:500 to 192.168.6.2:500 policy 'hv-wrk-st-01' id 1, 7380 bytes
Jun 28 09:24:46 tp-fw-fil-01 iked[92827]: ikev2_msg_send: IKE_AUTH response from 192.168.6.2:500 to 192.168.1.109:500 msgid 1, 1588 bytes
Jun 28 09:24:46 tp-fw-fil-01 iked[92827]: sa_state: VALID -> ESTABLISHED from 192.168.1.109:500 to 192.168.6.2:500 policy 'hv-wrk-st-01'
Jun 28 09:25:16 tp-fw-fil-01 iked[92827]: ikev2_recv: INFORMATIONAL request from initiator 192.168.1.109:500 to 192.168.6.2:500 policy 'hv-wrk-st-01' id 2, 68 bytes
Jun 28 09:25:16 tp-fw-fil-01 iked[92827]: ikev2_pld_delete: deleted 1 spis
Jun 28 09:25:16 tp-fw-fil-01 iked[92827]: ikev2_msg_send: INFORMATIONAL response from 192.168.6.2:500 to 192.168.1.109:500 msgid 2, 68 bytes
Jun 28 09:25:16 tp-fw-fil-01 iked[92827]: ikev2_recv: INFORMATIONAL request from initiator 192.168.1.109:500 to 192.168.6.2:500 policy 'hv-wrk-st-01' id 3, 68 bytes
Jun 28 09:25:16 tp-fw-fil-01 iked[92827]: ikev2_msg_send: INFORMATIONAL response from 192.168.6.2:500 to 192.168.1.109:500 msgid 3, 60 bytes
Jun 28 09:25:16 tp-fw-fil-01 iked[92827]: sa_state: ESTABLISHED -> CLOSED from 192.168.1.109:500 to 192.168.6.2:500 policy 'hv-wrk-st-01'
And dmesg:
OpenBSD 6.2 (GENERIC.MP) #2: Thu Jun 21 10:47:34 MDT 2018
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8478691328 (8085MB)
avail mem = 8214650880 (7834MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0x7a6b1000 (92 entries)
bios0: vendor HP version "U22" date 01/22/2018
bios0: HP ProLiant DL20 Gen9
acpi0 at bios0: rev 2
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP SSDT HEST BERT ERST EINJ BGRT HPET WDDT APIC MCFG SLIT
SRAT SPMI RASF SPCR BDAT PCCT DMAR SSDT SSDT SSDT
acpi0: wakeup devices PEXA(S4) BR01(S4) BR02(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 23999999 Hz
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E3-1220 v5 @ 3.00GHz, 3000.00 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: TSC frequency 3000000000 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 23MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1, IBE
cpu1 at mainbus0: apid 4 (application processor)
cpu1: Intel(R) Xeon(R) CPU E3-1220 v5 @ 3.00GHz, 3000.00 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 2, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Xeon(R) CPU E3-1220 v5 @ 3.00GHz, 3000.00 MHz
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 1, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU E3-1220 v5 @ 3.00GHz, 3000.00 MHz
cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 20, 24 pins
acpimcfg0 at acpi0 addr 0x80000000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PEX8)
acpiprt2 at acpi0: bus 2 (PEXA)
acpiprt3 at acpi0: bus -1 (BR01)
acpiprt4 at acpi0: bus -1 (BR02)
acpipwrres0 at acpi0: P1PR
"PNP0C33" at acpi0 not configured
"ACPI0004" at acpi0 not configured
"ACPI0007" at acpi0 not configured
"ACPI0007" at acpi0 not configured
"ACPI0007" at acpi0 not configured
"ACPI0007" at acpi0 not configured
"INT3F0D" at acpi0 not configured
"IPI0001" at acpi0 not configured
"ACPI000E" at acpi0 not configured
"ACPI000D" at acpi0 not configured
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Xeon E3-1200 v5 Host" rev 0x07
xhci0 at pci0 dev 20 function 0 "Intel 100 Series xHCI" rev 0x31: msi
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00
addr 1
"Intel 100 Series MEI" rev 0x31 at pci0 dev 22 function 0 not configured
ahci0 at pci0 dev 23 function 0 "Intel 100 Series AHCI" rev 0x31: msi, AHCI
1.3.1
ahci0: port 0: 3.0Gb/s
ahci0: PHY offline on port 1
ahci0: PHY offline on port 2
ahci0: PHY offline on port 3
ahci0: PHY offline on port 4
ahci0: PHY offline on port 5
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0: <ATA, WDC WD2500AAJS-6, 03.0> SCSI3 0/direct
fixed naa.50014ee103ce0c8b
sd0: 238475MB, 512 bytes/sector, 488397168 sectors
ppb0 at pci0 dev 29 function 0 "Intel 100 Series PCIE" rev 0xf1: msi
pci1 at ppb0 bus 1
"Hewlett-Packard iLO3 Slave" rev 0x06 at pci1 dev 0 function 0 not configured
"Matrox MGA G200eH" rev 0x01 at pci1 dev 0 function 1 not configured
"Hewlett-Packard iLO3 Management" rev 0x06 at pci1 dev 0 function 2 not
configured
uhci0 at pci1 dev 0 function 4 "Hewlett-Packard USB" rev 0x03: apic 2 int 17
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 configuration 1 interface 0 "Hewlett-Packard UHCI root hub" rev
1.00/1.00 addr 1
ppb1 at pci0 dev 29 function 2 "Intel 100 Series PCIE" rev 0xf1: msi
pci2 at ppb1 bus 2
bge0 at pci2 dev 0 function 0 "Broadcom BCM5720" rev 0x00, BCM5720 A0
(0x5720000), APE firmware NCSI 1.4.16.0: msi, address ec:eb:b8:5d:94:58
brgphy0 at bge0 phy 1: BCM5720C 10/100/1000baseT PHY, rev. 0
bge1 at pci2 dev 0 function 1 "Broadcom BCM5720" rev 0x00, BCM5720 A0
(0x5720000), APE firmware NCSI 1.4.16.0: msi, address ec:eb:b8:5d:94:59
brgphy1 at bge1 phy 2: BCM5720C 10/100/1000baseT PHY, rev. 0
pcib0 at pci0 dev 31 function 0 "Intel C232 LPC" rev 0x31
"Intel 100 Series PMC" rev 0x31 at pci0 dev 31 function 2 not configured
ichiic0 at pci0 dev 31 function 4 "Intel 100 Series SMBus" rev 0x31: apic 2 int
16
iic0 at ichiic0
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: probed fifo depth: 0 bytes
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
vmm0 at mainbus0: VMX/EPT
efifb0 at mainbus0: 1280x1024, 32bpp
wsdisplay0 at efifb0 mux 1: console (std, vt100 emulation), using wskbd0
wsdisplay0: screen 1-5 added (std, vt100 emulation)
uhub2 at uhub0 port 3 configuration 1 interface 0 "Standard Microsystems
product 0x2660" rev 2.00/8.01 addr 2
uhidev0 at uhub0 port 7 configuration 1 interface 0 "CHICONY HP Basic USB
Keyboard" rev 1.10/3.00 addr 3
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (88cf3e1bf9306dab.a) swap on sd0b dump on sd0b
wskbd1: disconnecting from wsdisplay0
wskbd1 detached
ukbd0 detached
uhidev0 detached
> >Synopsis: iked vpn from a windows 7 machine was ok with 6.2, can't connect with 6.3 and current (2018-06-22)
> >Category: system
> >Environment:
> System : OpenBSD 6.3
> Details : OpenBSD 6.3-current (GENERIC.MP) #45: Fri Jun 22 00:06:39
> MDT 2018
>
> [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> Architecture: OpenBSD.amd64
> Machine : amd64
> >Description:
> We have a Windows 7 machine with an IKEv2 connection to OpenBSD, using
> only machine certificates.
> It was working correctly from 5.8 to 6.2, but it was recently upgraded to
> 6.3 stable with syspatches, and now the VPN won't connect.
> On the OpenBSD side, the VPN goes from VALID to ESTABLISHED, but the
> Windows side tries to authenticate after the connection.
> No Windows patches were applied in the months prior to the update, so
> there are no known changes on the Windows side.
> I tried reverting the syspatches from 6.3 stable, and upgraded to the
> latest snapshot (2018-06-22), with the same results.
>
> Logs from a connection with 6.2 stable:
>
> Jun 2 19:25:48 tp-fw-fil-01 iked[91396]: ikev2_recv: IKE_SA_INIT request from initiator 192.168.1.109:500 to 192.168.6.2:500 policy 'hv-wrk-st-01' id 0, 528 bytes
> Jun 2 19:25:48 tp-fw-fil-01 iked[91396]: ikev2_msg_send: IKE_SA_INIT response from 192.168.6.2:500 to 192.168.1.109:500 msgid 0, 274 bytes
> Jun 2 19:25:48 tp-fw-fil-01 iked[91396]: ikev2_recv: IKE_AUTH request from initiator 192.168.1.109:500 to 192.168.6.2:500 policy 'hv-wrk-st-01' id 1, 7380 bytes
> Jun 2 19:25:48 tp-fw-fil-01 iked[91396]: ikev2_msg_send: IKE_AUTH response from 192.168.6.2:500 to 192.168.1.109:500 msgid 1, 1588 bytes
> Jun 2 19:25:48 tp-fw-fil-01 iked[91396]: sa_state: VALID -> ESTABLISHED from 192.168.1.109:500 to 192.168.6.2:500 policy 'hv-wrk-st-01'
> Jun 2 19:28:03 tp-fw-fil-01 iked[91396]: ikev2_recv: INFORMATIONAL request from initiator 192.168.1.109:500 to 192.168.6.2:500 policy 'hv-wrk-st-01' id 2, 68 bytes
> Jun 2 19:28:03 tp-fw-fil-01 iked[91396]: ikev2_pld_delete: deleted 1 spis
> Jun 2 19:28:03 tp-fw-fil-01 iked[91396]: ikev2_msg_send: INFORMATIONAL response from 192.168.6.2:500 to 192.168.1.109:500 msgid 2, 68 bytes
> Jun 2 19:28:03 tp-fw-fil-01 iked[91396]: ikev2_recv: INFORMATIONAL request from initiator 192.168.1.109:500 to 192.168.6.2:500 policy 'hv-wrk-st-01' id 3, 68 bytes
> Jun 2 19:28:03 tp-fw-fil-01 iked[91396]: ikev2_msg_send: INFORMATIONAL response from 192.168.6.2:500 to 192.168.1.109:500 msgid 3, 60 bytes
> Jun 2 19:28:03 tp-fw-fil-01 iked[91396]: sa_state: ESTABLISHED -> CLOSED from 192.168.1.109:500 to 192.168.6.2:500 policy 'hv-wrk-st-01'
>
> And logs from a connection with 6.3:
>
> Jun 22 08:12:57 tp-fw-fil-01 iked[22074]: ikev2_recv: IKE_SA_INIT request from initiator 192.168.1.109:500 to 192.168.6.2:500 policy 'hv-wrk-st-01' id 0, 528 bytes
> Jun 22 08:12:57 tp-fw-fil-01 iked[22074]: ikev2_msg_send: IKE_SA_INIT response from 192.168.6.2:500 to 192.168.1.109:500 msgid 0, 278 bytes
> Jun 22 08:12:57 tp-fw-fil-01 iked[22074]: ikev2_recv: IKE_AUTH request from initiator 192.168.1.109:500 to 192.168.6.2:500 policy 'hv-wrk-st-01' id 1, 7392 bytes
> Jun 22 08:12:57 tp-fw-fil-01 iked[22074]: ikev2_msg_send: IKE_AUTH response from 192.168.6.2:500 to 192.168.1.109:500 msgid 1, 1616 bytes, NAT-T
> Jun 22 08:12:57 tp-fw-fil-01 iked[22074]: sa_state: VALID -> ESTABLISHED from 192.168.1.109:500 to 192.168.6.2:500 policy 'hv-wrk-st-01'
> Jun 22 08:12:58 tp-fw-fil-01 iked[22074]: ikev2_recv: IKE_AUTH request from initiator 192.168.1.109:500 to 192.168.6.2:500 policy 'hv-wrk-st-01' id 1, 7392 bytes
> Jun 22 08:13:00 tp-fw-fil-01 iked[22074]: ikev2_recv: IKE_AUTH request from initiator 192.168.1.109:500 to 192.168.6.2:500 policy 'hv-wrk-st-01' id 1, 7392 bytes
> Jun 22 08:13:04 tp-fw-fil-01 iked[22074]: ikev2_recv: IKE_AUTH request from initiator 192.168.1.109:500 to 192.168.6.2:500 policy 'hv-wrk-st-01' id 1, 7392 bytes
> Jun 22 08:13:08 tp-fw-fil-01 iked[22074]: ikev2_recv: INFORMATIONAL request from initiator 192.168.1.109:500 to 192.168.6.2:500 policy 'hv-wrk-st-01' id 1, 80 bytes
> Jun 22 08:13:09 tp-fw-fil-01 iked[22074]: ikev2_recv: INFORMATIONAL request from initiator 192.168.1.109:500 to 192.168.6.2:500 policy 'hv-wrk-st-01' id 1, 80 bytes
>
> With debug (-dvvT):
>
> set_policy_auth_method: using rsa for peer
> /etc/iked/pubkeys/ipv4/192.168.1.109
> set_policy: found pubkey for /etc/iked/pubkeys/ipv4/192.168.1.109
> ikev2 "hv-wrk-st-01" passive esp inet from 192.168.6.2 to 192.168.1.109 from
> 10.10.10.0/24 to
> 10.10.10.208 local 192.168.6.2 peer 192.168.1.109 ikesa enc
> aes-256,aes-192,aes-128,3des prf hmac-
> sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group
> modp2048,modp1536,modp1024 childsa enc aes-
> 256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid 192.168.6.2 dstid
> 192.168.1.109 lifetime 10800
> bytes 536870912 rsa config address 10.10.10.208 config netmask 255.255.255.0
> config name-server
> 192.168.1.35 config netbios-server 192.168.1.35
> /etc/iked.conf: loaded 1 configuration rules
> ca_privkey_serialize: type RSA_KEY length 1191
> ca_pubkey_serialize: type RSA_KEY length 270
> config_getpolicy: received policy
> ca_privkey_to_method: type RSA_KEY method RSA_SIG
> ca_getkey: received private key type RSA_KEY length 1191
> ca_getkey: received public key type RSA_KEY length 270
> ca_dispatch_parent: config reset
> config_getpfkey: received pfkey fd 3
> config_getcompile: compilation done
> config_getsocket: received socket fd 4
> config_getsocket: received socket fd 5
> config_getmobike: mobike
> ca_reload: loaded ca file ca.crt
> ca_reload: loaded crl file ca.crl
> ca_reload: /C=CA/ST=Quebec/L=Saint-Georges/O=Ville de
> Saint-Georges/OU=Service informatique/CN=VPN
> CA/[email protected]
> ca_reload: loaded 1 ca certificate
> ca_reload: loaded cert file 192.168.6.2.crt
> ca_validate_cert: /C=CA/ST=Quebec/L=Saint-Georges/O=Ville de
> Saint-Georges/OU=Service
> informatique/CN=192.168.6.2/[email protected] ok
> ca_reload: local cert type X509_CERT
> config_getocsp: ocsp_url none
> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
> ikev2_recv: IKE_SA_INIT request from initiator 192.168.1.109:500 to
> 192.168.6.2:500 policy 'hv-wrk-st-
> 01' id 0, 528 bytes
> ikev2_recv: ispi 0x686867d8a1ded25e rspi 0x0000000000000000
> ikev2_policy2id: srcid IPV4/192.168.6.2 length 8
> ikev2_pld_parse: header ispi 0x686867d8a1ded25e rspi 0x0000000000000000
> nextpayload SA version 0x20
> exchange IKE_SA_INIT flags 0x08 msgid 0 length 528 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
> ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0
> xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_sa: more 2 reserved 0 length 44 proposal #2 protoid IKE spisize 0
> xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_sa: more 2 reserved 0 length 40 proposal #3 protoid IKE spisize 0
> xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_sa: more 2 reserved 0 length 44 proposal #4 protoid IKE spisize 0
> xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_sa: more 2 reserved 0 length 40 proposal #5 protoid IKE spisize 0
> xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_sa: more 0 reserved 0 length 44 proposal #6 protoid IKE spisize 0
> xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
> ikev2_pld_ke: dh group MODP_1024 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_nat_detection: peer source 0x686867d8a1ded25e 0x0000000000000000
> 192.168.1.109:500
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_nat_detection: peer destination 0x686867d8a1ded25e 0x0000000000000000
> 192.168.6.2:500
> sa_state: INIT -> SA_INIT
> ikev2_sa_negotiate: score 21
> ikev2_sa_negotiate: score 12
> ikev2_sa_negotiate: score 17
> ikev2_sa_negotiate: score 8
> ikev2_sa_negotiate: score 0
> ikev2_sa_negotiate: score 0
> sa_stateok: SA_INIT flags 0x0000, require 0x0000
> sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
> ikev2_sa_keys: DHSECRET with 128 bytes
> ikev2_sa_keys: SKEYSEED with 32 bytes
> ikev2_sa_keys: S with 96 bytes
> ikev2_prfplus: T1 with 32 bytes
> ikev2_prfplus: T2 with 32 bytes
> ikev2_prfplus: T3 with 32 bytes
> ikev2_prfplus: T4 with 32 bytes
> ikev2_prfplus: T5 with 32 bytes
> ikev2_prfplus: T6 with 32 bytes
> ikev2_prfplus: T7 with 32 bytes
> ikev2_prfplus: Tn with 224 bytes
> ikev2_sa_keys: SK_d with 32 bytes
> ikev2_sa_keys: SK_ai with 32 bytes
> ikev2_sa_keys: SK_ar with 32 bytes
> ikev2_sa_keys: SK_ei with 32 bytes
> ikev2_sa_keys: SK_er with 32 bytes
> ikev2_sa_keys: SK_pi with 32 bytes
> ikev2_sa_keys: SK_pr with 32 bytes
> ikev2_add_proposals: length 44
> ikev2_next_payload: length 48 nextpayload KE
> ikev2_next_payload: length 136 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload CERTREQ
> ikev2_add_certreq: type X509_CERT length 21
> ikev2_next_payload: length 25 nextpayload CERTREQ
> ikev2_add_certreq: type RSA_KEY length 1
> ikev2_next_payload: length 5 nextpayload NONE
> ikev2_pld_parse: header ispi 0x686867d8a1ded25e rspi 0x14bb05f02b099ef8
> nextpayload SA version 0x20
> exchange IKE_SA_INIT flags 0x20 msgid 0 length 278 response 1
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
> ikev2_pld_sa: more 0 reserved 0 length 44 proposal #4 protoid IKE spisize 0
> xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
> ikev2_pld_ke: dh group MODP_1024 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload CERTREQ critical 0x00 length 36
> ikev2_pld_payloads: payload CERTREQ nextpayload CERTREQ critical 0x00 length
> 25
> ikev2_pld_certreq: type X509_CERT length 20
> ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 5
> ikev2_pld_certreq: type RSA_KEY length 0
> ikev2_msg_send: IKE_SA_INIT response from 192.168.6.2:500 to
> 192.168.1.109:500 msgid 0, 278 bytes
> config_free_proposals: free 0x104c9a284100
> config_free_proposals: free 0x104c9a284680
> config_free_proposals: free 0x104ca58b1200
> config_free_proposals: free 0x104ca58b1500
> config_free_proposals: free 0x104ca58b1480
> config_free_proposals: free 0x104ca58b1580
> ikev2_recv: IKE_AUTH request from initiator 192.168.1.109:500 to
> 192.168.6.2:500 policy 'hv-wrk-st-01'
> id 1, 7392 bytes
> ikev2_recv: ispi 0x686867d8a1ded25e rspi 0x14bb05f02b099ef8
> ikev2_recv: updated SA to peer 192.168.1.109:500 local 192.168.6.2:500
> ikev2_pld_parse: header ispi 0x686867d8a1ded25e rspi 0x14bb05f02b099ef8
> nextpayload SK version 0x20
> exchange IKE_AUTH flags 0x08 msgid 1 length 7392 response 0
> ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 7364
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 7328
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 7328/7328 padding 2
> ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00
> length 199
> ikev2_pld_id: id ASN1_DN//C=CA/ST=Quebec/L=Saint-Georges/O=Ville de
> Saint-Georges/OU=Service
> informatique/CN=192.168.1.109/[email protected]
> length 195
> ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00
> length 1097
> ikev2_pld_cert: type X509_CERT length 1092
> ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00
> length 5605
> ikev2_pld_certreq: type X509_CERT length 5600
> ikev2_policy2id: srcid IPV4/192.168.6.2 length 8
> sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0000 )
> ikev2_pld_payloads: decrypted payload AUTH nextpayload NOTIFY critical 0x00
> length 264
> ikev2_pld_auth: method RSA_SIG length 256
> sa_state: SA_INIT -> AUTH_REQUEST
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload CP critical 0x00
> length 8
> ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
> ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length
> 24
> ikev2_pld_cp: type REQUEST length 16
> ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
> ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
> ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0
> ikev2_pld_cp: INTERNAL_IP4_SERVER 0x5ba0 length 0
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length
> 80
> ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid ESP spisize 4
> xforms 3 spi 0x2454cec5
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_sa: more 0 reserved 0 length 36 proposal #2 protoid ESP spisize 4
> xforms 3 spi 0x2454cec5
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00
> length 24
> ikev2_pld_ts: count 1 length 16
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
> 65535
> ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
> ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00
> length 24
> ikev2_pld_ts: count 1 length 16
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
> 65535
> ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
> sa_stateok: SA_INIT flags 0x0000, require 0x0000
> policy_lookup: peerid '/C=CA/ST=Quebec/L=Saint-Georges/O=Ville de
> Saint-Georges/OU=Service
> informatique/CN=192.168.1.109/[email protected]'
> ikev2_msg_auth: responder auth data length 358
> ca_setauth: auth length 358
> ikev2_msg_auth: initiator auth data length 592
> ikev2_msg_authverify: method RSA_SIG keylen 1092 type X509_CERT
> ikev2_msg_authverify: authentication successful
> sa_state: AUTH_REQUEST -> AUTH_SUCCESS
> sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b
> cert,certvalid,auth,authvalid,sa)
> ikev2_sa_negotiate: score 7
> ikev2_sa_negotiate: score 0
> sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b
> cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x0030, require 0x003b
> cert,certvalid,auth,authvalid,sa
> sa_state: cannot switch: AUTH_SUCCESS -> VALID
> config_free_proposals: free 0x104d33081d00
> config_free_proposals: free 0x104c9a284900
> ca_getreq: found CA /C=CA/ST=Quebec/L=Saint-Georges/O=Ville de
> Saint-Georges/OU=Service
> informatique/CN=VPN CA/[email protected]
> ca_x509_subjectaltname: IPV4/192.168.6.2
> ca_getreq: found local certificate /C=CA/ST=Quebec/L=Saint-Georges/O=Ville de
> Saint-Georges/OU=Service
> informatique/CN=192.168.6.2/[email protected]
> ca_setauth: auth length 256
> ikev2_getimsgdata: imsg 20 rspi 0x14bb05f02b099ef8 ispi 0x686867d8a1ded25e
> initiator 0 sa valid type 4
> data length 1090
> ikev2_dispatch_cert: cert type X509_CERT length 1090, ok
> sa_stateflags: 0x0034 -> 0x0035 cert,certreq,authvalid,sa (required 0x003b
> cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x0031, require 0x003b
> cert,certvalid,auth,authvalid,sa
> sa_state: cannot switch: AUTH_SUCCESS -> VALID
> ikev2_getimsgdata: imsg 25 rspi 0x14bb05f02b099ef8 ispi 0x686867d8a1ded25e
> initiator 0 sa valid type 1
> data length 256
> ikev2_dispatch_cert: AUTH type 1 len 256
> sa_stateflags: 0x0035 -> 0x003d cert,certreq,auth,authvalid,sa (required
> 0x003b
> cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x0039, require 0x003b
> cert,certvalid,auth,authvalid,sa
> sa_state: cannot switch: AUTH_SUCCESS -> VALID
> ca_validate_pubkey: unsupported public key type ASN1_DN
> ca_validate_cert: /C=CA/ST=Quebec/L=Saint-Georges/O=Ville de
> Saint-Georges/OU=Service
> informatique/CN=192.168.1.109/[email protected] ok
> ikev2_dispatch_cert: peer certificate is valid
> sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa
> (required 0x003b
> cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x003b, require 0x003b
> cert,certvalid,auth,authvalid,sa
> sa_state: AUTH_SUCCESS -> VALID
> sa_stateok: VALID flags 0x003b, require 0x003b
> cert,certvalid,auth,authvalid,sa
> sa_stateok: VALID flags 0x003b, require 0x003b
> cert,certvalid,auth,authvalid,sa
> ikev2_sa_tag: (0)
> ikev2_childsa_negotiate: proposal 1
> ikev2_childsa_negotiate: key material length 104
> ikev2_prfplus: T1 with 32 bytes
> ikev2_prfplus: T2 with 32 bytes
> ikev2_prfplus: T3 with 32 bytes
> ikev2_prfplus: T4 with 32 bytes
> ikev2_prfplus: Tn with 128 bytes
> pfkey_sa_getspi: spi 0xb2dc70a5
> pfkey_sa_init: new spi 0xb2dc70a5
> ikev2_next_payload: length 12 nextpayload CERT
> ikev2_next_payload: length 1095 nextpayload AUTH
> ikev2_next_payload: length 264 nextpayload CP
> ikev2_next_payload: length 40 nextpayload NOTIFY
> ikev2_add_mobike: done
> ikev2_next_payload: length 8 nextpayload SA
> ikev2_add_proposals: length 40
> ikev2_next_payload: length 44 nextpayload TSi
> ikev2_next_payload: length 40 nextpayload TSr
> ikev2_next_payload: length 40 nextpayload NONE
> ikev2_msg_encrypt: decrypted length 1543
> ikev2_msg_encrypt: padded length 1552
> ikev2_msg_encrypt: length 1544, padding 8, output length 1584
> ikev2_next_payload: length 1588 nextpayload IDr
> ikev2_msg_integr: message length 1616
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0x686867d8a1ded25e rspi 0x14bb05f02b099ef8
> nextpayload SK version 0x20
> exchange IKE_AUTH flags 0x20 msgid 1 length 1616 response 1
> ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 1588
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 1552
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 1552/1552 padding 8
> ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00
> length 12
> ikev2_pld_id: id IPV4/192.168.6.2 length 8
> ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00
> length 1095
> ikev2_pld_cert: type X509_CERT length 1090
> ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00
> length 264
> ikev2_pld_auth: method RSA_SIG length 256
> ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical 0x00
> length 40
> ikev2_pld_cp: type REPLY length 32
> ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4
> ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 4
> ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
> ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 4
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00
> length 8
> ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length
> 44
> ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4
> xforms 3 spi 0xb2dc70a5
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00
> length 40
> ikev2_pld_ts: count 2 length 32
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
> 65535
> ikev2_pld_ts: start 192.168.1.109 end 192.168.1.109
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
> 65535
> ikev2_pld_ts: start 10.10.10.208 end 10.10.10.208
> ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00
> length 40
> ikev2_pld_ts: count 2 length 32
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
> 65535
> ikev2_pld_ts: start 192.168.6.2 end 192.168.6.2
> ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
> 65535
> ikev2_pld_ts: start 10.10.10.0 end 10.10.10.255
> ikev2_msg_send: IKE_AUTH response from 192.168.6.2:500 to 192.168.1.109:500
> msgid 1, 1616 bytes, NAT-T
> pfkey_sa_add: update spi 0xb2dc70a5
> ikev2_childsa_enable: loaded CHILD SA spi 0xb2dc70a5
> pfkey_sa_add: add spi 0x2454cec5
> ikev2_childsa_enable: loaded CHILD SA spi 0x2454cec5
> ikev2_childsa_enable: loaded flow 0x104d5aca5800
> ikev2_childsa_enable: loaded flow 0x104d3acd0800
> ikev2_childsa_enable: loaded flow 0x104ce8fd6000
> ikev2_childsa_enable: loaded flow 0x104ca30c8c00
> ikev2_childsa_enable: remember SA peer 192.168.1.109:500
> sa_state: VALID -> ESTABLISHED from 192.168.1.109:500 to 192.168.6.2:500
> policy 'hv-wrk-st-01'
> ikev2_recv: IKE_AUTH request from initiator 192.168.1.109:500 to
> 192.168.6.2:500 policy 'hv-wrk-st-01'
> id 1, 7392 bytes
> ikev2_recv: ispi 0x686867d8a1ded25e rspi 0x14bb05f02b099ef8
> ikev2_recv: INFORMATIONAL request from initiator 192.168.1.109:500 to
> 192.168.6.2:500 policy 'hv-wrk-st-01' id 1, 80 bytes
> ikev2_recv: ispi 0x9462f9b291b2284b rspi 0x993373b1ca4c641d
> ikev2_recv: IKE_AUTH request from initiator 192.168.1.109:500 to
> 192.168.6.2:500 policy 'hv-wrk-st-01'
> id 1, 7392 bytes
> ikev2_recv: ispi 0x686867d8a1ded25e rspi 0x14bb05f02b099ef8
> ikev2_recv: INFORMATIONAL request from initiator 192.168.1.109:500 to
> 192.168.6.2:500 policy 'hv-wrk-st-01' id 1, 80 bytes
> ikev2_recv: ispi 0x34893a917e7a3277 rspi 0x71fab8ba6b33234c
> ikev2_recv: IKE_AUTH request from initiator 192.168.1.109:500 to
> 192.168.6.2:500 policy 'hv-wrk-st-01'
> id 1, 7392 bytes
> ikev2_recv: ispi 0x686867d8a1ded25e rspi 0x14bb05f02b099ef8
> ikev2_recv: IKE_AUTH request from initiator 192.168.1.109:500 to
> 192.168.6.2:500 policy 'hv-wrk-st-01'
> id 1, 7392 bytes
> ikev2_recv: ispi 0x686867d8a1ded25e rspi 0x14bb05f02b099ef8
> ikev2_recv: INFORMATIONAL request from initiator 192.168.1.109:500 to
> 192.168.6.2:500 policy 'hv-wrk-st-01' id 1, 80 bytes
> ikev2_recv: ispi 0x686867d8a1ded25e rspi 0x14bb05f02b099ef8
> ikev2_recv: INFORMATIONAL request from initiator 192.168.1.109:500 to
> 192.168.6.2:500 policy 'hv-wrk-st-01' id 1, 80 bytes
> ikev2_recv: ispi 0x686867d8a1ded25e rspi 0x14bb05f02b099ef8
> ikev2_recv: INFORMATIONAL request from initiator 192.168.1.109:500 to
> 192.168.6.2:500 policy 'hv-wrk-st-01' id 1, 80 bytes
> ikev2_recv: ispi 0x686867d8a1ded25e rspi 0x14bb05f02b099ef8
> ^Cikev2 exiting, pid 81476
> ca exiting, pid 22157
> control exiting, pid 95084
> parent terminating
>
>
> /etc/iked.conf :
>
> ikev2 "hv-wrk-st-01" passive esp \
> from 192.168.6.2 to 192.168.1.109 \
> from 10.10.10.0/24 to 10.10.10.208 \
> local 192.168.6.2 peer 192.168.1.109 \
> srcid 192.168.6.2 dstid 192.168.1.109 \
> config address 10.10.10.208 \
> config netmask 255.255.255.0 \
> config name-server 192.168.1.35 \
> config netbios-server 192.168.1.35
>
>
> OpenBSD is 192.168.6.2; iked is normally started with the -T flag.
> Windows is 192.168.1.109 (10.10.10.208 is registered by OpenBSD at boot
> time with arp -s permanent pub; there are local machines without a
> gateway configured).
> All certificates are ok. Pubkeys are in /etc/iked/pubkeys/ipv4/ for both
> the OpenBSD and Windows certificates.
>
> >How-To-Repeat:
>
> >Fix:
>
>
>
> dmesg:
> OpenBSD 6.3-current (GENERIC.MP) #45: Fri Jun 22 00:06:39 MDT 2018
> [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 8478691328 (8085MB)
> avail mem = 8143802368 (7766MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.8 @ 0x7a6b1000 (92 entries)
> bios0: vendor HP version "U22" date 01/22/2018
> bios0: HP ProLiant DL20 Gen9
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S5
> acpi0: tables DSDT FACP SSDT HEST BERT ERST EINJ BGRT HPET WDDT APIC MCFG
> SLIT SRAT SPMI RASF SPCR
> BDAT PCCT DMAR SSDT SSDT SSDT
> acpi0: wakeup devices PEXA(S4) BR01(S4) BR02(S4)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpihpet0 at acpi0: 23999999 Hz
> acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Xeon(R) CPU E3-1220 v5 @ 3.00GHz, 3001.41 MHz
> cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
> cpu0: apic clock running at 24MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1, IBE
> cpu1 at mainbus0: apid 4 (application processor)
> cpu1: Intel(R) Xeon(R) CPU E3-1220 v5 @ 3.00GHz, 3000.03 MHz
> cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
> cpu1: 256KB 64b/line 8-way L2 cache
> cpu1: smt 0, core 2, package 0
> cpu2 at mainbus0: apid 2 (application processor)
> cpu2: Intel(R) Xeon(R) CPU E3-1220 v5 @ 3.00GHz, 3000.01 MHz
> cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
> cpu2: 256KB 64b/line 8-way L2 cache
> cpu2: smt 0, core 1, package 0
> cpu3 at mainbus0: apid 6 (application processor)
> cpu3: Intel(R) Xeon(R) CPU E3-1220 v5 @ 3.00GHz, 3000.01 MHz
> cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT,PT,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
> cpu3: 256KB 64b/line 8-way L2 cache
> cpu3: smt 0, core 3, package 0
> ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 20, 24 pins
> acpimcfg0 at acpi0 addr 0x80000000, bus 0-255
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus 1 (PEX8)
> acpiprt2 at acpi0: bus 2 (PEXA)
> acpiprt3 at acpi0: bus -1 (BR01)
> acpiprt4 at acpi0: bus -1 (BR02)
> acpipwrres0 at acpi0: P1PR
> "PNP0C33" at acpi0 not configured
> "ACPI0004" at acpi0 not configured
> "ACPI0007" at acpi0 not configured
> "ACPI0007" at acpi0 not configured
> "ACPI0007" at acpi0 not configured
> "ACPI0007" at acpi0 not configured
> acpicmos0 at acpi0
> "INT3F0D" at acpi0 not configured
> "IPI0001" at acpi0 not configured
> "ACPI000E" at acpi0 not configured
> "ACPI000D" at acpi0 not configured
> ipmi at mainbus0 not configured
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel Xeon E3-1200 v5 Host" rev 0x07
> xhci0 at pci0 dev 20 function 0 "Intel 100 Series xHCI" rev 0x31: msi, xHCI
> 1.0
> usb0 at xhci0: USB revision 3.0
> uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00
> addr 1
> "Intel 100 Series MEI" rev 0x31 at pci0 dev 22 function 0 not configured
> ahci0 at pci0 dev 23 function 0 "Intel 100 Series AHCI" rev 0x31: msi, AHCI
> 1.3.1
> ahci0: port 0: 3.0Gb/s
> ahci0: PHY offline on port 1
> ahci0: PHY offline on port 2
> ahci0: PHY offline on port 3
> ahci0: PHY offline on port 4
> ahci0: PHY offline on port 5
> scsibus1 at ahci0: 32 targets
> sd0 at scsibus1 targ 0 lun 0: <ATA, WDC WD2500AAJS-6, 03.0> SCSI3 0/direct
> fixed naa.50014ee103ce0c8b
> sd0: 238475MB, 512 bytes/sector, 488397168 sectors
> ppb0 at pci0 dev 29 function 0 "Intel 100 Series PCIE" rev 0xf1: msi
> pci1 at ppb0 bus 1
> "Hewlett-Packard iLO3 Slave" rev 0x06 at pci1 dev 0 function 0 not configured
> "Matrox MGA G200eH" rev 0x01 at pci1 dev 0 function 1 not configured
> "Hewlett-Packard iLO3 Management" rev 0x06 at pci1 dev 0 function 2 not
> configured
> uhci0 at pci1 dev 0 function 4 "Hewlett-Packard USB" rev 0x03: apic 2 int 17
> usb1 at uhci0: USB revision 1.0
> uhub1 at usb1 configuration 1 interface 0 "Hewlett-Packard UHCI root hub" rev
> 1.00/1.00 addr 1
> ppb1 at pci0 dev 29 function 2 "Intel 100 Series PCIE" rev 0xf1: msi
> pci2 at ppb1 bus 2
> bge0 at pci2 dev 0 function 0 "Broadcom BCM5720" rev 0x00, BCM5720 A0
> (0x5720000), APE firmware NCSI
> 1.4.16.0: msi, address ec:eb:b8:5d:94:58
> brgphy0 at bge0 phy 1: BCM5720C 10/100/1000baseT PHY, rev. 0
> bge1 at pci2 dev 0 function 1 "Broadcom BCM5720" rev 0x00, BCM5720 A0
> (0x5720000), APE firmware NCSI
> 1.4.16.0: msi, address ec:eb:b8:5d:94:59
> brgphy1 at bge1 phy 2: BCM5720C 10/100/1000baseT PHY, rev. 0
> pcib0 at pci0 dev 31 function 0 "Intel C232 LPC" rev 0x31
> "Intel 100 Series PMC" rev 0x31 at pci0 dev 31 function 2 not configured
> ichiic0 at pci0 dev 31 function 4 "Intel 100 Series SMBus" rev 0x31: apic 2
> int 16
> iic0 at ichiic0
> isa0 at pcib0
> isadma0 at isa0
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> com0: probed fifo depth: 0 bytes
> pckbc0 at isa0 port 0x60/5 irq 1 irq 12
> pckbd0 at pckbc0 (kbd slot)
> wskbd0 at pckbd0: console keyboard
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> vmm0 at mainbus0: VMX/EPT
> efifb0 at mainbus0: 1024x768, 32bpp
> wsdisplay0 at efifb0 mux 1: console (std, vt100 emulation), using wskbd0
> wsdisplay0: screen 1-5 added (std, vt100 emulation)
> uhub2 at uhub0 port 3 configuration 1 interface 0 "Standard Microsystems
> product 0x2660" rev 2.00/8.01
> addr 2
> vscsi0 at root
> scsibus2 at vscsi0: 256 targets
> softraid0 at root
> scsibus3 at softraid0: 256 targets
> root on sd0a (376b3ac4894daf6a.a) swap on sd0b dump on sd0b
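An added triage helper for traces like the iked debug output quoted in the report above (my own code, not part of the report or of iked): it strips the mail quoting, rejoins wrapped lines, and counts IKE_AUTH requests that repeat with the same ispi/rspi pair and msgid after the SA already reached ESTABLISHED, which is the retransmission pattern visible in that trace. The sample lines are constructed from the excerpt; the function and regex names are my own.

```python
import collections, re

# Constructed sample condensed from the mail-quoted iked excerpt above; quoting and wrapping kept on purpose.
SAMPLE = """\
> sa_state: VALID -> ESTABLISHED from 192.168.1.109:500 to 192.168.6.2:500
> policy 'hv-wrk-st-01'
> ikev2_recv: IKE_AUTH request from initiator 192.168.1.109:500 to
> 192.168.6.2:500 policy 'hv-wrk-st-01'
> id 1, 7392 bytes
> ikev2_recv: ispi 0x686867d8a1ded25e rspi 0x14bb05f02b099ef8
> ikev2_recv: INFORMATIONAL request from initiator 192.168.1.109:500 to
> 192.168.6.2:500 policy 'hv-wrk-
> st-01' id 1, 80 bytes
> ikev2_recv: ispi 0x9462f9b291b2284b rspi 0x993373b1ca4c641d
> ikev2_recv: IKE_AUTH request from initiator 192.168.1.109:500 to
> 192.168.6.2:500 policy 'hv-wrk-st-01'
> id 1, 7392 bytes
> ikev2_recv: ispi 0x686867d8a1ded25e rspi 0x14bb05f02b099ef8
"""
NEW_LINE = re.compile(r"^[A-Za-z_]\w*: ")  # every iked debug line starts with 'func: '
RECV = re.compile(r"^ikev2_recv: (\w+) request from initiator .* policy '([^']+)' id (\d+), \d+ bytes$")
SPI = re.compile(r"^ikev2_recv: ispi (0x[0-9a-f]+) rspi (0x[0-9a-f]+)$")
STATE = re.compile(r"^sa_state: \w+ -> (\w+) from .* policy '([^']+)'$")


def unwrap(text):
    """Strip '> ' quoting and rejoin mail-wrapped lines (no space when a token was broken)."""
    out = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if not line: continue
        if NEW_LINE.match(line) or not out:
            out.append(line)
        else:
            out[-1] += line if out[-1].endswith("-") else " " + line
    return out


def ike_auth_retransmits(text):
    """(policy, ispi, rspi, msgid) -> count, for IKE_AUTH requests seen more than once
    after that policy's SA is ESTABLISHED: the initiator never accepted our response."""
    established, seen, pending = set(), collections.Counter(), None
    for line in unwrap(text):
        if m := STATE.match(line):
            (established.add if m[1] == "ESTABLISHED" else established.discard)(m[2])
        elif m := RECV.match(line):
            pending = (m[1], m[2], int(m[3]))  # exchange, policy, msgid; SPI line follows
        elif (m := SPI.match(line)) and pending:
            exch, policy, msgid, pending = *pending, None
            if exch == "IKE_AUTH" and policy in established:
                seen[(policy, m[1], m[2], msgid)] += 1
    return {k: n for k, n in seen.items() if n > 1}
```

Run it over a full `iked -dv` capture (quoted or not) to confirm whether the initiator keeps resending the same IKE_AUTH after the responder has already logged ESTABLISHED.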