Hi!
I'm trying to set up a simple site-to-site (s2s) tunnel between iked and strongswan using a
pre-shared key on -current.
Strongswan config:
# strongSwan ipsec.conf connection (the conn body is normally indented in the
# real file; it appears flattened here).
conn s2s
# left = this strongSwan host; leftid is the identity it presents in IKE_AUTH
left=192.168.56.16
leftid=192.168.56.16
# right = the iked peer; rightid is the identity expected from it
right=192.168.56.11
rightid=192.168.56.11
# traffic selectors, the mirror image of iked's "from 192.0.2.0/25 to 192.0.2.128/25"
leftsubnet=192.0.2.128/25
rightsubnet=192.0.2.0/25
# the trailing "!" makes the proposal strict; both match what iked proposes
# (AES_CBC 256, HMAC_SHA2_256_128, PRF HMAC_SHA2_256, MODP_2048 in the iked log)
ike=aes256-sha256-modp2048!
esp=aes256-sha256-modp2048!
# PSK authentication; the key itself lives in ipsec.secrets (not shown here)
authby=secret
# load only: strongSwan does not initiate, the iked side ("active") does
auto=add
Iked config:
# iked.conf policy: a single rule continued with backslashes (comments are kept
# above it because a "#" line in the middle would break the continuation).
# - "active": iked is the initiator, matching "ikev2_init_ike_sa: initiating"
#   in the log.
# - ikesa/childsa proposals match what strongSwan answered with in IKE_SA_INIT
#   (AES_CBC 256, HMAC_SHA2_256_128, PRF HMAC_SHA2_256, MODP_2048).
# - NOTE(review): dstid 192.168.56.245 matches neither "peer 192.168.56.16"
#   nor strongSwan's leftid=192.168.56.16, which is the ID strongSwan will
#   present in IKE_AUTH; the "could not find pubkey for
#   /etc/iked/pubkeys/ipv4/192.168.56.245" warning refers to the same value.
#   Presumably dstid 192.168.56.16 was intended - confirm.
# - NOTE(review): despite "psk", the log reports "require 0x0009 cert,auth"
#   and stops at "ca_getreq: no valid local certificate found", so no
#   IKE_AUTH is sent and strongSwan deletes the half-open IKE_SA on timeout.
#   CERTREQ payloads in IKE_SA_INIT are normal for both daemons and are not
#   the failure by themselves.
ikev2 "strongswan" active esp \
from 192.0.2.0/25 to 192.0.2.128/25 \
local 192.168.56.11 peer 192.168.56.16 \
ikesa enc aes-256 auth hmac-sha2-256 prf hmac-sha2-256 group
modp2048 \
childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
srcid 192.168.56.11 dstid 192.168.56.245 \
psk "netuddmegmilyentitkos"
Iked log:
iked -dvv
set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/192.168.56.245
ikev2 "strongswan" active esp inet from 192.0.2.0/25 to 192.0.2.128/25
local 192.168.56.11 peer 192.168.56.16 ikesa enc aes-256 prf hmac-sha2-256
auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth hmac-sha2-256
group modp2048 esn,noesn srcid 192.168.56.11 dstid 192.168.56.245 lifetime
10800 bytes 536870912 psk 0x6e65747564646d65676d696c79656e7469746b6f73
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1191
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
ca_reload: local cert type RSA_KEY
config_getocsp: ocsp_url none
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: no mobike
config_getfragmentation: no fragmentation
ikev2_init_ike_sa: initiating "strongswan"
ikev2_policy2id: srcid IPV4/192.168.56.11 length 8
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x8fadb3cb73817e09 0x0000000000000000
192.168.56.11:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x8fadb3cb73817e09
0x0000000000000000 192.168.56.16:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0x8fadb3cb73817e09 rspi 0x0000000000000000
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length
446 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
spi=0x8fadb3cb73817e09: send IKE_SA_INIT req 0 peer 192.168.56.16:500 local
192.168.56.11:500, 446 bytes
spi=0x8fadb3cb73817e09: sa_state: INIT -> SA_INIT
spi=0x8fadb3cb73817e09: recv IKE_SA_INIT res 0 peer 192.168.56.16:500 local
192.168.56.11:500, 481 bytes, policy 'strongswan'
ikev2_recv: ispi 0x8fadb3cb73817e09 rspi 0x137d30176aa85262
ikev2_recv: updated SA to peer 192.168.56.16:500 local 192.168.56.11:500
ikev2_pld_parse: header ispi 0x8fadb3cb73817e09 rspi 0x137d30176aa85262
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length
481 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x8fadb3cb73817e09 0x137d30176aa85262
192.168.56.16:500
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x8fadb3cb73817e09 0x137d30176aa85262
192.168.56.11:500
ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length
25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
16
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_pld_notify: signature hash SHA1 (1)
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type MULTIPLE_AUTH_SUPPORTED
ikev2_policy2id: srcid IPV4/192.168.56.11 length 8
sa_stateflags: 0x0000 -> 0x0004 certreq (required 0x0009 cert,auth)
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
spi=0x8fadb3cb73817e09: ikev2_sa_keys: DHSECRET with 256 bytes
ikev2_sa_keys: SKEYSEED with 32 bytes
spi=0x8fadb3cb73817e09: ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_msg_auth: initiator auth data length 510
sa_stateok: SA_INIT flags 0x0008, require 0x0009 cert,auth
config_free_proposals: free 0x150956292f80
ca_getreq: no valid local certificate found
ikev2_getimsgdata: imsg 21 rspi 0x137d30176aa85262 ispi 0x8fadb3cb73817e09
initiator 1 sa valid type 0 data length 0
ikev2_dispatch_cert: cert type NONE length 0, ignored
strongswan log:
Dec 13 11:31:12 debianvm1 charon: 05[NET] received packet: from
192.168.56.11[500] to 192.168.56.16[500] (446 bytes)
Dec 13 11:31:12 debianvm1 charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Dec 13 11:31:12 debianvm1 charon: 05[IKE] 192.168.56.11 is initiating an
IKE_SA
Dec 13 11:31:12 debianvm1 charon: 05[IKE] sending cert request for "C=HU
O=Strongswan CN=Strongswan CA"
Dec 13 11:31:12 debianvm1 charon: 05[ENC] generating IKE_SA_INIT response 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Dec 13 11:31:12 debianvm1 charon: 05[NET] sending packet: from
192.168.56.16[500] to 192.168.56.11[500] (481 bytes)
Dec 13 11:31:42 debianvm1 charon: 06[JOB] deleting half open IKE_SA after
timeout
Both iked and Strongswan send out certificate requests (CERTREQ) -- but why?
----------
OpenBSD 6.6-current (GENERIC.MP) #520: Wed Dec 11 14:25:35 MST 2019
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 1056899072 (1007MB)
avail mem = 1012514816 (965MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xe1000 (10 entries)
bios0: vendor innotek GmbH version "VirtualBox" date 12/01/2006
bios0: innotek GmbH VirtualBox
acpi0 at bios0: ACPI 4.0
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC SSDT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz, 2401.13 MHz, 06-4e-03
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,CX16,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,RDRAND,NXE,RDTSCP,LONG,LAHF,ABM,3DNOWP,ITSC,FSGSBASE,AVX2,INVPCID,RDSEED,CLFLUSHOPT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: CPU supports MTRRs but not enabled by BIOS
cpu0: apic clock running at 999MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz, 2417.53 MHz, 06-4e-03
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,CX16,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,RDRAND,NXE,RDTSCP,LONG,LAHF,ABM,3DNOWP,ITSC,FSGSBASE,AVX2,INVPCID,RDSEED,CLFLUSHOPT,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 20, 24 pins, remapped
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
acpipci0 at acpi0 PCI0: 0x00000000 0x00000011 0x00000001
acpibat0 at acpi0: BAT0 model "1" serial 0 type VBOX oem "innotek"
acpiac0 at acpi0: AC unit online
acpivideo0 at acpi0: GFX0
cpu0: using Skylake AVX MDS workaround
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel
0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: <VBOX, CD-ROM, 1.0> removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
vga1 at pci0 dev 2 function 0 "InnoTek VirtualBox Graphics Adapter" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em0 at pci0 dev 3 function 0 "Intel 82540EM" rev 0x02: apic 2 int 19,
address 08:00:27:8c:28:57
"InnoTek VirtualBox Guest Service" rev 0x00 at pci0 dev 4 function 0 not
configured
auich0 at pci0 dev 5 function 0 "Intel 82801AA AC97" rev 0x01: apic 2 int
21, ICH
ac97: codec id 0x83847600 (SigmaTel STAC9700)
audio0 at auich0
ohci0 at pci0 dev 6 function 0 "Apple Intrepid USB" rev 0x00: apic 2 int
22, version 1.0
piixpm0 at pci0 dev 7 function 0 "Intel 82371AB Power" rev 0x08: apic 2 int
23
iic0 at piixpm0
em1 at pci0 dev 8 function 0 "Intel 82540EM" rev 0x02: apic 2 int 16,
address 08:00:27:a3:95:43
em2 at pci0 dev 9 function 0 "Intel 82540EM" rev 0x02: apic 2 int 17,
address 08:00:27:87:24:1b
em3 at pci0 dev 10 function 0 "Intel 82540EM" rev 0x02: apic 2 int 18,
address 08:00:27:4c:2c:7d
mpi0 at pci0 dev 20 function 0 "Symbios Logic 53c1030" rev 0x00: apic 2 int
20
mpi0: VBox MPT Fusion, firmware 0.0.0.0
scsibus2 at mpi0: 16 targets, initiator 7
sd0 at scsibus2 targ 0 lun 0: <VBOX, HARDDISK, 1.0>
sd0: 4336MB, 512 bytes/sector, 8882048 sectors
mpi0: target 0 Async at 0MHz width 8bit offset 0 QAS 0 DT 0 IU 0
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
usb0 at ohci0: USB revision 1.0
uhub0 at usb0 configuration 1 interface 0 "Apple OHCI root hub" rev
1.00/1.00 addr 1
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (aa4cfb49c7b65e05.a) swap on sd0b dump on sd0b