Hi!

Some more information:

If I add "rightsendcert=never" to the strongswan config, it works with PSK.

This is a good workaround for Strongswan, but the same problem exists with
Cisco ASA vs Iked, and in Cisco ASA there is no "knob" for this
workaround.

strongswan config:

conn s2s
        left=192.168.56.16 #Linux
        leftid=192.168.56.16
        right=192.168.56.11 # OpenBSD
        rightid=192.168.56.11
        rightsendcert=never # Ignore cert auth request from OpenBSD???
        leftsubnet=192.0.2.128/25
        rightsubnet=192.0.2.0/25
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256-modp2048!
        authby=secret
        auto=add

iked config:

ikev2 "strongswan" active esp \
        from 192.0.2.0/25 to 192.0.2.128/25 \
        local 192.168.56.11 peer 192.168.56.16 \
        ikesa enc aes-256 auth hmac-sha2-256 prf hmac-sha2-256 group modp2048 \
        childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
        srcid 192.168.56.11 dstid 192.168.56.16 \
        psk "netuddmegmilyentitkos"

Strongswan log:

Jan 16 09:49:59 debianvm1 charon: 12[NET] received packet: from
192.168.56.11[500] to 192.168.56.16[500] (446 bytes)
Jan 16 09:49:59 debianvm1 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Jan 16 09:49:59 debianvm1 charon: 12[IKE] 192.168.56.11 is initiating an
IKE_SA
Jan 16 09:49:59 debianvm1 charon: 12[IKE] IKE_SA (unnamed)[1] state change:
CREATED => CONNECTING
Jan 16 09:49:59 debianvm1 charon: 12[ENC] generating IKE_SA_INIT response 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Jan 16 09:49:59 debianvm1 charon: 12[NET] sending packet: from
192.168.56.16[500] to 192.168.56.11[500] (456 bytes)
Jan 16 09:49:59 debianvm1 charon: 06[NET] received packet: from
192.168.56.11[500] to 192.168.56.16[500] (224 bytes)
Jan 16 09:49:59 debianvm1 charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi
AUTH SA TSi TSr ]
Jan 16 09:49:59 debianvm1 charon: 06[CFG] looking for peer configs matching
192.168.56.16[%any]...192.168.56.11[192.168.56.11]
Jan 16 09:49:59 debianvm1 charon: 06[CFG] selected peer config 's2s'
Jan 16 09:49:59 debianvm1 charon: 06[IKE] authentication of '192.168.56.11'
with pre-shared key successful
Jan 16 09:49:59 debianvm1 charon: 06[IKE] authentication of '192.168.56.16'
(myself) with pre-shared key
Jan 16 09:49:59 debianvm1 charon: 06[IKE] successfully created shared key
MAC
Jan 16 09:49:59 debianvm1 charon: 06[IKE] IKE_SA s2s[1] established between
192.168.56.16[192.168.56.16]...192.168.56.11[192.168.56.11]
Jan 16 09:49:59 debianvm1 charon: 06[IKE] IKE_SA s2s[1] state change:
CONNECTING => ESTABLISHED
Jan 16 09:49:59 debianvm1 charon: 06[IKE] scheduling reauthentication in
3338s
Jan 16 09:49:59 debianvm1 charon: 06[IKE] maximum IKE_SA lifetime 3518s
Jan 16 09:49:59 debianvm1 charon: 06[IKE] CHILD_SA s2s{1} established with
SPIs cb77c7c6_i b9fe46ca_o and TS 192.0.2.128/25 === 192.0.2.0/25
Jan 16 09:49:59 debianvm1 charon: 06[ENC] generating IKE_AUTH response 1 [
IDr AUTH SA TSi TSr N(AUTH_LFT) ]
Jan 16 09:49:59 debianvm1 charon: 06[NET] sending packet: from
192.168.56.16[500] to 192.168.56.11[500] (224 bytes)

Iked log:

set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/192.168.56.16
ikev2 "strongswan" active esp inet from 192.0.2.0/25 to 192.0.2.128/25
local 192.168.56.11 peer 192.168.56.16 ikesa enc aes-256 prf hmac-sha2-256
auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth hmac-sha2-256
group modp2048 esn,noesn srcid 192.168.56.11 dstid 192.168.56.16 lifetime
10800 bytes 536870912 psk 0x6e65747564646d65676d696c79656e7469746b6f73
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1191
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
config_getpolicy: received policy
ca_reload: local cert type RSA_KEY
config_getpfkey: received pfkey fd 3
config_getocsp: ocsp_url none
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: no mobike
config_getfragmentation: no fragmentation
ikev2_init_ike_sa: initiating "strongswan"
ikev2_policy2id: srcid IPV4/192.168.56.11 length 8
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x9a20227fe1e27102 0x0000000000000000
192.168.56.11:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x9a20227fe1e27102
0x0000000000000000 192.168.56.16:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0x9a20227fe1e27102 rspi 0x0000000000000000
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length
446 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
spi=0x9a20227fe1e27102: send IKE_SA_INIT req 0 peer 192.168.56.16:500 local
192.168.56.11:500, 446 bytes
spi=0x9a20227fe1e27102: sa_state: INIT -> SA_INIT
spi=0x9a20227fe1e27102: recv IKE_SA_INIT res 0 peer 192.168.56.16:500 local
192.168.56.11:500, 456 bytes, policy 'strongswan'
ikev2_recv: ispi 0x9a20227fe1e27102 rspi 0x3e25f0df392c5b0c
ikev2_recv: updated SA to peer 192.168.56.16:500 local 192.168.56.11:500
ikev2_pld_parse: header ispi 0x9a20227fe1e27102 rspi 0x3e25f0df392c5b0c
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length
456 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x9a20227fe1e27102 0x3e25f0df392c5b0c
192.168.56.16:500
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x9a20227fe1e27102 0x3e25f0df392c5b0c
192.168.56.11:500
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
16
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_pld_notify: signature hash SHA1 (1)
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type MULTIPLE_AUTH_SUPPORTED
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x0000, require 0x0008 auth
spi=0x9a20227fe1e27102: ikev2_sa_keys: DHSECRET with 256 bytes
ikev2_sa_keys: SKEYSEED with 32 bytes
spi=0x9a20227fe1e27102: ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_msg_auth: initiator auth data length 510
sa_stateok: SA_INIT flags 0x0008, require 0x0008 auth
ikev2_next_payload: length 12 nextpayload AUTH
ikev2_next_payload: length 40 nextpayload SA
pfkey_sa_getspi: spi 0xb9fe46ca
pfkey_sa_init: new spi 0xb9fe46ca
ikev2_add_proposals: length 48
ikev2_next_payload: length 52 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 152
ikev2_msg_encrypt: padded length 160
ikev2_msg_encrypt: length 153, padding 7, output length 192
ikev2_next_payload: length 196 nextpayload IDi
ikev2_msg_integr: message length 224
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x9a20227fe1e27102 rspi 0x3e25f0df392c5b0c
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 224
response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 196
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 160
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 160/160 padding 7
ikev2_pld_payloads: decrypted payload IDi nextpayload AUTH critical 0x00
length 12
ikev2_pld_id: id IPV4/192.168.56.11 length 8
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00
length 40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00
length 52
ikev2_pld_sa: more 0 reserved 0 length 48 proposal #1 protoid ESP spisize 4
xforms 4 spi 0xb9fe46ca
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00
length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.2.0 end 192.0.2.127
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00
length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.2.128 end 192.0.2.255
spi=0x9a20227fe1e27102: send IKE_AUTH req 1 peer 192.168.56.16:500 local
192.168.56.11:500, 224 bytes
config_free_proposals: free 0x1af63e3a5a00
spi=0x9a20227fe1e27102: recv IKE_AUTH res 1 peer 192.168.56.16:500 local
192.168.56.11:500, 224 bytes, policy 'strongswan'
ikev2_recv: ispi 0x9a20227fe1e27102 rspi 0x3e25f0df392c5b0c
ikev2_recv: updated SA to peer 192.168.56.16:500 local 192.168.56.11:500
ikev2_pld_parse: header ispi 0x9a20227fe1e27102 rspi 0x3e25f0df392c5b0c
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 224
response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 196
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 160
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 160/160 padding 3
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00
length 12
ikev2_pld_id: id IPV4/192.168.56.16 length 8
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00
length 40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
spi=0x9a20227fe1e27102: sa_state: SA_INIT -> AUTH_REQUEST
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00
length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4
xforms 3 spi 0xcb77c7c6
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00
length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.2.0 end 192.0.2.127
ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical 0x00
length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.0.2.128 end 192.0.2.255
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00
length 12
ikev2_pld_notify: protoid NONE spisize 0 type AUTH_LIFETIME
ikev2_msg_auth: responder auth data length 520
ikev2_msg_authverify: method SHARED_KEY_MIC keylen 32 type NONE
ikev2_msg_authverify: authentication successful
spi=0x9a20227fe1e27102: sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0008 -> 0x0018 auth,authvalid (required 0x0030
authvalid,sa)
ikev2_sa_negotiate: score 4
sa_stateflags: 0x0018 -> 0x0038 auth,authvalid,sa (required 0x0030
authvalid,sa)
sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
spi=0x9a20227fe1e27102: sa_state: AUTH_SUCCESS -> VALID
sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
ikev2_sa_tag:  (0)
ikev2_childsa_negotiate: proposal 1
ikev2_childsa_negotiate: key material length 128
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_add: add spi 0xcb77c7c6
ikev2_childsa_enable: loaded CHILD SA spi 0xcb77c7c6
pfkey_sa_add: update spi 0xb9fe46ca
ikev2_childsa_enable: loaded CHILD SA spi 0xb9fe46ca
ikev2_childsa_enable: loaded flow 0x1af5d81cb400
ikev2_childsa_enable: loaded flow 0x1af5d81cb800
ikev2_childsa_enable: remember SA peer 192.168.56.16:500
spi=0x9a20227fe1e27102: ikev2_childsa_enable: loaded SPIs: 0xcb77c7c6,
0xb9fe46ca
spi=0x9a20227fe1e27102: ikev2_childsa_enable: loaded flows:
ESP-192.0.2.0/25=192.0.2.128/25(0)
spi=0x9a20227fe1e27102: sa_state: VALID -> ESTABLISHED from
192.168.56.16:500 to 192.168.56.11:500 policy 'strongswan'
config_free_proposals: free 0x1af63e3a3380

dmesg:

OpenBSD 6.6-current (GENERIC.MP) #610: Wed Jan 15 15:45:31 MST 2020
    [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Thx
csszep

csszep <[email protected]> wrote (on 13 Dec 2019, Fri, 11:38):

> Hi!
>
> I'm trying to setup a simple s2s tunnel between iked and strongswan with
> preshared key in current.
>
> Strongswan config:
>
> conn s2s
>         left=192.168.56.16
>         leftid=192.168.56.16
>         right=192.168.56.11
>         rightid=192.168.56.11
>         leftsubnet=192.0.2.128/25
>         rightsubnet=192.0.2.0/25
>         ike=aes256-sha256-modp2048!
>         esp=aes256-sha256-modp2048!
>         authby=secret
>         auto=add
>
>
>
> Iked config:
>
> ikev2 "strongswan" active esp \
>         from 192.0.2.0/25 to 192.0.2.128/25 \
>         local 192.168.56.11 peer 192.168.56.16 \
>         ikesa enc aes-256 auth hmac-sha2-256 prf hmac-sha2-256 group modp2048 \
>         childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
>         srcid 192.168.56.11 dstid 192.168.56.245 \
>         psk "netuddmegmilyentitkos"
>
>
> Iked log:
>
> iked -dvv
> set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/
> 192.168.56.245
> ikev2 "strongswan" active esp inet from 192.0.2.0/25 to 192.0.2.128/25
> local 192.168.56.11 peer 192.168.56.16 ikesa enc aes-256 prf hmac-sha2-256
> auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth hmac-sha2-256
> group modp2048 esn,noesn srcid 192.168.56.11 dstid 192.168.56.245 lifetime
> 10800 bytes 536870912 psk 0x6e65747564646d65676d696c79656e7469746b6f73
> /etc/iked.conf: loaded 1 configuration rules
> ca_privkey_serialize: type RSA_KEY length 1191
> ca_pubkey_serialize: type RSA_KEY length 270
> ca_privkey_to_method: type RSA_KEY method RSA_SIG
> ca_getkey: received private key type RSA_KEY length 1191
> ca_getkey: received public key type RSA_KEY length 270
> ca_dispatch_parent: config reset
> config_getpolicy: received policy
> config_getpfkey: received pfkey fd 3
> ca_reload: local cert type RSA_KEY
> config_getocsp: ocsp_url none
> config_getcompile: compilation done
> config_getsocket: received socket fd 4
> config_getsocket: received socket fd 5
> ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
> config_getsocket: received socket fd 6
> config_getsocket: received socket fd 7
> config_getmobike: no mobike
> config_getfragmentation: no fragmentation
> ikev2_init_ike_sa: initiating "strongswan"
> ikev2_policy2id: srcid IPV4/192.168.56.11 length 8
> ikev2_add_proposals: length 44
> ikev2_next_payload: length 48 nextpayload KE
> ikev2_next_payload: length 264 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload NOTIFY
> ikev2_nat_detection: local source 0x8fadb3cb73817e09 0x0000000000000000
> 192.168.56.11:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0x8fadb3cb73817e09
> 0x0000000000000000 192.168.56.16:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_next_payload: length 14 nextpayload NONE
> ikev2_pld_parse: header ispi 0x8fadb3cb73817e09 rspi 0x0000000000000000
> nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length
> 446 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
> ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize
> 0 xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
> HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
> ikev2_pld_ke: dh group MODP_2048 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length
> 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
> 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
> 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> spi=0x8fadb3cb73817e09: send IKE_SA_INIT req 0 peer 192.168.56.16:500
> local 192.168.56.11:500, 446 bytes
> spi=0x8fadb3cb73817e09: sa_state: INIT -> SA_INIT
> spi=0x8fadb3cb73817e09: recv IKE_SA_INIT res 0 peer 192.168.56.16:500
> local 192.168.56.11:500, 481 bytes, policy 'strongswan'
> ikev2_recv: ispi 0x8fadb3cb73817e09 rspi 0x137d30176aa85262
> ikev2_recv: updated SA to peer 192.168.56.16:500 local 192.168.56.11:500
> ikev2_pld_parse: header ispi 0x8fadb3cb73817e09 rspi 0x137d30176aa85262
> nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length
> 481 response 1
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
> ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize
> 0 xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
> HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
> ikev2_pld_ke: dh group MODP_2048 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length
> 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
> 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_nat_detection: peer source 0x8fadb3cb73817e09 0x137d30176aa85262
> 192.168.56.16:500
> ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00
> length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_nat_detection: peer destination 0x8fadb3cb73817e09
> 0x137d30176aa85262 192.168.56.11:500
> ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00
> length 25
> ikev2_pld_certreq: type X509_CERT length 20
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
> 16
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> ikev2_pld_notify: signature hash SHA1 (1)
> ikev2_pld_notify: signature hash SHA2_256 (2)
> ikev2_pld_notify: signature hash SHA2_384 (3)
> ikev2_pld_notify: signature hash SHA2_512 (4)
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type MULTIPLE_AUTH_SUPPORTED
> ikev2_policy2id: srcid IPV4/192.168.56.11 length 8
> sa_stateflags: 0x0000 -> 0x0004 certreq (required 0x0009 cert,auth)
> ikev2_sa_negotiate: score 4
> sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
> spi=0x8fadb3cb73817e09: ikev2_sa_keys: DHSECRET with 256 bytes
> ikev2_sa_keys: SKEYSEED with 32 bytes
> spi=0x8fadb3cb73817e09: ikev2_sa_keys: S with 80 bytes
> ikev2_prfplus: T1 with 32 bytes
> ikev2_prfplus: T2 with 32 bytes
> ikev2_prfplus: T3 with 32 bytes
> ikev2_prfplus: T4 with 32 bytes
> ikev2_prfplus: T5 with 32 bytes
> ikev2_prfplus: T6 with 32 bytes
> ikev2_prfplus: T7 with 32 bytes
> ikev2_prfplus: Tn with 224 bytes
> ikev2_sa_keys: SK_d with 32 bytes
> ikev2_sa_keys: SK_ai with 32 bytes
> ikev2_sa_keys: SK_ar with 32 bytes
> ikev2_sa_keys: SK_ei with 32 bytes
> ikev2_sa_keys: SK_er with 32 bytes
> ikev2_sa_keys: SK_pi with 32 bytes
> ikev2_sa_keys: SK_pr with 32 bytes
> ikev2_msg_auth: initiator auth data length 510
> sa_stateok: SA_INIT flags 0x0008, require 0x0009 cert,auth
> config_free_proposals: free 0x150956292f80
> ca_getreq: no valid local certificate found
> ikev2_getimsgdata: imsg 21 rspi 0x137d30176aa85262 ispi 0x8fadb3cb73817e09
> initiator 1 sa valid type 0 data length 0
> ikev2_dispatch_cert: cert type NONE length 0, ignored
>
>
> strongswan log:
>
> Dec 13 11:31:12 debianvm1 charon: 05[NET] received packet: from
> 192.168.56.11[500] to 192.168.56.16[500] (446 bytes)
> Dec 13 11:31:12 debianvm1 charon: 05[ENC] parsed IKE_SA_INIT request 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
> Dec 13 11:31:12 debianvm1 charon: 05[IKE] 192.168.56.11 is initiating an
> IKE_SA
> Dec 13 11:31:12 debianvm1 charon: 05[IKE] sending cert request for "C=HU
> O=Strongswan CN=Strongswan CA"
> Dec 13 11:31:12 debianvm1 charon: 05[ENC] generating IKE_SA_INIT response
> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
> Dec 13 11:31:12 debianvm1 charon: 05[NET] sending packet: from
> 192.168.56.16[500] to 192.168.56.11[500] (481 bytes)
> Dec 13 11:31:42 debianvm1 charon: 06[JOB] deleting half open IKE_SA after
> timeout
>
> Iked and Strongswan send out cert requests, but why?
>
> ----------
>
> OpenBSD 6.6-current (GENERIC.MP) #520: Wed Dec 11 14:25:35 MST 2019
>     [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
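A small triage script for the symptom in this thread, added here as an example and not part of the original post or of iked itself: it walks `iked -dvv` output, decodes the sa_stateok bitmasks using the flag names iked prints beside the hex values in the logs above, and reports when a PSK policy is stuck waiting for a local certificate after the peer's IKE_SA_INIT response carried CERTREQ. The sample log lines are constructed from the two runs in this thread, with a placeholder PSK value.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Flag bits as iked names them beside the hex value in the logs above
# ("0x0004 certreq", "0x0009 cert,auth", "0x0030 authvalid,sa").
SA_FLAG_NAMES = {
    0x0001: "cert",
    0x0004: "certreq",
    0x0008: "auth",
    0x0010: "authvalid",
    0x0020: "sa",
}
KNOWN_MASK = sum(SA_FLAG_NAMES)  # bits are disjoint, so the sum is their OR

POLICY_RE = re.compile(r'^ikev2 "(?P<name>[^"]+)" ')
PSK_RE = re.compile(r"\bpsk 0x[0-9a-f]+")
STATEOK_RE = re.compile(r"sa_stateok: \w+ flags (0x[0-9a-f]+), require (0x[0-9a-f]+)")
CERTREQ_RE = re.compile(r"ikev2_pld_payloads: payload CERTREQ\b")
NOCERT_RE = re.compile(r"ca_getreq: no valid local certificate found")
ESTAB_RE = re.compile(r"sa_state: VALID -> ESTABLISHED")


def decode_flags(value: int) -> List[str]:
    """Expand a sa_stateok bitmask into iked's flag names, lowest bit first."""
    names = [name for bit, name in sorted(SA_FLAG_NAMES.items()) if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        names.append(f"unknown(0x{unknown:04x})")
    return names


@dataclass
class Diagnosis:
    policy: Optional[str] = None
    uses_psk: bool = False
    certreq_received: bool = False
    missing_flags: List[str] = field(default_factory=list)  # from the last sa_stateok
    no_local_cert: bool = False
    established: bool = False

    @property
    def stalled_on_cert(self) -> bool:
        """A PSK policy is blocked because iked still requires the 'cert' flag."""
        return (self.uses_psk and self.certreq_received
                and "cert" in self.missing_flags and not self.established)

    def explain(self) -> str:
        if self.stalled_on_cert:
            return (f"policy '{self.policy}' uses a PSK, but the IKE_SA_INIT response "
                    f"carried CERTREQ; iked now requires {','.join(self.missing_flags)} "
                    "and never sends IKE_AUTH. Workaround from the report: "
                    "rightsendcert=never on the strongSwan side.")
        if self.established:
            return f"policy '{self.policy}': IKE_SA established"
        return f"policy '{self.policy}': not established, still missing {self.missing_flags}"


def analyse(lines: Iterable[str]) -> Diagnosis:
    """Single pass over `iked -dvv` output collecting the facts behind the verdict."""
    d = Diagnosis()
    for line in lines:
        m = POLICY_RE.match(line)
        if m:
            d.policy = m.group("name")
            d.uses_psk = PSK_RE.search(line) is not None
            continue
        m = STATEOK_RE.search(line)
        if m:
            have, need = int(m.group(1), 16), int(m.group(2), 16)
            d.missing_flags = decode_flags(need & ~have)
        elif CERTREQ_RE.search(line):
            d.certreq_received = True
        elif NOCERT_RE.search(line):
            d.no_local_cert = True
        elif ESTAB_RE.search(line):
            d.established = True
    return d


# Constructed samples condensed from the two iked runs in this thread (placeholder PSK).
FAILING_LOG = [
    'ikev2 "strongswan" active esp inet from 192.0.2.0/25 to 192.0.2.128/25 '
    'local 192.168.56.11 peer 192.168.56.16 psk 0x00112233',
    "ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 25",
    "ikev2_pld_certreq: type X509_CERT length 20",
    "sa_stateflags: 0x0000 -> 0x0004 certreq (required 0x0009 cert,auth)",
    "sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth",
    "sa_stateok: SA_INIT flags 0x0008, require 0x0009 cert,auth",
    "ca_getreq: no valid local certificate found",
]
WORKING_LOG = [
    'ikev2 "strongswan" active esp inet from 192.0.2.0/25 to 192.0.2.128/25 '
    'local 192.168.56.11 peer 192.168.56.16 psk 0x00112233',
    "sa_stateok: SA_INIT flags 0x0008, require 0x0008 auth",
    "sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa",
    "spi=0x9a20227fe1e27102: sa_state: VALID -> ESTABLISHED policy 'strongswan'",
]

if __name__ == "__main__":
    for log in (FAILING_LOG, WORKING_LOG):
        print(analyse(log).explain())
```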
