Hi!
I am trying to get acquainted with the iked program, and between two OpenBSD
4.9 snapshots (OpenBSD 4.9 (GENERIC) #477: Wed Mar 2 06:50:31 MST 2011)
it works with preshared keys and certificates all right as far as I can
see. In the beginning I made certificates with ikectl and now with the
xca program; I noticed that it seems crucial to have an X.509 extension like
X509v3 Subject Alternative Name:
DNS:obsd-49-1.auul
Now I am trying to follow the man iked.conf example to make OpenBSD and Win7
do IPsec with each other, but so far I haven't succeeded yet. Here is what I
have:
1. OpenBSD is at 192.168.10.51 (obsd-49-1.auul) and Win7 is at
192.168.50.172 (imreo-lap.xxx.ee); they are one IP hop away from each
other, with no packet filtering between them.
2. OpenBSD has the appropriate certificates and key
(http://www.auul.pri.ee/ca.crt-text and
http://www.auul.pri.ee/obsd-49-1.auul.crt-text) and iked.conf contains
(where xxx in the domain name is substituted):
user "imre" "imreparool"
ikev2 "win7" esp \
        from 192.168.151.0/24 to 192.168.12.0/24 \
        local 192.168.10.51 peer 192.168.50.172 \
        srcid obsd-49-1.auul dstid imreo-lap.xxx.ee \
        eap "mschap-v2" \
        config address 192.168.151.1 \
        tag "$name-$id"
where 192.168.151.0/24 and 192.168.12.0/24 are networks on each side
which don't really exist at the moment.
(PS: actually I haven't found anything in the manpage about this 'config
address' parameter; if somebody could comment on that also.)
3. I believe Win7 has the appropriate certificates and private key installed
(http://www.auul.pri.ee/ca.crt-text and
http://www.auul.pri.ee/imreo-lap.xxx.ee.crt-text) since I exported a .p12
with chain from xca and installed it into Win7 with mmc.
4. When I start iked and try to access it from Win7 (using IKEv2,
require data encryption and EAP-MSCHAP v2) I get the following after
entering imre as username and imreparool as password:
obsd-49-1:/etc# iked -dv
user "imre" "imreparool"
ikev2 "win7" passive esp inet from 192.168.151.0/24 to 192.168.12.0/24
local 192.168.10.51 peer 192.168.50.172 ikesa enc
aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1,hmac-md5 auth
hmac-sha2-256,hmac-sha1,hmac-md5 group
modp2048-256,modp2048,modp1536,modp1024 childsa enc
aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid
obsd-49-1.auul dstid imreo-lap.xxx.ee lifetime 10800 bytes 536870912 eap
"MSCHAP_V2" config address 192.168.151.1 tag "$name-$id"
ikev2_recv: IKE_SA_INIT from initiator 192.168.50.172:500 to
192.168.10.51:500 policy 'win7', 528 bytes
ikev2_msg_send: IKE_SA_INIT from 192.168.10.51:500 to
192.168.50.172:500, 325 bytes
ikev2_recv: IKE_AUTH from initiator 192.168.50.172:4500 to
192.168.10.51:4500 policy 'win7', 828 bytes
ikev2_pld_eap: REQUEST id 0 length 5 EAP-IDENTITY
ikev2_msg_send: IKE_AUTH from 192.168.10.51:4500 to 192.168.50.172:4500,
1100 bytes
ikev2_recv: IKE_AUTH from initiator 192.168.50.172:4500 to
192.168.10.51:4500 policy 'win7', 68 bytes
ikev2_pld_eap: RESPONSE id 0 length 9 EAP-IDENTITY
ikev2_pld_eap: REQUEST id 1 length 31 EAP-MSCHAP_V2
eap_parse: MSCHAP_V2 CHALLENGE id 1 length 26 valuesize 16 name '_iked'
length 5
ikev2_msg_send: IKE_AUTH from 192.168.10.51:4500 to 192.168.50.172:4500,
92 bytes
ikev2_pld_eap: REQUEST id 0 length 5 EAP-IDENTITY
ikev2_msg_send: IKE_AUTH from 192.168.10.51:4500 to 192.168.50.172:4500,
1100 bytes
And when run with -vvv it says in the end (another run; the whole log is at
http://www.auul.pri.ee/iked-win7.log):
...
ikev2_pld_eap: REQUEST id 0 length 5 EAP-IDENTITY
ikev2_msg_send: IKE_AUTH from 192.168.10.51:4500 to 192.168.50.172:4500,
1100 bytes
ikev2_recv: IKE_AUTH from initiator 192.168.50.172:4500 to
192.168.10.51:4500 policy 'win7', 124 bytes
ikev2_recv: updating msg, natt 1
ikev2_recv: invalid sequence number 3 (SA msgid 4 reqid 0)
and Windows says (and has all common updates installed):
Verifying user name and password, Error 13803, IKE Negotiation in progress
I would be very thankful if somebody could comment on this and point me
in the right direction.
Best regards, Imre
PS I also want to add that between this Win7 and Debian with strongSwan,
IKEv2 works (to be exact, there I use it so that I needed to install only
the CA certificate and enter username and password, i.e. no user certificate).
I decided to try this out to get confidence that something isn't totally
wrong on Windows' side. In this case it appeared that the certificate
needed to have the X.509 extension '1.3.6.1.5.5.8.2.2' (IP security end
entity), so I added this to the certificate in OpenBSD's case too.
(Following the story from
http://wiki.strongswan.org/projects/strongswan/wiki/Windows7)
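Since the post singles out the SAN dNSName and the 1.3.6.1.5.5.8.2.2 EKU as the two extensions that made the certificates usable for IKEv2, here is an added example (not from the post and not iked code) that checks a DER-encoded X.509 Extensions block for both; the sample block is constructed inline rather than read from the certificates linked above.

```python
# Added example (not from the post): minimal DER walker checking the two X.509
# extensions the post found IKEv2 needs: a SAN dNSName and EKU 1.3.6.1.5.5.8.2.2.
OID_SAN, OID_EKU, OID_IPSEC_EE = "2.5.29.17", "2.5.29.37", "1.3.6.1.5.5.8.2.2"

def tlv(tag, value):
    """Encode one DER TLV (definite length, values shorter than 65536 bytes)."""
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + value

def children(value):
    """Split the contents of a constructed DER value into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, n, pos = value[pos], value[pos + 1], pos + 2
        if n & 0x80:                                   # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(value[pos:pos + k], "big"), pos + k
        out.append((tag, value[pos:pos + n]))
        pos += n
    return out

def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:                                 # base-128, high bit = more
        group = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            group.insert(0, (a & 0x7F) | 0x80)
        out += group
    return bytes(out)

def decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def check_ipsec_extensions(extensions_der, dns_name):
    """Return (san_has_dns_name, eku_has_ipsec_end_entity) for an Extensions TLV."""
    exts = {}
    for _, ext in children(children(extensions_der)[0][1]):   # Extension ::= SEQUENCE
        fields = children(ext)                         # extnID, [critical], extnValue
        exts[decode_oid(fields[0][1])] = children(fields[-1][1])[0][1]  # inner SEQUENCE body
    san = [v.decode() for t, v in children(exts.get(OID_SAN, b"")) if t == 0x82]  # [2] dNSName
    eku = [decode_oid(v) for _, v in children(exts.get(OID_EKU, b""))]
    return dns_name in san, OID_IPSEC_EE in eku

EKU = tlv(0x30, tlv(0x06, encode_oid(OID_EKU)) + tlv(0x04, tlv(0x30, tlv(0x06, encode_oid(OID_IPSEC_EE)))))
SAN = tlv(0x30, tlv(0x06, encode_oid(OID_SAN)) + tlv(0x04, tlv(0x30, tlv(0x82, b"obsd-49-1.auul"))))
SAMPLE_EXTENSIONS = tlv(0x30, EKU + SAN)               # constructed sample, mirrors the post's cert
```

To run it against a real certificate, feed `check_ipsec_extensions` the DER Extensions SEQUENCE taken from the TBSCertificate's `[3]` field; the walker handles the optional `critical` BOOLEAN by always taking the last field as extnValue.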