Hello fellow OpenBSD users, I've run into a couple of issues with setting up an IKE IPsec VPN with a Windows 7 native client. Now, I've run through the lists and have found a solution to get it working somewhat how I'd like it to work.
I currently have this in my iked.conf:

ikev2 passive esp \
    from 192.168.200.0/24 to 10.10.10.0/24 local any peer any \
    srcid xxx.xxx.xxx.xxx \
    config address 10.10.10.1 \
    config name-server 192.168.200.x

And on my W7 client I have a static IP configured and am using machine certificates. I connect there with no issue and everything is kosher... kind of. I want to use a username and password, so I have this in my iked.conf:

user "my user ID" "Wouldn't_you_like_to_know?"

ikev2 passive esp \
    from 192.168.200.0/24 to 10.10.10.0/24 local any peer any \
    eap "mschap-v2" \
    srcid xxx.xxx.xxx.xxx \
    config address 10.10.10.1 \
    config name-server 192.168.200.x \
    tag "$name-$id"

When I do this I get an error: Error Code 13803 "IKE Negotiation in progress", and it just sits there. Has anyone gotten this to work before? I ran iked in debug mode with verbose output and received the following:

/etc/iked.conf: loaded 2 configuration rules
config_new_user: inserting new user my_user
user "my_user" "password"
config_getpolicy: received policy
ikev2 "win7" passive esp from 192.168.200.0/24 to 10.10.10.0/24 local any peer any ikesa enc aes-256,aes-192,ca_reload: loaded ca file ca.crt
aes-128,3des prf hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256,hmac-sha1,hmac-md5 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid xxx.xxx.xxx.xxxca_reload: loaded crl file ca.crl
lifetime 10800 bytes 536870912 eap "MSCHAP_V2" config address 10.10.10.7 ca_reload: /C=US/ST=xxxxxxxx/L=xxxxxxxx/O=xxxxxxx.com/OU=VPN/CN=cerberus.xxxxxxx.xxxxx/emailAddress=info@xxxxxxx.xxxxxx
config_getpfkey: received pfkey fd 4
ca_reload: loaded 1 ca certificate
config_getcompile: compilation done
config_getsocket: received socket fd 11
config_getsocket: received socket fd 12
config_getsocket: received socket fd 14
config_getsocket: received socket fd 20
ca_reload: loaded cert file xxx.xxx.xxx.xxx.crt
ca_validate_cert: /C=US/ST=xxxxxxxx/L=xxxxxxxx/O=xxxxxxx.com/OU=VPN/CN=xxx.xxx.xxx.xxx/emailAddress=i...@xxxxxxx.com ok
ikev2_dispatch_cert: updated local CERTREQ signatures length 20
ikev2_recv: IKE_SA_INIT from initiator xxx.xxx.xxx.xxx:56506 to xxx.xxx.xxx.xxx:500 policy 'win7', 792 bytes
ikev2_policy2id: srcid IPV4/xxx.xxx.xxx.xxx length 8
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 792 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 520
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x46459f2713e1d8d3 0x0000000000000000 xxx.xxx.xxx.xxx:56506
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x46459f2713e1d8d3 0x0000000000000000 xxx.xxx.xxx.xxx:500
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 23
sa_stateok: SA_INIT flags 0x00, require 0x00
sa_stateflags: 0x00 -> 0x08 sa (required 0x00 )
ikev2_sa_keys: SKEYSEED with 20 bytes
ikev2_sa_keys: S with 96 bytes
ikev2_prfplus: T1 with 20 bytes
ikev2_prfplus: T2 with 20 bytes
ikev2_prfplus: T3 with 20 bytes
ikev2_prfplus: T4 with 20 bytes
ikev2_prfplus: T5 with 20 bytes
ikev2_prfplus: T6 with 20 bytes
ikev2_prfplus: T7 with 20 bytes
ikev2_prfplus: T8 with 20 bytes
ikev2_prfplus: Tn with 160 bytes
ikev2_sa_keys: SK_d with 20 bytes
ikev2_sa_keys: SK_ai with 20 bytes
ikev2_sa_keys: SK_ar with 20 bytes
ikev2_sa_keys: SK_ei with 24 bytes
ikev2_sa_keys: SK_er with 24 bytes
ikev2_sa_keys: SK_pi with 20 bytes
ikev2_sa_keys: SK_pr with 20 bytes
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload KE
ikev2_next_payload: length 136 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x46459f2713e1d8d3 0x7916745180423feb xxx.xxx.xxx.xxx:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x46459f2713e1d8d3 0x7916745180423feb xxx.xxx.xxx.xxx:56506
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_next_payload: length 25 nextpayload NONE
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x7916745180423feb nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 325 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT signatures length 20
ikev2_msg_send: IKE_SA_INIT from xxx.xxx.xxx.xxx:500 to xxx.xxx.xxx.xxx:56506, 325 bytes
config_free_proposals: free 0x204397280
ikev2_recv: IKE_AUTH from initiator xxx.xxx.xxx.xxx:64175 to xxx.xxx.xxx.xxx:4500 policy 'win7', 988 bytes
ikev2_recv: updating msg, natt 1
ikev2_recv: updated SA peer xxx.xxx.xxx.xxx:64175 local xxx.xxx.xxx.xxx:4500
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x7916745180423feb nextpayload E version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 988 response 0
ikev2_pld_payloads: payload E nextpayload IDi critical 0x00 length 960
ikev2_msg_decrypt: IV length 8
ikev2_msg_decrypt: encrypted payload length 936
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 936/936 padding 2
ikev2_pld_payloads: decrypted payload IDi nextpayload CERTREQ critical 0x00 length 12
ikev2_pld_id: id IPV4/192.168.103.130 length 8
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload NOTIFY critical 0x00 length 685
ikev2_pld_certreq: type X509_CERT signatures length 680
ikev2_policy2id: dstid IPV4/xxx.xxx.xxx.xxx length 8
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload CP critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 28
ikev2_pld_cp: type REQUEST length 20
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0
ikev2_pld_cp: INTERNAL_IP4_SERVER 0x5ba0 length 0
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 152
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x4a3aea35
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
sa_stateok: SA_INIT flags 0x00, require 0x00
sa_state: SA_INIT -> EAP
ikev2_msg_auth: responder auth data length 393
ca_setauth: auth length 393
ikev2_sa_negotiate: score 12
sa_stateflags: 0x08 -> 0x08 sa (required 0x0d cert,auth,sa)
sa_stateok: EAP flags 0x08, require 0x0d cert,auth,sa
config_free_proposals: free 0x204397280
ca_getreq: found CA /C=US/ST=xxxxxxxx/L=xxxxxxxx/O=xxxxxxx.com/OU=VPN/CN=cerberus.xxxxxxx.com/emailAddress=i...@xxxxxxx.com
ca_x509_subjectaltname: IPV4/xxx.xxx.xxx.xxx
ca_getreq: found local certificate /C=US/ST=xxxxxxxx/L=xxxxxxxx/O=xxxxxxx.com/OU=VPN/CN=xxx.xxx.xxx.xxx/emailAddress=i...@xxxxxxx.com
ca_setauth: auth length 256
ikev2_getimsgdata: imsg 18 rspi 0x7916745180423feb ispi 0x46459f2713e1d8d3 initiator 0 sa valid type 4 data length 1045
ikev2_dispatch_cert: cert type 4 length 1045
sa_stateflags: 0x08 -> 0x09 cert,sa (required 0x0d cert,auth,sa)
sa_stateok: EAP flags 0x09, require 0x0d cert,auth,sa
ikev2_getimsgdata: imsg 21 rspi 0x7916745180423feb ispi 0x46459f2713e1d8d3 initiator 0 sa valid type 1 data length 256
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x09 -> 0x0d cert,auth,sa (required 0x0d cert,auth,sa)
sa_stateok: EAP flags 0x0d, require 0x0d cert,auth,sa
ikev2_next_payload: length 12 nextpayload CERT
ikev2_next_payload: length 1050 nextpayload AUTH
ikev2_next_payload: length 264 nextpayload EAP
ikev2_next_payload: length 9 nextpayload NONE
ikev2_msg_encrypt: decrypted length 1335
ikev2_msg_encrypt: padded length 1336
ikev2_msg_encrypt: length 1336, padding 0, output length 1356
ikev2_next_payload: length 1360 nextpayload IDr
ikev2_msg_integr: message length 1388
ikev2_msg_integr: integrity checksum length 12
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x7916745180423feb nextpayload E version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 1388 response 1
ikev2_pld_payloads: payload E nextpayload IDr critical 0x00 length 1360
ikev2_msg_decrypt: IV length 8
ikev2_msg_decrypt: encrypted payload length 1336
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 1336/1336 padding 0
ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00 length 12
ikev2_pld_id: id IPV4/xxx.xxx.xxx.xxx length 8
ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00 length 1050
ikev2_pld_cert: type X509_CERT length 1045
ikev2_pld_payloads: decrypted payload AUTH nextpayload EAP critical 0x00 length 264
ikev2_pld_auth: method RSA_SIG length 256
ikev2_pld_payloads: decrypted payload EAP nextpayload NONE critical 0x00 length 9
ikev2_pld_eap: REQUEST id 0 length 5 EAP-IDENTITY
ikev2_msg_send: IKE_AUTH from xxx.xxx.xxx.xxx:4500 to xxx.xxx.xxx.xxx:64175, 1388 bytes
ikev2_recv: IKE_AUTH from initiator xxx.xxx.xxx.xxx:64175 to xxx.xxx.xxx.xxx:4500 policy 'win7', 68 bytes
ikev2_recv: updating msg, natt 1
ikev2_recv: updated SA peer xxx.xxx.xxx.xxx:64175 local xxx.xxx.xxx.xxx:4500
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x7916745180423feb nextpayload E version 0x20 exchange IKE_AUTH flags 0x08 msgid 2 length 68 response 0
ikev2_pld_payloads: payload E nextpayload EAP critical 0x00 length 40
ikev2_msg_decrypt: IV length 8
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 2
ikev2_pld_payloads: decrypted payload EAP nextpayload NONE critical 0x00 length 13
ikev2_pld_eap: RESPONSE id 0 length 9 EAP-IDENTITY
eap_identity_response: identity 'my_user' length 4
ikev2_next_payload: length 35 nextpayload NONE
ikev2_msg_encrypt: decrypted length 35
ikev2_msg_encrypt: padded length 40
ikev2_msg_encrypt: length 36, padding 4, output length 60
ikev2_next_payload: length 64 nextpayload EAP
ikev2_msg_integr: message length 92
ikev2_msg_integr: integrity checksum length 12
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x7916745180423feb nextpayload E version 0x20 exchange IKE_AUTH flags 0x20 msgid 2 length 92 response 1
ikev2_pld_payloads: payload E nextpayload EAP critical 0x00 length 64
ikev2_msg_decrypt: IV length 8
ikev2_msg_decrypt: encrypted payload length 40
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 40/40 padding 4
ikev2_pld_payloads: decrypted payload EAP nextpayload NONE critical 0x00 length 35
ikev2_pld_eap: REQUEST id 1 length 31 EAP-MSCHAP_V2
eap_parse: MSCHAP_V2 CHALLENGE id 1 length 26 valuesize 16 name '_iked' length 5
ikev2_msg_send: IKE_AUTH from xxx.xxx.xxx.xxx:4500 to xxx.xxx.xxx.xxx:64175, 92 bytes
sa_stateok: SA_INIT flags 0x00, require 0x00
sa_stateok: EAP flags 0x0d, require 0x0d cert,auth,sa
ikev2_next_payload: length 12 nextpayload CERT
ikev2_next_payload: length 1050 nextpayload AUTH
ikev2_next_payload: length 264 nextpayload EAP
ikev2_next_payload: length 9 nextpayload NONE
ikev2_msg_encrypt: decrypted length 1335
ikev2_msg_encrypt: padded length 1336
ikev2_msg_encrypt: length 1336, padding 0, output length 1356
ikev2_next_payload: length 1360 nextpayload IDr
ikev2_msg_integr: message length 1388
ikev2_msg_integr: integrity checksum length 12
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x7916745180423feb nextpayload E version 0x20 exchange IKE_AUTH flags 0x20 msgid 3 length 1388 response 1
ikev2_pld_payloads: payload E nextpayload IDr critical 0x00 length 1360
ikev2_msg_decrypt: IV length 8
ikev2_msg_decrypt: encrypted payload length 1336
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 1336/1336 padding 0
ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00 length 12
ikev2_pld_id: id IPV4/xxx.xxx.xxx.xxx length 8
ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00 length 1050
ikev2_pld_cert: type X509_CERT length 1045
ikev2_pld_payloads: decrypted payload AUTH nextpayload EAP critical 0x00 length 264
ikev2_pld_auth: method RSA_SIG length 256
ikev2_pld_payloads: decrypted payload EAP nextpayload NONE critical 0x00 length 9
ikev2_pld_eap: REQUEST id 0 length 5 EAP-IDENTITY
ikev2_msg_send: IKE_AUTH from xxx.xxx.xxx.xxx:4500 to xxx.xxx.xxx.xxx:64175, 1388 bytes
^Cca exiting
ikev2 exiting
ikev1 exiting
parent terminating

Any help would be appreciated. Is there any setting or something I should apply? I'm running Windows 7 behind NAT. Like I said, certs work fine; username and password do not.
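An added example, not part of the original post and not OpenBSD's own tooling: a small Python script that condenses an iked -dvv trace like the one above into its IKEv2 exchange sequence. It keys on the "ikev2_pld_parse: header ..." line iked prints for every message it parses (received requests and the responses it builds alike) and on the "ikev2_pld_eap:" lines, then lists each message with its msgid, direction and EAP payload, and applies one general IKEv2 invariant: every response must pair with a request of the same exchange and message ID (RFC 7296, section 2.2), so a response built without a parsed request of that msgid is flagged. The sample lines are constructed to mirror the shape and values of the trace above, with the masked addresses replaced by RFC 5737 documentation addresses; the field names in the summary are this example's own.

```python
"""Condense an iked(8) -dvv trace into its IKEv2 exchange sequence.

Added example, not from the original post or from OpenBSD. Only the
'ikev2_pld_parse: header ...' and 'ikev2_pld_eap: ...' lines are used.
"""
import re

# Constructed sample in the shape of the trace above (one message per line,
# packet details omitted); addresses are RFC 5737 placeholders, SPIs,
# msgids and lengths follow the posted trace.
SAMPLE_LOG = """\
ikev2_recv: IKE_SA_INIT from initiator 203.0.113.5:56506 to 198.51.100.1:500 policy 'win7', 792 bytes
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 792 response 0
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x7916745180423feb nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 325 response 1
ikev2_msg_send: IKE_SA_INIT from 198.51.100.1:500 to 203.0.113.5:56506, 325 bytes
ikev2_recv: IKE_AUTH from initiator 203.0.113.5:64175 to 198.51.100.1:4500 policy 'win7', 988 bytes
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x7916745180423feb nextpayload E version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 988 response 0
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x7916745180423feb nextpayload E version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 1388 response 1
ikev2_pld_eap: REQUEST id 0 length 5 EAP-IDENTITY
ikev2_msg_send: IKE_AUTH from 198.51.100.1:4500 to 203.0.113.5:64175, 1388 bytes
ikev2_recv: IKE_AUTH from initiator 203.0.113.5:64175 to 198.51.100.1:4500 policy 'win7', 68 bytes
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x7916745180423feb nextpayload E version 0x20 exchange IKE_AUTH flags 0x08 msgid 2 length 68 response 0
ikev2_pld_eap: RESPONSE id 0 length 9 EAP-IDENTITY
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x7916745180423feb nextpayload E version 0x20 exchange IKE_AUTH flags 0x20 msgid 2 length 92 response 1
ikev2_pld_eap: REQUEST id 1 length 31 EAP-MSCHAP_V2
ikev2_msg_send: IKE_AUTH from 198.51.100.1:4500 to 203.0.113.5:64175, 92 bytes
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x7916745180423feb nextpayload E version 0x20 exchange IKE_AUTH flags 0x20 msgid 3 length 1388 response 1
ikev2_pld_eap: REQUEST id 0 length 5 EAP-IDENTITY
ikev2_msg_send: IKE_AUTH from 198.51.100.1:4500 to 203.0.113.5:64175, 1388 bytes
"""

HEADER_RE = re.compile(
    r"ikev2_pld_parse: header ispi (?P<ispi>0x[0-9a-f]+) rspi (?P<rspi>0x[0-9a-f]+)"
    r" .*?exchange (?P<exchange>\S+) flags 0x[0-9a-f]+ msgid (?P<msgid>\d+)"
    r" length (?P<length>\d+) response (?P<response>[01])"
)
EAP_RE = re.compile(
    r"ikev2_pld_eap: (?P<kind>REQUEST|RESPONSE) id (?P<id>\d+) length \d+ (?P<method>\S+)"
)


def parse_iked_log(text):
    """Return one dict per parsed IKEv2 message, with any EAP payload it carried."""
    messages = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            messages.append({
                "exchange": m["exchange"],
                "msgid": int(m["msgid"]),
                "response": m["response"] == "1",
                "length": int(m["length"]),
                "eap": [],
            })
            continue
        e = EAP_RE.search(line)
        if e and messages:
            # iked logs the EAP payload after the header of the message that
            # carries it, so it belongs to the most recently parsed message.
            messages[-1]["eap"].append((e["kind"], int(e["id"]), e["method"]))
    return messages


def eap_trace(messages):
    """Flatten the EAP conversation into (msgid, REQUEST|RESPONSE, eap id, method)."""
    return [(m["msgid"], kind, eid, method)
            for m in messages for kind, eid, method in m["eap"]]


def find_unsolicited_responses(messages):
    """msgids of responses with no earlier parsed request of the same exchange and
    msgid. IKEv2 pairs each response with exactly one request (RFC 7296, 2.2)."""
    seen_requests = set()
    unsolicited = []
    for m in messages:
        key = (m["exchange"], m["msgid"])
        if not m["response"]:
            seen_requests.add(key)
        elif key not in seen_requests:
            unsolicited.append(m["msgid"])
    return unsolicited


def summarize(text):
    """One line per message plus any findings, as a printable string."""
    msgs = parse_iked_log(text)
    out = []
    for m in msgs:
        direction = "resp" if m["response"] else "req "
        eap = ", ".join(f"{k} id {i} {meth}" for k, i, meth in m["eap"]) or "-"
        out.append(f"{m['exchange']:<12} msgid {m['msgid']} {direction} "
                   f"{m['length']:>5} bytes  EAP: {eap}")
    for msgid in find_unsolicited_responses(msgs):
        out.append(f"!! response with msgid {msgid} has no matching parsed request")
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the constructed sample the script lists the IKE_SA_INIT pair, the IKE_AUTH request and response for msgid 1 (EAP-Identity request), the msgid 2 pair (identity response, MSCHAPv2 challenge), and then flags the msgid 3 response, which in the trace above is built and sent with no ikev2_recv or parsed request for msgid 3 logged before it. The script only points at that spot in the exchange; what the Windows side did with the MSCHAPv2 challenge is not visible from the responder's log, so a packet capture on UDP 4500 would be the next thing to look at.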