Hi,

I've got two problems running IKED together with carp and sasyncd. I've tested the 
setup below on both OpenBSD 5.8 and -current (latest snapshot), with the 
same results.

My IKED.conf:

ikev2 vpn_lab passive esp \
        from 172.20.0.0/16 to 172.16.0.0/16 \
        from 172.21.0.0/16 to 172.16.0.0/16 \
        local 1.1.3.1 peer 1.1.4.2 \
        ikesa auth hmac-sha2-256 enc aes-256 group modp2048 \
        childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
        srcid 1.1.3.1 dstid 1.1.4.2 \
        ikelifetime 28800 lifetime 3600 \
        psk *****************
        
If I start IKED in active mode (without sasyncd) and try to establish the tunnel 
from the peer gateway, IKED at least sends a response to the IKEv2 packet.

Unfortunately, although the log states that the virtual carp IP (1.1.3.1) is used as 
the source address of the response, the packet seen in tcpdump actually leaves with the 
IP of the node's dedicated interface (1.1.3.2) as its source instead.

I've read the manual pages for iked(8) and iked.conf(5) several times but 
found nothing that covers this.

root@fw-lab-01-node0:~# iked -dvvvT
ca_privkey_serialize: type RSA_KEY length 1190
ca_pubkey_serialize: type RSA_KEY length 270
/etc/iked.conf: loaded 2 configuration rules
config_getpolicy: received policy
ikev2 "vpn_lab" passive esp inet from 172.20.0.0/16 to 172.16.0.0/16 from 
172.21.0.0/16 to 172.16.0.0/16 local any peer 1.1.4.2 ikesa enc aes-256 prf 
hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256 group modp2048 childsa enc 
aes-256 auth hmac-sha2-256 group modp2048 srcid 1.1.3.1 dstid 1.1.4.2 
ikelifetime 28800 lifetime 3600 bytes 536870912 *****************
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
ca_reload: local cert type RSA_KEY
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
ikev2_recv: IKE_SA_INIT request from initiator 1.1.4.2:500 to 1.1.3.1:500 
policy 'vpn_lab' id 0, 364 bytes
ikev2_recv: ispi 0xdbc919cbca8062f7 rspi 0x0000000000000000
ikev2_policy2id: srcid IPV4/1.1.3.1 length 8
ikev2_pld_parse: header ispi 0xdbc919cbca8062f7 rspi 0x0000000000000000 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 364 
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
79fdbeb8 f0bdecf1 4ee3a1f0 844192bf 4cb2c415 654933f6 1d710589 efaa47eb
d75c3b79 0216cd08 482040ca 31163c17 048b2b3d 02d5bba5 be26d022 5f491458
3a4ccfce 5d59288d c41d5109 dacf3242 225a1dcd ddedb114 a468f489 b4893884
0a5791d3 da8b3930 09f66e39 115d7f56 effd5e45 5f831118 04a7f3a9 64af0142
112ab7cc fd653c87 6dbce749 f76ebfd2 dd268502 16440f1b bf2065a0 6453f195
31ae908e c6f56da9 4a267e1c 5ac8a0be 8fc1ed0f c297d455 36fd5052 20edea05
456a4285 57de9d6e 5ae07a9b f64b85f7 092d461b 2644bd0a f80a57ba 343fe99b
8723534f 4987c906 0d374618 fdbb772b c2d54b37 df3988b9 60b2256a b342fa19
ikev2_pld_payloads: payload NONCE nextpayload NONE critical 0x00 length 24
71103239 c0d255b6 c2233cbb 05680c31 8d0580bc
sa_state: INIT -> SA_INIT
ikev2_match_proposals: xform 1 <-> 1 (1): ENCR AES_CBC (keylength 256 <-> 256) 
256
ikev2_match_proposals: xform 1 <-> 1 (1): PRF HMAC_SHA2_256 (keylength 0 <-> 0)
ikev2_match_proposals: xform 1 <-> 1 (1): INTEGR HMAC_SHA2_256_128 (keylength 0 
<-> 256)
ikev2_match_proposals: xform 1 <-> 1 (1): DH MODP_2048 (keylength 0 <-> 0)
ikev2_sa_negotiate: score 4
ikev2_sa_negotiate: score 1: ENCR AES_CBC 256
ikev2_sa_negotiate: score 1: PRF HMAC_SHA2_256
ikev2_sa_negotiate: score 1: INTEGR HMAC_SHA2_256_128
ikev2_sa_negotiate: score 1: DH MODP_2048
sa_stateok: SA_INIT flags 0x00, require 0x00
sa_stateflags: 0x00 -> 0x10 sa (required 0x00 )
ikev2_sa_keys: SKEYSEED with 32 bytes
039ee5e0 aa4d8f7b 82633654 d9b09105 ea6f32f0 34cf0091 913c688f 2bbf86c3
ikev2_sa_keys: S with 68 bytes
71103239 c0d255b6 c2233cbb 05680c31 8d0580bc a8cd7537 c0f66afd 0eb51178
38b033ce af14d1a1 532e6e43 b60a6bac b082a7bb dbc919cb ca8062f7 7ab7b618
6ba359a9
ikev2_prfplus: T1 with 32 bytes
b55977ac c1bfea85 bef66337 ce2a38ef f7d8c36e f09aff52 86e318e3 c74040ce
ikev2_prfplus: T2 with 32 bytes
9f57d0bd 76a54719 f045cfea 8c9b14f8 e0895363 6f634349 1a09eab2 a894839e
ikev2_prfplus: T3 with 32 bytes
b0fd6d56 b496102d c5d310e6 b5021bbc 78122804 b99cc894 b6c907a0 fc50f0cc
ikev2_prfplus: T4 with 32 bytes
c4f255ba b4946fcc 83fa1274 d82cdcdc bbf600c6 a9d3d649 83ec1afc 53783a9f
ikev2_prfplus: T5 with 32 bytes
67184b6d ad824b7b 8c9ac4a9 308a00c7 73d62229 71c0aa8f 4042c7db 94fa7801
ikev2_prfplus: T6 with 32 bytes
f990e9ab 5a63d062 3db82d9e bed97578 2367e530 30cdcda8 34a766a7 769b422b
ikev2_prfplus: T7 with 32 bytes
3b2a07f7 81bbaf04 b7030363 3727543e fd3353fb de52a39a f71e53c7 4fec17f4
ikev2_prfplus: Tn with 224 bytes
b55977ac c1bfea85 bef66337 ce2a38ef f7d8c36e f09aff52 86e318e3 c74040ce
9f57d0bd 76a54719 f045cfea 8c9b14f8 e0895363 6f634349 1a09eab2 a894839e
b0fd6d56 b496102d c5d310e6 b5021bbc 78122804 b99cc894 b6c907a0 fc50f0cc
c4f255ba b4946fcc 83fa1274 d82cdcdc bbf600c6 a9d3d649 83ec1afc 53783a9f
67184b6d ad824b7b 8c9ac4a9 308a00c7 73d62229 71c0aa8f 4042c7db 94fa7801
f990e9ab 5a63d062 3db82d9e bed97578 2367e530 30cdcda8 34a766a7 769b422b
3b2a07f7 81bbaf04 b7030363 3727543e fd3353fb de52a39a f71e53c7 4fec17f4
ikev2_sa_keys: SK_d with 32 bytes
b55977ac c1bfea85 bef66337 ce2a38ef f7d8c36e f09aff52 86e318e3 c74040ce
ikev2_sa_keys: SK_ai with 32 bytes
9f57d0bd 76a54719 f045cfea 8c9b14f8 e0895363 6f634349 1a09eab2 a894839e
ikev2_sa_keys: SK_ar with 32 bytes
b0fd6d56 b496102d c5d310e6 b5021bbc 78122804 b99cc894 b6c907a0 fc50f0cc
ikev2_sa_keys: SK_ei with 32 bytes
c4f255ba b4946fcc 83fa1274 d82cdcdc bbf600c6 a9d3d649 83ec1afc 53783a9f
ikev2_sa_keys: SK_er with 32 bytes
67184b6d ad824b7b 8c9ac4a9 308a00c7 73d62229 71c0aa8f 4042c7db 94fa7801
ikev2_sa_keys: SK_pi with 32 bytes
f990e9ab 5a63d062 3db82d9e bed97578 2367e530 30cdcda8 34a766a7 769b422b
ikev2_sa_keys: SK_pr with 32 bytes
3b2a07f7 81bbaf04 b7030363 3727543e fd3353fb de52a39a f71e53c7 4fec17f4
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NONE
ikev2_pld_parse: header ispi 0xdbc919cbca8062f7 rspi 0x7ab7b6186ba359a9 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 376 
response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
15ce65cb 4550994b 7387d432 729dcc83 0309876f 608dc22d 6806fb24 a567c3ee
5f8dcdcc b62b58b4 558248fd 0c97731f deaccc86 b595925f ce287228 6d8e2145
540a3751 3d4c99c7 e6455bce d1be26e1 97bbfcae 511f5c90 9b702448 21196c5c
67341ee6 53d2ed26 3de9900a 3e4f27c8 53ca384c f87c2b90 7d5dc3a5 9ac3dcf7
14f04863 5382a24f 7e9d997c 3999cdf9 525ec115 38ed6b61 316d544d e7caf2f8
e6b2b2c2 34fc0989 4f18687e 6d7c78a6 4728316c e306244f c2a424b0 a418dbcb
7da33db1 13634e27 42268d4a d4ae3746 b730a634 95994eaa 83445516 b43b786d
d8f33872 ae1c242b 36619a8c 96da9574 7d42c70c 9aff35f2 576d6c3d f466ba75
ikev2_pld_payloads: payload NONCE nextpayload NONE critical 0x00 length 36
a8cd7537 c0f66afd 0eb51178 38b033ce af14d1a1 532e6e43 b60a6bac b082a7bb
ikev2_msg_send: IKE_SA_INIT response from 1.1.3.1:500 to 1.1.4.2:500 msgid 0, 
376 bytes
config_free_proposals: free 0xa17d5119480
ikev2_recv: IKE_SA_INIT request from initiator 1.1.4.2:500 to 1.1.3.1:500 
policy 'vpn_lab' id 0, 364 bytes
ikev2_recv: ispi 0xdbc919cbca8062f7 rspi 0x0000000000000000
ikev2_recv: updated SA to peer 1.1.4.2:500 local 1.1.3.1:500
ikev2_resp_recv: SA already exists
ikev2_recv: IKE_SA_INIT request from initiator 1.1.4.2:500 to 1.1.3.1:500 
policy 'vpn_lab' id 0, 364 bytes
ikev2_recv: ispi 0xdbc919cbca8062f7 rspi 0x0000000000000000
ikev2_recv: IKE_SA_INIT request from initiator 1.1.4.2:500 to 1.1.3.1:500 
policy 'vpn_lab' id 0, 364 bytes
ikev2_recv: ispi 0xdbc919cbca8062f7 rspi 0x0000000000000000
ikev2_recv: IKE_SA_INIT request from initiator 1.1.4.2:500 to 1.1.3.1:500 
policy 'vpn_lab' id 0, 364 bytes
ikev2_recv: ispi 0xdbc919cbca8062f7 rspi 0x0000000000000000
ikev2_recv: IKE_SA_INIT request from initiator 1.1.4.2:500 to 1.1.3.1:500 
policy 'vpn_lab' id 0, 364 bytes
ikev2_recv: ispi 0xdbc919cbca8062f7 rspi 0x0000000000000000
ikev2_recv: IKE_SA_INIT request from initiator 1.1.4.2:500 to 1.1.3.1:500 
policy 'vpn_lab' id 0, 364 bytes
ikev2_recv: ispi 0xdbc919cbca8062f7 rspi 0x0000000000000000
^Cca exiting, pid 9435
ikev2 exiting, pid 12189
ikev1 exiting, pid 28835
parent terminating
root@fw-lab-01-node0:~#


root@fw-lab-01-node0:~# tcpdump -nei pflog0 port 500 or esp
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
09:05:06.583006 rule 28.external.6/(match) pass in on vmx0: 1.1.4.2.500 > 
1.1.3.1.500: isakmp v2.0 exchange IKE_SA_INIT
        cookie: fc1a7032dc6dca4f->0000000000000000 msgid: 00000000 len: 364
09:05:31.502453 rule 28.external.1/(match) pass out on vmx0: 1.1.3.2.500 > 
1.1.4.2.500: isakmp v2.0 exchange IKE_SA_INIT
        cookie: fc1a7032dc6dca4f->6d6ec5e5ba4025e7 msgid: 00000000 len: 376
09:05:35.066184 rule 28.external.1/(match) pass out on vmx0: 1.1.3.2.500 > 
86.107.205.162.500: isakmp v2.0 exchange IKE_SA_INIT
        cookie: 378d8ecfd7bed230->246bb1ec6d892871 msgid: 00000000 len: 376
09:06:53.424084 rule 28.external.6/(match) pass in on vmx0: 1.1.4.2.500 > 
1.1.3.1.500: isakmp v2.0 exchange IKE_SA_INIT
        cookie: fc1a7032dc6dca4f->0000000000000000 msgid: 00000000 len: 364
09:08:03.045205 rule 28.external.6/(match) pass in on vmx0: 1.1.4.2.500 > 
1.1.3.1.500: isakmp v2.0 exchange IKE_SA_INIT
        cookie: dbc919cbca8062f7->0000000000000000 msgid: 00000000 len: 364
09:08:03.064505 rule 28.external.1/(match) pass out on vmx0: 1.1.3.2.500 > 
1.1.4.2.500: isakmp v2.0 exchange IKE_SA_INIT
        cookie: dbc919cbca8062f7->7ab7b6186ba359a9 msgid: 00000000 len: 376

^C
462 packets received by filter
0 packets dropped by kernel
root@fw-lab-01-node0:~#



If I start IKED in passive mode and let sasyncd switch the mode based on the 
carp status, the gateway does not reply to the IKEv2 packets at all. Even though 
IKED is started with verbose logging, no log entries appear at all after sasyncd has 
switched the mode to active.


root@fw-lab-01-node0:~# iked -dSvv
ca_privkey_serialize: type RSA_KEY length 1190
ca_pubkey_serialize: type RSA_KEY length 270
ca_reload: local cert type RSA_KEY
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
/etc/iked.conf: loaded 2 configuration rules
config_getocsp: ocsp_url none
config_getpolicy: received policy
ikev2 "vpn_lab" passive esp inet from 172.20.0.0/16 to 172.16.0.0/16 from 
172.21.0.0/16 to 172.16.0.0/16 local 1.1.3.1 peer 1.1.4.2 ikesa enc aes-256 prf 
hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256 group modp2048 childsa enc 
aes-256 auth hmac-sha2-256 group modp2048 srcid 1.1.3.1 dstid 1.1.4.2 
ikelifetime 28800 lifetime 3600 bytes 536870912 psk *****************
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 7
config_getsocket: received socket fd 8
config_getmode: mode active -> passive
config_getmode: mode passive -> active

^Ccontrol exiting, pid 97322
ikev2 exiting, pid 78182
ca exiting, pid 63356
parent terminating
root@fw-lab-01-node0:~#


root@fw-lab-01-node0:~# tcpdump -nei pflog0 port 500 or esp
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
10:00:15.776540 rule 28.external.6/(match) pass in on vmx0: 1.1.4.2.500 > 
1.1.3.1.500: isakmp v2.0 exchange IKE_SA_INIT
        cookie: 0ad123b899395d35->0000000000000000 msgid: 00000000 len: 364

^C
312 packets received by filter
0 packets dropped by kernel
root@fw-lab-01-node0:~#



My sasyncd.conf:

# $OpenBSD: sasyncd.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
# sample sasyncd configuration file
# see sasyncd.conf(5)

# IP addresses or hostnames of sasyncd(8) peers.
#peer 172.20.0.2
#peer 172.20.0.3
#peer 172.20.0.4
peer 172.20.100.19

# Track master/slave state on this carp(4) interface.
#interface carp1
interface carp0

# Shared AES key, 16/24/32 bytes.
#sharedkey 0x349fec85c11f6b658d5c457d4668e035f11dfdccb849d5053a8763787b74db70
sharedkey *****************

control iked


Any help would be appreciated.

Regards,
Bernd
