Hello, I hope someone could point me in the right direction with my problem I am facing with openiked on a 64bit OpenBSD 6.0-stable. I want to connect two bridged firewalls, however, it seems the connection cannot be fully established. I tried with pf disabled but that did not change anything. 2 physical interfaces are configured in the bridge with 2 vether interfaces (one being the external IP and one being the internal IP e.g.192.168.201.1) In the logs I only get:
Feb 15 23:34:02 stage03 iked[3379]: ikev2_recv: IKE_SA_INIT request from initiator 11.11.11.11:500 to 33.33.33.33:500 policy 'testing' id 0, 518 bytes Feb 15 23:34:02 stage03 iked[3379]: ikev2_msg_send: IKE_SA_INIT response from 33.33.33.33:500 to 11.11.11.11:500 msgid 0, 446 bytes UDP Ports 500 and 4500 can be reached on both ends, but the connection does not get across this point. The configuration /etc/iked.conf is very simple: ikev2 "testing" active esp \ from 192.168.101.0/24 to 192.168.201.0/24 \ local 11.11.11.11 peer 33.33.33.33 \ psk thisisjustatestpassword with "passive" and the IP-addresses switched on the other end, 11.11.11.11 and 33.33.33.33 obviously changed for posting here. On the passive host, with "iked -d -vv -f /etc/iked.conf" I do get the output in [1], on the active host, I get [2]. Maybe I just cannot see the obvious problem, however, any advice is highly appreciated. Thanks, robert [1] ca_privkey_serialize: type RSA_KEY length 1191 ca_pubkey_serialize: type RSA_KEY length 270 ikev2 "testing" passive esp inet from 192.168.201.0/24 to 192.168.101.0/24 local 33.33.33.33 peer 11.11.11.11 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 psk 0x7468697369736a757374617465737470617373776f7264 /etc/iked.conf: loaded 1 configuration rules ca_reload: local cert type RSA_KEY config_getocsp: ocsp_url none ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0 config_getpolicy: received policy config_getpfkey: received pfkey fd 3 config_getcompile: compilation done config_getsocket: received socket fd 4 config_getsocket: received socket fd 5 config_getsocket: received socket fd 6 config_getsocket: received socket fd 7 ikev2_recv: IKE_SA_INIT request from initiator 11.11.11.11:500 to 33.33.33.33:500 policy 'testing' id 0, 518 bytes ikev2_recv: ispi 0x175fc9692a413ed6 rspi 0x0000000000000000 ikev2_policy2id: srcid FQDN/stage03.testing length 18 ikev2_pld_parse: header ispi 0x175fc9692a413ed6 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 518 response 0 ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 120 ikev2_pld_sa: more 0 reserved 0 length 116 proposal #1 protoid IKE spisize 0 xforms 12 spi 0 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048_256 ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048 ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536 ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024 ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264 ikev2_pld_ke: dh group MODP_2048_256 reserved 0 ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36 ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28 ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP ikev2_nat_detection: peer source 0x175fc9692a413ed6 0x0000000000000000 11.11.11.11:500 ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28 ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP ikev2_nat_detection: peer destination 0x175fc9692a413ed6 0x0000000000000000 33.33.33.33:500 ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14 ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS ikev2_pld_notify: signature hash SHA2_256 (2) ikev2_pld_notify: signature hash SHA2_384 (3) ikev2_pld_notify: signature hash SHA2_512 (4) sa_state: INIT -> SA_INIT ikev2_sa_negotiate: score 4 sa_stateok: SA_INIT flags 0x0000, require 0x0000 sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 ) ikev2_sa_keys: SKEYSEED with 32 bytes ikev2_sa_keys: S with 80 bytes ikev2_prfplus: T1 with 32 bytes ikev2_prfplus: T2 with 32 bytes ikev2_prfplus: T3 with 32 bytes ikev2_prfplus: T4 with 32 bytes ikev2_prfplus: T5 with 32 bytes ikev2_prfplus: T6 with 32 bytes ikev2_prfplus: T7 with 32 bytes ikev2_prfplus: Tn with 224 bytes ikev2_sa_keys: SK_d with 32 bytes ikev2_sa_keys: SK_ai with 32 bytes ikev2_sa_keys: SK_ar with 32 bytes ikev2_sa_keys: SK_ei with 32 bytes ikev2_sa_keys: SK_er with 32 bytes ikev2_sa_keys: SK_pi with 32 bytes ikev2_sa_keys: SK_pr with 32 bytes ikev2_add_proposals: length 44 ikev2_next_payload: length 48 nextpayload KE ikev2_next_payload: length 264 nextpayload NONCE ikev2_next_payload: length 36 nextpayload NOTIFY ikev2_nat_detection: local source 0x175fc9692a413ed6 0xb86cd543a3ba0a2d 33.33.33.33:500 ikev2_next_payload: length 28 nextpayload NOTIFY ikev2_nat_detection: local destination 0x175fc9692a413ed6 0xb86cd543a3ba0a2d 11.11.11.11:500 ikev2_next_payload: length 28 nextpayload NOTIFY ikev2_next_payload: length 14 nextpayload NONE ikev2_pld_parse: header ispi 0x175fc9692a413ed6 rspi 0xb86cd543a3ba0a2d nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 446 response 1 ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48 ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128 ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048_256 ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264 ikev2_pld_ke: dh group MODP_2048_256 reserved 0 ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36 ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28 ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28 ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14 ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS ikev2_msg_send: IKE_SA_INIT response from 33.33.33.33:500 to 11.11.11.11:500 msgid 0, 446 bytes config_free_proposals: free 0x1e1c26e85900 [2] ca_privkey_serialize: type RSA_KEY length 1191 ca_pubkey_serialize: type RSA_KEY length 270 ikev2 "testing" active esp inet from 192.168.101.0/24 to 192.168.201.0/24 local 11.11.11.11 peer 33.33.33.33 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 psk 0x /etc/iked.conf: loaded 1 configuration rules ca_reload: local cert type RSA_KEY ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0 config_getocsp: ocsp_url none config_getpolicy: received policy config_getpfkey: received pfkey fd 3 config_getcompile: compilation done config_getsocket: received socket fd 4 config_getsocket: received socket fd 5 config_getsocket: received socket fd 6 config_getsocket: received socket fd 7 ikev2_init_ike_sa: initiating "testing" ikev2_policy2id: srcid FQDN/puffy.testing length 16 ikev2_add_proposals: length 116 ikev2_next_payload: length 120 nextpayload KE ikev2_next_payload: length 264 nextpayload NONCE ikev2_next_payload: length 36 nextpayload NOTIFY ikev2_nat_detection: local source 0x175fc9692a413ed6 0x0000000000000000 11.11.11.11:500 ikev2_next_payload: length 28 nextpayload NOTIFY ikev2_nat_detection: local destination 0x175fc9692a413ed6 0x0000000000000000 33.33.33.33:500 ikev2_next_payload: length 28 nextpayload NOTIFY ikev2_next_payload: length 14 nextpayload NONE ikev2_pld_parse: header ispi 0x175fc9692a413ed6 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 518 response 0 ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 120 ikev2_pld_sa: more 0 reserved 0 length 116 proposal #1 protoid IKE spisize 0 xforms 12 spi 0 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048_256 ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048 ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536 ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024 ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264 ikev2_pld_ke: dh group MODP_2048_256 reserved 0 ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36 ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28 ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28 ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14 ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS ikev2_msg_send: IKE_SA_INIT request from 11.11.11.11:500 to 33.33.33.33:500 msgid 0, 518 bytes sa_state: INIT -> SA_INIT ikev2_recv: IKE_SA_INIT response from responder 33.33.33.33:500 to 11.11.11.11:500 policy 'testing' id 0, 446 bytes ikev2_recv: ispi 0x175fc9692a413ed6 rspi 0xb86cd543a3ba0a2d ikev2_recv: updated SA to peer 33.33.33.33:500 local 11.11.11.11:500 ikev2_pld_parse: header ispi 0x175fc9692a413ed6 rspi 0xb86cd543a3ba0a2d nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 446 response 1 ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48 ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128 ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048_256 ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264 ikev2_pld_ke: dh group MODP_2048_256 reserved 0 ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36 ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28 ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP ikev2_nat_detection: peer source 0x175fc9692a413ed6 0xb86cd543a3ba0a2d 33.33.33.33:500 ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28 ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP ikev2_nat_detection: peer destination 0x175fc9692a413ed6 0xb86cd543a3ba0a2d 11.11.11.11:500 ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14 ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS ikev2_pld_notify: signature hash SHA2_256 (2) ikev2_pld_notify: signature hash SHA2_384 (3) ikev2_pld_notify: signature hash SHA2_512 (4) ikev2_sa_negotiate: score 4 sa_stateok: SA_INIT flags 0x0000, require 0x0008 auth ikev2_sa_keys: SKEYSEED with 32 bytes ikev2_sa_keys: S with 80 bytes ikev2_prfplus: T1 with 32 bytes ikev2_prfplus: T2 with 32 bytes ikev2_prfplus: T3 with 32 bytes ikev2_prfplus: T4 with 32 bytes ikev2_prfplus: T5 with 32 bytes ikev2_prfplus: T6 with 32 bytes ikev2_prfplus: T7 with 32 bytes ikev2_prfplus: Tn with 224 bytes ikev2_sa_keys: SK_d with 32 bytes ikev2_sa_keys: SK_ai with 32 bytes ikev2_sa_keys: SK_ar with 32 bytes ikev2_sa_keys: SK_ei with 32 bytes ikev2_sa_keys: SK_er with 32 bytes ikev2_sa_keys: SK_pi with 32 bytes ikev2_sa_keys: SK_pr with 32 bytes ikev2_msg_auth: initiator auth data length 582 ikev2_msg_authsign: no pre-shared key found ikev2_init_auth: failed to get cert config_free_proposals: free 0x1ee2eac45780 ikev2_init_ike_sa: "testing" is already active