On 29 June 2017, Liviu Daia <[email protected]> wrote:
[...]
> On the server:
>
> # iked -d
> ikev2_recv: IKE_SA_INIT request from initiator 89.136.163.27:500 to
> x.y.z.t:500 policy 'sb1' id 0, 510 bytes
> ikev2_msg_send: IKE_SA_INIT response from x.y.z.t:500 to 89.136.163.27:500
> msgid 0, 471 bytes
> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500
> policy 'sb1' id 1, 1520 bytes
> ikev2_msg_send: IKE_AUTH response from x.y.z.t:500 to 89.136.163.27:500 msgid
> 1, 1440 bytes
> sa_state: VALID -> ESTABLISHED from 89.136.163.27:500 to x.y.z.t:500 policy
> 'sb1'
> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500
> policy 'sb1' id 2, 1520 bytes
> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500
> policy 'sb1' id 2, 1520 bytes
> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500
> policy 'sb1' id 2, 1520 bytes
> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500
> policy 'sb1' id 2, 1520 bytes
>
> On the home router:
>
> # iked -d
> set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/x.y.z.t
> ikev2_msg_send: IKE_SA_INIT request from 89.136.163.27:500 to x.y.z.t:500
> msgid 0, 510 bytes
> ikev2_recv: IKE_SA_INIT response from responder x.y.z.t:500 to
> 89.136.163.27:500 policy 'home' id 0, 471 bytes
> ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 msgid
> 1, 1520 bytes
> ikev2_recv: IKE_AUTH response from responder x.y.z.t:500 to 89.136.163.27:500
> policy 'home' id 1, 1440 bytes
> ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
> ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 msgid
> 2, 1520 bytes
>
> The warning about pubkey doesn't go away if I copy the server's
> certificate to /etc/iked/pubkeys/ipv4/x.y.z.t, nor if I install it in
> /etc/iked/certs. And then there's this, which doesn't look normal:
>
> ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
[...]
Ok this post sent me on the right course:
http://www.going-flying.com/blog/mikrotik-openbsd-ikev2.html
Here's what I did:
cd /etc/ssl/vpn/private
openssl rsa -in x.y.z.t.key -pubout -out ~/x.y.z.t
... copy ~/x.y.z.t to /etc/iked/pubkeys/ipv4 on the home router.
After that the VPN works, I can send packets from a machine at home
and I'm seeing them on enc0 on the remote server:
# tcpdump -n -i enc0
tcpdump: listening on enc0, link-type ENC
05:14:04.103254 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2 >
10.0.0.102: icmp: echo request (encap)
05:14:05.134106 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2 >
10.0.0.102: icmp: echo request (encap)
05:14:06.137831 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2 >
10.0.0.102: icmp: echo request (encap)
...
However, I'm now running into what seems to be a firewall problem,
an I'm getting no answer. I do have "pass quick inet proto esp" on both
VPN ends. Any idea where / how to fix this?
Also, IPs aren't assigned automatically to the VPN ends. I can
add them to hostname.enc0, but is this the right thing to do? I tried
adding a line
config address 10.0.0.102
to /etc/iked.conf, but that's rejected as a syntax error. A clue stick
again please?
Regards,
Liviu Daia
