Hello *,
I am trying to set up an IPsec connection between OpenBSD 6.2
and an IPFire firewall, where the OpenBSD machine is a road warrior.
There, I use "iked", while the firewall is running "strongswan".
After struggling with some cryptography issues (curve25519 and
brainpool512 did not work, neither did aes-gcm), the IKE
connection is now established, but the firewall requires a
request for a virtual IP:

[log snippet from "iked" @ OpenBSD:]
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 12
ikev2_pld_notify: protoid NONE spisize 0 type AUTH_LIFETIME
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type FAILED_CP_REQUIRED

[log snippet from "strongswan" @ IPFire:]
21:45:26 charon: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(FAIL_CP_REQ) ]
21:45:26 charon: 07[IKE] failed to establish CHILD_SA, keeping IKE_SA
21:45:26 charon: 07[IKE] configuration payload negotiation failed, no CHILD_SA built
21:45:26 charon: 07[IKE] expected a virtual IP request, sending FAILED_CP_REQUIRED

So far, I have tried inserting the following directives into my
/etc/iked.conf, without luck; they didn't seem to change anything:
(1) config address 10.XXX.XXX.XXX
(2) config address 10.XXX.XXX.XXX/24
(3) config address 10.XXX.XXX.XXX\
config address 10.XXX.XXX.XXX/24
How do I configure "iked" to request a virtual IP?
Any help is highly appreciated, since I am flying blind here.
Thanks and best regards,
Peter Müller