Hello *,

I am trying to set up an IPsec connection between OpenBSD 6.2 and an IPFire firewall, while the OpenBSD is a road warrior. There, I use "iked", while the firewall is running "strongswan".

After struggling with some cryptography issues (curve25519 and brainpool512 did not work, neither did aes-gcm), the IKE connection is now established, but the firewall requires a request for a virtual IP:

[log snippet from "iked" @ OpenBSD:]

    ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 12
    ikev2_pld_notify: protoid NONE spisize 0 type AUTH_LIFETIME
    ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 8
    ikev2_pld_notify: protoid NONE spisize 0 type FAILED_CP_REQUIRED

[log snippet from "strongswan" @ IPFire:]

    21:45:26 charon: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(FAIL_CP_REQ) ]
    21:45:26 charon: 07[IKE] failed to establish CHILD_SA, keeping IKE_SA
    21:45:26 charon: 07[IKE] configuration payload negotiation failed, no CHILD_SA built
    21:45:26 charon: 07[IKE] expected a virtual IP request, sending FAILED_CP_REQUIRED

Until now, I tried inserting the following directives to my /etc/iked.conf - without luck, they didn't seem to change anything:

(1) config address 10.XXX.XXX.XXX
(2) config address 10.XXX.XXX.XXX/24
(3) config address 10.XXX.XXX.XXX\ config address 10.XXX.XXX.XXX/24

How do I configure "iked" to request a virtual IP?

Any help is highly appreciated, since I am flying blind here.

Thanks and best regards,
Peter Müller