Hello,
thanks for the reply.
> Hello
>
> On 01/30/18 22:00, Peter Müller wrote:
> > Hello *,
> >
> > I am trying to set up an IPsec connection between OpenBSD 6.2
> > and an IPFire firewall, while the OpenBSD is a road warrior.
> > There, I use "iked", while the firewall is running "strongswan".
> >
> > After struggling with some cryptography issues (curve25519 and
> > brainpool512 did not work, neither did aes-gcm), the IKE
> > connection is now established, but the firewall requires a
> > request for a virtual IP:
> >
> > [log snippet from "iked" @ OpenBSD:]
> > ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical
> > 0x00 length 12
> > ikev2_pld_notify: protoid NONE spisize 0 type AUTH_LIFETIME
> > ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00
> > length 8
> > ikev2_pld_notify: protoid NONE spisize 0 type FAILED_CP_REQUIRED
> >
> > [log snippet from "strongswan" @ IPFire:]
> > 21:45:26 charon: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH
> > N(AUTH_LFT) N(FAIL_CP_REQ) ]
> > 21:45:26 charon: 07[IKE] failed to establish CHILD_SA, keeping IKE_SA
> > 21:45:26 charon: 07[IKE] configuration payload negotiation failed, no
> > CHILD_SA built
> > 21:45:26 charon: 07[IKE] expected a virtual IP request, sending
> > FAILED_CP_REQUIRED
> >
> > Until now, I tried inserting the following directives to my
> > /etc/iked.conf - without luck, they didn't seem to change anything:
> >
> > (1) config address 10.XXX.XXX.XXX
> >
> > (2) config address 10.XXX.XXX.XXX/24
> >
> > (3) config address 10.XXX.XXX.XXX\
> > config address 10.XXX.XXX.XXX/24
> >
> > How do I configure "iked" to request a virtual IP?
> >
> > Any help is highly appreciated, since I am flying blind here.
> >
> > Thanks and best regards,
> > Peter Müller
> >
>
> Last time I looked, OpenIKED was not yet able to request a config
> payload, only reply to one. Looking at the source code of iked confirms
> this.
I see. Since IPFire requires a request for a virtual IP address when
using a road warrior IPsec connection, OpenBSD seems to be incompatible then.
A workaround might be a net-to-net IPsec connection, with a /32 announcement
at the side of the OpenBSD machine. Will try that and report.
Best regards,
Peter Müller
>
> /src/sbin/iked/ikev2.c
> ========================
> ssize_t
> ikev2_add_cp(struct iked *env, struct iked_sa *sa, struct ibuf *buf)
> {
> ...
> switch (sa->sa_cp) {
> case IKEV2_CP_REQUEST:
> cp->cp_type = IKEV2_CP_REPLY;
> break;
> case IKEV2_CP_REPLY:
> case IKEV2_CP_SET:
> case IKEV2_CP_ACK:
> /* Not yet supported */ <===!!!
> return (-1);
> }
> ...
>
> Cheers Kim
>
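As an added illustration (not part of the thread, and not iked's or strongSwan's code): the payload strongSwan was waiting for is an IKEv2 Configuration Payload of type CFG_REQUEST carrying an INTERNAL_IP4_ADDRESS attribute, per RFC 7296 section 3.15. The encoder/decoder below uses the RFC's CFG types (the same four iked's switch statement handles), and the 10.0.0.5 reply address in the test is a constructed sample.

```python
# Added example (not from the thread): encode and decode an IKEv2 Configuration
# Payload (RFC 7296, section 3.15). strongSwan's FAILED_CP_REQUIRED means the
# IKE_AUTH request carried no CFG_REQUEST for a virtual IP; this is that payload.
import struct
from ipaddress import IPv4Address

CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4  # same set as iked's IKEV2_CP_*
CFG_TYPE_NAME = {1: "CFG_REQUEST", 2: "CFG_REPLY", 3: "CFG_SET", 4: "CFG_ACK"}
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_DNS = 1, 3         # attribute types (RFC 7296)
ATTR_NAME = {1: "INTERNAL_IP4_ADDRESS", 3: "INTERNAL_IP4_DNS"}

def build_cp(cfg_type, attrs, next_payload=0):
    """attrs: list of (attribute_type, value_bytes). An empty value inside a
    CFG_REQUEST means 'assign me any address of this kind'."""
    body = b"".join(struct.pack("!HH", atype & 0x7FFF, len(val)) + val
                    for atype, val in attrs)
    # generic payload header (next payload, C bit + reserved, length), then
    # CFG type and three reserved bytes
    return struct.pack("!BBH", next_payload, 0, 8 + len(body)) + \
        struct.pack("!B3x", cfg_type) + body

def parse_cp(data):
    """Decode one CP payload; raise ValueError on anything malformed."""
    if len(data) < 8:
        raise ValueError("CP payload shorter than its fixed header")
    _, flags, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or flags & 0x7F:
        raise ValueError("bad payload length or non-zero reserved bits")
    if data[4] not in CFG_TYPE_NAME:
        raise ValueError("unknown CFG type %d" % data[4])
    attrs, off = [], 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        if atype & 0x8000:
            raise ValueError("reserved R bit set in attribute type")
        val = data[off + 4:off + 4 + alen]
        if len(val) != alen:
            raise ValueError("attribute value runs past payload end")
        attrs.append((atype, val))
        off += 4 + alen
    return CFG_TYPE_NAME[data[4]], attrs

def describe(attrs):
    # human-readable form to compare against a charon/iked log line
    return ["%s=%s" % (ATTR_NAME.get(t, "ATTR_%d" % t),
                       str(IPv4Address(v)) if len(v) == 4 else "<any>")
            for t, v in attrs]
```

A CFG_REQUEST with an empty INTERNAL_IP4_ADDRESS value asks the responder to pick any address from its pool; the responder's CFG_REPLY carries the assigned address in the same attribute.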