Hello,

thanks for the reply.

> Hello
> 
> On 01/30/18 22:00, Peter Müller wrote:
> > Hello *,
> > 
> > I am trying to set up an IPsec connection between OpenBSD 6.2
> > and an IPFire firewall, while the OpenBSD is a road warrior.
> > There, I use "iked", while the firewall is running "strongswan".
> > 
> > After struggling with some cryptography issues (curve25519 and
> > brainpool512 did not work, neither did aes-gcm), the IKE
> > connection is now established, but the firewall requires a
> > request for a virtual IP:
> > 
> > [log snippet from "iked" @ OpenBSD:]
> > ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 12
> > ikev2_pld_notify: protoid NONE spisize 0 type AUTH_LIFETIME
> > ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 8
> > ikev2_pld_notify: protoid NONE spisize 0 type FAILED_CP_REQUIRED
> > 
> > [log snippet from "strongswan" @ IPFire:]
> > 21:45:26 charon:  07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(FAIL_CP_REQ) ]
> > 21:45:26 charon:  07[IKE] failed to establish CHILD_SA, keeping IKE_SA
> > 21:45:26 charon:  07[IKE] configuration payload negotiation failed, no CHILD_SA built
> > 21:45:26 charon:  07[IKE] expected a virtual IP request, sending FAILED_CP_REQUIRED
> > 
> > Until now, I tried inserting the following directives to my
> > /etc/iked.conf - without luck, they didn't seem to change anything:
> > 
> > (1) config address 10.XXX.XXX.XXX
> > 
> > (2) config address 10.XXX.XXX.XXX/24
> > 
> > (3) config address 10.XXX.XXX.XXX\
> >      config address 10.XXX.XXX.XXX/24
> > 
> > How do I configure "iked" to request a virtual IP?
> > 
> > Any help is highly appreciated, since I am flying blind here.
> > 
> > Thanks and best regards,
> > Peter Müller
> >   
> 
> Last time I looked, OpenIKED was not yet able to request a config 
> payload, only reply to one. Looking at the source code of iked confirms 
> this.
I see. Since IPFire requires a request for a virtual IP address when
using a road warrior IPsec connection, OpenBSD seems to be incompatible then.

A workaround might be a net-to-net IPsec connection, with a /32 announcement
at the side of the OpenBSD machine. Will try that and report.

Best regards,
Peter Müller
> 
> /src/sbin/iked/ikev2.c
> ========================
> ssize_t
> ikev2_add_cp(struct iked *env, struct iked_sa *sa, struct ibuf *buf)
> {
> ...
>       switch (sa->sa_cp) {
>       case IKEV2_CP_REQUEST:
>               cp->cp_type = IKEV2_CP_REPLY;
>               break;
>       case IKEV2_CP_REPLY:
>       case IKEV2_CP_SET:
>       case IKEV2_CP_ACK:
>               /* Not yet supported */ <===!!!
>               return (-1);
>       }
> ...
> 
> Cheers Kim
> 

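The two Notify payloads that iked logs above (AUTH_LIFETIME followed by FAILED_CP_REQUIRED, lengths 12 and 8) are plain IKEv2 Notify structures as defined in RFC 7296 section 3.10, so they can be decoded by hand to confirm what strongSwan is telling the client. The decoder below is an added example and is not code from the thread, from OpenIKED or from strongSwan. The payload and notify type numbers (NOTIFY = 41, FAILED_CP_REQUIRED = 37, AUTH_LIFETIME = 16403) come from the IANA IKEv2 registries; the sample bytes are constructed to match the logged fields, and the 3600-second lifetime inside the AUTH_LIFETIME data is an assumed value, since the log does not show it.

```python
"""Decode a chain of IKEv2 Notify payloads (RFC 7296 section 3.10).

Added example for the thread above; not part of iked or strongSwan.
"""
import struct

# Payload type numbers from the IKEv2 "Next Payload" registry.
PAYLOAD_NONE = 0
PAYLOAD_NOTIFY = 41

# Notify Message Types that appear in the quoted iked log.
NOTIFY_TYPES = {
    37: "FAILED_CP_REQUIRED",   # RFC 7296 section 3.10.1
    16403: "AUTH_LIFETIME",     # RFC 4478
}

# Protocol ID field of the Notify payload; 0 means "not tied to an SA".
PROTOCOL_IDS = {0: "NONE", 1: "IKE", 2: "AH", 3: "ESP"}


def _payload_name(ptype: int) -> str:
    return {PAYLOAD_NONE: "NONE", PAYLOAD_NOTIFY: "NOTIFY"}.get(ptype, str(ptype))


def parse_notify_chain(data: bytes, first_payload: int = PAYLOAD_NOTIFY) -> list:
    """Walk a decrypted payload chain made only of Notify payloads.

    `first_payload` is the Next Payload value from the preceding header
    (the Encrypted payload, when the chain was decrypted as in the log).
    Each Notify payload is: generic header (next payload, critical/flags,
    length) then protocol ID, SPI size, notify type, SPI, notify data.
    """
    payloads = []
    offset = 0
    next_payload = first_payload
    while next_payload != PAYLOAD_NONE:
        if next_payload != PAYLOAD_NOTIFY:
            raise ValueError(f"unsupported payload type {next_payload}")
        if len(data) - offset < 8:
            raise ValueError("truncated Notify payload")
        nxt, flags, length, protoid, spisize, ntype = struct.unpack_from(
            "!BBHBBH", data, offset)
        # Length covers the whole payload; it can never be shorter than the
        # fixed 8 bytes plus the SPI, and must fit inside the buffer.
        if length < 8 + spisize or offset + length > len(data):
            raise ValueError("bad Notify payload length")
        spi = data[offset + 8: offset + 8 + spisize]
        ndata = data[offset + 8 + spisize: offset + length]
        payloads.append({
            "nextpayload": _payload_name(nxt),
            "critical": flags,            # raw flags byte, as iked prints it
            "length": length,
            "protoid": PROTOCOL_IDS.get(protoid, str(protoid)),
            "spisize": spisize,
            "spi": spi,
            "type": NOTIFY_TYPES.get(ntype, str(ntype)),
            "data": ndata,
        })
        offset += length
        next_payload = nxt
    if offset != len(data):
        raise ValueError("trailing bytes after the final payload")
    return payloads


def format_like_iked(payloads: list) -> list:
    """Render the parsed chain in the same shape as the iked log lines."""
    lines = []
    for p in payloads:
        lines.append("ikev2_pld_payloads: decrypted payload NOTIFY nextpayload "
                     f"{p['nextpayload']} critical 0x{p['critical']:02x} "
                     f"length {p['length']}")
        lines.append(f"ikev2_pld_notify: protoid {p['protoid']} "
                     f"spisize {p['spisize']} type {p['type']}")
    return lines


def cp_required(payloads: list) -> bool:
    """True when the responder demanded a configuration payload request."""
    return any(p["type"] == "FAILED_CP_REQUIRED" for p in payloads)


def auth_lifetime(payloads: list):
    """Return the AUTH_LIFETIME value in seconds (4-byte big-endian), or None."""
    for p in payloads:
        if p["type"] == "AUTH_LIFETIME" and len(p["data"]) == 4:
            return struct.unpack("!I", p["data"])[0]
    return None


# Constructed sample matching the logged fields: AUTH_LIFETIME (next payload
# NOTIFY, length 12, assumed lifetime 3600 s) then FAILED_CP_REQUIRED
# (next payload NONE, length 8, no data).
SAMPLE = bytes.fromhex("2900000c0000401300000e10" "0000000800000025")

if __name__ == "__main__":
    parsed = parse_notify_chain(SAMPLE)
    print("\n".join(format_like_iked(parsed)))
    print("responder requires a CP request:", cp_required(parsed))
    print("auth lifetime (s):", auth_lifetime(parsed))
```

Run stand-alone, the script reproduces the four iked log lines from the raw bytes and reports that the responder insists on a configuration payload request, which is exactly the condition Kim's source excerpt shows OpenIKED cannot satisfy as an initiator.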
