I am far from an expert; having issues myself at the moment, but maybe
if we get all of the iked experimenters together, we can figure it out
:) 

First, try "-dvv" ... an extra "v" might give more info. 

Next, from the existing trace it looks like your endpoint responds,
which is good, but your OpenBSD side doesn't seem to like it. 

My (uneducated) guess is that you should see what encryption pairs for
both phases are configured on the endpoint, and try to explicitly
specify them in your configuration. 

Also make sure that you are not firewalling ESP, et al. Check the docs
on what to allow in PF. "tcpdump" the egress interface (and/or pflog0)
to check whether you have anything going to /dev/null.

---
Igor V. Gubenko 

System Engineer 

On 2018-02-15 09:14, Joel Carnat wrote:

> Hi,
> 
> My FTTH home-box provides IKEv2 server support.
> I connected my iPhone, via 3G, to it. I can now access my internal home-LAN. 
> So I know it works.
> 
> I want to do the same with an OpenBSD server hosted in "the Cloud" ; in 
> transport mode as far as I understood the docs.
> I've struggled with ipsec.conf(5), ipsecctl(8) and iked(8) for a couple of 
> hours now but I can't connect OpenBSD to the box.
> 
> The home-box is using IKEv2 and User/Password authentication mode.
> The OpenBSD machine is on 6.2/amd64.
> 
> I have configured iked.conf(5) like this:
> ikev2 active esp \
> from egress to 192.168.0.0/24 \
> peer 78.192.10.15
> 
> And running iked(8) goes:
> # iked -dv
> set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/78.192.10.15
> ikev2 "policy1" active esp inet from 108.61.176.54 to 192.168.0.0/24 local 
> any peer 78.192.10.15 ikesa enc aes-256,aes-192,aes-128,3des prf 
> hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group 
> modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth 
> hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 rfc7427
> ikev2_msg_send: IKE_SA_INIT request from 0.0.0.0:500 to 78.192.10.15:500 
> msgid 0, 510 bytes
> ikev2_recv: IKE_SA_INIT response from responder 78.192.10.15:500 to 
> 108.61.176.54:500 policy 'policy1' id 0, 456 bytes
> 
> And that's all :(
> 
> Is there a way to use login/password authentication with iked(8)?
> Or am I just not using the right software? In which case, what would the 
> proper tool be?
> 
> Thanks for the help.

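Putting Igor's suggestions into one runnable script, as an added example that is not part of the thread: it writes an iked.conf that pins one proposal per phase instead of iked's default lists, writes the PF rules that let IKE (UDP/500), NAT-T (UDP/4500) and ESP through, then syntax-checks both and watches the wire. The two addresses and the home network are the ones from Joel's trace; the policy name, identities, the chosen proposals and the PSK are assumptions. Two caveats on authentication: the first line of Joel's trace shows iked looking for the peer's RSA key under /etc/iked/pubkeys/ipv4/, which is its default when no psk is given, and the psk used here is not the home box's user/password method (in iked.conf(5) the eap keyword authenticates an initiator, i.e. it applies when iked is the server side).

```shell
#!/bin/sh
# Added example for the thread above, not code from it or from OpenBSD.
# Run on the OpenBSD host; iked(8), pfctl(8), tcpdump(8) and ipsecctl(8) are base tools.

PEER=78.192.10.15          # home box, from the trace in the thread
LOCAL=108.61.176.54        # cloud host, from the trace in the thread
HOME_NET=192.168.0.0/24    # home LAN, from the thread
PSK='replace-with-the-shared-secret'   # assumption: the box also accepts a PSK

# Print an iked.conf that states the IKE SA and child SA proposals explicitly.
# Match every value here to what the home box is configured with.
iked_conf() {
    cat <<EOF
# Policy name and identities are assumptions; addresses are from the thread.
ikev2 "homebox" active esp \\
    from egress to ${HOME_NET} \\
    local ${LOCAL} peer ${PEER} \\
    ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \\
    childsa enc aes-256 auth hmac-sha2-256 \\
    srcid ${LOCAL} dstid ${PEER} \\
    psk "${PSK}"
EOF
}

# Print the PF rules needed for IKE, NAT-T and ESP with this one peer,
# plus the decrypted traffic that shows up on enc0.
pf_rules() {
    cat <<EOF
# IKE (UDP/500) and NAT-T (UDP/4500), both directions with the peer
pass in  quick on egress proto udp from ${PEER} to (egress) port { 500, 4500 }
pass out quick on egress proto udp from (egress) to ${PEER} port { 500, 4500 }
# ESP itself (IP protocol 50)
pass in  quick on egress proto esp from ${PEER} to (egress)
pass out quick on egress proto esp from (egress) to ${PEER}
# cleartext side of the tunnel
pass on enc0 from (egress) to ${HOME_NET} keep state (if-bound)
pass on enc0 from ${HOME_NET} to (egress) keep state (if-bound)
EOF
}

# Parse both files without activating anything, then look at what actually
# crosses the egress interface, what PF logs as blocked, and whether an SA exists.
run_checks() {
    iked_conf > /tmp/iked.conf.test
    pf_rules  > /tmp/pf.ipsec.test
    iked -nvf /tmp/iked.conf.test      # -n: config test only, -v: show the parsed policy
    pfctl -nf /tmp/pf.ipsec.test       # -n: parse the rules without loading them
    tcpdump -ni egress "host ${PEER} and (udp port 500 or udp port 4500 or proto 50)" &
    tcpdump -ni pflog0 "host ${PEER}"  # anything here was blocked by a "block log" rule
    ipsecctl -sa                       # established SAs, if the exchange got that far
}
```

If `iked -nv` prints the policy with your explicit proposals and the wire shows the IKE_SA_INIT response arriving (as Joel's trace already does), the next step is `iked -dvv`, which prints the proposals the responder actually chose and any authentication failure that follows.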