On 6/16/20 1:35 PM, Patrick Wildt wrote:
> On Tue, Jun 16, 2020 at 01:09:32PM -0400, Daniel Ouellet wrote:
>> Hi Tobias,
>>
>> I put below the full configuration and the flows, with the 6.6 binary and
>> then after switching to the 6.7 binary without any other changes, as well
>> as the full config.
>>
>> The config may be a bit weird at first, as I tunnel routable IPs over
>> iked over a Verizon Fios line. You can't get routable IPs from Fios and I
>> have a need for them. So that has been my way around it for years now.
>>
>> Anyway, here below:
>>
>> gateway$ doas cat /etc/ipsec.conf
>> flow esp out from ::/0 to ::/0 type deny
>> flow esp from 66.63.44.64/27 to 66.63.44.96/28 type bypass
>> flow esp from 66.63.44.96/28 to 66.63.44.64/27 type bypass
>> flow esp from 66.63.44.67 to 66.63.44.97 type bypass
>> flow esp from 66.63.44.90 to 66.63.44.97 type bypass
>>
>> (The above was to allow the two local subnets to talk to one another, as
>> they are in different DMZs. I can delete that config and it changes
>> nothing anyway. Just wanted to write why in case you wonder.)
>>
>> gateway$ doas cat /etc/iked.conf
>> # All IPs from 66.63.44.79 are Etienne's computer to Riot on AS 6507 in Ashburn.
>> ikev2 "VPN" active esp inet from re0 to tunnel.realconnect.com
>>
>> ikev2 "Flow" active \
>>         from re1 to tunnel.realconnect.com \
>>         from re1 to stats.realconnect.com \
>>         from 66.63.44.66 to 0.0.0.0/0 \
>>         from 66.63.44.67 to 66.63.0.0/18 \
>>         from home.ouellet.us to 0.0.0.0/0 \
>>         from 66.63.44.96/28 to 0.0.0.0/0 \
>>         from 66.63.44.79 to 43.229.64.0/22 \
>>         from 66.63.44.79 to 45.7.36.0/22 \
>>         from 66.63.44.79 to 103.240.224.0/22 \
>>         from 66.63.44.79 to 104.160.128.0/19 \
>>         from 66.63.44.79 to 162.249.72.0/21 \
>>         from 66.63.44.79 to 185.40.64.0/22 \
>>         from 66.63.44.79 to 192.64.168.0/21 \
>>         peer tunnel.realconnect.com
>>
>> (Here above, for 66.63.44.79, again weird stuff; that's only for my
>> older son. When he plays LoL over Fios it sucks! But when I tunnel it to
>> my tunnel and then directly to Equinix, where Riot is and I peer at, all
>> is great. Hard to believe, I am sure, but latency is much lower. Again,
>> not relevant, just in case you wonder. I know it's stupid, but I do a
>> lot of work from home and I need to keep the family happy too. (;)
>>
>> On 6/16/20 6:09 AM, Tobias Heider wrote:
>>> Hi Daniel,
>>>
>>> On Mon, Jun 15, 2020 at 08:04:43PM -0400, Daniel Ouellet wrote:
>>>>> Probably related to the following change documented in
>>>>> https://www.openbsd.org/faq/upgrade67.html:
>>>>>
>>>>> iked(8)/isakmpd(8). The type of incoming ipsec(4) flows installed by
>>>>> iked(8) or isakmpd(8) was changed from "use" to "require". This means
>>>>> unencrypted traffic matching the flows will no longer be accepted.
>>>>> Flows of type "use" can still be set up manually in ipsec.conf(5).
>>>>
>>>> I have what appears to be a similar problem. I used iked from 5.6 all the
>>>> way to 6.6 with no problem, well some, but I worked them out. All in the
>>>> archive.
>>>>
>>>> But going from 6.6 to 6.7 I can't get it to work anymore. Nothing
>>>> changed, same configuration, just a sysupgrade and that's it.
>>>>
>>>> I read this and I can understand the words, but maybe I am thick, but I
>>>> don't understand what to do with it.
>>>
>>> The default behavior of IPsec flows was changed to not accept unencrypted
>>> packets matching a registered flow.
>>> You can list your flows with 'ipsecctl -sf'.
>>
>> gateway$ doas ipsecctl -sf
>> flow esp in from 0.0.0.0/0 to 66.63.44.66 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 0.0.0.0/0 to 66.63.44.90 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 0.0.0.0/0 to 66.63.44.96/28 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 43.229.64.0/22 to 66.63.44.79 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 45.7.36.0/22 to 66.63.44.79 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 66.63.0.0/18 to 66.63.44.67 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 66.63.5.245 to 66.63.44.65 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 66.63.5.250 to 66.63.44.65 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 66.63.5.250 to 72.83.103.147 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 103.240.224.0/22 to 66.63.44.79 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 104.160.128.0/19 to 66.63.44.79 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 162.249.72.0/21 to 66.63.44.79 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 185.40.64.0/22 to 66.63.44.79 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 192.64.168.0/21 to 66.63.44.79 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp out from 66.63.44.65 to 66.63.5.245 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.65 to 66.63.5.250 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.66 to 0.0.0.0/0 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.67 to 66.63.0.0/18 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.79 to 43.229.64.0/22 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.79 to 45.7.36.0/22 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.79 to 103.240.224.0/22 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.79 to 104.160.128.0/19 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.79 to 162.249.72.0/21 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.79 to 185.40.64.0/22 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.79 to 192.64.168.0/21 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.90 to 0.0.0.0/0 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.96/28 to 0.0.0.0/0 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 72.83.103.147 to 66.63.5.250 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from ::/0 to ::/0 type deny
>>
>>>>
>>>> I see the require type modifier in the ipsec.conf man page, not in the
>>>> iked.conf man page.
>>>>
>>>> Do you mean whatever rules we had in iked.conf need to be in
>>>> ipsec.conf now?
>>>
>>> No, that won't work.
>>>
>>>>
>>>> I am really sorry if I don't follow the meaning of what you tried to
>>>> say, but how can this be fixed, or changed?
>>>>
>>>
>>> To help you I will need to know a bit more about your setup.
>>> In particular the architecture of your network, your iked.conf and
>>> the output of 'ipsecctl -sa' would be helpful.
>>> A more detailed description of what exactly does not work would also help.
>>
>> gateway$ doas ipsecctl -sa
>> FLOWS:
>> flow esp in from 0.0.0.0/0 to 66.63.44.66 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 0.0.0.0/0 to 66.63.44.90 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 0.0.0.0/0 to 66.63.44.96/28 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 43.229.64.0/22 to 66.63.44.79 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 45.7.36.0/22 to 66.63.44.79 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 66.63.0.0/18 to 66.63.44.67 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 66.63.5.245 to 66.63.44.65 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 66.63.5.250 to 66.63.44.65 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 66.63.5.250 to 72.83.103.147 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 103.240.224.0/22 to 66.63.44.79 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 104.160.128.0/19 to 66.63.44.79 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 162.249.72.0/21 to 66.63.44.79 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 185.40.64.0/22 to 66.63.44.79 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp in from 192.64.168.0/21 to 66.63.44.79 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
>> flow esp out from 66.63.44.65 to 66.63.5.245 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.65 to 66.63.5.250 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.66 to 0.0.0.0/0 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.67 to 66.63.0.0/18 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.79 to 43.229.64.0/22 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.79 to 45.7.36.0/22 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.79 to 103.240.224.0/22 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.79 to 104.160.128.0/19 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.79 to 162.249.72.0/21 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.79 to 185.40.64.0/22 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.79 to 192.64.168.0/21 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.90 to 0.0.0.0/0 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 66.63.44.96/28 to 0.0.0.0/0 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from 72.83.103.147 to 66.63.5.250 peer 66.63.5.250 srcid
>> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
>> flow esp out from ::/0 to ::/0 type deny
>>
>> SAD:
>> esp tunnel from 66.63.5.250 to 72.83.103.147 spi 0x9f629698 auth
>> hmac-sha2-256 enc aes-256
>> esp tunnel from 72.83.103.147 to 66.63.5.250 spi 0xba228cb0 auth
>> hmac-sha2-256 enc aes-256
>> esp tunnel from 66.63.5.250 to 72.83.103.147 spi 0xc44b9bb8 auth
>> hmac-sha2-256 enc aes-256
>> esp tunnel from 72.83.103.147 to 66.63.5.250 spi 0xc5d5aa26 auth
>> hmac-sha2-256 enc aes-256
>>
>> ============================
>>
>> Now if I put the iked 6.7 binary in instead, I see the traffic going out,
>> entering the remote tunnel, getting out of the tunnel to come back, but
>> never coming into the gateway unit.
>>
>> Nothing changed, just the 6.7 binary replacing the 6.6 binary.
>>
>> See the full display, step by step, with proof of the binary in use and all.
>>
>> Cut and pasted from the terminal as is. I can never get a flow going on
>> 6.7 with the exact same configuration as 6.6. Just using 6.6 works as
>> is. So I obviously do something wrong, I just can't say what, and I have to
>> say it's most likely really stupid, but I can't see it.
>>
>> gateway$ ls -l /sbin/iked*
>> -r-xr-xr-x  1 root  bin  436584 Jun 15 20:42 /sbin/iked
>> -r-xr-xr-x  1 root  bin  436584 Jun 15 20:42 /sbin/iked.66
>> -r-xr-xr-x  1 root  bin  448744 May  7 12:52 /sbin/iked.67
>> gateway$ date
>> Tue Jun 16 12:51:13 EDT 2020
>> gateway$ doas /etc/rc.d/iked stop
>> iked(ok)
>> gateway$ doas cp -p /sbin/iked.67 /sbin/iked
>> gateway$ doas /etc/rc.d/iked start
>> iked(ok)
>> gateway$ doas ipsecctl -sa
>> FLOWS:
>> No flows
>>
>> SAD:
>> No entries
>> gateway$ date
>> Tue Jun 16 12:51:54 EDT 2020
>> gateway$ ls -l /sbin/iked*
>> -r-xr-xr-x  1 root  bin  448744 May  7 12:52 /sbin/iked
>> -r-xr-xr-x  1 root  bin  436584 Jun 15 20:42 /sbin/iked.66
>> -r-xr-xr-x  1 root  bin  448744 May  7 12:52 /sbin/iked.67
>>
>>
>>>> My guess is that it is simple and I don't think about it properly, but I
>>>> am hitting a road block trying to figure it out.
>>>>
>>>> I am a bit at a loss and any clue stick would be greatly appreciated.
>>>>
>>>> Thanks
>>>>
>>>> Daniel
>>>>
>>>
>>> - Tobias
>>>
>>
> 
> Hi,
> 
> thanks for the detailed input.  But there's one thing missing: the
> log output of the daemon.  It'll probably end up somewhere in
> /var/log/daemon or /var/log/messages or so.

Here you go, and you will see 3 parts here.

Running as is with 6.6, then I stop it, put in the 6.7 and restart. You
see 5 tries to connect, then I stop it and put 6.6 back, and it comes
up right away.

Was running 6.6 and did a live display of the daemon as you see below.

Jun 16 14:05:13 restarted with 6.7

and at Jun 16 14:06:28 I restarted 6.6


gateway$ tail -f /var/log/daemon
Jun 16 14:03:39 gateway iked[27523]: spi=0x9632ba418d466a4e: recv
IKE_AUTH res 1 peer 66.63.5.250:500 local 72.83.103.147:500, 752 bytes,
policy 'VPN'
Jun 16 14:03:39 gateway iked[27523]: spi=0x8d09e33663ef2175: recv
IKE_AUTH res 1 peer 66.63.5.250:500 local 72.83.103.147:500, 752 bytes,
policy 'Flow'
Jun 16 14:03:39 gateway iked[27523]: spi=0x9632ba418d466a4e: sa_state:
VALID -> ESTABLISHED from 66.63.5.250:500 to 72.83.103.147:500 policy 'VPN'
Jun 16 14:03:39 gateway iked[27523]: spi=0x8d09e33663ef2175: sa_state:
VALID -> ESTABLISHED from 66.63.5.250:500 to 72.83.103.147:500 policy 'Flow'
Jun 16 14:03:54 gateway iked[27523]: spi=0x083fea7a6461a494: recv
INFORMATIONAL req 0 peer 66.63.5.250:500 local 72.83.103.147:500, 80
bytes, policy 'Flow'
Jun 16 14:04:24 gateway iked[27523]: spi=0x083fea7a6461a494: recv
INFORMATIONAL req 1 peer 66.63.5.250:500 local 72.83.103.147:500, 80
bytes, policy 'Flow'
Jun 16 14:04:26 gateway iked[27523]: spi=0x083fea7a6461a494: recv
INFORMATIONAL req 1 peer 66.63.5.250:500 local 72.83.103.147:500, 80
bytes, policy 'Flow'
Jun 16 14:04:26 gateway iked[27523]: spi=0x083fea7a6461a494: recv
INFORMATIONAL req 0 peer 66.63.5.250:500 local 72.83.103.147:500, 80
bytes, policy 'Flow'
Jun 16 14:04:30 gateway iked[27523]: spi=0x083fea7a6461a494: recv
INFORMATIONAL req 1 peer 66.63.5.250:500 local 72.83.103.147:500, 80
bytes, policy 'Flow'
Jun 16 14:04:38 gateway iked[27523]: spi=0x083fea7a6461a494: recv
INFORMATIONAL req 1 peer 66.63.5.250:500 local 72.83.103.147:500, 80
bytes, policy 'Flow'
Jun 16 14:04:54 gateway iked[27523]: spi=0x083fea7a6461a494: recv
INFORMATIONAL req 1 peer 66.63.5.250:500 local 72.83.103.147:500, 80
bytes, policy 'Flow'
Jun 16 14:04:59 gateway iked[12930]: ca exiting, pid 12930
Jun 16 14:04:59 gateway iked[95486]: control exiting, pid 95486
Jun 16 14:04:59 gateway iked[27523]: ikev2 exiting, pid 27523
Jun 16 14:04:59 gateway iked[69349]: parent terminating
Jun 16 14:05:13 gateway iked[9507]: ikev2_init_ike_sa: initiating "VPN"
Jun 16 14:05:13 gateway iked[9507]: spi=0x0d4ab5726d8bec79: send
IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500, 278 bytes
Jun 16 14:05:13 gateway iked[9507]: ikev2_init_ike_sa: initiating "Flow"
Jun 16 14:05:13 gateway iked[9507]: spi=0x4066f22b5428a795: send
IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500, 278 bytes
Jun 16 14:05:15 gateway iked[9507]: spi=0x0d4ab5726d8bec79: retransmit 1
IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500
Jun 16 14:05:15 gateway iked[9507]: spi=0x4066f22b5428a795: retransmit 1
IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500
Jun 16 14:05:19 gateway iked[9507]: spi=0x0d4ab5726d8bec79: retransmit 2
IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500
Jun 16 14:05:19 gateway iked[9507]: spi=0x4066f22b5428a795: retransmit 2
IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500
Jun 16 14:05:27 gateway iked[9507]: spi=0x0d4ab5726d8bec79: retransmit 3
IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500
Jun 16 14:05:27 gateway iked[9507]: spi=0x4066f22b5428a795: retransmit 3
IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500
Jun 16 14:05:43 gateway iked[9507]: spi=0x0d4ab5726d8bec79: retransmit 4
IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500
Jun 16 14:05:43 gateway iked[9507]: spi=0x4066f22b5428a795: retransmit 4
IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500
Jun 16 14:06:15 gateway iked[9507]: spi=0x4066f22b5428a795: retransmit 5
IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500
Jun 16 14:06:15 gateway iked[9507]: spi=0x0d4ab5726d8bec79: retransmit 5
IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500
Jun 16 14:06:17 gateway iked[69231]: control exiting, pid 69231
Jun 16 14:06:17 gateway iked[9507]: ikev2 exiting, pid 9507
Jun 16 14:06:17 gateway iked[47099]: ca exiting, pid 47099
Jun 16 14:06:17 gateway iked[30794]: parent terminating
Jun 16 14:06:28 gateway iked[9316]: spi=0x09a42697d863649c: send
IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500, 454 bytes
Jun 16 14:06:28 gateway iked[9316]: spi=0x731358d2dfd55719: send
IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500, 454 bytes
Jun 16 14:06:28 gateway iked[9316]: spi=0x09a42697d863649c: recv
IKE_SA_INIT res 0 peer 66.63.5.250:500 local 72.83.103.147:500, 395
bytes, policy 'VPN'
Jun 16 14:06:28 gateway iked[9316]: spi=0x731358d2dfd55719: recv
IKE_SA_INIT res 0 peer 66.63.5.250:500 local 72.83.103.147:500, 395
bytes, policy 'Flow'
Jun 16 14:06:28 gateway iked[9316]: spi=0x09a42697d863649c: send
IKE_AUTH req 1 peer 66.63.5.250:500 local 72.83.103.147:500, 784 bytes
Jun 16 14:06:28 gateway iked[9316]: spi=0x731358d2dfd55719: send
IKE_AUTH req 1 peer 66.63.5.250:500 local 72.83.103.147:500, 1168 bytes
Jun 16 14:06:28 gateway iked[9316]: spi=0x09a42697d863649c: recv
IKE_AUTH res 1 peer 66.63.5.250:500 local 72.83.103.147:500, 752 bytes,
policy 'VPN'
Jun 16 14:06:28 gateway iked[9316]: spi=0x731358d2dfd55719: recv
IKE_AUTH res 1 peer 66.63.5.250:500 local 72.83.103.147:500, 752 bytes,
policy 'Flow'
Jun 16 14:06:28 gateway iked[9316]: spi=0x09a42697d863649c: sa_state:
VALID -> ESTABLISHED from 66.63.5.250:500 to 72.83.103.147:500 policy 'VPN'
Jun 16 14:06:28 gateway iked[9316]: spi=0x731358d2dfd55719: sa_state:
VALID -> ESTABLISHED from 66.63.5.250:500 to 72.83.103.147:500 policy 'Flow'
Jun 16 14:06:39 gateway iked[9316]: spi=0x8d09e33663ef2175: recv
INFORMATIONAL req 0 peer 66.63.5.250:500 local 72.83.103.147:500, 80
bytes, policy 'Flow'
Jun 16 14:06:41 gateway iked[9316]: spi=0x8d09e33663ef2175: recv
INFORMATIONAL req 0 peer 66.63.5.250:500 local 72.83.103.147:500, 80
bytes, policy 'Flow'
Jun 16 14:06:45 gateway iked[9316]: spi=0x8d09e33663ef2175: recv
INFORMATIONAL req 0 peer 66.63.5.250:500 local 72.83.103.147:500, 80
bytes, policy 'Flow'
^C
gateway$

> Since you see no SA or Flow at all, iked maybe hasn't successfully
> created them at all, and for that we need to see what iked complains
> about, which it probably did in the log files.
> 
> Best regards,
> Patrick
> 
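As an added example that is not part of this thread, a small Python audit of the `ipsecctl -sf` flow listing quoted above: it parses the flow lines, lists the inbound flows of type use (the ones that accepted unencrypted matching traffic before 6.7) and models the upgrade67 change that turns iked-installed inbound flows into require. Only the four flow types that appear in the thread (use, require, bypass, deny) are modelled, and the sample listing is a constructed subset of the thread's output, unwrapped to one flow per line.

```python
"""Audit 'ipsecctl -sf' output for the OpenBSD 6.7 'use' -> 'require' change (added example)."""
import re
from dataclasses import dataclass, replace
from typing import List, Optional

# One flow per line, as ipsecctl prints it (the thread's copy is mail-wrapped).
FLOW_RE = re.compile(
    r"^flow\s+(?P<proto>\S+)\s+(?:(?P<dir>in|out)\s+)?"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+peer\s+(?P<peer>\S+))?"
    r"(?:\s+srcid\s+\S+)?(?:\s+dstid\s+\S+)?"
    r"\s+type\s+(?P<type>\S+)\s*$"
)
# Whether a matching *unencrypted* packet is still passed under each flow type.
# Only the four types seen in the thread are modelled; others count as "no".
PLAINTEXT_ACCEPTED = {"use": True, "bypass": True, "require": False, "deny": False}

@dataclass(frozen=True)
class Flow:
    proto: str
    direction: Optional[str]  # None when ipsec.conf omitted in/out (both ways)
    src: str
    dst: str
    peer: Optional[str]       # set on iked-negotiated flows, absent on manual ones
    type: str

def parse_flows(text: str) -> List[Flow]:
    """Parse 'ipsecctl -sf' output; lines that are not flows are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append(Flow(m["proto"], m["dir"], m["src"], m["dst"],
                              m["peer"], m["type"]))
    return flows

def accepts_plaintext(flow: Flow) -> bool:
    return PLAINTEXT_ACCEPTED.get(flow.type, False)

def plaintext_inbound(flows: List[Flow]) -> List[Flow]:
    """Inbound flows that let unencrypted matching traffic in (6.6's 'use' case)."""
    return [f for f in flows if f.direction == "in" and accepts_plaintext(f)]

def apply_67_change(flows: List[Flow]) -> List[Flow]:
    """Model the upgrade67 note: inbound flows iked installed (they carry a peer)
    go from 'use' to 'require'; manually configured flows are untouched."""
    return [replace(f, type="require")
            if f.direction == "in" and f.type == "use" and f.peer is not None
            else f for f in flows]

# Constructed sample: a subset of the thread's listing, unwrapped to one line each.
SAMPLE = """\
flow esp in from 0.0.0.0/0 to 66.63.44.66 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp in from 43.229.64.0/22 to 66.63.44.79 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp out from 66.63.44.66 to 0.0.0.0/0 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp from 66.63.44.64/27 to 66.63.44.96/28 type bypass
flow esp out from ::/0 to ::/0 type deny
"""

if __name__ == "__main__":
    before = parse_flows(SAMPLE)
    for f in plaintext_inbound(before):
        print(f"6.6 accepted plaintext: {f.src} -> {f.dst} (type {f.type})")
    still = plaintext_inbound(apply_67_change(before))
    print(f"after 6.7: {len(still)} inbound flow(s) still accept plaintext")
```

Feed it the real listing with `ipsecctl -sf | python3 audit.py` after replacing SAMPLE with `sys.stdin.read()`; the manual bypass flow from ipsec.conf stays plaintext-capable either way, which is the part the upgrade note does not change.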
