Hi,

this doesn't look like an IKE problem if the handshake succeeds.
Try comparing the kernel SAs and flows (ipsecctl -sa on OpenBSD). 
I think strongswan, on some errors, deletes child SAs right after
the handshake; the charon log may contain more information.

- Tobias

On Wed, Jul 29, 2020 at 11:17:22PM +0200, Stephan Mending wrote:
> Hi *, 
> 
> I've been trying for a longer time now to set up a connection between a 
> strongswan server and an openbsd client, which, as it
> turns out, isn't as straightforward as I thought. No matter how I set up 
> the strongswan config, I'm running into the
> same problem. 
> 
> The connection is successfully established. When pinging the endpoint behind 
> the strongswan router I see icmp packets
> entering enc0. When listening for packets exiting the tunnel on the 
> strongswan side, it seems like there aren't any. And
> I don't see a trace of what could have happened to these packets, neither in 
> the firewall logs nor in the IPS logfiles.
> It's driving me nuts. 
> 
> I've put you in CC tobias@ because I know you're successfully running such a 
> setup. 
> 
> My configs: 
> 
> $ cat /etc/iked.conf
>       set fragmentation 
>       ikev2 'randomID' active esp \
>                       from 0.0.0.0/0 to 10.0.3.100/32 \
>                       local <local-public-addr> peer 
> <public-ip-of-strongswan-router> \
>                       ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 
> group curve25519 \
>                       childsa enc aes-256-gcm prf hmac-sha2-512 group 
> curve25519 \
>                       srcid <id-of-local-endpoint>  dstid <id-of-strongswan> \
>                       ikelifetime 7200 lifetime 3600
> 
> $ cat ipsec.conf
> conn randomID
>         left=%defaultroute
>         leftsubnet=10.0.3.100/32
>         leftfirewall=yes
>         lefthostaccess=yes
>         right=185.165.169.190
>         leftcert=/var/storage/certs/hostcert.pem
>         rightcert=/var/storage/certs/<iked-endpoint>.pem
>         leftid="<id-of-strongswan>"
>         rightid="<id-of-iked>""
>         type=tunnel
>         
> ike=chacha20poly1305-sha2_512-curve25519,chacha20poly1305-sha2_512-curve448,chacha20poly1305-sha2_512-modp4096,chacha20poly1305-sha2_512-modp3072,chacha20poly1305-sha2_512-modp2048,chacha20poly1305-sha2_256-curve25519,chacha20poly1305-sha2_256-curve448,chacha20poly1305-sha2_256-modp4096,chacha20poly1305-sha2_256-modp3072,chacha20poly1305-sha2_256-modp2048,aes256gcm128-sha2_512-curve25519,aes256gcm128-sha2_512-curve448,aes256gcm128-sha2_512-modp4096,aes256gcm128-sha2_512-modp3072,aes256gcm128-sha2_512-modp2048,aes256gcm128-sha2_256-curve25519,aes256gcm128-sha2_256-curve448,aes256gcm128-sha2_256-modp4096,aes256gcm128-sha2_256-modp3072,aes256gcm128-sha2_256-modp2048,aes256gcm96-sha2_512-curve25519,aes256gcm96-sha2_512-curve448,aes256gcm96-sha2_512-modp4096,aes256gcm96-sha2_512-modp3072,aes256gcm96-sha2_512-modp2048,aes256gcm96-sha2_256-curve25519,aes256gcm96-sha2_256-curve448,aes256gcm96-sha2_256-modp4096,aes256gcm96-sha2_256-modp3072,aes256gcm96-sha2_256-modp2048,aes256gcm64-sha2_512-curve25519,aes256gcm64-sha2_512-curve448,aes256gcm64-sha2_512-modp4096,aes256gcm64-sha2_512-modp3072,aes256gcm64-sha2_512-modp2048,aes256gcm64-sha2_256-curve25519,aes256gcm64-sha2_256-curve448,aes256gcm64-sha2_256-modp4096,aes256gcm64-sha2_256-modp3072,aes256gcm64-sha2_256-modp2048,aes256-sha2_512-curve25519,aes256-sha2_512-curve448,aes256-sha2_512-modp4096,aes256-sha2_512-modp3072,aes256-sha2_512-modp2048,aes256-sha2_256-curve25519,aes256-sha2_256-curve448,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes192gcm128-sha2_512-curve25519,aes192gcm128-sha2_512-curve448,aes192gcm128-sha2_512-modp4096,aes192gcm128-sha2_512-modp3072,aes192gcm128-sha2_512-modp2048,aes192gcm128-sha2_256-curve25519,aes192gcm128-sha2_256-curve448,aes192gcm128-sha2_256-modp4096,aes192gcm128-sha2_256-modp3072,aes192gcm128-sha2_256-modp2048,aes192gcm96-sha2_512-curve25519,aes192gcm96-sha2_512-curve448,aes192gcm96-sha2_512-modp4096,aes192gcm96-sha2_512-modp3072,aes192gcm96-sha2_512-modp204
8,aes192gcm96-sha2_256-curve25519,aes192gcm96-sha2_256-curve448,aes192gcm96-sha2_256-modp4096,aes192gcm96-sha2_256-modp3072,aes192gcm96-sha2_256-modp2048,aes192gcm64-sha2_512-curve25519,aes192gcm64-sha2_512-curve448,aes192gcm64-sha2_512-modp4096,aes192gcm64-sha2_512-modp3072,aes192gcm64-sha2_512-modp2048,aes192gcm64-sha2_256-curve25519,aes192gcm64-sha2_256-curve448,aes192gcm64-sha2_256-modp4096,aes192gcm64-sha2_256-modp3072,aes192gcm64-sha2_256-modp2048,aes192-sha2_512-curve25519,aes192-sha2_512-curve448,aes192-sha2_512-modp4096,aes192-sha2_512-modp3072,aes192-sha2_512-modp2048,aes192-sha2_256-curve25519,aes192-sha2_256-curve448,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes128gcm128-sha2_512-curve25519,aes128gcm128-sha2_512-curve448,aes128gcm128-sha2_512-modp4096,aes128gcm128-sha2_512-modp3072,aes128gcm128-sha2_512-modp2048,aes128gcm128-sha2_256-curve25519,aes128gcm128-sha2_256-curve448,aes128gcm128-sha2_256-modp4096,aes128gcm128-sha2_256-modp3072,aes128gcm128-sha2_256-modp2048,aes128gcm96-sha2_512-curve25519,aes128gcm96-sha2_512-curve448,aes128gcm96-sha2_512-modp4096,aes128gcm96-sha2_512-modp3072,aes128gcm96-sha2_512-modp2048,aes128gcm96-sha2_256-curve25519,aes128gcm96-sha2_256-curve448,aes128gcm96-sha2_256-modp4096,aes128gcm96-sha2_256-modp3072,aes128gcm96-sha2_256-modp2048,aes128gcm64-sha2_512-curve25519,aes128gcm64-sha2_512-curve448,aes128gcm64-sha2_512-modp4096,aes128gcm64-sha2_512-modp3072,aes128gcm64-sha2_512-modp2048,aes128gcm64-sha2_256-curve25519,aes128gcm64-sha2_256-curve448,aes128gcm64-sha2_256-modp4096,aes128gcm64-sha2_256-modp3072,aes128gcm64-sha2_256-modp2048,aes128-sha2_512-curve25519,aes128-sha2_512-curve448,aes128-sha2_512-modp4096,aes128-sha2_512-modp3072,aes128-sha2_512-modp2048,aes128-sha2_256-curve25519,aes128-sha2_256-curve448,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048!
>         
> esp=chacha20poly1305-sha2_512-curve25519,chacha20poly1305-sha2_512-curve448,chacha20poly1305-sha2_512-modp4096,chacha20poly1305-sha2_512-modp3072,chacha20poly1305-sha2_512-modp2048,chacha20poly1305-sha2_256-curve25519,chacha20poly1305-sha2_256-curve448,chacha20poly1305-sha2_256-modp4096,chacha20poly1305-sha2_256-modp3072,chacha20poly1305-sha2_256-modp2048,aes256gcm128-curve25519,aes256gcm128-curve448,aes256gcm128-modp4096,aes256gcm128-modp3072,aes256gcm128-modp2048,aes256gcm96-curve25519,aes256gcm96-curve448,aes256gcm96-modp4096,aes256gcm96-modp3072,aes256gcm96-modp2048,aes256gcm64-curve25519,aes256gcm64-curve448,aes256gcm64-modp4096,aes256gcm64-modp3072,aes256gcm64-modp2048,aes256-sha2_512-curve25519,aes256-sha2_512-curve448,aes256-sha2_512-modp4096,aes256-sha2_512-modp3072,aes256-sha2_512-modp2048,aes256-sha2_256-curve25519,aes256-sha2_256-curve448,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes192gcm128-curve25519,aes192gcm128-curve448,aes192gcm128-modp4096,aes192gcm128-modp3072,aes192gcm128-modp2048,aes192gcm96-curve25519,aes192gcm96-curve448,aes192gcm96-modp4096,aes192gcm96-modp3072,aes192gcm96-modp2048,aes192gcm64-curve25519,aes192gcm64-curve448,aes192gcm64-modp4096,aes192gcm64-modp3072,aes192gcm64-modp2048,aes192-sha2_512-curve25519,aes192-sha2_512-curve448,aes192-sha2_512-modp4096,aes192-sha2_512-modp3072,aes192-sha2_512-modp2048,aes192-sha2_256-curve25519,aes192-sha2_256-curve448,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes128gcm128-curve25519,aes128gcm128-curve448,aes128gcm128-modp4096,aes128gcm128-modp3072,aes128gcm128-modp2048,aes128gcm96-curve25519,aes128gcm96-curve448,aes128gcm96-modp4096,aes128gcm96-modp3072,aes128gcm96-modp2048,aes128gcm64-curve25519,aes128gcm64-curve448,aes128gcm64-modp4096,aes128gcm64-modp3072,aes128gcm64-modp2048,aes128-sha2_512-curve25519,aes128-sha2_512-curve448,aes128-sha2_512-modp4096,aes128-sha2_512-modp3072,aes128-sha2_512-modp2048,aes128-sha2_256-curve25519,
aes128-sha2_256-curve448,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048!
>         keyexchange=ikev2
>         ikelifetime=3h
>         keylife=1h
>         dpdaction=clear
>         dpddelay=30
>         dpdtimeout=120
>         authby=rsasig
>         leftrsasigkey=%cert
>         rightrsasigkey=%cert
>         auto=add
>         rightsourceip=
>         fragmentation=yes
> 
> I'd appreciate it SO MUCH if you could help me in any way. 
> 
> Best regards, 
> Stephan
