> > > If that doesn't help you could share the output of 'ipsecctl -sa' to find
> > > out if the IPsec SAs or flows are the problem.
> >
> > That may be the problem, there is nothing between 192.168.1.109 and
> > 192.168.9.101 :
> > (192.168.8.2 is the firewall interface that 192.168.1.109 is connecting to,
> > 192.168.9.101 is what the vpn client is trying to communicate with)
> >
> > # ipsecctl -sa
> > FLOWS:
> > No flows
> >
> > SAD:
> > esp tunnel from 192.168.8.2 to 192.168.1.109 spi 0x0e7b0e8b auth hmac-sha1
> > enc aes-256
> > esp tunnel from 192.168.1.109 to 192.168.8.2 spi 0x6830eab4 auth hmac-sha1
> > enc aes-256
> Ok, so this seems to be the cause. From your log snippet I can see that
> there must have been SAs at some point because it shows an
> "ikev2_childsa_enable" line.
> Try running iked with -vv. Maybe the verbose log contains an error message
> that helps us find out what's wrong.

The SAs seem to be only the first "from" clause (from 192.168.8.2 to
192.168.1.109), which are the VPN endpoints, not the second one, which covers
the network behind the OpenBSD machine, and the IP assigned to the Windows
machine in this same subnet (arp-proxied).

Here is the verbose log :

# iked -Tdvv
create_ike: using rsa for peer 192.168.1.109
ikev2 "windows" passive tunnel esp inet from 192.168.8.2 to 192.168.1.109 from 192.168.9.0/24 to 192.168.9.208 local 192.168.8.2 peer 192.168.1.109 ikesa enc aes-128-gcm enc aes-256-gcm prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group modp1024 ikesa enc aes-256 enc aes-192 enc aes-128 enc 3des prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group modp1024 childsa enc aes-128-gcm enc aes-256-gcm group none esn noesn childsa enc aes-256 enc aes-192 enc aes-128 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group none esn noesn srcid 192.168.8.2 lifetime 10800 bytes 536870912 rsa config address 192.168.9.208 config netmask 255.255.255.0 config name-server 192.168.1.222 config netbios-server 192.168.1.222
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1191
config_getpolicy: received policy
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getstatic: dpd_check_interval 60
config_getstatic: no enforcesingleikesa
config_getstatic: no fragmentation
config_getstatic: no mobike
config_getstatic: nattport 4500
config_getstatic: no stickyaddress
ca_reload: loaded ca file ca.crt
ca_reload: loaded crl file ca.crl
ca_reload: /C=CA/ST=State/L=City-Name/O=Ville de City-Name/OU=Department/CN=VPN CA/[email protected]
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file 192.168.8.2.crt
ca_validate_cert: /C=CA/ST=State/L=City-Name/O=Ville de City-Name/OU=Department/CN=192.168.8.2/[email protected] ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none tolerate 0 maxage -1
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
policy_lookup: setting policy 'windows'
spi=0xd5f403b2c665646e: recv IKE_SA_INIT req 0 peer 192.168.1.109:500 local 192.168.8.2:500, 528 bytes, policy 'windows'
ikev2_recv: ispi 0xd5f403b2c665646e rspi 0x0000000000000000
ikev2_policy2id: srcid IPV4/192.168.8.2 length 8
ikev2_pld_parse: header ispi 0xd5f403b2c665646e rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 528 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #2 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #3 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #4 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #5 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #6 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0xd5f403b2c665646e 0x0000000000000000 192.168.1.109:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0xd5f403b2c665646e 0x0000000000000000 192.168.8.2:500
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 41
proposals_negotiate: score 32
proposals_negotiate: score 29
proposals_negotiate: score 20
proposals_negotiate: score 33
proposals_negotiate: score 24
policy_lookup: setting policy 'windows'
spi=0xd5f403b2c665646e: sa_state: INIT -> SA_INIT
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 41
proposals_negotiate: score 32
proposals_negotiate: score 29
proposals_negotiate: score 20
proposals_negotiate: score 33
proposals_negotiate: score 24
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
spi=0xd5f403b2c665646e: ikev2_sa_keys: DHSECRET with 128 bytes
ikev2_sa_keys: SKEYSEED with 32 bytes
spi=0xd5f403b2c665646e: ikev2_sa_keys: S with 96 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 136 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload CERTREQ
ikev2_add_certreq: type RSA_KEY length 1
ikev2_next_payload: length 5 nextpayload NONE
ikev2_pld_parse: header ispi 0xd5f403b2c665646e rspi 0x1c65b0250699bcd2 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 278 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #4 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload CERTREQ critical 0x00 length 36
ikev2_pld_payloads: payload CERTREQ nextpayload CERTREQ critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 5
ikev2_pld_certreq: type RSA_KEY length 0
spi=0xd5f403b2c665646e: send IKE_SA_INIT res 0 peer 192.168.1.109:500 local 192.168.8.2:500, 278 bytes
config_free_proposals: free 0x212b5bf4c80
config_free_proposals: free 0x212b5bd0700
config_free_proposals: free 0x212b5c0bb00
config_free_proposals: free 0x212b5bf3f80
config_free_proposals: free 0x212b5bf3d00
config_free_proposals: free 0x212b5bd0380
spi=0xd5f403b2c665646e: recv IKE_AUTH req 1 peer 192.168.1.109:500 local 192.168.8.2:500, 7440 bytes, policy 'windows'
ikev2_recv: ispi 0xd5f403b2c665646e rspi 0x1c65b0250699bcd2
ikev2_recv: updated SA to peer 192.168.1.109:500 local 192.168.8.2:500
ikev2_pld_parse: header ispi 0xd5f403b2c665646e rspi 0x1c65b0250699bcd2 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 7440 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 7412
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 7376
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 7376/7376 padding 10
ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 199
ikev2_pld_id: id ASN1_DN//C=CA/ST=State/L=City-Name/O=Ville de City-Name/OU=Department/CN=192.168.1.109/[email protected] length 195
ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 length 1097
ikev2_pld_cert: type X509_CERT length 1092
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 length 5645
ikev2_pld_certreq: type X509_CERT length 5640
ikev2_pld_payloads: decrypted payload AUTH nextpayload NOTIFY critical 0x00 length 264
ikev2_pld_auth: method RSA_SIG length 256
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload CP critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 24
ikev2_pld_cp: type REQUEST length 16
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0
ikev2_pld_cp: INTERNAL_IP4_SERVER 0x5ba0 length 0
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 80
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x1436a680
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_sa: more 0 reserved 0 length 36 proposal #2 protoid ESP spisize 4 xforms 3 spi 0x1436a680
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_tss: count 1 length 16
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_tss: count 1 length 16
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
sa_stateok: SA_INIT flags 0x0000, require 0x0000
spi=0xd5f403b2c665646e: sa_state: SA_INIT -> AUTH_REQUEST
policy_lookup: peerid '/C=CA/ST=State/L=City-Name/O=Ville de City-Name/OU=Department/CN=192.168.1.109/[email protected]'
proposals_negotiate: score 0
proposals_negotiate: score 20
policy_lookup: setting policy 'windows'
ikev2_policy2id: srcid IPV4/192.168.8.2 length 8
sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
ikev2_msg_auth: responder auth data length 358
ca_setauth: auth length 358
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 13
proposals_negotiate: score 0
sa_stateflags: 0x0024 -> 0x0024 certreq,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
config_free_proposals: free 0x212b5c0b680
config_free_proposals: free 0x212b5c0b700
ca_getreq: found CA /C=CA/ST=State/L=City-Name/O=Ville de City-Name/OU=Department/CN=VPN CA/[email protected]
ca_getreq: found local certificate /C=CA/ST=State/L=City-Name/O=Ville de City-Name/OU=Department/CN=192.168.8.2/[email protected]
ca_setauth: auth length 256
ikev2_getimsgdata: imsg 23 rspi 0x1c65b0250699bcd2 ispi 0xd5f403b2c665646e initiator 0 sa valid type 4 data length 1090
ikev2_dispatch_cert: cert type X509_CERT length 1090, ok
sa_stateflags: 0x0024 -> 0x0025 cert,certreq,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
ikev2_getimsgdata: imsg 34 rspi 0x1c65b0250699bcd2 ispi 0xd5f403b2c665646e initiator 0 sa valid type 1 data length 256
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x0025 -> 0x002d cert,certreq,auth,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
ca_validate_pubkey: unsupported public key type ASN1_DN
ca_validate_cert: /C=CA/ST=State/L=City-Name/O=Ville de City-Name/OU=Department/CN=192.168.1.109/[email protected] ok
ikev2_getimsgdata: imsg 24 rspi 0x1c65b0250699bcd2 ispi 0xd5f403b2c665646e initiator 0 sa valid type 4 data length 1092
ikev2_msg_auth: initiator auth data length 592
ikev2_msg_authverify: method RSA_SIG keylen 1092 type X509_CERT
ikev2_msg_authverify: authentication successful
spi=0xd5f403b2c665646e: sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x002d -> 0x003d cert,certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
spi=0xd5f403b2c665646e: sa_state: AUTH_SUCCESS -> VALID
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
ikev2_sa_tag: (0)
ikev2_childsa_negotiate: proposal 1
ikev2_childsa_negotiate: key material length 104
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_getspi: spi 0x6cab2e28
pfkey_sa_init: new spi 0x6cab2e28
ikev2_next_payload: length 12 nextpayload CERT
ikev2_next_payload: length 1095 nextpayload AUTH
ikev2_next_payload: length 264 nextpayload CP
ikev2_next_payload: length 40 nextpayload SA
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload TSi
ikev2_next_payload: length 40 nextpayload TSr
ikev2_next_payload: length 40 nextpayload NONE
ikev2_next_payload: length 1572 nextpayload IDr
ikev2_msg_encrypt: decrypted length 1535
ikev2_msg_encrypt: padded length 1536
ikev2_msg_encrypt: length 1536, padding 0, output length 1568
ikev2_msg_integr: message length 1600
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xd5f403b2c665646e rspi 0x1c65b0250699bcd2 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 1600 response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 1572
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 1536
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 1536/1536 padding 0
ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00 length 12
ikev2_pld_id: id IPV4/192.168.8.2 length 8
ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00 length 1095
ikev2_pld_cert: type X509_CERT length 1090
ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00 length 264
ikev2_pld_auth: method RSA_SIG length 256
ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 40
ikev2_pld_cp: type REPLY length 32
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4
ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 4
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 4
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x6cab2e28
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 40
ikev2_pld_tss: count 2 length 32
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.1.109 end 192.168.1.109
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.9.208 end 192.168.9.208
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 40
ikev2_pld_tss: count 2 length 32
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.8.2 end 192.168.8.2
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.9.0 end 192.168.9.255
spi=0xd5f403b2c665646e: send IKE_AUTH res 1 peer 192.168.1.109:500 local 192.168.8.2:500, 1600 bytes
pfkey_sa_add: update spi 0x6cab2e28
ikev2_childsa_enable: loaded CHILD SA spi 0x6cab2e28
pfkey_sa_add: add spi 0x1436a680
ikev2_childsa_enable: loaded CHILD SA spi 0x1436a680
ikev2_childsa_enable: remember SA peer 192.168.1.109:500
spi=0xd5f403b2c665646e: ikev2_childsa_enable: loaded SPIs: 0x6cab2e28, 0x1436a680 (enc aes-256 auth hmac-sha1)
spi=0xd5f403b2c665646e: sa_state: VALID -> ESTABLISHED from 192.168.1.109:500 to 192.168.8.2:500 policy 'windows'
spi=0xd5f403b2c665646e: established peer 192.168.1.109:500[ASN1_DN//C=CA/ST=State/L=City-Name/O=Ville de City-Name/OU=Department/CN=192.168.1.109/[email protected]] local 192.168.8.2:500[IPV4/192.168.8.2] policy 'windows' as responder (enc aes-256 auth hmac-sha2-256 group modp1024 prf hmac-sha2-256)
pfkey_sa_lookup: last_used 1622470299
ikev2_ike_sa_alive: incoming CHILD SA spi 0x6cab2e28 last used 43 second(s) ago
spi=0xd5f403b2c665646e: recv INFORMATIONAL req 2 peer 192.168.1.109:500 local 192.168.8.2:500, 80 bytes, policy 'windows'
ikev2_recv: ispi 0xd5f403b2c665646e rspi 0x1c65b0250699bcd2
ikev2_recv: updated SA to peer 192.168.1.109:500 local 192.168.8.2:500
ikev2_pld_parse: header ispi 0xd5f403b2c665646e rspi 0x1c65b0250699bcd2 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x08 msgid 2 length 80 response 0
ikev2_pld_payloads: payload SK nextpayload DELETE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 3
ikev2_pld_payloads: decrypted payload DELETE nextpayload NONE critical 0x00 length 12
ikev2_pld_delete: proto ESP spisize 4 nspi 1
ikev2_handle_delete: spi 0x1436a680
spi=0xd5f403b2c665646e: ikev2_childsa_delete: deleted CHILD SA spi 0x6cab2e28
spi=0xd5f403b2c665646e: ikev2_childsa_delete: deleted CHILD SA spi 0x1436a680
spi=0xd5f403b2c665646e: deleted 1 SPI: 0x1436a680
ikev2_next_payload: length 12 nextpayload NONE
ikev2_next_payload: length 52 nextpayload DELETE
ikev2_msg_encrypt: decrypted length 12
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 13, padding 3, output length 48
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xd5f403b2c665646e rspi 0x1c65b0250699bcd2 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x20 msgid 2 length 80 response 1
ikev2_pld_payloads: payload SK nextpayload DELETE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 3
ikev2_pld_payloads: decrypted payload DELETE nextpayload NONE critical 0x00 length 12
ikev2_pld_delete: proto ESP spisize 4 nspi 1
spi=0xd5f403b2c665646e: send INFORMATIONAL res 2 peer 192.168.1.109:500 local 192.168.8.2:500, 80 bytes
spi=0xd5f403b2c665646e: recv INFORMATIONAL req 2 peer 192.168.1.109:500 local 192.168.8.2:500, 80 bytes, policy 'windows'
ikev2_recv: ispi 0xd5f403b2c665646e rspi 0x1c65b0250699bcd2
spi=0xd5f403b2c665646e: retransmit INFORMATIONAL res 2 local 192.168.8.2:500 peer 192.168.1.109:500
spi=0xd5f403b2c665646e: recv INFORMATIONAL req 3 peer 192.168.1.109:500 local 192.168.8.2:500, 80 bytes, policy 'windows'
ikev2_recv: ispi 0xd5f403b2c665646e rspi 0x1c65b0250699bcd2
ikev2_recv: updated SA to peer 192.168.1.109:500 local 192.168.8.2:500
ikev2_pld_parse: header ispi 0xd5f403b2c665646e rspi 0x1c65b0250699bcd2 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x08 msgid 3 length 80 response 0
ikev2_pld_payloads: payload SK nextpayload DELETE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 7
ikev2_pld_payloads: decrypted payload DELETE nextpayload NONE critical 0x00 length 8
ikev2_pld_delete: proto IKE spisize 0 nspi 0
spi=0xd5f403b2c665646e: ikev2_ikesa_recv_delete: received delete
spi=0xd5f403b2c665646e: sa_state: ESTABLISHED -> CLOSED from 192.168.1.109:500 to 192.168.8.2:500 policy 'windows'
ikev2_next_payload: length 52 nextpayload NONE
ikev2_msg_encrypt: decrypted length 0
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 1, padding 15, output length 48
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xd5f403b2c665646e rspi 0x1c65b0250699bcd2 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x20 msgid 3 length 80 response 1
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
spi=0xd5f403b2c665646e: send INFORMATIONAL res 3 peer 192.168.1.109:500 local 192.168.8.2:500, 80 bytes
ikev2_recv: closing SA
spi=0xd5f403b2c665646e: sa_free: received delete
config_free_proposals: free 0x212b5bd0c00
config_free_proposals: free 0x212b5bf4300
^Cparent_sig_handler: stopping iked
config_getreset: flushing policies
ca_dispatch_parent: config reset
config_free_proposals: free 0x212b5bd0f80
config_free_proposals: free 0x212b5c0b080
config_free_proposals: free 0x212b5bf3f00
config_free_proposals: free 0x212b5bf4b80
config_free_flows: free 0x212b5c06000
config_free_flows: free 0x212b5c04000
config_getreset: flushing SAs
config_getreset: flushing users
ca_reload: loaded ca file ca.crt
ikev2 exiting, pid 39542
control exiting, pid 10641
ca_reload: loaded crl file ca.crl
ca_reload: /C=CA/ST=State/L=City-Name/O=Ville de City-Name/OU=Department/CN=VPN CA/[email protected]
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file 192.168.8.2.crt
ca_validate_cert: /C=CA/ST=State/L=City-Name/O=Ville de City-Name/OU=Department/CN=192.168.8.2/[email protected] ok
ca_reload: local cert type X509_CERT
ca exiting, pid 41593
parent terminating

While the VPN was connected on the Windows machine :

$ doas ipsecctl -sa
FLOWS:
No flows

SAD:
esp tunnel from 192.168.8.2 to 192.168.1.109 spi 0x1436a680 auth hmac-sha1 enc aes-256
esp tunnel from 192.168.1.109 to 192.168.8.2 spi 0x6cab2e28 auth hmac-sha1 enc aes-256

And after it was disconnected :

tp-fw-epu-01$ doas ipsecctl -sa
FLOWS:
No flows

SAD:
No entries
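An added example, not part of this thread and not iked or ipsecctl code: the symptom above (ESP entries in the SAD but "No flows") means the kernel holds keys for the tunnel but has no policy that steers 192.168.9.0/24 <-> 192.168.9.208 traffic into it, so packets never match. The Python script below parses the TSi/TSr lines of an `iked -vv` log and the output of `ipsecctl -sa`, then lists every negotiated selector pair that has no matching `flow esp in` / `flow esp out` entry. The inputs are constructed from the addresses and SPIs quoted above. Two assumptions of the example: the i-th TSi is paired with the i-th TSr (the order of the `from ... to ...` clauses in iked.conf), and flow lines are only parsed up to their `flow esp in|out from X to Y` prefix, so the constructed "healthy" output is not a verbatim ipsecctl(8) transcript.

```python
"""Cross-check negotiated IKEv2 traffic selectors against installed IPsec flows.

Added example; not iked/ipsecctl code. Sample inputs are constructed from the
addresses and SPIs quoted in the thread.
"""
import re
from ipaddress import IPv4Network, ip_address, summarize_address_range

# iked -vv lines for the TSi/TSr payloads of the IKE_AUTH response (constructed
# from the thread's log; only the lines the parser needs are kept, plus one
# `nextpayload TSi` line to show the header regex ignores it).
IKED_LOG = """\
ikev2_next_payload: length 44 nextpayload TSi
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 40
ikev2_pld_tss: count 2 length 32
ikev2_pld_ts: start 192.168.1.109 end 192.168.1.109
ikev2_pld_ts: start 192.168.9.208 end 192.168.9.208
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 40
ikev2_pld_tss: count 2 length 32
ikev2_pld_ts: start 192.168.8.2 end 192.168.8.2
ikev2_pld_ts: start 192.168.9.0 end 192.168.9.255
"""

# ipsecctl -sa as quoted in the thread while the VPN was up: SAs but no flows.
IPSECCTL_NO_FLOWS = """\
FLOWS:
No flows

SAD:
esp tunnel from 192.168.8.2 to 192.168.1.109 spi 0x1436a680 auth hmac-sha1 enc aes-256
esp tunnel from 192.168.1.109 to 192.168.8.2 spi 0x6cab2e28 auth hmac-sha1 enc aes-256
"""

# Constructed "healthy" output (assumed shape; only the prefix is parsed).
IPSECCTL_WITH_FLOWS = """\
FLOWS:
flow esp in from 192.168.1.109 to 192.168.8.2 peer 192.168.1.109 type use
flow esp out from 192.168.8.2 to 192.168.1.109 peer 192.168.1.109 type use
flow esp in from 192.168.9.208 to 192.168.9.0/24 peer 192.168.1.109 type use
flow esp out from 192.168.9.0/24 to 192.168.9.208 peer 192.168.1.109 type use

SAD:
esp tunnel from 192.168.8.2 to 192.168.1.109 spi 0x1436a680 auth hmac-sha1 enc aes-256
esp tunnel from 192.168.1.109 to 192.168.8.2 spi 0x6cab2e28 auth hmac-sha1 enc aes-256
"""

TS_HDR_RE = re.compile(r"\bpayload (TSi|TSr)\b")   # \b keeps "nextpayload TSi" out
TS_RE = re.compile(r"^ikev2_pld_ts: start (\S+) end (\S+)")
FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+)")
SA_RE = re.compile(r"^esp tunnel from (\S+) to (\S+) spi (0x[0-9a-fA-F]+)")


def range_to_networks(start, end):
    """Turn an IPV4_ADDR_RANGE selector into the CIDR blocks it covers."""
    return list(summarize_address_range(ip_address(start), ip_address(end)))


def parse_iked_ts(log):
    """Collect the last TSi and TSr payloads seen in iked -vv output.

    Each `ikev2_pld_ts` line belongs to the most recent TSi/TSr header; a new
    header for the same side replaces the earlier list, so feeding a whole
    responder log yields the narrowed selectors iked actually sent back.
    """
    selectors = {"TSi": [], "TSr": []}
    current = None
    for line in log.splitlines():
        hdr = TS_HDR_RE.search(line)
        if hdr:
            current = hdr.group(1)
            selectors[current] = []
            continue
        m = TS_RE.match(line)
        if m and current:
            selectors[current].extend(range_to_networks(*m.groups()))
    return selectors


def parse_ipsecctl(out):
    """Split `ipsecctl -sa` output into (direction, src, dst) flows and (src, dst, spi) SAs."""
    flows, sas = [], []
    for line in out.splitlines():
        m = FLOW_RE.match(line)
        if m:
            direction, src, dst = m.groups()
            flows.append((direction, IPv4Network(src), IPv4Network(dst)))
            continue
        m = SA_RE.match(line)
        if m:
            sas.append(m.groups())
    return flows, sas


def expected_flows(selectors):
    """Flows the kernel should hold: i-th TSi paired with i-th TSr (assumed),
    one inbound and one outbound flow per pair."""
    wanted = []
    for remote, local in zip(selectors["TSi"], selectors["TSr"]):
        wanted.append(("in", remote, local))
        wanted.append(("out", local, remote))
    return wanted


def diagnose(iked_log, ipsecctl_out):
    """Return SAs, flows, the negotiated pairs with no flow, and a verdict."""
    selectors = parse_iked_ts(iked_log)
    flows, sas = parse_ipsecctl(ipsecctl_out)
    missing = [f for f in expected_flows(selectors) if f not in flows]
    if sas and not flows:
        verdict = "SAs installed but no flows: nothing steers packets into the tunnel"
    elif missing:
        verdict = "flows installed but some negotiated selectors are not covered"
    else:
        verdict = "every negotiated selector pair has an in and an out flow"
    return {"sas": sas, "flows": flows, "missing": missing, "verdict": verdict}


if __name__ == "__main__":
    for label, out in (("as posted", IPSECCTL_NO_FLOWS), ("healthy", IPSECCTL_WITH_FLOWS)):
        r = diagnose(IKED_LOG, out)
        print(f"[{label}] {r['verdict']}")
        for direction, src, dst in r["missing"]:
            print(f"  missing: flow esp {direction} from {src} to {dst}")
```

Run as-is it prints the four missing flows for the posted output and a clean verdict for the constructed healthy one; to use it on a real box, replace the two constants with the contents of the saved `iked -vv` log and of `doas ipsecctl -sa`.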

