Tobias Heider <[email protected]> writes:

> On October 3, 2023 1:32:39 AM GMT+02:00, "Robert B. Carleton" 
> <[email protected]> wrote:
>>I'm trying to set up host-to-host encryption using iked with the
>>following configuration:
>>
>>On 10.2.2.10:
>>
>>ikev2 passive esp from 10.2.2.10 to 10.2.1.11 srcid 10.2.2.10
>>
>>On 10.2.1.11:
>>
>>ikev2 active esp from 10.2.1.11 to 10.2.2.10 srcid 10.2.1.11
>>
>>I exchanged the /etc/iked/local.pub files into /etc/iked/pubkeys/ipv4/
>>on each host using the respective IPs as the file names.
>>
>>When I start iked, it responds agreeably:
>>
>>On 10.2.2.10:
>>
>># iked -dv 
>>ikev2 "policy1" passive tunnel esp inet from 10.2.2.10 to 10.2.1.11 local 
>>10.2.2.10 peer 10.2.1.11 ikesa enc aes-128-gcm enc aes-256-gcm prf 
>>hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 group 
>>curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group 
>>modp3072 group modp2048 group modp1536 group modp1024 ikesa enc aes-256 enc 
>>aes-192 enc aes-128 enc 3des prf hmac-sha2-256 prf hmac-sha2-384 prf 
>>hmac-sha2-512 prf hmac-sha1 auth hmac-sha2-256 auth hmac-sha2-384 auth 
>>hmac-sha2-512 auth hmac-sha1 group curve25519 group ecp521 group ecp384 group 
>>ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group 
>>modp1024 childsa enc aes-128-gcm enc aes-256-gcm group none esn noesn childsa 
>>enc aes-256 enc aes-192 enc aes-128 auth hmac-sha2-256 auth hmac-sha2-384 
>>auth hmac-sha2-512 auth hmac-sha1 group none esn noesn srcid 10.2.2.10 
>>lifetime 10800 bytes 4294967296 signature
>>spi=0xe0fd27448726d995: recv IKE_SA_INIT req 0 peer 10.2.1.11:500 local 
>>10.2.2.10:500, 518 bytes, policy 'policy1'
>>spi=0xe0fd27448726d995: send IKE_SA_INIT res 0 peer 10.2.1.11:500 local 
>>10.2.2.10:500, 235 bytes
>>spi=0xe0fd27448726d995: recv IKE_AUTH req 1 peer 10.2.1.11:500 local 
>>10.2.2.10:500, 463 bytes, policy 'policy1'
>>spi=0xe0fd27448726d995: send IKE_AUTH res 1 peer 10.2.1.11:500 local 
>>10.2.2.10:500, 342 bytes
>>spi=0xe0fd27448726d995: ikev2_childsa_enable: loaded SPIs: 0xa7015208, 
>>0xd94b3836 (enc aes-128-gcm esn)
>>spi=0xe0fd27448726d995: ikev2_childsa_enable: loaded flows: 
>>ESP-10.2.2.10/32=10.2.1.11/32(0)
>>spi=0xe0fd27448726d995: established peer 10.2.1.11:500[IPV4/10.2.1.11] local 
>>10.2.2.10:500[IPV4/10.2.2.10] policy 'policy1' as responder (enc aes-128-gcm 
>>group curve25519 prf hmac-sha2-256)
>>
>>On 10.2.1.11:
>>
>># iked -dv 
>>ikev2 "policy1" active tunnel esp inet from 10.2.1.11 to 10.2.2.10 local 
>>10.2.1.11 peer 10.2.2.10 ikesa enc aes-128-gcm enc aes-256-gcm prf 
>>hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 group 
>>curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group 
>>modp3072 group modp2048 group modp1536 group modp1024 ikesa enc aes-256 enc 
>>aes-192 enc aes-128 enc 3des prf hmac-sha2-256 prf hmac-sha2-384 prf 
>>hmac-sha2-512 prf hmac-sha1 auth hmac-sha2-256 auth hmac-sha2-384 auth 
>>hmac-sha2-512 auth hmac-sha1 group curve25519 group ecp521 group ecp384 group 
>>ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group 
>>modp1024 childsa enc aes-128-gcm enc aes-256-gcm group none esn noesn childsa 
>>enc aes-256 enc aes-192 enc aes-128 auth hmac-sha2-256 auth hmac-sha2-384 
>>auth hmac-sha2-512 auth hmac-sha1 group none esn noesn srcid 10.2.1.11 
>>lifetime 10800 bytes 4294967296 signature
>>ikev2_init_ike_sa: initiating "policy1"
>>spi=0xe0fd27448726d995: send IKE_SA_INIT req 0 peer 10.2.2.10:500 local 
>>10.2.1.11:500, 518 bytes
>>spi=0xe0fd27448726d995: recv IKE_SA_INIT res 0 peer 10.2.2.10:500 local 
>>10.2.1.11:500, 235 bytes, policy 'policy1'
>>spi=0xe0fd27448726d995: send IKE_AUTH req 1 peer 10.2.2.10:500 local 
>>10.2.1.11:500, 463 bytes
>>spi=0xe0fd27448726d995: recv IKE_AUTH res 1 peer 10.2.2.10:500 local 
>>10.2.1.11:500, 342 bytes, policy 'policy1'
>>spi=0xe0fd27448726d995: ikev2_childsa_enable: loaded SPIs: 0xa7015208, 
>>0xd94b3836 (enc aes-128-gcm esn)
>>spi=0xe0fd27448726d995: ikev2_childsa_enable: loaded flows: 
>>ESP-10.2.1.11/32=10.2.2.10/32(0)
>>spi=0xe0fd27448726d995: established peer 10.2.2.10:500[IPV4/10.2.2.10] local 
>>10.2.1.11:500[IPV4/10.2.1.11] policy 'policy1' as initiator (enc aes-128-gcm 
>>group curve25519 prf hmac-sha2-256)
>>
>>Here's the output from ipsecctl -sa:
>>
>>On 10.2.2.10:
>>
>>FLOWS:
>>flow esp in from 10.2.1.11 to 10.2.2.10 peer 10.2.1.11 srcid IPV4/10.2.2.10 
>>dstid IPV4/10.2.1.11 type require
>>flow esp out from 10.2.2.10 to 10.2.1.11 peer 10.2.1.11 srcid IPV4/10.2.2.10 
>>dstid IPV4/10.2.1.11 type require
>>
>>SAD:
>>esp tunnel from 10.2.2.10 to 10.2.1.11 spi 0x0135c999 enc aes-128-gcm
>>esp tunnel from 10.2.1.11 to 10.2.2.10 spi 0x8a858058 enc aes-128-gcm
>>
>>On 10.2.1.11:
>>
>>FLOWS:
>>flow esp in from 10.2.2.10 to 10.2.1.11 peer 10.2.2.10 srcid IPV4/10.2.1.11 
>>dstid IPV4/10.2.2.10 type require
>>flow esp out from 10.2.1.11 to 10.2.2.10 peer 10.2.2.10 srcid IPV4/10.2.1.11 
>>dstid IPV4/10.2.2.10 type require
>>
>>SAD:
>>esp tunnel from 10.2.2.10 to 10.2.1.11 spi 0x0135c999 enc aes-128-gcm
>>esp tunnel from 10.2.1.11 to 10.2.2.10 spi 0x8a858058 enc aes-128-gcm
>>
>>Once I try pinging between the hosts, I can still see ICMP traffic on
>>the subject interface (vio1), and no traffic on enc0. I've been digging
>>around, trying to figure out what I missed, but I haven't found the
>>magic rabbit hole. I'm running a fully patched version of OpenBSD 7.3.
>>
>>Additionally, the hosts have a stock /etc/pf.conf, so there aren't any
>>firewall rules to speak of between the hosts. The kernel states for
>>net.inet.esp.enable and net.inet.ah.enable are set to 1.
>>
>>Any suggestions?
>
> Can you show me the output of route get $peer-id on
> the host you ping from? Does it match the flow?
>
> I don't see anything obviously wrong in the ipsecctl and iked outputs.
> ipsecctl -sa -v might also help to see the per sa counters.
>
>>
>>TIA,
>>
>>                        --Bruce
>>

I think this is what you meant. On 10.2.2.10:

# route -n get 10.2.1.11
   route to: 10.2.1.11
destination: 0.0.0.0
       mask: 0.0.0.0
    gateway: 10.1.2.1
  interface: vio0
 if address: 10.1.2.10
   priority: 8 (static)
      flags: <UP,GATEWAY,DONE,STATIC>
     use       mtu    expire
      49         0         0

There are multiple interfaces. Maybe that's causing a problem.
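A small check for the question Tobias asked ("does it match the flow?"), added here as an example and not part of the thread: it parses the "route -n get" output Bruce posted together with the out-flow line from the same host's "ipsecctl -sa" listing, and reports whether the source address the kernel would use toward the peer is the address the flow is "from". Both outputs are embedded as constants copied from the messages above so the script runs offline; the function names are my own and not from any OpenBSD tool.

```shell
#!/bin/sh
# Added example: does the kernel's chosen source address for the peer match
# the local side of the IPsec flow? If not, packets leave with an address the
# flow selector does not cover and are sent unencrypted.

# Constructed input: "route -n get 10.2.1.11" as posted for host 10.2.2.10.
ROUTE_GET_OUTPUT='   route to: 10.2.1.11
destination: 0.0.0.0
       mask: 0.0.0.0
    gateway: 10.1.2.1
  interface: vio0
 if address: 10.1.2.10
   priority: 8 (static)
      flags: <UP,GATEWAY,DONE,STATIC>'

# Constructed input: the "flow esp out" line from "ipsecctl -sa" on 10.2.2.10.
FLOW_LINE='flow esp out from 10.2.2.10 to 10.2.1.11 peer 10.2.1.11 srcid IPV4/10.2.2.10 dstid IPV4/10.2.1.11 type require'

# route_if_address OUTPUT -> the "if address" field, i.e. the source address
# the kernel will put on packets to the destination.
route_if_address() {
    printf '%s\n' "$1" | awk -F': *' '/^ *if address:/ { print $2; exit }'
}

# route_interface OUTPUT -> the "interface" field.
route_interface() {
    printf '%s\n' "$1" | awk -F': *' '/^ *interface:/ { print $2; exit }'
}

# flow_src FLOWLINE -> the address following "from" in an ipsecctl flow line.
flow_src() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "from") { print $(i + 1); exit } }'
}

# check_flow_matches_route ROUTE_OUTPUT FLOW_LINE
# Returns 0 when the route's source address equals the flow's "from" address,
# 1 when they differ (the flow will not match locally generated traffic).
check_flow_matches_route() {
    cfmr_src=$(route_if_address "$1")
    cfmr_flow=$(flow_src "$2")
    if [ "$cfmr_src" = "$cfmr_flow" ]; then
        echo "ok: route source $cfmr_src matches flow source $cfmr_flow"
        return 0
    fi
    echo "mismatch: kernel would source from $cfmr_src via $(route_interface "$1"), but the flow is from $cfmr_flow" >&2
    return 1
}

# Stand-alone run against the posted outputs.
check_flow_matches_route "$ROUTE_GET_OUTPUT" "$FLOW_LINE"
```

Run against the outputs in this thread it reports a mismatch: the route picks 10.1.2.10 on vio0, while the flow only covers packets from 10.2.2.10 to 10.2.1.11, so a ping that takes the default route is not matched by the flow and goes out in the clear. On a live host, replace the two constants with the real command output; sourcing the ping from the flow's own address (ping -I 10.2.2.10 on OpenBSD) is a quick way to confirm that the SA does carry traffic when the selector matches.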
