Hi,

On Tue, Oct 24, 2023 at 03:06:41PM -0500, rea...@catastrophe.net wrote:
> I have a small raspberry pi device that I'd like to connect to a 7.4
> machine with iked(8) and PSK auth, to start. The rpi device is going 
> to be on a mobile network and behind a small NAT device. 
> 
> I haven't had any problem with the following configurations between 
> two OpenBSD devices, but the rpi fails to connect with a similar config.
> 
> Has anyone gotten a rpi connected to a 7.4 (or whatever other version 
> running iked(8)) with the available OpenIKED package?
> 
> Thanks for any help in advance.

Can you add verbose server logs too? I don't see any obvious incompatibility.

- Tobias

> 
> 
> Server configuration
> 
> $ uname -a
> OpenBSD openbsd-server 7.4 GENERIC#1336 amd64
> 
> ikev2 "LINUX-CLIENT_INET4_LAN" passive esp \
>   from 10.88.0.0/22 to 10.88.12.0/24 \
>   from 203.0.113.92 to 10.88.12.0/24 \
>   peer any local openbsd-server.example.com \
>   ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
>    childsa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
>   srcid openbsd-server.example.com dstid linux-client.example.com \
>   ikelifetime 4h \
>   psk "123123123" \
>   tag "$name-$id"
> 
> Client configuration
> 
> # uname -a
> Linux linux-client 6.1.14-v7+ #1633 SMP Thu Mar  2 11:02:03 GMT 2023 armv7l 
> GNU/Linux
> 
> ikev2 "OPENBSD-SERVER_INET4_NETS" active esp \
>   from 10.88.12.0/24 to 10.88.0.0/22 \
>   from 10.88.12.0/24 to 203.0.113.92 \
>   peer 203.0.113.92 \
>   ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
>    childsa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
>   srcid openbsd-server.example.com dstid linux-client.example.com \
>   ikelifetime 4h \
>   psk "123123123" \
>   tag "$name-$id"
> 
> 
> Server logs
> 
> openbsd-server# tail /var/log/daemon
> Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: recv 
> IKE_SA_INIT req 0 peer 192.0.51.213:59458 local 203.0.113.92:500, 338 bytes, 
> policy 'LINUX-CLIENT_INET4_LAN'
> Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: send 
> IKE_SA_INIT res 0 peer 192.0.51.213:59458 local 203.0.113.92:500, 338 bytes
> Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: recv IKE_AUTH 
> req 1 peer 192.0.51.213:54016 local 203.0.113.92:4500, 320 bytes, policy 
> 'LINUX-CLIENT_INET4_LAN'
> Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: 
> ikev2_ike_auth_recv: no compatible policy found
> Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: 
> ikev2_send_auth_failed: authentication failed for
> Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: send IKE_AUTH 
> res 1 peer 192.0.51.213:54016 local 203.0.113.92:4500, 96 bytes, NAT-T
> Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: sa_free: 
> authentication failed
> 
> Client logs
> 
> linux-client# iked -ddvv
> create_ike: using unknown for peer linux-client.example.com
> ikev2 "OPENBSD-SERVER_INET4_NETS" active tunnel esp inet from 10.88.12.0/24 
> to 10.88.0.0/22 from 10.88.12.0/24 to 203.0.113.92 local any peer 
> 203.0.113.92 ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group 
> ecp521 childsa enc aes-256 auth hmac-sha2-512 group ecp521 noesn srcid 
> openbsd-server.example.com dstid linux-client.example.com ikelifetime 14400 
> lifetime 10800 bytes 4294967296 psk 
> 0x746869732d69732d612d6c6f6e672d746573742d70772d39 tag "$name-$id"
> /etc/iked.conf: loaded 1 configuration rules
> ca_privkey_serialize: type ECDSA length 121
> ca_pubkey_serialize: type ECDSA length 91
> config_getpolicy: received policy
> config_getpfkey: received pfkey fd 3
> ca_privkey_to_method: type ECDSA method ECDSA_256
> ca_getkey: received private key type ECDSA length 121
> ca_getkey: received public key type ECDSA length 91
> ca_dispatch_parent: config reset
> ca_reload: local cert type ECDSA
> config_getocsp: ocsp_url none tolerate 0 maxage -1
> ikev2_dispatch_cert: updated local CERTREQ type ECDSA length 0
> config_getcompile: compilation done
> config_getsocket: received socket fd 4
> config_getsocket: received socket fd 5
> config_getsocket: received socket fd 6
> config_getsocket: received socket fd 7
> config_getstatic: dpd_check_interval 60
> config_getstatic: no enforcesingleikesa
> config_getstatic: no fragmentation
> config_getstatic: mobike
> config_getstatic: nattport 4500
> config_getstatic: no stickyaddress
> ikev2_init_ike_sa: initiating "OPENBSD-SERVER_INET4_NETS"
> ikev2_policy2id: srcid FQDN/openbsd-server.example.com length 23
> ikev2_add_proposals: length 44
> ikev2_next_payload: length 48 nextpayload KE
> ikev2_next_payload: length 140 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload VENDOR
> ikev2_next_payload: length 16 nextpayload NOTIFY
> ikev2_nat_detection: local source 0x55dc1e4f08b3ac60 0x0000000000000000 
> 0.0.0.0:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0x55dc1e4f08b3ac60 0x0000000000000000 
> 203.0.113.92:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_next_payload: length 14 nextpayload NONE
> ikev2_pld_parse: header ispi 0x55dc1e4f08b3ac60 rspi 0x0000000000000000 
> nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 
> 338 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
> ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 
> xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
> ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 140
> ikev2_pld_ke: dh group ECP_521 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 36
> ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length 16
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> spi=0x55dc1e4f08b3ac60: send IKE_SA_INIT req 0 peer 203.0.113.92:500 local 
> 0.0.0.0:500, 338 bytes
> spi=0x55dc1e4f08b3ac60: sa_state: INIT -> SA_INIT
> spi=0x55dc1e4f08b3ac60: recv IKE_SA_INIT res 0 peer 203.0.113.92:500 local 
> 172.20.10.7:500, 338 bytes, policy 'OPENBSD-SERVER_INET4_NETS'
> ikev2_recv: ispi 0x55dc1e4f08b3ac60 rspi 0x848659094e6d0d63
> ikev2_recv: updated SA to peer 203.0.113.92:500 local 172.20.10.7:500
> ikev2_policy2id: srcid FQDN/openbsd-server.example.com length 23
> ikev2_pld_parse: header ispi 0x55dc1e4f08b3ac60 rspi 0x848659094e6d0d63 
> nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 
> 338 response 1
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
> ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 
> xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_521
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 140
> ikev2_pld_ke: dh group ECP_521 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 36
> ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length 16
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_nat_detection: peer source 0x55dc1e4f08b3ac60 0x848659094e6d0d63 
> 203.0.113.92:500
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_nat_detection: peer destination 0x55dc1e4f08b3ac60 0x848659094e6d0d63 
> 172.20.10.7:500
> ikev2_pld_notify: NAT_DETECTION_DESTINATION_IP detected NAT
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> ikev2_pld_notify: signature hash SHA2_256 (2)
> ikev2_pld_notify: signature hash SHA2_384 (3)
> ikev2_pld_notify: signature hash SHA2_512 (4)
> ikev2_enable_natt: detected NAT, enabling UDP encapsulation, updated SA to 
> peer 203.0.113.92:4500 local 172.20.10.7:4500
> proposals_negotiate: score 4
> sa_stateok: SA_INIT flags 0x0000, require 0x0008 auth
> spi=0x55dc1e4f08b3ac60: ikev2_sa_keys: DHSECRET with 66 bytes
> ikev2_sa_keys: SKEYSEED with 64 bytes
> spi=0x55dc1e4f08b3ac60: ikev2_sa_keys: S with 80 bytes
> ikev2_prfplus: T1 with 64 bytes
> ikev2_prfplus: T2 with 64 bytes
> ikev2_prfplus: T3 with 64 bytes
> ikev2_prfplus: T4 with 64 bytes
> ikev2_prfplus: T5 with 64 bytes
> ikev2_prfplus: T6 with 64 bytes
> ikev2_prfplus: Tn with 384 bytes
> ikev2_sa_keys: SK_d with 64 bytes
> ikev2_sa_keys: SK_ai with 64 bytes
> ikev2_sa_keys: SK_ar with 64 bytes
> ikev2_sa_keys: SK_ei with 32 bytes
> ikev2_sa_keys: SK_er with 32 bytes
> ikev2_sa_keys: SK_pi with 64 bytes
> ikev2_sa_keys: SK_pr with 64 bytes
> ikev2_msg_auth: initiator auth data length 434
> sa_stateok: SA_INIT flags 0x0008, require 0x0008 auth
> ikev2_policy2id: dstid FQDN/linux-client.example.com length 27
> ikev2_next_payload: length 27 nextpayload IDr
> ikev2_next_payload: length 31 nextpayload AUTH
> spi=0x55dc1e4f08b3ac60: ikev2_cp_request_configured: no
> ikev2_next_payload: length 72 nextpayload SA
> pfkey_sa_getspi: spi 0x160ad210
> pfkey_sa_init: new spi 0x160ad210
> ikev2_add_proposals: length 40
> ikev2_next_payload: length 44 nextpayload TSi
> ikev2_next_payload: length 24 nextpayload TSr
> ikev2_next_payload: length 40 nextpayload NONE
> ikev2_next_payload: length 292 nextpayload IDi
> ikev2_msg_encrypt: decrypted length 238
> ikev2_msg_encrypt: padded length 240
> ikev2_msg_encrypt: length 239, padding 1, output length 288
> ikev2_msg_integr: message length 320
> ikev2_msg_integr: integrity checksum length 32
> ikev2_pld_parse: header ispi 0x55dc1e4f08b3ac60 rspi 0x848659094e6d0d63 
> nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 320 
> response 0
> ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 292
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 240
> ikev2_msg_decrypt: integrity checksum length 32
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 240/240 padding 1
> ikev2_pld_payloads: decrypted payload IDi nextpayload IDr critical 0x00 
> length 27
> ikev2_pld_id: id FQDN/openbsd-server.example.com length 23
> ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 
> length 31
> ikev2_pld_id: id FQDN/linux-client.example.com length 27
> ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 
> length 72
> ikev2_pld_auth: method SHARED_KEY_MIC length 64
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 
> 44
> ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 
> xforms 3 spi 0x160ad210
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 
> length 24
> ikev2_pld_tss: count 1 length 16
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 
> 65535
> ikev2_pld_ts: start 10.88.12.0 end 10.88.12.255
> ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 
> length 40
> ikev2_pld_tss: count 2 length 32
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 
> 65535
> ikev2_pld_ts: start 10.88.0.0 end 10.88.3.255
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 
> 65535
> ikev2_pld_ts: start 203.0.113.92 end 203.0.113.92
> spi=0x55dc1e4f08b3ac60: send IKE_AUTH req 1 peer 203.0.113.92:4500 local 
> 172.20.10.7:4500, 320 bytes, NAT-T
> config_free_proposals: free 0xc2e8b0
> spi=0x55dc1e4f08b3ac60: recv IKE_AUTH res 1 peer 203.0.113.92:4500 local 
> 172.20.10.7:4500, 96 bytes, policy 'OPENBSD-SERVER_INET4_NETS'
> ikev2_recv: ispi 0x55dc1e4f08b3ac60 rspi 0x848659094e6d0d63
> ikev2_recv: updated SA to peer 203.0.113.92:4500 local 172.20.10.7:4500
> ikev2_pld_parse: header ispi 0x55dc1e4f08b3ac60 rspi 0x848659094e6d0d63 
> nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 96 
> response 1
> ikev2_pld_payloads: payload SK nextpayload NOTIFY critical 0x00 length 68
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 32
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 7
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 
> length 8
> ikev2_pld_notify: protoid IKE spisize 0 type AUTHENTICATION_FAILED
> ikev2_init_recv: AUTHENTICATION_FAILED, closing SA
> spi=0x55dc1e4f08b3ac60: sa_state: SA_INIT -> CLOSED from 203.0.113.92:4500 to 
> 172.20.10.7:4500 policy 'OPENBSD-SERVER_INET4_NETS'
> ikev2_recv: closing SA
> spi=0x55dc1e4f08b3ac60: sa_free: authentication failed notification from peer
> config_free_proposals: free 0xc2a1c8
> ^Cconfig_doreset: flushing policies
> config_free_proposals: free 0xbd6668
> config_free_proposals: free 0xbd37b0
> config_free_flows: free 0xbd3a30
> config_free_flows: free 0xbd3c20
> config_doreset: flushing SAs
> config_doreset: flushing users
> ca exiting, pid 2098
> ikev2 exiting, pid 2100
> control exiting, pid 2099
> parent terminating
> 
> 

Reply via email to