Hi,

On Tue, Oct 24, 2023 at 03:06:41PM -0500, rea...@catastrophe.net wrote:
> I have a small raspberry pi device that I'd like to connect to a 7.4
> machine with iked(8) and PSK auth, to start. The rpi device is going
> to be on a mobile network and behind a small NAT device.
>
> I haven't had any problem with the following configurations between
> two OpenBSD devices, but the rpi fails to connect with a similar config.
>
> Has anyone gotten a rpi connected to a 7.4 (or whatever other version
> running iked(8)) with the available OpenIKED package?
>
> Thanks for any help in advance.

Can you add verbose server logs too? I don't see any obvious incompatibility.

- Tobias

>
> Server configuration
>
> $ uname -a
> OpenBSD openbsd-server 7.4 GENERIC#1336 amd64
>
> ikev2 "LINUX-CLIENT_INET4_LAN" passive esp \
>         from 10.88.0.0/22 to 10.88.12.0/24 \
>         from 203.0.113.92 to 10.88.12.0/24 \
>         peer any local openbsd-server.example.com \
>         ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
>         childsa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
>         srcid openbsd-server.example.com dstid linux-client.example.com \
>         ikelifetime 4h \
>         psk "123123123" \
>         tag "$name-$id"
>
> Client configuration
>
> # uname -a
> Linux linux-client 6.1.14-v7+ #1633 SMP Thu Mar 2 11:02:03 GMT 2023 armv7l GNU/Linux
>
> ikev2 "OPENBSD-SERVER_INET4_NETS" active esp \
>         from 10.88.12.0/24 to 10.88.0.0/22 \
>         from 10.88.12.0/24 to 203.0.113.92 \
>         peer 203.0.113.92 \
>         ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
>         childsa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
>         srcid openbsd-server.example.com dstid linux-client.example.com \
>         ikelifetime 4h \
>         psk "123123123" \
>         tag "$name-$id"
>
> Server logs
>
> openbsd-server# tail /var/log/daemon
> Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: recv IKE_SA_INIT req 0 peer 192.0.51.213:59458 local 203.0.113.92:500, 338 bytes, policy 'LINUX-CLIENT_INET4_LAN'
> Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: send IKE_SA_INIT res 0 peer 192.0.51.213:59458 local 203.0.113.92:500, 338 bytes
> Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: recv IKE_AUTH req 1 peer 192.0.51.213:54016 local 203.0.113.92:4500, 320 bytes, policy 'LINUX-CLIENT_INET4_LAN'
> Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: ikev2_ike_auth_recv: no compatible policy found
> Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: ikev2_send_auth_failed: authentication failed for
> Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: send IKE_AUTH res 1 peer 192.0.51.213:54016 local 203.0.113.92:4500, 96 bytes, NAT-T
> Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: sa_free: authentication failed
>
> Client logs
>
> linux-client# iked -ddvv
> create_ike: using unknown for peer linux-client.example.com
> ikev2 "OPENBSD-SERVER_INET4_NETS" active tunnel esp inet from 10.88.12.0/24 to 10.88.0.0/22 from 10.88.12.0/24 to 203.0.113.92 local any peer 203.0.113.92 ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 childsa enc aes-256 auth hmac-sha2-512 group ecp521 noesn srcid openbsd-server.example.com dstid linux-client.example.com ikelifetime 14400 lifetime 10800 bytes 4294967296 psk 0x746869732d69732d612d6c6f6e672d746573742d70772d39 tag "$name-$id"
> /etc/iked.conf: loaded 1 configuration rules
> ca_privkey_serialize: type ECDSA length 121
> ca_pubkey_serialize: type ECDSA length 91
> config_getpolicy: received policy
> config_getpfkey: received pfkey fd 3
> ca_privkey_to_method: type ECDSA method ECDSA_256
> ca_getkey: received private key type ECDSA length 121
> ca_getkey: received public key type ECDSA length 91
> ca_dispatch_parent: config reset
> ca_reload: local cert type ECDSA
> config_getocsp: ocsp_url none tolerate 0 maxage -1
> ikev2_dispatch_cert: updated local CERTREQ type ECDSA length 0
> config_getcompile: compilation done
> config_getsocket: received socket fd 4
> config_getsocket: received socket fd 5
> config_getsocket: received socket fd 6
> config_getsocket: received socket fd 7
> config_getstatic: dpd_check_interval 60
> config_getstatic: no enforcesingleikesa
> config_getstatic: no fragmentation
> config_getstatic: mobike
> config_getstatic: nattport 4500
> config_getstatic: no stickyaddress
> ikev2_init_ike_sa: initiating "OPENBSD-SERVER_INET4_NETS"
> ikev2_policy2id: srcid FQDN/openbsd-server.example.com length 23
> ikev2_add_proposals: length 44
> ikev2_next_payload: length 48 nextpayload KE
> ikev2_next_payload: length 140 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload VENDOR
> ikev2_next_payload: length 16 nextpayload NOTIFY
> ikev2_nat_detection: local source 0x55dc1e4f08b3ac60 0x0000000000000000 0.0.0.0:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0x55dc1e4f08b3ac60 0x0000000000000000 203.0.113.92:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_next_payload: length 14 nextpayload NONE
> ikev2_pld_parse: header ispi 0x55dc1e4f08b3ac60 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 338 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
> ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
> ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 140
> ikev2_pld_ke: dh group ECP_521 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 36
> ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length 16
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> spi=0x55dc1e4f08b3ac60: send IKE_SA_INIT req 0 peer 203.0.113.92:500 local 0.0.0.0:500, 338 bytes
> spi=0x55dc1e4f08b3ac60: sa_state: INIT -> SA_INIT
> spi=0x55dc1e4f08b3ac60: recv IKE_SA_INIT res 0 peer 203.0.113.92:500 local 172.20.10.7:500, 338 bytes, policy 'OPENBSD-SERVER_INET4_NETS'
> ikev2_recv: ispi 0x55dc1e4f08b3ac60 rspi 0x848659094e6d0d63
> ikev2_recv: updated SA to peer 203.0.113.92:500 local 172.20.10.7:500
> ikev2_policy2id: srcid FQDN/openbsd-server.example.com length 23
> ikev2_pld_parse: header ispi 0x55dc1e4f08b3ac60 rspi 0x848659094e6d0d63 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 338 response 1
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
> ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_521
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 140
> ikev2_pld_ke: dh group ECP_521 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 36
> ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length 16
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_nat_detection: peer source 0x55dc1e4f08b3ac60 0x848659094e6d0d63 203.0.113.92:500
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_nat_detection: peer destination 0x55dc1e4f08b3ac60 0x848659094e6d0d63 172.20.10.7:500
> ikev2_pld_notify: NAT_DETECTION_DESTINATION_IP detected NAT
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> ikev2_pld_notify: signature hash SHA2_256 (2)
> ikev2_pld_notify: signature hash SHA2_384 (3)
> ikev2_pld_notify: signature hash SHA2_512 (4)
> ikev2_enable_natt: detected NAT, enabling UDP encapsulation, updated SA to peer 203.0.113.92:4500 local 172.20.10.7:4500
> proposals_negotiate: score 4
> sa_stateok: SA_INIT flags 0x0000, require 0x0008 auth
> spi=0x55dc1e4f08b3ac60: ikev2_sa_keys: DHSECRET with 66 bytes
> ikev2_sa_keys: SKEYSEED with 64 bytes
> spi=0x55dc1e4f08b3ac60: ikev2_sa_keys: S with 80 bytes
> ikev2_prfplus: T1 with 64 bytes
> ikev2_prfplus: T2 with 64 bytes
> ikev2_prfplus: T3 with 64 bytes
> ikev2_prfplus: T4 with 64 bytes
> ikev2_prfplus: T5 with 64 bytes
> ikev2_prfplus: T6 with 64 bytes
> ikev2_prfplus: Tn with 384 bytes
> ikev2_sa_keys: SK_d with 64 bytes
> ikev2_sa_keys: SK_ai with 64 bytes
> ikev2_sa_keys: SK_ar with 64 bytes
> ikev2_sa_keys: SK_ei with 32 bytes
> ikev2_sa_keys: SK_er with 32 bytes
> ikev2_sa_keys: SK_pi with 64 bytes
> ikev2_sa_keys: SK_pr with 64 bytes
> ikev2_msg_auth: initiator auth data length 434
> sa_stateok: SA_INIT flags 0x0008, require 0x0008 auth
> ikev2_policy2id: dstid FQDN/linux-client.example.com length 27
> ikev2_next_payload: length 27 nextpayload IDr
> ikev2_next_payload: length 31 nextpayload AUTH
> spi=0x55dc1e4f08b3ac60: ikev2_cp_request_configured: no
> ikev2_next_payload: length 72 nextpayload SA
> pfkey_sa_getspi: spi 0x160ad210
> pfkey_sa_init: new spi 0x160ad210
> ikev2_add_proposals: length 40
> ikev2_next_payload: length 44 nextpayload TSi
> ikev2_next_payload: length 24 nextpayload TSr
> ikev2_next_payload: length 40 nextpayload NONE
> ikev2_next_payload: length 292 nextpayload IDi
> ikev2_msg_encrypt: decrypted length 238
> ikev2_msg_encrypt: padded length 240
> ikev2_msg_encrypt: length 239, padding 1, output length 288
> ikev2_msg_integr: message length 320
> ikev2_msg_integr: integrity checksum length 32
> ikev2_pld_parse: header ispi 0x55dc1e4f08b3ac60 rspi 0x848659094e6d0d63 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 320 response 0
> ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 292
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 240
> ikev2_msg_decrypt: integrity checksum length 32
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 240/240 padding 1
> ikev2_pld_payloads: decrypted payload IDi nextpayload IDr critical 0x00 length 27
> ikev2_pld_id: id FQDN/openbsd-server.example.com length 23
> ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 31
> ikev2_pld_id: id FQDN/linux-client.example.com length 27
> ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 72
> ikev2_pld_auth: method SHARED_KEY_MIC length 64
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
> ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x160ad210
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
> ikev2_pld_tss: count 1 length 16
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> ikev2_pld_ts: start 10.88.12.0 end 10.88.12.255
> ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 40
> ikev2_pld_tss: count 2 length 32
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> ikev2_pld_ts: start 10.88.0.0 end 10.88.3.255
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> ikev2_pld_ts: start 203.0.113.92 end 203.0.113.92
> spi=0x55dc1e4f08b3ac60: send IKE_AUTH req 1 peer 203.0.113.92:4500 local 172.20.10.7:4500, 320 bytes, NAT-T
> config_free_proposals: free 0xc2e8b0
> spi=0x55dc1e4f08b3ac60: recv IKE_AUTH res 1 peer 203.0.113.92:4500 local 172.20.10.7:4500, 96 bytes, policy 'OPENBSD-SERVER_INET4_NETS'
> ikev2_recv: ispi 0x55dc1e4f08b3ac60 rspi 0x848659094e6d0d63
> ikev2_recv: updated SA to peer 203.0.113.92:4500 local 172.20.10.7:4500
> ikev2_pld_parse: header ispi 0x55dc1e4f08b3ac60 rspi 0x848659094e6d0d63 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 96 response 1
> ikev2_pld_payloads: payload SK nextpayload NOTIFY critical 0x00 length 68
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 32
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 7
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 8
> ikev2_pld_notify: protoid IKE spisize 0 type AUTHENTICATION_FAILED
> ikev2_init_recv: AUTHENTICATION_FAILED, closing SA
> spi=0x55dc1e4f08b3ac60: sa_state: SA_INIT -> CLOSED from 203.0.113.92:4500 to 172.20.10.7:4500 policy 'OPENBSD-SERVER_INET4_NETS'
> ikev2_recv: closing SA
> spi=0x55dc1e4f08b3ac60: sa_free: authentication failed notification from peer
> config_free_proposals: free 0xc2a1c8
> ^Cconfig_doreset: flushing policies
> config_free_proposals: free 0xbd6668
> config_free_proposals: free 0xbd37b0
> config_free_flows: free 0xbd3a30
> config_free_flows: free 0xbd3c20
> config_doreset: flushing SAs
> config_doreset: flushing users
> ca exiting, pid 2098
> ikev2 exiting, pid 2100
> control exiting, pid 2099
> parent terminating
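As an added example (my own code, not from the thread), a small Python check that parses the two iked.conf policies quoted above and reports where the initiator's policy fails to mirror the responder's. iked's responder selects a policy by matching the initiator's IDi against its own dstid and the requested IDr against its srcid, so srcid and dstid must be swapped between the two sides and each flow reversed; the embedded policies are constructed sample input copied from the post, with the cipher and lifetime settings omitted.

```python
import re

# Constructed sample input: the two iked.conf policies quoted in the thread,
# with the ikesa/childsa/ikelifetime/tag settings left out as irrelevant here.
SERVER_POLICY = '''ikev2 "LINUX-CLIENT_INET4_LAN" passive esp \\
    from 10.88.0.0/22 to 10.88.12.0/24 \\
    from 203.0.113.92 to 10.88.12.0/24 \\
    peer any local openbsd-server.example.com \\
    srcid openbsd-server.example.com dstid linux-client.example.com \\
    psk "123123123"'''
CLIENT_POLICY = '''ikev2 "OPENBSD-SERVER_INET4_NETS" active esp \\
    from 10.88.12.0/24 to 10.88.0.0/22 \\
    from 10.88.12.0/24 to 203.0.113.92 \\
    peer 203.0.113.92 \\
    srcid openbsd-server.example.com dstid linux-client.example.com \\
    psk "123123123"'''


def parse_policy(text):
    """Pull flows, ids, peer and psk out of one ikev2 policy (continuations joined)."""
    flat = " ".join(text.replace("\\", " ").split())
    pol = {"flows": set(re.findall(r"\bfrom (\S+) to (\S+)", flat))}
    for key in ("srcid", "dstid", "peer"):
        m = re.search(r"\b%s (\S+)" % key, flat)
        pol[key] = m.group(1) if m else None
    m = re.search(r'\bpsk "([^"]*)"', flat)
    pol["psk"] = m.group(1) if m else None
    return pol


def mirror_problems(initiator, responder):
    """List the ways the responder's policy fails to mirror the initiator's.

    The responder matches the initiator's IDi against its dstid and the
    requested IDr against its srcid, so the ids must be swapped, not copied.
    """
    i, r = parse_policy(initiator), parse_policy(responder)
    problems = []
    if i["srcid"] != r["dstid"]:
        problems.append("initiator srcid %s != responder dstid %s" % (i["srcid"], r["dstid"]))
    if i["dstid"] != r["srcid"]:
        problems.append("initiator dstid %s != responder srcid %s" % (i["dstid"], r["srcid"]))
    # Every flow on one side must appear with source and destination swapped on the other.
    if {(d, s) for s, d in i["flows"]} != r["flows"]:
        problems.append("flows are not reverse images of each other")
    if i["psk"] != r["psk"]:
        problems.append("pre-shared keys differ")
    return problems


if __name__ == "__main__":
    for p in mirror_problems(CLIENT_POLICY, SERVER_POLICY):
        print("mismatch:", p)
```

Run against the configs from the post it flags only the two id lines; swapping srcid and dstid on one side makes the check pass.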