On Tue, Oct 24, 2023 at 03:35:57PM -0500, rea...@catastrophe.net wrote: > On Tue, Oct 24, 2023 at 03:06:41PM -0500, rea...@catastrophe.net wrote: > [..] > >$ uname -a > >OpenBSD openbsd-server 7.4 GENERIC#1336 amd64 > > > >ikev2 "LINUX-CLIENT_INET4_LAN" passive esp \ > > from 10.88.0.0/22 to 10.88.12.0/24 \ > > from 203.0.113.92 to 10.88.12.0/24 \ > > peer any local openbsd-server.example.com \ > > ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \ > > childsa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \ > > srcid openbsd-server.example.com dstid linux-client.example.com \ > > ikelifetime 4h \ > > psk "123123123" \ > > tag "$name-$id" > > > >Client configuration > > > ># uname -a > >Linux linux-client 6.1.14-v7+ #1633 SMP Thu Mar 2 11:02:03 GMT 2023 armv7l > >GNU/Linux > > > >ikev2 "OPENBSD-SERVER_INET4_NETS" active esp \ > > from 10.88.12.0/24 to 10.88.0.0/22 \ > > from 10.88.12.0/24 to 203.0.113.92 \ > > peer 203.0.113.92 \ > > ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \ > > childsa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \ > > srcid openbsd-server.example.com dstid linux-client.example.com \ > > ikelifetime 4h \ > > psk "123123123" \ > > tag "$name-$id"
One thing that is clearly wrong are the IDs. The client should probably use: srcid linux-client.example.com dstid openbsd-server.example.com \ > > > So some of these were a bit backwards. I fixed the configurations but am > now seeing the following on the server side: > > Oct 24 15:22:10 openbsd-server iked[12052]: spi=0x84023eb6ab6a9d33: > ikev2_resp_recv: failed to parse message > > Updated server configuration > > ikev2 "LINUX-CLIENT_INET4_LAN" passive esp \ > from 10.88.0.0/22 to 10.88.12.0/24 \ > from 203.0.113.92 to 10.88.12.0/24 \ > peer any local 203.0.113.92 \ > ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 \ > childsa enc aes-256-gcm prf hmac-sha2-512 group ecp521 \ > srcid openbsd-server.example.com dstid linux-client.example.com \ > lifetime 3600 bytes 1G \ > psk "123123123" \ > tag "$name-$id" > > Updated client configuration > > ikev2 "OPENBSD-SERVER_INET4_NETS" active esp \ > from 10.88.12.0/24 to 10.88.0.0/22 \ > from 10.88.12.0/24 to 203.0.113.92 \ > peer openbsd-server.example.com \ > ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 \ > childsa enc aes-256-gcm prf hmac-sha2-512 group ecp521 \ > srcid linux-client.example.com dstid openbsd-server.example.com \ > lifetime 3600 bytes 1G \ > psk "123123123" \ > tag "$name-$id" > > > Full logs are below > > Server Logs > > # iked -dvv > policy_lookup: setting policy 'LINUX-CLIENT_INET4_LAN' > spi=0xb825bd62181aa707: recv IKE_SA_INIT req 0 peer 192.0.51.245:23804 > local 203.0.113.92:500, 330 bytes, policy 'LINUX-CLIENT_INET4_LAN' > ikev2_recv: ispi 0xb825bd62181aa707 rspi 0x0000000000000000 > ikev2_policy2id: srcid FQDN/openbsd-server.example.com length 23 > ikev2_pld_parse: header ispi 0xb825bd62181aa707 rspi 0x0000000000000000 > nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length > 330 response 0 > ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 40 > ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid IKE spisize 0 > xforms 3 spi 0 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12 > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521 > ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA2_512 > ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 140 > ikev2_pld_ke: dh group ECP_521 reserved 0 > ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 36 > ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length > 16 > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length > 28 > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP > ikev2_nat_detection: peer source 0xb825bd62181aa707 0x0000000000000000 > 192.0.51.245:23804 > ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length > 28 > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP > ikev2_nat_detection: peer destination 0xb825bd62181aa707 0x0000000000000000 > 203.0.113.92:500 > ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14 > ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS > ikev2_pld_notify: signature hash SHA2_256 (2) > ikev2_pld_notify: signature hash SHA2_384 (3) > ikev2_pld_notify: signature hash SHA2_512 (4) > proposals_negotiate: score 3 > proposals_negotiate: score 0 > proposals_negotiate: score 0 > proposals_negotiate: score 0 > proposals_negotiate: score 0 > proposals_negotiate: score 0 > proposals_negotiate: score 0 > proposals_negotiate: score 3 > policy_lookup: setting policy 'LINUX-CLIENT_INET4_LAN' > spi=0xb825bd62181aa707: sa_state: INIT -> SA_INIT > proposals_negotiate: score 3 > sa_stateok: SA_INIT flags 0x0000, require 0x0000 > sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 ) > spi=0xb825bd62181aa707: ikev2_sa_keys: DHSECRET with 66 bytes > ikev2_sa_keys: SKEYSEED with 64 bytes > spi=0xb825bd62181aa707: ikev2_sa_keys: S with 80 bytes > ikev2_prfplus: T1 with 64 bytes > ikev2_prfplus: T2 with 64 bytes > ikev2_prfplus: T3 with 64 bytes > ikev2_prfplus: T4 with 64 bytes > ikev2_prfplus: T5 with 64 bytes > ikev2_prfplus: Tn with 320 bytes > ikev2_sa_keys: SK_d with 64 bytes > ikev2_sa_keys: SK_ei with 36 bytes > ikev2_sa_keys: SK_er with 36 bytes > ikev2_sa_keys: SK_pi with 64 bytes > ikev2_sa_keys: SK_pr with 64 bytes > ikev2_resp_ike_sa_init: detected NAT, enabling UDP encapsulation > ikev2_add_proposals: length 36 > ikev2_next_payload: length 40 nextpayload KE > ikev2_next_payload: length 140 nextpayload NONCE > ikev2_next_payload: length 36 nextpayload VENDOR > ikev2_next_payload: length 16 nextpayload NOTIFY > ikev2_nat_detection: local source 0xb825bd62181aa707 0xe5481ced5de262ea > 203.0.113.92:500 > ikev2_next_payload: length 28 nextpayload NOTIFY > ikev2_nat_detection: local destination 0xb825bd62181aa707 0xe5481ced5de262ea > 192.0.51.245:23804 > ikev2_next_payload: length 28 nextpayload NOTIFY > ikev2_next_payload: length 14 nextpayload NONE > ikev2_pld_parse: header ispi 0xb825bd62181aa707 rspi 0xe5481ced5de262ea > nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length > 330 response 1 > ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 40 > ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid IKE spisize 0 > xforms 3 spi 0 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12 > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512 > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_521 > ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 140 > ikev2_pld_ke: dh group ECP_521 reserved 0 > ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 36 > ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length > 16 > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length > 28 > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length > 28 > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP > ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14 > ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS > spi=0xb825bd62181aa707: send IKE_SA_INIT res 0 peer 192.0.51.245:23804 > local 203.0.113.92:500, 330 bytes > config_free_proposals: free 0x292d636b0f0 > spi=0xb825bd62181aa707: recv IKE_AUTH req 1 peer 192.0.51.245:3916 local > 203.0.113.92:4500, 251 bytes, policy 'LINUX-CLIENT_INET4_LAN' > ikev2_recv: ispi 0xb825bd62181aa707 rspi 0xe5481ced5de262ea > ikev2_recv: updated SA to peer 192.0.51.245:3916 local 203.0.113.92:4500 > ikev2_pld_parse: header ispi 0xb825bd62181aa707 rspi 0xe5481ced5de262ea > nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 251 > response 0 > ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 223 > ikev2_msg_decrypt: IV length 8 > ikev2_msg_decrypt: encrypted payload length 199 > ikev2_msg_decrypt: integrity checksum length 12 > ikev2_msg_decrypt: AAD length 32 > ikev2_msg_decrypt: decrypted payload length 199/199 padding 0 > ikev2_pld_payloads: decrypted payload IDi nextpayload IDr critical 0x00 > length 31 > ikev2_pld_id: id FQDN/linux-client.example.com length 27 > ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 > length 27 > ikev2_pld_id: id FQDN/openbsd-server.example.com length 23 > ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 > length 72 > ikev2_pld_auth: method SHARED_KEY_MIC length 64 > ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 > length 4 > ikev2_validate_sa: malformed payload: too short for header (0 < 8) > spi=0xb825bd62181aa707: ikev2_resp_recv: failed to parse message > spi=0xb825bd62181aa707: recv IKE_AUTH req 1 peer 192.0.51.245:3916 local > 203.0.113.92:4500, 251 bytes, policy 'LINUX-CLIENT_INET4_LAN' > ikev2_recv: ispi 0xb825bd62181aa707 rspi 0xe5481ced5de262ea > ikev2_recv: updated SA to peer 192.0.51.245:3916 local 203.0.113.92:4500 > ikev2_pld_parse: header ispi 0xb825bd62181aa707 rspi 0xe5481ced5de262ea > nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 251 > response 0 > ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 223 > ikev2_msg_decrypt: IV length 8 > ikev2_msg_decrypt: encrypted payload length 199 > ikev2_msg_decrypt: integrity checksum length 12 > ikev2_msg_decrypt: AAD length 32 > ikev2_msg_decrypt: decrypted payload length 199/199 padding 0 > ikev2_pld_payloads: decrypted payload IDi nextpayload IDr critical 0x00 > length 31 > ikev2_pld_id: id FQDN/linux-client.example.com length 27 > ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 > length 27 > ikev2_pld_id: id FQDN/openbsd-server.example.com length 23 > ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 > length 72 > ikev2_pld_auth: method SHARED_KEY_MIC length 64 > ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 > length 4 > ikev2_validate_sa: malformed payload: too short for header (0 < 8) > spi=0xb825bd62181aa707: ikev2_resp_recv: failed to parse message > ^Ccontrol exiting, pid 6682 > ca exiting, pid 23273 > config_doreset: flushing policies > config_free_proposals: free 0x292d6376c80 > config_free_proposals: free 0x292d6376910 > config_free_flows: free 0x292d638f400 > config_free_flows: free 0x292d638f800 > config_free_flows: free 0x292d6361c00 > config_free_flows: free 0x292d6361000 > config_free_proposals: free 0x292d6395000 > config_free_proposals: free 0x292d6395d20 > config_free_proposals: free 0x292d6395870 > config_free_proposals: free 0x292d6384f00 > config_free_flows: free 0x292d6383000 > config_free_proposals: free 0x292d636bc80 > config_free_proposals: free 0x292d6395730 > config_free_proposals: free 0x292d6376b90 > config_free_proposals: free 0x292d636b500 > config_free_flows: free 0x292d6361800 > config_free_proposals: free 0x292d6376cd0 > config_free_proposals: free 0x292d6384410 > config_free_proposals: free 0x292d636b460 > config_free_proposals: free 0x292d6384d70 > config_free_flows: free 0x292d6383c00 > config_doreset: flushing SAs > config_free_proposals: free 0x292d63958c0 > config_free_proposals: free 0x292d636bd70 > config_free_childsas: free 0x292d636c840 > config_free_childsas: free 0x292d6366540 > sa_free_flows: free 0x292d635c800 > sa_free_flows: free 0x292d638f000 > sa_free_flows: free 0x29390660400 > sa_free_flows: free 0x292d635c400 > sa_free_flows: free 0x292d6383400 > sa_free_flows: free 0x292d635c000 > sa_free_flows: free 0x29390655800 > sa_free_flows: free 0x292d6389800 > config_free_proposals: free 0x292d6376f00 > config_free_proposals: free 0x292d6376f50 > config_free_flows: free 0x292d6361400 > config_free_flows: free 0x292d6383800 > config_free_flows: free 0x292d6389c00 > config_free_flows: free 0x292d637fc00 > config_free_proposals: free 0x292d6384730 > config_free_proposals: free 0x292d63954b0 > config_free_proposals: free 0x292d6376960 > config_free_flows: free 0x292d6389000 > config_free_flows: free 0x292d6389400 > config_doreset: flushing users > ikev2 exiting, pid 47679 > parent terminating > > > Client Logs > > # iked -dvv > create_ike: using unknown for peer openbsd-server.example.com > ikev2 "OPENBSD-SERVER_INET4_NETS" active tunnel esp inet from 10.88.12.0/24 to > 10.88.0.0/22 from 10.88.12.0/24 to 203.0.113.92 local any peer 203.0.113.92 > ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 srcid > linux-client.example.com dstid openbsd-server.example.com lifetime 3600 bytes > 1073741824 psk 0x746869732d69732d612d6c6f6e672d746573742d70772d39 tag > "$name-$id" > /etc/iked.conf: loaded 1 configuration rules > ca_privkey_serialize: type ECDSA length 121 > ca_pubkey_serialize: type ECDSA length 91 > config_getpolicy: received policy > config_getpfkey: received pfkey fd 3 > ca_privkey_to_method: type ECDSA method ECDSA_256 > ca_getkey: received private key type ECDSA length 121 > ca_getkey: received public key type ECDSA length 91 > ca_dispatch_parent: config reset > ca_reload: local cert type ECDSA > config_getocsp: ocsp_url none tolerate 0 maxage -1 > ikev2_dispatch_cert: updated local CERTREQ type ECDSA length 0 > config_getcompile: compilation done > config_getsocket: received socket fd 4 > config_getsocket: received socket fd 5 > config_getsocket: received socket fd 6 > config_getsocket: received socket fd 7 > config_getstatic: dpd_check_interval 60 > config_getstatic: no enforcesingleikesa > config_getstatic: no fragmentation > config_getstatic: mobike > config_getstatic: nattport 4500 > config_getstatic: no stickyaddress > ikev2_init_ike_sa: initiating "OPENBSD-SERVER_INET4_NETS" > ikev2_policy2id: srcid FQDN/linux-client.example.com length 27 > ikev2_add_proposals: length 36 > ikev2_next_payload: length 40 nextpayload KE > ikev2_next_payload: length 140 nextpayload NONCE > ikev2_next_payload: length 36 nextpayload VENDOR > ikev2_next_payload: length 16 nextpayload NOTIFY > ikev2_nat_detection: local source 0xb825bd62181aa707 0x0000000000000000 > 0.0.0.0:500 > ikev2_next_payload: length 28 nextpayload NOTIFY > ikev2_nat_detection: local destination 0xb825bd62181aa707 0x0000000000000000 > 203.0.113.92:500 > ikev2_next_payload: length 28 nextpayload NOTIFY > ikev2_next_payload: length 14 nextpayload NONE > ikev2_pld_parse: header ispi 0xb825bd62181aa707 rspi 0x0000000000000000 > nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length > 330 response 0 > ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 40 > ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid IKE spisize 0 > xforms 3 spi 0 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12 > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521 > ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA2_512 > ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 140 > ikev2_pld_ke: dh group ECP_521 reserved 0 > ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 36 > ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length > 16 > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length > 28 > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length > 28 > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP > ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14 > ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS > spi=0xb825bd62181aa707: send IKE_SA_INIT req 0 peer 203.0.113.92:500 local > 0.0.0.0:500, 330 bytes > spi=0xb825bd62181aa707: sa_state: INIT -> SA_INIT > spi=0xb825bd62181aa707: recv IKE_SA_INIT res 0 peer 203.0.113.92:500 local > 172.20.10.7:500, 330 bytes, policy 'OPENBSD-SERVER_INET4_NETS' > ikev2_recv: ispi 0xb825bd62181aa707 rspi 0xe5481ced5de262ea > ikev2_recv: updated SA to peer 203.0.113.92:500 local 172.20.10.7:500 > ikev2_policy2id: srcid FQDN/linux-client.example.com length 27 > ikev2_pld_parse: header ispi 0xb825bd62181aa707 rspi 0xe5481ced5de262ea > nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length > 330 response 1 > ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 40 > ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid IKE spisize 0 > xforms 3 spi 0 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12 > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512 > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_521 > ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 140 > ikev2_pld_ke: dh group ECP_521 reserved 0 > ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 36 > ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length > 16 > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length > 28 > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP > ikev2_nat_detection: peer source 0xb825bd62181aa707 0xe5481ced5de262ea > 203.0.113.92:500 > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length > 28 > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP > ikev2_nat_detection: peer destination 0xb825bd62181aa707 0xe5481ced5de262ea > 172.20.10.7:500 > ikev2_pld_notify: NAT_DETECTION_DESTINATION_IP detected NAT > ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14 > ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS > ikev2_pld_notify: signature hash SHA2_256 (2) > ikev2_pld_notify: signature hash SHA2_384 (3) > ikev2_pld_notify: signature hash SHA2_512 (4) > ikev2_enable_natt: detected NAT, enabling UDP encapsulation, updated SA to > peer 203.0.113.92:4500 local 172.20.10.7:4500 > proposals_negotiate: score 3 > sa_stateok: SA_INIT flags 0x0000, require 0x0008 auth > spi=0xb825bd62181aa707: ikev2_sa_keys: DHSECRET with 66 bytes > ikev2_sa_keys: SKEYSEED with 64 bytes > spi=0xb825bd62181aa707: ikev2_sa_keys: S with 80 bytes > ikev2_prfplus: T1 with 64 bytes > ikev2_prfplus: T2 with 64 bytes > ikev2_prfplus: T3 with 64 bytes > ikev2_prfplus: T4 with 64 bytes > ikev2_prfplus: T5 with 64 bytes > ikev2_prfplus: Tn with 320 bytes > ikev2_sa_keys: SK_d with 64 bytes > ikev2_sa_keys: SK_ei with 36 bytes > ikev2_sa_keys: SK_er with 36 bytes > ikev2_sa_keys: SK_pi with 64 bytes > ikev2_sa_keys: SK_pr with 64 bytes > ikev2_msg_auth: initiator auth data length 426 > sa_stateok: SA_INIT flags 0x0008, require 0x0008 auth > ikev2_policy2id: dstid FQDN/openbsd-server.example.com length 23 > ikev2_next_payload: length 31 nextpayload IDr > ikev2_next_payload: length 27 nextpayload AUTH > spi=0xb825bd62181aa707: ikev2_cp_request_configured: no > ikev2_next_payload: length 72 nextpayload SA > ikev2_add_proposals: length 0 > ikev2_next_payload: length 4 nextpayload TSi > ikev2_next_payload: length 24 nextpayload TSr > ikev2_next_payload: length 40 nextpayload NONE > ikev2_next_payload: length 223 nextpayload IDi > ikev2_msg_encrypt: decrypted length 198 > ikev2_msg_encrypt: padded length 199 > ikev2_msg_encrypt: length 199, padding 0, output length 219 > ikev2_msg_integr: message length 251 > ikev2_msg_integr: integrity checksum length 12 > ikev2_pld_parse: header ispi 0xb825bd62181aa707 rspi 0xe5481ced5de262ea > nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 251 > response 0 > ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 223 > ikev2_msg_decrypt: IV length 8 > ikev2_msg_decrypt: encrypted payload length 199 > ikev2_msg_decrypt: integrity checksum length 12 > ikev2_msg_decrypt: AAD length 32 > ikev2_msg_decrypt: decrypted payload length 199/199 padding 0 > ikev2_pld_payloads: decrypted payload IDi nextpayload IDr critical 0x00 > length 31 > ikev2_pld_id: id FQDN/linux-client.example.com length 27 > ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 > length 27 > ikev2_pld_id: id FQDN/openbsd-server.example.com length 23 > ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 > length 72 > ikev2_pld_auth: method SHARED_KEY_MIC length 64 > ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 > length 4 > ikev2_validate_sa: malformed payload: too short for header (0 < 8) > ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 > length 24 > ikev2_pld_tss: count 1 length 16 > ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport > 65535 > ikev2_pld_ts: start 10.88.12.0 end 10.88.12.255 > ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 > length 40 > ikev2_pld_tss: count 2 length 32 > ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport > 65535 > ikev2_pld_ts: start 10.88.0.0 end 10.88.3.255 > ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport > 65535 > ikev2_pld_ts: start 203.0.113.92 end 203.0.113.92 > spi=0xb825bd62181aa707: send IKE_AUTH req 1 peer 203.0.113.92:4500 local > 172.20.10.7:4500, 251 bytes, NAT-T > config_free_proposals: free 0x1cfd618 > spi=0xb825bd62181aa707: retransmit 1 IKE_AUTH req 1 peer 203.0.113.92:4500 > local 172.20.10.7:4500 > ^Cconfig_doreset: flushing policies > config_doreset: flushing SAs > config_free_proposals: free 0x1cf8e10 > config_free_proposals: free 0x1ca5678 > config_free_flows: free 0x1ca29b8 > config_free_flows: free 0x1ca2ba8 > ca exiting, pid 3414 > config_doreset: flushing users > control exiting, pid 3415 > ikev2 exiting, pid 3416 > parent terminating >
