On Tue, Oct 24, 2023 at 10:56:40PM +0200, Tobias Heider wrote:
>> > > ikev2 "LINUX-CLIENT_INET4_LAN" passive esp \
>> > >   from 10.88.0.0/22 to 10.88.12.0/24 \
>> > >   from 203.0.113.92 to 10.88.12.0/24 \
>> > >   peer any local 203.0.113.92 \
>> > >   ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 \
>> > >    childsa enc aes-256-gcm prf hmac-sha2-512 group ecp521 \
>> > >   srcid openbsd-server.example.com dstid linux-client.example.com \
>> > >   lifetime 3600 bytes 1G \
>> > >   psk "123123123" \
>> > >   tag "$name-$id"
>> > > 
>> > > Updated client configuration
>> > > 
>> > > ikev2 "OPENBSD-SERVER_INET4_NETS" active esp \
>> > >   from 10.88.12.0/24 to 10.88.0.0/22 \
>> > >   from 10.88.12.0/24 to 203.0.113.92 \
>> > >   peer openbsd-server.example.com \
>> > >   ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 \
>> > >    childsa enc aes-256-gcm prf hmac-sha2-512 group ecp521 \
>> > >   srcid linux-client.example.com dstid openbsd-server.example.com \
>> > >   lifetime 3600 bytes 1G \
>> > >   psk "123123123" \
>> > >   tag "$name-$id"
>> 
>> Does it work if you remove the second "from ... to" line? It looks like the SA
>> payload is malformed, so the flows are the most likely cause.
>
>No that is probably not it.
>
>> > > ikev2_next_payload: length 72 nextpayload SA
>> > > ikev2_add_proposals: length 0
>
>This suggests that it might be the "childsa" option. What happens if you
>use the default for that on both machines?
>

Hi Tobias,

It looks like that fixed the issue; here are flows and logs from both
sides of the connection. Thanks!

SERVER FLOWS

# ipsecctl -sa

FLOWS:
flow esp in from 10.88.12.0/24 to 10.88.0.0/22 peer 192.0.51.56 srcid FQDN/openbsd-server.example.com dstid FQDN/linux-client.example.com type require
flow esp in from 10.88.12.0/24 to 203.0.113.92 peer 192.0.51.56 srcid FQDN/openbsd-server.example.com dstid FQDN/linux-client.example.com type require
flow esp out from 10.88.0.0/22 to 10.88.12.0/24 peer 192.0.51.56 srcid FQDN/openbsd-server.example.com dstid FQDN/linux-client.example.com type require
flow esp out from 203.0.113.92 to 10.88.12.0/24 peer 192.0.51.56 srcid FQDN/openbsd-server.example.com dstid FQDN/linux-client.example.com type require

SAD:
esp tunnel from 203.0.113.92 to 192.0.51.56 spi 0xbafd01bf auth hmac-sha2-384 enc aes-256
esp tunnel from 192.0.51.56 to 203.0.113.92 spi 0xe1da3202 auth hmac-sha2-384 enc aes-256

CLIENT FLOWS

# ikectl show sa
iked_sas: 0x8ca860 rspi 0xe78e9293b9763424 ispi 0x0836db2645d57812 172.20.10.7:4500->203.0.113.92:4500<FQDN/openbsd-server.example.com>[] ESTABLISHED i natt udpecap nexti (nil) pol 0x8cbf48
  sa_childsas: 0x8f3650 ESP 0xe1da3202 out 172.20.10.7:4500 -> 203.0.113.92:4500 (L) B=(nil) P=0x8f36c0 @0x8ca860
  sa_childsas: 0x8f36c0 ESP 0xbafd01bf in 203.0.113.92:4500 -> 172.20.10.7:4500 (LA) B=(nil) P=0x8f3650 @0x8ca860
  sa_flows: 0x8f2e90 ESP out 10.88.0.0/22 -> 10.88.12.0/24 [0]@-1 (L) @0x8ca860
  sa_flows: 0x8f2ab0 ESP out 10.88.12.0/24 -> 10.88.0.0/22 [0]@-1 (L) @0x8ca860
  sa_flows: 0x8f2ca0 ESP in 10.88.0.0/22 -> 10.88.12.0/24 [0]@-1 (L) @0x8ca860
  sa_flows: 0x8f3460 ESP out 203.0.113.92/32 -> 10.88.12.0/24 [0]@-1 (L) @0x8ca860
  sa_flows: 0x8f3080 ESP out 10.88.12.0/24 -> 203.0.113.92/32 [0]@-1 (L) @0x8ca860
  sa_flows: 0x8f3270 ESP in 203.0.113.92/32 -> 10.88.12.0/24 [0]@-1 (L) @0x8ca860
iked_activesas: 0x8f36c0 ESP 0xbafd01bf in 203.0.113.92:4500 -> 172.20.10.7:4500 (LA) B=(nil) P=0x8f3650 @0x8ca860
iked_activesas: 0x8f3650 ESP 0xe1da3202 out 172.20.10.7:4500 -> 203.0.113.92:4500 (L) B=(nil) P=0x8f36c0 @0x8ca860
iked_flows: 0x8f2ca0 ESP in 10.88.0.0/22 -> 10.88.12.0/24 [0]@-1 (L) @0x8ca860
iked_flows: 0x8f3270 ESP in 203.0.113.92/32 -> 10.88.12.0/24 [0]@-1 (L) @0x8ca860
iked_flows: 0x8f2ab0 ESP out 10.88.12.0/24 -> 10.88.0.0/22 [0]@-1 (L) @0x8ca860
iked_flows: 0x8f3080 ESP out 10.88.12.0/24 -> 203.0.113.92/32 [0]@-1 (L) @0x8ca860
iked_flows: 0x8f2e90 ESP out 10.88.0.0/22 -> 10.88.12.0/24 [0]@-1 (L) @0x8ca860
iked_flows: 0x8f3460 ESP out 203.0.113.92/32 -> 10.88.12.0/24 [0]@-1 (L) @0x8ca860
iked_dstid_sas: 0x8ca860 rspi 0xe78e9293b9763424 ispi 0x0836db2645d57812 172.20.10.7:4500->203.0.113.92:4500<FQDN/openbsd-server.example.com>[] ESTABLISHED i natt udpecap nexti (nil) pol 0x8cbf48



SERVER iked log

# iked -dvv
create_ike: using unknown for peer linux-client.example.com
ikev2 "LINUX-CLIENT_INET4_LAN" passive tunnel esp inet from 10.88.0.0/22 to 10.88.12.0/24 from 203.0.113.92 to 10.88.12.0/24 local 203.0.113.92 peer any ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 childsa enc aes-128-gcm enc aes-256-gcm group none esn noesn childsa enc aes-256 enc aes-192 enc aes-128 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group none esn noesn srcid openbsd-server.example.com dstid linux-client.example.com lifetime 3600 bytes 1073741824 psk 0x313233313233313233 tag "$name-$id"
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1191
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: local cert type RSA_KEY
config_getocsp: ocsp_url none tolerate 0 maxage -1
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
config_getpolicy: received policy
config_getpfkey: received pfkey fd 7
config_getcompile: compilation done
config_getsocket: received socket fd 8
config_getsocket: received socket fd 9
config_getsocket: received socket fd 10
config_getsocket: received socket fd 11
config_getstatic: dpd_check_interval 60
config_getstatic: no enforcesingleikesa
config_getstatic: no fragmentation
config_getstatic: mobike
config_getstatic: nattport 4500
config_getstatic: no stickyaddress
policy_lookup: setting policy 'LINUX-CLIENT_INET4_LAN'
spi=0x0836db2645d57812: recv IKE_SA_INIT req 0 peer 192.0.51.56:19878 local 203.0.113.92:500, 330 bytes, policy 'LINUX-CLIENT_INET4_LAN'
ikev2_recv: ispi 0x0836db2645d57812 rspi 0x0000000000000000
ikev2_policy2id: srcid FQDN/openbsd-server.example.com length 23
ikev2_pld_parse: header ispi 0x0836db2645d57812 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 330 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 40
ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid IKE spisize 0 xforms 3 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 140
ikev2_pld_ke: dh group ECP_521 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 36
ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length 16
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x0836db2645d57812 0x0000000000000000 192.0.51.56:19878
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x0836db2645d57812 0x0000000000000000 203.0.113.92:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
proposals_negotiate: score 3
policy_lookup: setting policy 'LINUX-CLIENT_INET4_LAN'
spi=0x0836db2645d57812: sa_state: INIT -> SA_INIT
proposals_negotiate: score 3
sa_stateok: SA_INIT flags 0x0000, require 0x0000 
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
spi=0x0836db2645d57812: ikev2_sa_keys: DHSECRET with 66 bytes
ikev2_sa_keys: SKEYSEED with 64 bytes
spi=0x0836db2645d57812: ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 64 bytes
ikev2_prfplus: T2 with 64 bytes
ikev2_prfplus: T3 with 64 bytes
ikev2_prfplus: T4 with 64 bytes
ikev2_prfplus: T5 with 64 bytes
ikev2_prfplus: Tn with 320 bytes
ikev2_sa_keys: SK_d with 64 bytes
ikev2_sa_keys: SK_ei with 36 bytes
ikev2_sa_keys: SK_er with 36 bytes
ikev2_sa_keys: SK_pi with 64 bytes
ikev2_sa_keys: SK_pr with 64 bytes
ikev2_resp_ike_sa_init: detected NAT, enabling UDP encapsulation
ikev2_add_proposals: length 36
ikev2_next_payload: length 40 nextpayload KE
ikev2_next_payload: length 140 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload VENDOR
ikev2_next_payload: length 16 nextpayload NOTIFY
ikev2_nat_detection: local source 0x0836db2645d57812 0xe78e9293b9763424 203.0.113.92:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x0836db2645d57812 0xe78e9293b9763424 192.0.51.56:19878
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0x0836db2645d57812 rspi 0xe78e9293b9763424 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 330 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 40
ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid IKE spisize 0 xforms 3 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_521
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 140
ikev2_pld_ke: dh group ECP_521 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 36
ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length 16
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
spi=0x0836db2645d57812: send IKE_SA_INIT res 0 peer 192.0.51.56:19878 local 203.0.113.92:500, 330 bytes
config_free_proposals: free 0x3ec2e170f0
spi=0x0836db2645d57812: recv IKE_AUTH req 1 peer 192.0.51.56:43281 local 203.0.113.92:4500, 331 bytes, policy 'LINUX-CLIENT_INET4_LAN'
ikev2_recv: ispi 0x0836db2645d57812 rspi 0xe78e9293b9763424
ikev2_recv: updated SA to peer 192.0.51.56:43281 local 203.0.113.92:4500
ikev2_pld_parse: header ispi 0x0836db2645d57812 rspi 0xe78e9293b9763424 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 331 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 303
ikev2_msg_decrypt: IV length 8
ikev2_msg_decrypt: encrypted payload length 279
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: AAD length 32
ikev2_msg_decrypt: decrypted payload length 279/279 padding 0
ikev2_pld_payloads: decrypted payload IDi nextpayload IDr critical 0x00 length 31
ikev2_pld_id: id FQDN/linux-client.example.com length 27
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 27
ikev2_pld_id: id FQDN/openbsd-server.example.com length 23
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 72
ikev2_pld_auth: method SHARED_KEY_MIC length 64
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 84
ikev2_pld_sa: more 0 reserved 0 length 80 proposal #1 protoid ESP spisize 4 xforms 7 spi 0xbafd01bf
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_tss: count 1 length 16
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.88.12.0 end 10.88.12.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 40
ikev2_pld_tss: count 2 length 32
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.88.0.0 end 10.88.3.255
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 203.0.113.92 end 203.0.113.92
ikev2_resp_recv: NAT-T message received, updated SA
sa_stateok: SA_INIT flags 0x0000, require 0x0000 
spi=0x0836db2645d57812: sa_state: SA_INIT -> AUTH_REQUEST
policy_lookup: peerid 'linux-client.example.com'
policy_lookup: localid 'openbsd-server.example.com'
proposals_negotiate: score 3
policy_lookup: setting policy 'LINUX-CLIENT_INET4_LAN'
ikev2_msg_auth: responder auth data length 426
proposals_negotiate: score 0
proposals_negotiate: score 7
sa_stateflags: 0x0028 -> 0x0028 auth,sa (required 0x0038 auth,authvalid,sa)
ikev2_msg_auth: initiator auth data length 426
ikev2_msg_authverify: method SHARED_KEY_MIC keylen 64 type NONE
ikev2_msg_authverify: authentication successful
spi=0x0836db2645d57812: sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0028 -> 0x0038 auth,authvalid,sa (required 0x0038 auth,authvalid,sa)
sa_stateok: VALID flags 0x0038, require 0x0038 auth,authvalid,sa
spi=0x0836db2645d57812: sa_state: AUTH_SUCCESS -> VALID
sa_stateok: VALID flags 0x0038, require 0x0038 auth,authvalid,sa
sa_stateok: VALID flags 0x0038, require 0x0038 auth,authvalid,sa
ikev2_sa_tag: LINUX-CLIENT_INET4_LAN-FQDN/linux-client.example.com (43)
ikev2_childsa_negotiate: proposal 1
ikev2_childsa_negotiate: key material length 160
ikev2_prfplus: T1 with 64 bytes
ikev2_prfplus: T2 with 64 bytes
ikev2_prfplus: T3 with 64 bytes
ikev2_prfplus: Tn with 192 bytes
pfkey_sa_getspi: spi 0xe1da3202
pfkey_sa_init: new spi 0xe1da3202
ikev2_next_payload: length 27 nextpayload AUTH
ikev2_next_payload: length 72 nextpayload SA
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 40 nextpayload NONE
ikev2_next_payload: length 232 nextpayload IDr
ikev2_msg_encrypt: decrypted length 207
ikev2_msg_encrypt: padded length 208
ikev2_msg_encrypt: length 208, padding 0, output length 228
ikev2_msg_integr: message length 260
ikev2_msg_integr: integrity checksum length 12
ikev2_pld_parse: header ispi 0x0836db2645d57812 rspi 0xe78e9293b9763424 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 260 response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 232
ikev2_msg_decrypt: IV length 8
ikev2_msg_decrypt: encrypted payload length 208
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: AAD length 32
ikev2_msg_decrypt: decrypted payload length 208/208 padding 0
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 27
ikev2_pld_id: id FQDN/openbsd-server.example.com length 23
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 72
ikev2_pld_auth: method SHARED_KEY_MIC length 64
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0xe1da3202
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_tss: count 1 length 16
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.88.12.0 end 10.88.12.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 40
ikev2_pld_tss: count 2 length 32
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.88.0.0 end 10.88.3.255
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 203.0.113.92 end 203.0.113.92
spi=0x0836db2645d57812: send IKE_AUTH res 1 peer 192.0.51.56:43281 local 203.0.113.92:4500, 260 bytes, NAT-T
pfkey_sa_add: update spi 0xe1da3202
pfkey_sa: udpencap port 43281
ikev2_childsa_enable: loaded CHILD SA spi 0xe1da3202
pfkey_sa_add: add spi 0xbafd01bf
pfkey_sa: udpencap port 43281
ikev2_childsa_enable: loaded CHILD SA spi 0xbafd01bf
ikev2_childsa_enable: loaded flow 0x3e7407d000
ikev2_childsa_enable: loaded flow 0x3ec2e40000
ikev2_childsa_enable: loaded flow 0x3ec2e1f800
ikev2_childsa_enable: loaded flow 0x3ec2e0a800
ikev2_childsa_enable: remember SA peer 192.0.51.56:43281
spi=0x0836db2645d57812: ikev2_childsa_enable: loaded SPIs: 0xe1da3202, 0xbafd01bf (enc aes-256 auth hmac-sha2-384)
spi=0x0836db2645d57812: ikev2_childsa_enable: loaded flows: ESP-10.88.0.0/22=10.88.12.0/24(0), ESP-203.0.113.92/32=10.88.12.0/24(0)
spi=0x0836db2645d57812: sa_state: VALID -> ESTABLISHED from 192.0.51.56:43281 to 203.0.113.92:4500 policy 'LINUX-CLIENT_INET4_LAN'
spi=0x0836db2645d57812: established peer 192.0.51.56:43281[FQDN/linux-client.example.com] local 203.0.113.92:4500[FQDN/openbsd-server.example.com] policy 'LINUX-CLIENT_INET4_LAN' as responder (enc aes-256-gcm-12 group ecp521 prf hmac-sha2-512)
config_free_proposals: free 0x3ec2e41e60
control exiting, pid 54050
ca exiting, pid 95865
config_doreset: flushing policies
config_doreset: flushing SAs
config_free_proposals: free 0x3ec2e41410
config_free_proposals: free 0x3ec2e175a0
config_free_childsas: free 0x3ec2e256c0
config_free_childsas: free 0x3e7405df00
sa_free_flows: free 0x3e7407d000
sa_free_flows: free 0x3ec2e40000
sa_free_flows: free 0x3ec2e1f800
sa_free_flows: free 0x3ec2e0a800
config_free_proposals: free 0x3ec2e0cf00
config_free_proposals: free 0x3ec2e0c140
config_free_proposals: free 0x3ec2e17cd0
config_free_flows: free 0x3ec2e40800
config_free_flows: free 0x3ec2e1f400
config_doreset: flushing users
ikev2 exiting, pid 82110
parent terminating


CLIENT iked(8) log

create_ike: using unknown for peer openbsd-server.example.com
ikev2 "OPENBSD-SERVER_INET4_NETS" active tunnel esp inet from 10.88.12.0/24 to 10.88.0.0/22 from 10.88.12.0/24 to 203.0.113.92 local any peer 203.0.113.92 ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 childsa enc aes-256 enc aes-192 enc aes-128 auth hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group none noesn srcid linux-client.example.com dstid openbsd-server.example.com lifetime 3600 bytes 1073741824 psk 0x313233313233313233 tag "$name-$id"
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type ECDSA length 121
ca_pubkey_serialize: type ECDSA length 91
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
ca_privkey_to_method: type ECDSA method ECDSA_256
ca_getkey: received private key type ECDSA length 121
ca_getkey: received public key type ECDSA length 91
ca_dispatch_parent: config reset
ca_reload: local cert type ECDSA
config_getocsp: ocsp_url none tolerate 0 maxage -1
ikev2_dispatch_cert: updated local CERTREQ type ECDSA length 0
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getstatic: dpd_check_interval 60
config_getstatic: no enforcesingleikesa
config_getstatic: no fragmentation
config_getstatic: mobike
config_getstatic: nattport 4500
config_getstatic: no stickyaddress
ikev2_init_ike_sa: initiating "OPENBSD-SERVER_INET4_NETS"
ikev2_policy2id: srcid FQDN/linux-client.example.com length 27
ikev2_add_proposals: length 36
ikev2_next_payload: length 40 nextpayload KE
ikev2_next_payload: length 140 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload VENDOR
ikev2_next_payload: length 16 nextpayload NOTIFY
ikev2_nat_detection: local source 0x0836db2645d57812 0x0000000000000000 0.0.0.0:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x0836db2645d57812 0x0000000000000000 203.0.113.92:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0x0836db2645d57812 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 330 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 40
ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid IKE spisize 0 xforms 3 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 140
ikev2_pld_ke: dh group ECP_521 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 36
ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length 16
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
spi=0x0836db2645d57812: send IKE_SA_INIT req 0 peer 203.0.113.92:500 local 0.0.0.0:500, 330 bytes
spi=0x0836db2645d57812: sa_state: INIT -> SA_INIT
spi=0x0836db2645d57812: recv IKE_SA_INIT res 0 peer 203.0.113.92:500 local 172.20.10.7:500, 330 bytes, policy 'OPENBSD-SERVER_INET4_NETS'
ikev2_recv: ispi 0x0836db2645d57812 rspi 0xe78e9293b9763424
ikev2_recv: updated SA to peer 203.0.113.92:500 local 172.20.10.7:500
ikev2_policy2id: srcid FQDN/linux-client.example.com length 27
ikev2_pld_parse: header ispi 0x0836db2645d57812 rspi 0xe78e9293b9763424 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 330 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 40
ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid IKE spisize 0 xforms 3 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_521
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 140
ikev2_pld_ke: dh group ECP_521 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 36
ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length 16
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x0836db2645d57812 0xe78e9293b9763424 203.0.113.92:500
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x0836db2645d57812 0xe78e9293b9763424 172.20.10.7:500
ikev2_pld_notify: NAT_DETECTION_DESTINATION_IP detected NAT
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
ikev2_enable_natt: detected NAT, enabling UDP encapsulation, updated SA to peer 203.0.113.92:4500 local 172.20.10.7:4500
proposals_negotiate: score 3
sa_stateok: SA_INIT flags 0x0000, require 0x0008 auth
spi=0x0836db2645d57812: ikev2_sa_keys: DHSECRET with 66 bytes
ikev2_sa_keys: SKEYSEED with 64 bytes
spi=0x0836db2645d57812: ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 64 bytes
ikev2_prfplus: T2 with 64 bytes
ikev2_prfplus: T3 with 64 bytes
ikev2_prfplus: T4 with 64 bytes
ikev2_prfplus: T5 with 64 bytes
ikev2_prfplus: Tn with 320 bytes
ikev2_sa_keys: SK_d with 64 bytes
ikev2_sa_keys: SK_ei with 36 bytes
ikev2_sa_keys: SK_er with 36 bytes
ikev2_sa_keys: SK_pi with 64 bytes
ikev2_sa_keys: SK_pr with 64 bytes
ikev2_msg_auth: initiator auth data length 426
sa_stateok: SA_INIT flags 0x0008, require 0x0008 auth
ikev2_policy2id: dstid FQDN/openbsd-server.example.com length 23
ikev2_next_payload: length 31 nextpayload IDr
ikev2_next_payload: length 27 nextpayload AUTH
spi=0x0836db2645d57812: ikev2_cp_request_configured: no
ikev2_next_payload: length 72 nextpayload SA
pfkey_sa_getspi: spi 0xbafd01bf
pfkey_sa_init: new spi 0xbafd01bf
ikev2_add_proposals: length 80
ikev2_next_payload: length 84 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 40 nextpayload NONE
ikev2_next_payload: length 303 nextpayload IDi
ikev2_msg_encrypt: decrypted length 278
ikev2_msg_encrypt: padded length 279
ikev2_msg_encrypt: length 279, padding 0, output length 299
ikev2_msg_integr: message length 331
ikev2_msg_integr: integrity checksum length 12
ikev2_pld_parse: header ispi 0x0836db2645d57812 rspi 0xe78e9293b9763424 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 331 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 303
ikev2_msg_decrypt: IV length 8
ikev2_msg_decrypt: encrypted payload length 279
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: AAD length 32
ikev2_msg_decrypt: decrypted payload length 279/279 padding 0
ikev2_pld_payloads: decrypted payload IDi nextpayload IDr critical 0x00 length 31
ikev2_pld_id: id FQDN/linux-client.example.com length 27
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 27
ikev2_pld_id: id FQDN/openbsd-server.example.com length 23
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 72
ikev2_pld_auth: method SHARED_KEY_MIC length 64
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 84
ikev2_pld_sa: more 0 reserved 0 length 80 proposal #1 protoid ESP spisize 4 xforms 7 spi 0xbafd01bf
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_tss: count 1 length 16
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.88.12.0 end 10.88.12.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 40
ikev2_pld_tss: count 2 length 32
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.88.0.0 end 10.88.3.255
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 203.0.113.92 end 203.0.113.92
spi=0x0836db2645d57812: send IKE_AUTH req 1 peer 203.0.113.92:4500 local 172.20.10.7:4500, 331 bytes, NAT-T
config_free_proposals: free 0x8f1838
spi=0x0836db2645d57812: recv IKE_AUTH res 1 peer 203.0.113.92:4500 local 172.20.10.7:4500, 260 bytes, policy 'OPENBSD-SERVER_INET4_NETS'
ikev2_recv: ispi 0x0836db2645d57812 rspi 0xe78e9293b9763424
ikev2_recv: updated SA to peer 203.0.113.92:4500 local 172.20.10.7:4500
ikev2_pld_parse: header ispi 0x0836db2645d57812 rspi 0xe78e9293b9763424 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 260 response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 232
ikev2_msg_decrypt: IV length 8
ikev2_msg_decrypt: encrypted payload length 208
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: AAD length 32
ikev2_msg_decrypt: decrypted payload length 208/208 padding 0
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 27
ikev2_pld_id: id FQDN/openbsd-server.example.com length 23
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 72
ikev2_pld_auth: method SHARED_KEY_MIC length 64
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0xe1da3202
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_tss: count 1 length 16
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.88.12.0 end 10.88.12.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 40
ikev2_pld_tss: count 2 length 32
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.88.0.0 end 10.88.3.255
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 203.0.113.92 end 203.0.113.92
spi=0x0836db2645d57812: sa_state: SA_INIT -> AUTH_REQUEST
policy_lookup: peerid 'openbsd-server.example.com'
proposals_negotiate: score 3
policy_lookup: setting policy 'OPENBSD-SERVER_INET4_NETS'
proposals_negotiate: score 3
sa_stateflags: 0x0008 -> 0x0028 auth,sa (required 0x0030 authvalid,sa)
ikev2_msg_auth: responder auth data length 426
ikev2_msg_authverify: method SHARED_KEY_MIC keylen 64 type NONE
ikev2_msg_authverify: authentication successful
spi=0x0836db2645d57812: sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0028 -> 0x0038 auth,authvalid,sa (required 0x0030 authvalid,sa)
sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
spi=0x0836db2645d57812: sa_state: AUTH_SUCCESS -> VALID
sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
ikev2_sa_tag: OPENBSD-SERVER_INET4_NETS-FQDN/openbsd-server.example.com (39)
ikev2_childsa_negotiate: proposal 1
ikev2_childsa_negotiate: key material length 160
ikev2_prfplus: T1 with 64 bytes
ikev2_prfplus: T2 with 64 bytes
ikev2_prfplus: T3 with 64 bytes
ikev2_prfplus: Tn with 192 bytes
pfkey_sa_add: add spi 0xe1da3202
pfkey_sa: NAT-T: type=UDP encap (2) sport=4500 dport=4500
ikev2_childsa_enable: loaded CHILD SA spi 0xe1da3202
pfkey_sa_add: update spi 0xbafd01bf
pfkey_sa: NAT-T: type=UDP encap (2) sport=4500 dport=4500
ikev2_childsa_enable: loaded CHILD SA spi 0xbafd01bf
ikev2_childsa_enable: loaded flow 0x8f2e90
ikev2_childsa_enable: loaded flow 0x8f2ab0
ikev2_childsa_enable: loaded flow 0x8f2ca0
ikev2_childsa_enable: loaded flow 0x8f3460
ikev2_childsa_enable: loaded flow 0x8f3080
ikev2_childsa_enable: loaded flow 0x8f3270
ikev2_childsa_enable: remember SA peer 203.0.113.92:4500
spi=0x0836db2645d57812: ikev2_childsa_enable: loaded SPIs: 0xe1da3202, 0xbafd01bf (enc aes-256 auth hmac-sha2-384)
spi=0x0836db2645d57812: ikev2_childsa_enable: loaded flows: ESP-10.88.12.0/24=10.88.0.0/22(0), ESP-10.88.12.0/24=203.0.113.92/32(0)
spi=0x0836db2645d57812: sa_state: VALID -> ESTABLISHED from 203.0.113.92:4500 to 172.20.10.7:4500 policy 'OPENBSD-SERVER_INET4_NETS'
spi=0x0836db2645d57812: established peer 203.0.113.92:4500[FQDN/openbsd-server.example.com] local 172.20.10.7:4500[FQDN/linux-client.example.com] policy 'OPENBSD-SERVER_INET4_NETS' as initiator (enc aes-256-gcm-12 group ecp521 prf hmac-sha2-512)
config_free_proposals: free 0x8ed880
ikev2_info: called
ikev2_ike_sa_keepalive: peer 203.0.113.92:4500 local 172.20.10.7:4500
ikev2_info: called
ikev2_ike_sa_keepalive: peer 203.0.113.92:4500 local 172.20.10.7:4500
config_doreset: flushing policies
config_doreset: flushing SAs
config_free_proposals: free 0x8ed030
config_free_proposals: free 0x8f27b8
config_free_childsas: free 0x8f3650
ca exiting, pid 4519
control exiting, pid 4520
config_free_childsas: free 0x8f36c0
sa_free_flows: free 0x8f2e90
sa_free_flows: free 0x8f2ab0
sa_free_flows: free 0x8f2ca0
sa_free_flows: free 0x8f3460
sa_free_flows: free 0x8f3080
sa_free_flows: free 0x8f3270
config_free_proposals: free 0x899678
config_free_proposals: free 0x899e60
config_free_flows: free 0x896a40
config_free_flows: free 0x896c30
config_doreset: flushing users
ikev2 exiting, pid 4521
parent terminating
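The line Tobias pointed at in the earlier exchange, `ikev2_add_proposals: length 0`, is an SA payload built from zero proposals, and it is the kind of symptom that is easy to miss in several hundred lines of `iked -dvv` output. As an added example (not code from this thread or from OpenIKED), here is a small Python triage script for such logs: it reports that empty-proposal symptom, groups each `ikev2_pld_xform`/`ikev2_pld_attr` line under its `ikev2_pld_sa` header and checks the parsed count against the header's `xforms` value, reads the negotiated suite off the `established peer` line, flags legacy transforms such as the `HMAC_SHA1_96` offer in the ESP proposal above, and redacts the PSK that the verbose policy dump prints as hex (`psk 0x313233313233313233` above is the configured `"123123123"`), so a log can be posted without it. The sample lines are constructed from the output in this thread with the line wrapping removed; the legacy-transform spellings are assumptions that follow iked's own `HMAC_SHA1_96`/`AES_CBC` style.

```python
"""Triage iked(8) -dvv output: empty SA payloads, offered transforms, PSK leakage.
Added example for this thread, not OpenIKED code; sample lines are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LOG = """\
ikev2 "LINUX-CLIENT_INET4_LAN" passive tunnel esp inet from 10.88.0.0/22 to 10.88.12.0/24 local 203.0.113.92 peer any ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 srcid openbsd-server.example.com dstid linux-client.example.com lifetime 3600 bytes 1073741824 psk 0x313233313233313233 tag "$name-$id"
ikev2_next_payload: length 72 nextpayload SA
ikev2_add_proposals: length 0
ikev2_pld_sa: more 0 reserved 0 length 80 proposal #1 protoid ESP spisize 4 xforms 7 spi 0xbafd01bf
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
spi=0x0836db2645d57812: established peer 192.0.51.56:43281[FQDN/linux-client.example.com] local 203.0.113.92:4500[FQDN/openbsd-server.example.com] policy 'LINUX-CLIENT_INET4_LAN' as responder (enc aes-256-gcm-12 group ecp521 prf hmac-sha2-512)
"""


@dataclass
class Proposal:
    number: int
    protoid: str
    declared_xforms: int  # the "xforms N" count in the ikev2_pld_sa header
    spi: str
    transforms: List[Dict[str, str]] = field(default_factory=list)


PSK_RE = re.compile(r'\bpsk\s+(0x[0-9a-fA-F]+|"[^"]*")')
SA_RE = re.compile(r'ikev2_pld_sa: .*proposal #(\d+) protoid (\w+) spisize \d+ xforms (\d+) spi (\S+)')
XFORM_RE = re.compile(r'ikev2_pld_xform: .*type (\w+) id (\S+)')
ATTR_RE = re.compile(r'ikev2_pld_attr: attribute type KEY_LENGTH length (\d+)')
EMPTY_RE = re.compile(r'ikev2_add_proposals: length 0$')
EST_RE = re.compile(r'established peer .* as (initiator|responder) \((.*)\)')

# Transforms a current policy should not offer. Assumed spellings, following the
# HMAC_SHA1_96 / AES_CBC style iked uses in the log lines above.
LEGACY = {"HMAC_SHA1_96", "HMAC_MD5_96", "3DES", "DES", "MODP_768", "MODP_1024"}


def redact_psk(line: str) -> str:
    """The -dvv policy dump prints the PSK as hex; strip it before sharing a log."""
    return PSK_RE.sub("psk <redacted>", line)


def parse_proposals(lines: List[str]) -> List[Proposal]:
    """Group ikev2_pld_xform / ikev2_pld_attr lines under their ikev2_pld_sa header."""
    proposals: List[Proposal] = []
    cur: Optional[Proposal] = None
    for line in lines:
        m = SA_RE.search(line)
        if m:
            cur = Proposal(int(m.group(1)), m.group(2), int(m.group(3)), m.group(4))
            proposals.append(cur)
            continue
        if cur is None:
            continue
        m = XFORM_RE.search(line)
        if m:
            cur.transforms.append({"type": m.group(1), "id": m.group(2)})
            continue
        m = ATTR_RE.search(line)
        if m and cur.transforms:  # KEY_LENGTH belongs to the preceding ENCR transform
            cur.transforms[-1]["keylen"] = m.group(1)
    return proposals


def established_suite(lines: List[str]) -> Optional[Dict[str, str]]:
    """Return {'enc': ..., 'group': ..., 'prf': ..., 'role': ...} from the established line."""
    for line in lines:
        m = EST_RE.search(line)
        if m:
            toks = m.group(2).split()
            suite = dict(zip(toks[0::2], toks[1::2]))
            suite["role"] = m.group(1)
            return suite
    return None


def triage(log: str) -> Dict[str, object]:
    lines = log.splitlines()
    findings: List[str] = []
    # The symptom from the earlier exchange: an SA payload built from zero proposals.
    for n, line in enumerate(lines, 1):
        if EMPTY_RE.search(line):
            findings.append(f"line {n}: SA payload carries no proposals; check the childsa/ikesa transforms")
    proposals = parse_proposals(lines)
    for p in proposals:
        if len(p.transforms) != p.declared_xforms:
            findings.append(f"proposal #{p.number} {p.protoid}: header says {p.declared_xforms} xforms, parsed {len(p.transforms)}")
        for t in p.transforms:
            if t["id"] in LEGACY:
                findings.append(f"proposal #{p.number} {p.protoid}: legacy transform {t['type']} {t['id']} offered")
    if any(PSK_RE.search(line) for line in lines):
        findings.append("policy dump contains the PSK; run the log through redact_psk() before sharing")
    return {"proposals": proposals, "suite": established_suite(lines), "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for finding in result["findings"]:
        print("!", finding)
    print("negotiated:", result["suite"])
```

On a real run, feed it the unwrapped `iked -dvv` output (`python3 triage.py < iked.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`); the transform-count check catches truncated captures, and the `xforms`-grouping mirrors how the responder's `proposals_negotiate: score 7` line above counts the client's seven ESP transforms.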

