Re: IKED and encapsulated peers
On Mon, Oct 05, 2015 at 07:52:28PM BST, Jason Tubnor wrote:
> On 5 October 2015 at 22:00, Jason Tubnor wrote:
> >
> > Solved!
> >
> > I have attached a man 5 iked.conf patch that clears up an example used in
> > the man page.
>
> The gz diff was stripped by demime, here is the flat text patch file.
>
> Cheers,
>
> Jason.
>
> [demime 1.01d removed an attachment of type application/octet-stream which
> had a name of iked.conf.5.patch]

Jason,

The only OpenBSD mailing list which permits attachments is ports@[0]. On all
the other ones demime strips *any* kind of attachments from emails sent there.
It is customary to include patches or config files in-line.

Regards,
Raf

[0] http://www.openbsd.org/mail.html
Re: IKED and encapsulated peers
On 5 October 2015 at 22:00, Jason Tubnor wrote:
>
> Solved!
>
> I have attached a man 5 iked.conf patch that clears up an example used in
> the man page.
>

The gz diff was stripped by demime, here is the flat text patch file.

Cheers,

Jason.

[demime 1.01d removed an attachment of type application/octet-stream which
had a name of iked.conf.5.patch]
Re: IKED and encapsulated peers
On 3 October 2015 at 14:40, Jason Tubnor wrote:
> Hi,
>
> Based on man 5 iked.conf the following should technically set up 4 flows
> (reversing and setting active on the corresponding peer):
>

Solved!

Main gateway:

# cat /etc/iked.conf
ikev2 esp from 192.168.232.128 to 192.168.232.129 \
        from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.129 psk "HelloWorld"

# ipsecctl -sa
FLOWS:
flow esp in from 192.168.232.129 to 192.168.232.128 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type use
flow esp out from 192.168.232.128 to 192.168.232.129 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type require
flow esp in from 192.168.72.0/24 to 192.168.1.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type use
flow esp out from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0x01d084c7 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0xf055afa1 auth hmac-sha2-256 enc aes-256

Remote gateway (that initiates connection):

# cat /etc/iked.conf
ikev2 active esp from 192.168.232.129 to 192.168.232.128 \
        from 192.168.72.0/24 to 192.168.1.0/24 peer 192.168.232.128 psk "HelloWorld"

# ipsecctl -sa
FLOWS:
flow esp in from 192.168.232.128 to 192.168.232.129 peer 192.168.232.128 srcid FQDN/rovpn.local dstid FQDN/hovpn.local type use
flow esp out from 192.168.232.129 to 192.168.232.128 peer 192.168.232.128 srcid FQDN/rovpn.local dstid FQDN/hovpn.local type require
flow esp in from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.128 srcid FQDN/rovpn.local dstid FQDN/hovpn.local type use
flow esp out from 192.168.72.0/24 to 192.168.1.0/24 peer 192.168.232.128 srcid FQDN/rovpn.local dstid FQDN/hovpn.local type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0x01d084c7 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0xf055afa1 auth hmac-sha2-256 enc aes-256

--
I have attached a man 5 iked.conf patch that clears up an example used in
the man page.

Cheers,

Jason.

[demime 1.01d removed an attachment of type application/x-gzip which
had a name of iked.conf.5.patch.gz]
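As an added example (not part of the thread and not OpenBSD code), the checker below parses `ipsecctl -sa` output like the listings above and compares it with the policy the iked.conf should produce: an outbound `require` flow and an inbound `use` flow for the gateway pair and for each protected network pair, one SA per direction between the gateways, and the expected cipher suite. The flow shapes and cipher names are taken from the output in the thread; the sample outputs are copied from the "Solved!" message and from the 3 October message; the expectation of exactly one SA per direction is an assumption for the check, so a count above one is only flagged for review.

```python
import re
from collections import Counter

# `ipsecctl -sa` output copied from the "Solved!" message (main gateway,
# 192.168.232.128). Embedded here so the example runs offline.
SOLVED_OUTPUT = """\
FLOWS:
flow esp in from 192.168.232.129 to 192.168.232.128 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type use
flow esp out from 192.168.232.128 to 192.168.232.129 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type require
flow esp in from 192.168.72.0/24 to 192.168.1.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type use
flow esp out from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0x01d084c7 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0xf055afa1 auth hmac-sha2-256 enc aes-256
"""

# Output copied from the 3 October message, taken while the setup was still
# being tested (only the network flows, and two SAs per direction).
EARLIER_OUTPUT = """\
FLOWS:
flow esp in from 192.168.72.0/24 to 192.168.1.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type use
flow esp out from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0x1d3ef308 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0x22b8b189 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0xb8b060e1 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0xbda3e596 auth hmac-sha2-256 enc aes-256
"""

# Line shapes as they appear in the thread; peer/srcid/dstid are optional
# because the catch-all deny flow carries none of them.
FLOW_RE = re.compile(
    r"^flow (?P<proto>\S+) (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: peer (?P<peer>\S+))?(?: srcid (?P<srcid>\S+))?(?: dstid (?P<dstid>\S+))?"
    r" type (?P<type>\S+)$")
SA_RE = re.compile(
    r"^(?P<proto>\S+) tunnel from (?P<src>\S+) to (?P<dst>\S+) spi (?P<spi>0x[0-9a-fA-F]+)"
    r"(?: auth (?P<auth>\S+))?(?: enc (?P<enc>\S+))?$")


def parse_ipsecctl(text):
    """Split `ipsecctl -sa` output into a list of flow dicts and SA dicts."""
    flows, sas = [], []
    for line in text.splitlines():
        line = line.strip()
        m = FLOW_RE.match(line)
        if m:
            flows.append(m.groupdict())
            continue
        m = SA_RE.match(line)
        if m:
            sas.append(m.groupdict())
    return flows, sas


def check_policy(text, local_gw, remote_gw, nets, auth="hmac-sha2-256", enc="aes-256"):
    """Return a list of findings (empty means the output matches the policy).

    `nets` holds (local_net, remote_net) pairs the tunnel should carry; the
    gateway pair itself is always checked, matching the two `from ... to ...`
    clauses of the iked.conf in the thread."""
    flows, sas = parse_ipsecctl(text)
    findings = []

    def has_flow(direction, src, dst, ftype):
        return any(f["dir"] == direction and f["src"] == src and f["dst"] == dst
                   and f["type"] == ftype for f in flows)

    for local, remote in [(local_gw, remote_gw)] + list(nets):
        # As seen in the thread's output: `require` outbound, `use` inbound.
        if not has_flow("out", local, remote, "require"):
            findings.append(f"missing outbound require flow {local} -> {remote}")
        if not has_flow("in", remote, local, "use"):
            findings.append(f"missing inbound use flow {remote} -> {local}")

    # Assumption for this check: one SA per direction between the gateways.
    per_dir = Counter((s["src"], s["dst"]) for s in sas)
    for src, dst in ((local_gw, remote_gw), (remote_gw, local_gw)):
        n = per_dir.get((src, dst), 0)
        if n == 0:
            findings.append(f"no SA {src} -> {dst}")
        elif n > 1:
            findings.append(f"{n} SAs {src} -> {dst}")

    # Every SA should carry the expected integrity and encryption transforms.
    for s in sas:
        if s["auth"] != auth or s["enc"] != enc:
            findings.append(f"SA spi {s['spi']} uses {s['auth']}/{s['enc']}")
    return findings


if __name__ == "__main__":
    nets = [("192.168.1.0/24", "192.168.72.0/24")]
    for name, out in (("solved", SOLVED_OUTPUT), ("earlier", EARLIER_OUTPUT)):
        print(name, check_policy(out, "192.168.232.128", "192.168.232.129", nets) or "ok")
```

Run against the "Solved!" listing the checker reports nothing; run against the 3 October listing it reports the missing gateway-to-gateway flows and two SAs in each direction, which is the difference between the two outputs in the thread.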
Re: IKED and encapsulated peers
On 3 October 2015 at 14:40, Jason Tubnor wrote:
> Hi,
>
> Here are the ipsecctl flows:
>

Sorry, I copied in the flows from the wrong server (testing all different
ways trying to get things to work). Here is the ipsecctl to match the
iked.conf listed:

# ipsecctl -sa
FLOWS:
flow esp in from 192.168.72.0/24 to 192.168.1.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type use
flow esp out from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0x1d3ef308 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0x22b8b189 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0xb8b060e1 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0xbda3e596 auth hmac-sha2-256 enc aes-256

Cheers,

Jason