Re: IPv6 - Using 4G Wan

2021-02-08 Thread Antonino Sidoti
Thank you Stuart. I did actually have ICMP6 allowed in the firewall, though 
turning it off made the IPv6 connection come alive. I will troubleshoot 
firewall further.

Thanks 

Antonino Sidoti



> On 9 Feb 2021, at 9:15 am, Stuart Henderson  wrote:
> 
> On 2021-02-08, Antonino Sidoti  wrote:
>> Hello,
>> 
>> Can anyone confirm if they have a working IPv6 connection with a 4G service? 
>> I cannot get my connection to work with IPv6. Happy to provide more 
>> information if what I have provided below is not enough. I would like to get 
>> a working IPv6 connection with network interface em0 only.
> 
> Your ndp output shows that the MAC address of the gateway has not
> been resolved.
> 
> Try disabling PF (pfctl -d) for a test. If that works then check
> you haven't blocked the ICMPv6 messages needed for address resolution
> (unlike v4 where this is done by ARP which is always permitted, with
> v6 it is done by ICMPv6 neighbour discovery messages).
> 
> 



Re: IPv6 - Using 4G Wan

2021-02-08 Thread Stuart Henderson
On 2021-02-08, Antonino Sidoti  wrote:
> Hello,
>
> Can anyone confirm if they have a working IPv6 connection with a 4G service? 
> I cannot get my connection to work with IPv6. Happy to provide more 
> information if what I have provided below is not enough. I would like to get 
> a working IPv6 connection with network interface em0 only.

Your ndp output shows that the MAC address of the gateway has not
been resolved.

Try disabling PF (pfctl -d) for a test. If that works then check
you haven't blocked the ICMPv6 messages needed for address resolution
(unlike v4 where this is done by ARP which is always permitted, with
v6 it is done by ICMPv6 neighbour discovery messages).
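
The ruleset below is an added example, not part of Stuart's reply or Antonino's
configuration. It shows the kind of pf.conf that produces exactly this symptom
(a gateway stuck at "(incomplete)" in ndp -an while IPv4 keeps working) and the
smallest change that fixes it. The "block all" baseline is an assumption about
what the original ruleset looked like; the interface group egress is real pf
syntax and em0 is in it according to the ifconfig output.

```conf
# Assumed starting point: default deny, with state only for traffic
# this host originates.
block all
pass out on egress keep state

# This is enough for IPv4: ARP is not IP, pf never sees it, and the
# gateway's MAC is resolved no matter what the rules above say.
#
# It is not enough for IPv6. The router's Neighbor Solicitation for our
# address, its Neighbor Advertisement answering ours, and the Router
# Advertisement that "inet6 autoconf" depends on all arrive as unsolicited
# inbound ICMPv6, so "block all" drops them. ndp -an then lists the
# gateway as (incomplete) and nothing off-link works.

# Fix: admit the neighbour discovery and SLAAC message types
# (RFC 4861, RFC 4862). Router Solicitations are outbound and already
# covered by the pass out rule. The hop-limit 255 check that protects
# ND from off-link spoofing is done by the kernel, not by pf.
pass in on egress inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv, routeradv }

# Also admit the error messages IPv6 cannot do without, path MTU
# discovery in particular; dropping these breaks connections in ways
# that are much harder to diagnose than a missing neighbour entry.
pass in on egress inet6 proto icmp6 icmp6-type { unreach, toobig, timex, paramprob }
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with
`pfctl -f /etc/pf.conf`. After the reload, `ndp -an` should show a link-layer
address for the default gateway instead of "(incomplete)", and `ping6` to the
gateway's link-local address should answer. If it still fails, change
"block all" to "block log all" and watch `tcpdump -n -e -ttt -i pflog0` to see
which ICMPv6 type is being dropped.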




Re: IPv6 - Using 4G Wan

2021-02-08 Thread Antonino Sidoti
Hello,

Can anyone confirm if they have a working IPv6 connection with a 4G service? I 
cannot get my connection to work with IPv6. Happy to provide more information 
if what I have provided below is not enough. I would like to get a working IPv6 
connection with network interface em0 only.

Thanks,

Antonino Sidoti



> On 4 Feb 2021, at 11:49 am, Antonino Sidoti  wrote:
> 
> Hello,
> 
> I have a 4G Wan Service which is IPv6 enabled. I get an IPv6 address and it 
> will populate the route table automatically, though I am unable to connect to 
> sites using IPv6, "test-ipv6.com" will say I have no IPv6 address. Also, I 
> cannot ping the IPv6 default gateway address or any IPv6 sites, e.g. 
> google.com. I am using “ping6”.
> 
> I know the 4G connection is working as I can connect my MacBook directly to 
> the 4G Modem (configured in Bridge Mode) and my MacBook gets an IPv6 address 
> and I have a working Internet connection with no issues.
> 
> I have provided some information below regarding my setup. I am using openbsd 
> 6.8 (release) with latest patches installed. Any hints will be appreciated.
> 
> /etc/hostname.em0
> dhcp
> inet6 autoconf
> 
> Ifconfig
> ofw$ ifconfig  
> lo0: flags=8049 mtu 32768
>   index 4 priority 0 llprio 3
>   groups: lo
>   inet6 ::1 prefixlen 128
>   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>   inet 127.0.0.1 netmask 0xff00
> em0: flags=a08843 
> mtu 1500
>   lladdr 00:e0:67:15:e7:82
>   index 1 priority 0 llprio 3
>   groups: egress
>   media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
>   status: active
>   inet6 fe80::2e0:67ff:fe15:e782%em0 prefixlen 64 scopeid 0x1
>   inet 22.208.0.133 netmask 0xff00 broadcast 22.208.0.255
>   inet6 2001:8004:1420:58d8:72b0:a75d:c8db:22f5 prefixlen 64 autoconf
>   inet6 2001:8004:1420:58d8:7705:d6c3:8775:babe prefixlen 64 autoconf 
> autoconfprivacy pltime 84436 vltime 171336
> em1: flags=8843 mtu 1500
>   lladdr 00:e0:67:15:e7:83
>   index 2 priority 0 llprio 3
>   media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
>   status: active
>   inet 10.99.1.1 netmask 0xff00 broadcast 10.99.1.255
> enc0: flags=0<>
>   index 3 priority 0 llprio 3
>   groups: enc
>   status: active
> pflog0: flags=141 mtu 33136
>   index 5 priority 0 llprio 3
>   groups: pflog
> 
> Ndp output
> ofw$ ndp -a
> Neighbor                                 Linklayer Address  Netif  Expire     S  Flags
> 2001:8004:1420:58d8:72b0:a75d:c8db:22f5  00:e0:67:15:e7:82  em0    permanent  R  l
> 2001:8004:1420:58d8:7705:d6c3:8775:babe  00:e0:67:15:e7:82  em0    permanent  R  l
> fe80::2e0:67ff:fe15:e782%em0             00:e0:67:15:e7:82  em0    permanent  R  l
> fe80::54b0:dcff:fe43:f656%em0            82:63:9c:36:23:a2  em0    23h35m6s   S  R
> fe80::81f8:3655:c614:449c%em0            (incomplete)       em0    expired    I  R
> 
> Route Table
> 
> Internet:
> Destination         Gateway             Flags  Refs  Use   Mtu    Prio  Iface
> default             22.208.0.1          UGS    5     9360  -      8     em0
> base-address.mcast  localhost           URS    00          32768  8     lo0
> 10.99.1/24          ofw                 UCn    10          -      4     em1
> ofw                 00:e0:67:15:e7:83   UHLl   0     440   -      1     em1
> 10.99.1.103         20:c9:d0:2c:09:22   UHLc   2     9374  -      3     em1
> 10.99.1.255         ofw                 UHb    0     22    -      1     em1
> 22.208.0/24         22.208.0.133        UCn    10          -      4     em0
> 22.208.0.1          82:63:9c:36:23:a2   UHLch  1     277   -      3     em0
> 22.208.0.133        00:e0:67:15:e7:82   UHLl   0     419   -      1     em0
> 22.208.0.255        22.208.0.133        UHb    00          -      1     em0
> 127/8               localhost           UGRS   00          32768  8     lo0
> localhost           localhost           UHhl   12          32768  1     lo0
> 
> Internet6:
> Destination                         Gateway                         Flags  Refs  Use  Mtu    Prio  Iface
> default                             fe80::81f8:3655:c614:449c%em0   UGS    0     14   -      8     em0
> ::/96                               localhost                       UGRS   00         32768  8     lo0
> localhost                           localhost                       UHhl   10    20   32768  1     lo0
> :::0.0.0.0/96                       localhost                       UGRS   00         32768  8     lo0
> 2001:8004:1420:58d8::/64            2001:8004:1420:58d8:72b0:a75d:  UCPn   01         -      4     em0
> 2001:8004:1420:58d8::/64            2001:8004:1420:58d8:7705:d6c3:  UCPn   00         -      4     em0
> 2001:8004:1420:58d8:72b0:a75d:c8db  00:e0:67:15:e7:82               UHLl   02         -      1     em0
> 2001:8004:1420:58d8:7705:d6c3:8775  00:e0:67:15:e7:82               UHLl   0     17   -      1     em0

Re: Help with ssh(1) between OpenBSD and iSH/Alpine on iOS

2021-02-08 Thread Stefan Hagen
Erling Westenvik wrote:
> On Sun, Feb 07, 2021 at 11:18:31AM +0100, Stefan Hagen wrote:
>> Christian Weisgerber wrote:
>>> Erling Westenvik:
>>>> I can ssh FROM any OpenBSD box INTO iSH on my iPhone, and once
>>>> authenticated I can ssh back from there to the OpenBSD box or
>>>> to any other OpenBSD or Linux box, but! -- From iSH itself (ie.
>>>> "directly" from my iPhone) I can only successfully ssh to Linux
>>>> boxes; if I ssh from the phone itself to any OpenBSD box I'm
>>>> getting authenticated and receive a full shell prompt
>>>
>>> I don't think it's anything obvious. Smells like an interop problem
>>> at a level above SSH to me.
>>
>> I tried iSH and I can successfully ssh to my OpenBSD-current box and
>> do stuff there without a disconnect.
>
> Thank you Stefan. I tried your suggestion but to no avail. However, I
> started elaborating on your assumption that it may be shell related
> and when trying:
>
> ---
> iPhone:~# ssh erling@12.34.56.78 ksh -i
> ksh: No controlling tty (open /dev/tty: Device not configured)
> ksh: Can't find tty file descriptor
> ksh: Warning: won't have full job control
> OpenBSD$ ls
> ...
> OpenBSD$ █
> ---

This is normal. SSH doesn't allocate a terminal when a command is given
directly. Try `ssh -t erling@12.34.56.78 ksh -i`.

Best Regards,
Stefan



Re: home printer

2021-02-08 Thread ropers
On 08/02/2021, Pierre-Philipp Braun  wrote:
>> Same here.  Currently, a Kyocera P2135dn is sitting on the desk here,
>> but i can't say whether it is good because i'm printing so little.
>
> Seems Kyocera is a nice hint indeed.  Otherwise I would go for Xerox.
> Even their low-end printers do support raw TCP/IP printing, LPD and
> PostScript.  I am also referencing the compatible cartridges here, as
> anyone who prints a lot knows this is what matters more (in terms of
> pricing per page): the cheapest printer is usually not really the cheapest.

I cannot in good conscience recommend Xerox.  Maybe I'm just too dumb to fix
my problems, but my Xerox Phaser 6130N colour laser printer has issues with:

* Page alignment -- I've not gotten a page perfectly centred yet.  This can
  get especially annoying with duplex printing for crafting purposes.
* Toner fusing -- Apparently both original and generic toner isn't always
  fused very well, i.e. large boxes of black or colour toner tend to eventually
  see some toner flake off in places.
* Colour reproduction -- Colours tend to be over-saturated and pictures
  tend to be too dark if not brightened in software beforehand.  This could
  be related to the fusing issue, i.e. maybe it slathers on too much toner?
* DRM -- There's an unwanted chip on every toner cartridge.  Its only function
  is to try and ensure vendor lock-in, to nickel and dime you more.
* Printer steganography -- which I've positively confirmed is indeed there,
  and which I neither asked for, nor was at any time told anything about by
  Xerox, especially not pre-purchase.  Sneaking that in was probably illegal
  in my jurisdiction, and maybe in yours (unreasonable searches and seizures,
  secrecy of correspondence...), but I've not had the time, money, mental
  fortitude and patience to take them to court.  If anyone knows about any
  class-action suits though, I'm all ears.  Of course, the national security
  establishment would also be invested in Xerox and others winning any legal
  challenges to this clearly deceptive, anti-consumer and speech-chilling
  practice designed to uniquely identify every printer in the land that would
  ever send any letter to any recipient that scans your letters with any
  software that looks for those dots, with or without the knowledge of the
  recipient operating the scanner.  How pervasive this is I don't know.  I know
  it potentially enables possible mass surveillance of printed correspondence
  metadata, like a distributed pen register for snail mail, and unless you
  never send any letters to any institution that could scan your mail with
  software looking for steganographic dots, this can also potentially
  deanonymise all of your correspondence, past and future.  On a related note:

Geoff Steckel wrote:
> Whatever you get be -sure- to configure pf
> so it can't call home! Turn off wireless as
> well if you don't need it.
> Big security holes.

Good point.

Anyway, I don't suppose any of you know whether any of your
recommended devices have printer steganography built in?

I suppose it would be foolish and futile to ask if anyone feels
confident their recommended printer does NOT come with any of that?

I sadly don't have a positive recommendation myself and don't know if
others are better than Xerox, only that I'm wary of Xerox.  Perhaps
the only sensible security recommendation is that if people can build
their own 3-D printers and control logic, maybe they can roll their
own laser printer firmware or even PCB.  If someone seriously smart
were to dig deep and were to take things pretty far in bootstrapping
their own printing tech from scrap and from scratch, they could
probably mitigate the above risks fairly well.  Sadly, I'm not smart
enough for that.

--Ian
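
As an added example of Geoff's "configure pf so it can't call home" advice
(not from the thread), here is a pf.conf fragment for an OpenBSD gateway that
keeps a network printer reachable from the LAN but stops it from reaching
anything else. The interface name, LAN prefix and printer address are
assumptions, and the printer is assumed to have a static address so it needs
no DHCP exchange through the gateway.

```conf
lan_if  = "em1"           # assumed LAN-facing interface of the gateway
lan     = "192.0.2.0/24"  # assumed LAN prefix
printer = "192.0.2.50"    # assumed printer address (static)

# Weak (shown commented out): one permissive LAN rule lets the printer
# reach the Internet like any other host, so it can register with cloud
# print services, fetch firmware or send telemetry unnoticed.
#   pass in on $lan_if from $lan

# Fix: evaluate the printer's own traffic first. LAN hosts still reach
# the printer directly (that traffic never crosses the gateway), but
# anything the printer originates towards the gateway or beyond is
# dropped and logged. "quick" ends rule evaluation, so the broad LAN
# rule that follows never matches it.
block in log quick on $lan_if from $printer to any
pass in on $lan_if from $lan to any
```

Watch what the printer tries to do with `tcpdump -n -e -ttt -i pflog0`; if it
legitimately needs something from the gateway (DNS or NTP, say), add an
explicit `pass in quick` rule for that service above the block rule rather than
loosening the block. None of this helps if the printer also has wireless
enabled, which is Geoff's second point: a Wi-Fi uplink simply bypasses the
gateway.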



libreoffice and iridium/chromium crash on openbsd6.8, unless devhelp manually installed

2021-02-08 Thread Luke A. Call
Hi all. The short version is: the package "devhelp" seems required for
libreoffice and irid/chromium, but removing/reinstalling those doesn't
seem to install devhelp, and the package system doesn't complain
when devhelp is removed manually.  The programs crash saying
things like this, especially the 2nd paragraph that follows:

(iridium:82290): Gtk-CRITICAL **: 12:54:02.946: Unable to create user
data directory '/home/lacall-secnet2/.local/share' for storing the
recently used files list: No such file or directory

(iridium:82290): GLib-GIO-ERROR **: 12:54:03.224: No GSettings schemas
are installed on the system
Trace/BPT trap

So should I just submit a bug report, or is it likely my mistake?


Details:
After upgrading to 6.8, I found many packages that I didn't seem to
require any more, and removed them with pkg_delete.  Later I found that
iridium and chromium crashed whenever I press Ctrl-S to save a file
locally or Ctrl-P to print (or save to a .pdf).  Also LibreOffice would
not allow me to do Ctrl-P, nor Ctrl-O to open a file.

Going back now to the packages I removed, I have found that the
absence of the "devhelp" package causes these crashes,
and when it is present, they do not occur.  Its presence also
seems to solve a problem where libreoffice would not launch under the
name "libreoffice ", but I had to type "soffice "
instead, but I haven't really investigated that part further.

Installing the binary patches (now through 12) didn't seem to matter,
nor running  pkg_add -u  various times over the weeks.

I don't see in pkg_info output for any of these packages a dependency
on devhelp, or vice-versa (in my naive look at it, anyway).

I don't guess it matters, but I am currently running these apps via an
ssh -X connection to another user's desktop.  I haven't tried it when
launching X as the same user that runs the apps.

Luke Call 
http://lukecall.net - Tech,thots,peace.(Updated 2021-01-10. Cmts/sugg welcome. 
https later.)


DMESG:

OpenBSD 6.8 (GENERIC.MP) #4: Mon Jan 11 10:35:56 MST 2021

r...@syspatch-68-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 16033533952 (15290MB)
avail mem = 15532564480 (14813MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xebf90 (49 entries)
bios0: vendor American Megatrends Inc. version "204" date 11/20/2014
bios0: ASUSTeK COMPUTER INC. X550ZA
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT ECDT MCFG MSDM HPET UEFI SSDT SSDT CRAT SSDT 
SSDT SSDT SSDT
acpi0: wakeup devices LOM_(S4) SBAZ(S4) ECIR(S4) OHC1(S4) EHC1(S4) OHC2(S4) 
EHC2(S4) OHC3(S4) EHC3(S4) OHC4(S4) XHC0(S4) XHC1(S4) ODD8(S3) GLAN(S4) 
LID_(S5) SLPB(S4)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 16 (boot processor)
cpu0: AMD A10-7400P Radeon R6, 10 Compute Cores 4C+6G, 2495.72 MHz, 15-30-01
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,XOP,SKINIT,WDT,FMA4,TCE,NODEID,TBM,CPCTR,DBKP,PERFTSC,ITSC,FSGSBASE,BMI1,XSAVEOPT
cpu0: 96KB 64b/line 3-way I-cache, 16KB 64b/line 4-way D-cache, 2MB 64b/line 
16-way L2 cache
cpu0: ITLB 48 4KB entries fully associative, 24 4MB entries fully associative
cpu0: DTLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, IBE
cpu1 at mainbus0: apid 17 (application processor)
cpu1: AMD A10-7400P Radeon R6, 10 Compute Cores 4C+6G, 2495.35 MHz, 15-30-01
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,XOP,SKINIT,WDT,FMA4,TCE,NODEID,TBM,CPCTR,DBKP,PERFTSC,ITSC,FSGSBASE,BMI1,XSAVEOPT
cpu1: 96KB 64b/line 3-way I-cache, 16KB 64b/line 4-way D-cache, 2MB 64b/line 
16-way L2 cache
cpu1: ITLB 48 4KB entries fully associative, 24 4MB entries fully associative
cpu1: DTLB 64 4KB entries fully associative, 64 4MB entries fully associative
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 18 (application processor)
cpu2: AMD A10-7400P Radeon R6, 10 Compute Cores 4C+6G, 2495.35 MHz, 15-30-01
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,XOP,SKINIT,WDT,FMA4,TCE,NODEID,TBM,CPCTR,DBKP,PERFTSC,ITSC,FSGSBASE,BMI1,XSAVEOPT

Re: Help with ssh(1) between OpenBSD and iSH/Alpine on iOS

2021-02-08 Thread Erling Westenvik
On Sun, Feb 07, 2021 at 11:18:31AM +0100, Stefan Hagen wrote:
> Christian Weisgerber wrote:
> > Erling Westenvik:
> >> I can ssh FROM any OpenBSD box INTO iSH on my iPhone, and once
> >> authenticated I can ssh back from there to the OpenBSD box or to any
> >> other OpenBSD or Linux box, but! -- From iSH itself (ie. "directly" from
> >> my iPhone) I can only successfully ssh to Linux boxes; if I ssh from the
> >> phone itself to any OpenBSD box I'm getting authenticated and receive a
> >> full shell prompt
> >
> > Right here, I'd start ktrace(1)-ing the login shell on the OpenBSD
> > box to see...
> >
> >> but the moment I hit Enter the client drops the connection.
> >
> >... what this looks like at the OpenBSD end.
> >
> >> I guess there must be something obvious I'm missing but for the life
> >> of me I cannot figure out what. Any help is appreciated.
> >
> > I don't think it's anything obvious.  Smells like an interop problem
> > at a level above SSH to me.
> 
> I tried iSH and I can successfully ssh to my OpenBSD-current box and do 
> stuff there without a disconnect.
> 
> Instead of going through ktracing the shell, you could set your login
> shell to /bin/sh for a test and try again. If this works, you know that
> your shell is causing the trouble.

Thank you Stefan. I tried your suggestion but to no avail. However, I
started elaborating on your assumption that it may be shell related and
when trying:

---
iPhone:~# ssh erling@12.34.56.78 ksh -i
ksh: No controlling tty (open /dev/tty: Device not configured)
ksh: Can't find tty file descriptor
ksh: Warning: won't have full job control
OpenBSD$ ls
...
OpenBSD$ █
---

the client didn't disconnect as soon as I entered my first command. Not
very useful though, since the missing controlling tty won't let me do
anything useful except running ls(1) and cat(1) and such.

This is still an OpenBSD specific issue as far as it only happens when
trying to initiate a ssh from iSH into OpenBSD boxes (five different,
ranging from current to newest release to older releases) while I can
successfully initiate a ssh from iSH to any Linux box (three different
so far).

However: Since I can successfully initiate a ssh session from OpenBSD to
the iPhone, and then successfully BACK to any OpenBSD machine, I suspect
there may be some ENV-issues? Something that is set correctly when
initiating the ssh session from OpenBSD, but not when initiating from
iSH (but which still gets accepted by Linux)?

Erling

> Best Regards,
> Stefan



Re: home printer

2021-02-08 Thread Pierre-Philipp Braun

Same here.  Currently, a Kyocera P2135dn is sitting on the desk here,
but i can't say whether it is good because i'm printing so little.


Seems Kyocera is a nice hint indeed.  Otherwise I would go for Xerox. 
Even their low-end printers do support raw TCP/IP printing, LPD and 
PostScript.  I am also referencing the compatible cartridges here, as 
anyone who prints a lot knows this is what matters more (in terms of 
pricing per page): the cheapest printer is usually not really the cheapest.


- B210
* 106R04348
* 106R04349
- Phaser 3020 (obsolete)
* 106R02773
* 106R03048
- Phaser 3052NI
* 106R02778
- Phaser 3330
* 106R03623

--
Pierre-Philipp Braun
SMTP Health Campaign: enforce STARTTLS and verify MX certificates




Re: Fwd: ikev2 active roadwarrior with openbsd

2021-02-08 Thread Stuart Henderson
>> On 2021-02-04, Riccardo Giuntoli  wrote:
>> > A ikev2 passive server in France that got:
>> >
>> > A CA
>> > A server certificate for tls server
>> > And a client certificate for tls client
>> >
>> > I export the CA in PEM format and put it on /etc/iked/ca
>> >
>> > Next I export the private key and the certificate and put it on:
>> >
>> > /etc/iked/private/client.key
>> >
>> > And the certificate I put it on /etc/iked/pubkeys/ufqdn
>> >
>> > I also export the PEM of the server and put it on /etc/iked/certs
>> >
>> > Next on iked.conf I use src-id with the email CN that I've got
>> configured.
>> >
>> > I cannot connect to my server with openiked but with exactly the same
>> > configuration on a strongswan client it works.
>
>
> set dpd_check_interval 15
> ikev2 'uma' active esp \
> from xxx to 172.16.17.0/24 \
> local xxx peer yyy\
> ikesa auth hmac-sha2-384 enc aes-256  group ecp384  \
> childsa auth hmac-sha2-256 enc aes-256 \
> srcid "ganesha@yyy" \
> ikelifetime 86400 lifetime 3600
>
> root@ganesha:/etc/iked# find .
> .
> ./ca
> ./ca/ca.crt
> ./certs
> ./crls
> ./export
> ./private
> ./private/local.key
> ./private/gane...@yyy.key

iked doesn't handle multiple private keys, only one in local.key

> ./pubkeys
> ./pubkeys/fqdn
> ./pubkeys/ipv4
> ./pubkeys/ipv4/yyy
> ./pubkeys/ipv6
> ./pubkeys/ufqdn
> ./pubkeys/ufqdn/ganesha@yyy
>
> root@ganesha:/etc/iked# iked -dvv
> create_ike: using signature for peer yyy
> ikev2 "uma" active tunnel esp inet from xxx to 172.16.17.0/24 local xxx
> peer yyy ikesa enc aes-256 prf
> hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 auth hmac-sha2-384
> group ecp384 childsa enc aes-256 auth hmac-sha2-256 esn,noesn srcid
> ganesha@xxx ikelifetime 86400 lifetime 3600 bytes 536870912 signature
> /etc/iked.conf: loaded 1 configuration rules
> ca_privkey_serialize: type RSA_KEY length 1190
> ca_pubkey_serialize: type RSA_KEY length 270
> ca_privkey_to_method: type RSA_KEY method RSA_SIG
> ca_getkey: received private key type RSA_KEY length 1190
> ca_getkey: received public key type RSA_KEY length 270
> ca_dispatch_parent: config reset
> ca_reload: loaded ca file ca.crt
> ca_reload: /C=FR/ST=Seine-Saint-Denis/L=Aubervilliers/O=Telecom
> Lobby/OU=VPNC/CN=fr.telecomlobby.com
> ca_reload: loaded 1 ca certificate
> ca_reload: local cert type X509_CERT
> config_getocsp: ocsp_url none tolerate 0 maxage -1
> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
> config_getpolicy: received policy
> config_getpfkey: received pfkey fd 3
> config_getcompile: compilation done
> config_getsocket: received socket fd 4
> config_getsocket: received socket fd 5
> config_getsocket: received socket fd 6
> config_getsocket: received socket fd 7
> config_getstatic: dpd_check_interval 15
> config_getstatic: no enforcesingleikesa
> config_getstatic: no fragmentation
> config_getstatic: mobike
> config_getstatic: nattport 4500
> ikev2_init_ike_sa: initiating "uma"
> ikev2_policy2id: srcid UFQDN/ganesha@xxx length 24
> ikev2_add_proposals: length 68
> ikev2_next_payload: length 72 nextpayload KE
> ikev2_next_payload: length 104 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload NOTIFY
> ikev2_nat_detection: local source 0x0ab818df87f9e190 0x
> xxx:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0x0ab818df87f9e190
> 0x yyy:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_next_payload: length 14 nextpayload NONE
> ikev2_pld_parse: header ispi 0x0ab818df87f9e190 rspi 0x
> nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length
> 310 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 72
> ikev2_pld_sa: more 0 reserved 0 length 68 proposal #1 protoid IKE spisize 0
> xforms 7 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 104
> ikev2_pld_ke: dh group ECP_384 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
> 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
> 28
> ikev2_pld_notify: protoid NONE spisize 0 type
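
An added example, not from the thread: a small POSIX shell check for the
point Stuart makes about the key directory. iked reads its one local private
key from <dir>/private/local.key, so a key stored under any other name in
private/ (as in the listing above) is never used, and the daemon silently
signs with whatever local.key it finds. The function names, the directory
parameter and the "ignored file" heuristic are this example's own; the layout
under /etc/iked is iked's.

```sh
#!/bin/sh
# Check an iked(8) key directory before starting the daemon. DIR defaults
# to /etc/iked; pass another path to check a staging copy.
check_iked_private() {
    dir="${1:-/etc/iked}"
    priv="$dir/private"
    key="$priv/local.key"

    [ -d "$priv" ] || { echo "missing directory $priv" >&2; return 1; }
    [ -f "$key" ]  || { echo "no $key: iked has no private key to use" >&2; return 1; }

    # Any other file in private/ is most likely the key that was meant to be
    # local.key (for example one named after the srcid); iked ignores it.
    extra=$(find "$priv" -type f ! -name local.key | wc -l | tr -d ' ')
    [ "$extra" -eq 0 ] || { echo "$extra file(s) in $priv that iked will ignore" >&2; return 1; }

    # The private key must not be readable by group or others.
    if [ -n "$(find "$key" \( -perm -004 -o -perm -040 \) -print)" ]; then
        echo "$key is group- or world-readable" >&2
        return 1
    fi
    return 0
}

# Copy a PEM private key into place under the one name iked reads,
# with mode 0600. Remove any misnamed copy afterwards so the check passes.
install_iked_key() {
    src="$1"
    dir="${2:-/etc/iked}"
    mkdir -p "$dir/private" || return 1
    install -m 0600 "$src" "$dir/private/local.key"
}

# Usage:
#   install_iked_key /path/to/client.key /etc/iked && check_iked_private /etc/iked
```

Run the check before `iked -dvv`; the daemon's own startup log only reports
that a key of some type was loaded, not whether it was the one you intended.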