Re: Unable to create IKEv2 VPN using strongSwan to iked

2020-04-20 Thread Jona Joachim
Hmm, I tried your configuration and I get the same behaviour with strongswan. I 
don't have an iPhone to test. I tried playing around with the settings 
switching from x509 to PSK, changing strongswan knobs, always with the same 
result.
I can connect to other strongswan responders using this same client.
Do you have other special settings in other strongswan config files?
Do you have any special pf rules? I run with pf disabled for these tests. I 
don't think running pf is required to establish a tunnel.

Best regards,
Jona

On Apr 20, 2020, at 16:02, R0me0 *** wrote:
>Adjust to your needs *
>
>( Don't forget to adjust your pf rules accordingly ) *
>
>
>
>OpenBSD 6.X ( Works with IPHONE AND STRONGSWAN )
>
>ikev2 "roadwarrior"  passive esp from 0.0.0.0/0 to 10.20.30.0/24 \
> local egress peer any  \
> ikesa enc aes-256 auth hmac-sha2-256 group modp2048 \
> childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
> dstid r...@openbsd.org psk "psk_passphrase" config address 10.20.30.32
>
>
>
>iPhone = just disable certificates and set PSK
>
>
>Interoperability with StrongSwan
>
>
># cat /etc/ipsec.conf
>
># ipsec.conf – strongSwan IPsec configuration file
># basic configuration
>
>config setup
>
>conn %default
>    ikelifetime=60m
>    keylife=20m
>    rekeymargin=3m
>    keyingtries=1
>    keyexchange=ikev2
>    authby=secret
>    ike=aes256-sha256-modp2048!
>    esp=aes256-sha256-modp2048!
>
>conn strongswan
>    left=%any
>    leftfirewall=yes
>    leftsourceip=%config
>    right=REMOTE_PEER_IP
>    rightid=puffymagic.ikedvpn.com
>    # networks you want to reach on the other side (behind the magic puffer fish)
>    rightsubnet=192.168.0.0/24,172.8.50.0/24
>    auto=add
>
>
>
># cat /etc/ipsec.secrets
>
># ipsec.secrets – strongSwan IPsec secrets file
>: PSK "strongopeniked"
>
>
>
>PS: Magic Puffer Fish Rock!
>
>On Mon, 20 Apr 2020 at 09:49, Jona Joachim wrote:
>
>> Hi,
>>
>> I am trying to connect to iked running on OpenBSD 6.6 from a strongSwan
>> 5.7.2 initiator running on Ubuntu 19.10 (which is behind NAT). I am
>> using x509 certificates generated by ikectl.
>>
>> The tunnel cannot be established. It is hard for me to see what's going
>> on. strongswan seems to be sending the same IKE_AUTH packet again and
>> again and iked does not seem to respond even though it receives the
>> packet and does not show an error. The only thing fishy I see in iked
>> output is "sa_state: cannot switch: AUTH_SUCCESS -> VALID", not sure why
>> it "cannot switch".
>>
>> Does anybody have a working setup between iked and strongSwan or any
>> insights? Config files and logs below.
>>
>> Thanks,
>>
>> Jona
>>
>>
>> iked.conf:
>>
>> ikev2 passive esp \
>>  from 0.0.0.0/0 to 10.201.201.0/24 \
>>  from 192.168.0.0/16 to 10.244.244.0/24 \
>>  from 10.244.244.0/24 to 192.168.0.0/16 \
>>  local 1.2.3.4 peer any \
>>  srcid vpn.example.com \
>> config address 10.201.201.0/24 \
>> config name-server 10.201.201.1 \
>>  tag "IKED"
>>
>>
>> ipsec.conf (strongSwan):
>>
>> config setup
>>  # strictcrlpolicy=yes
>>  # uniqueids = no
>>
>> conn puffvpn
>>  keyexchange=ikev2
>>  dpddelay=5s
>>  dpdtimeout=60s
>>  dpdaction=restart
>>
>>  left=%defaultroute
>>  leftcert=wookie.crt
>>  leftsubnet=192.168.0.0/16
>>  leftfirewall=yes
>>  leftid="wookie"
>>
>>  right=vpn.example.com
>>  rightsubnet=10.201.201.0/24
>>  rightid="vpn.example.com"
>>
>>  auto=start
>>
>> strongswan log:
>>
>> # ipsec up puffvpn
>> initiating IKE_SA puffvpn[5] to 1.2.3.4
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (928 bytes)
>> received packet: from 1.2.3.4[500] to 192.168.4.103[500] (38 bytes)
>> parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
>> peer didn't accept DH group ECP_256, it requested MODP_2048
>> initiating IKE_SA puffvpn[5] to 1.2.3.4
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
>> retransmit 1 of request with message ID 0
>> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
>> retransmit 2 of request with message ID 0
>> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
>> received packet: from 1.2.3.4[500] to 192.168.4.103[500] (471 bytes)
>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> CERTREQ N(HASH_ALG) ]
>> selected proposal:
>> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>> local host is behind NAT, sending keep alives
>> received 1 cert requests for an unknown ca
>> sending cert request for "CN=35.180.187.116"
>> sending cert request for "C=FR, ST=Ile-de-France, L=Paris, O=OpenBSD,
>> OU=iked, CN=VPN CA, E=j...@joachim.cc"
>> authentication of 'wookie' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
>> sending end entity cert "C=FR, 

Re: Unable to create IKEv2 VPN using strongSwan to iked

2020-04-20 Thread R0me0 ***
Adjust to your needs *

( Don't forget to adjust your pf rules accordingly ) *



OpenBSD 6.X ( Works with IPHONE AND STRONGSWAN )

ikev2 "roadwarrior"  passive esp from 0.0.0.0/0 to 10.20.30.0/24 \
 local egress peer any  \
 ikesa enc aes-256 auth hmac-sha2-256 group modp2048 \
 childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
 dstid r...@openbsd.org psk "psk_passphrase" config address 10.20.30.32



iPhone = just disable certificates and set PSK


Interoperability with StrongSwan


# cat /etc/ipsec.conf

# ipsec.conf – strongSwan IPsec configuration file
# basic configuration

config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=secret
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!

conn strongswan
    left=%any
    leftfirewall=yes
    leftsourceip=%config
    right=REMOTE_PEER_IP
    rightid=puffymagic.ikedvpn.com
    # networks you want to reach on the other side (behind the magic puffer fish)
    rightsubnet=192.168.0.0/24,172.8.50.0/24
    auto=add



# cat /etc/ipsec.secrets

# ipsec.secrets – strongSwan IPsec secrets file
: PSK "strongopeniked"



PS: Magic Puffer Fish Rock!

On Mon, 20 Apr 2020 at 09:49, Jona Joachim wrote:

> Hi,
>
> I am trying to connect to iked running on OpenBSD 6.6 from a strongSwan
> 5.7.2 initiator running on Ubuntu 19.10 (which is behind NAT). I am
> using x509 certificates generated by ikectl.
>
> The tunnel cannot be established. It is hard for me to see what's going
> on. strongswan seems to be sending the same IKE_AUTH packet again and
> again and iked does not seem to respond even though it receives the
> packet and does not show an error. The only thing fishy I see in iked
> output is "sa_state: cannot switch: AUTH_SUCCESS -> VALID", not sure why
> it "cannot switch".
>
> Does anybody have a working setup between iked and strongSwan or any
> insights? Config files and logs below.
>
> Thanks,
>
> Jona
>
>
> iked.conf:
>
> ikev2 passive esp \
>  from 0.0.0.0/0 to 10.201.201.0/24 \
>  from 192.168.0.0/16 to 10.244.244.0/24 \
>  from 10.244.244.0/24 to 192.168.0.0/16 \
>  local 1.2.3.4 peer any \
>  srcid vpn.example.com \
> config address 10.201.201.0/24 \
> config name-server 10.201.201.1 \
>  tag "IKED"
>
>
> ipsec.conf (strongSwan):
>
> config setup
>  # strictcrlpolicy=yes
>  # uniqueids = no
>
> conn puffvpn
>  keyexchange=ikev2
>  dpddelay=5s
>  dpdtimeout=60s
>  dpdaction=restart
>
>  left=%defaultroute
>  leftcert=wookie.crt
>  leftsubnet=192.168.0.0/16
>  leftfirewall=yes
>  leftid="wookie"
>
>  right=vpn.example.com
>  rightsubnet=10.201.201.0/24
>  rightid="vpn.example.com"
>
>  auto=start
>
> strongswan log:
>
> # ipsec up puffvpn
> initiating IKE_SA puffvpn[5] to 1.2.3.4
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (928 bytes)
> received packet: from 1.2.3.4[500] to 192.168.4.103[500] (38 bytes)
> parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> peer didn't accept DH group ECP_256, it requested MODP_2048
> initiating IKE_SA puffvpn[5] to 1.2.3.4
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
> retransmit 1 of request with message ID 0
> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
> retransmit 2 of request with message ID 0
> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
> received packet: from 1.2.3.4[500] to 192.168.4.103[500] (471 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> CERTREQ N(HASH_ALG) ]
> selected proposal:
> IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> local host is behind NAT, sending keep alives
> received 1 cert requests for an unknown ca
> sending cert request for "CN=35.180.187.116"
> sending cert request for "C=FR, ST=Ile-de-France, L=Paris, O=OpenBSD,
> OU=iked, CN=VPN CA, E=j...@joachim.cc"
> authentication of 'wookie' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
> sending end entity cert "C=FR, ST=Ile-de-France, L=Paris, O=puffvpn,
> OU=iked, CN=wookie, E=j...@joachim.cc"
> establishing CHILD_SA puffvpn{7}
> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr
> AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
> retransmit 1 of request with message ID 1
> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
> retransmit 2 of request with message ID 1
> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
> retransmit 3 of request with message ID 1
> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
> sending keep alive to 1.2.3.4[4500]
> retransmit 4 
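The pair of configurations above works because both peers are pinned to one identical proposal (AES-256, HMAC-SHA2-256, MODP-2048 for both the IKE SA and the child SA), whereas the log in the original post shows strongSwan offering ECP_256 first and being bounced with INVAL_KE before it falls back to MODP_2048. The checker below is an added example, not code from either poster and not part of strongSwan or iked: it parses a strongSwan ike=/esp= value and an iked policy line and reports, proposal by proposal, which transform the other side does not list. The two sample policy lines are constructed from the configurations in this thread (placeholder PSK, no dstid); the keyword table covers the transforms named on this page plus a few common neighbours, and the comparison is a plain set intersection that does not model PRF derivation or PFS negotiation.

```python
import re

# strongSwan proposal keyword -> (transform type, the spelling iked.conf uses).
# Covers the transforms named in this thread plus a few common neighbours.
SWAN_TO_IKED = {
    "aes128": ("enc", "aes-128"), "aes192": ("enc", "aes-192"),
    "aes256": ("enc", "aes-256"), "3des": ("enc", "3des"),
    "aes128gcm16": ("enc", "aes-128-gcm"), "aes256gcm16": ("enc", "aes-256-gcm"),
    "sha1": ("auth", "hmac-sha1"), "sha256": ("auth", "hmac-sha2-256"),
    "sha384": ("auth", "hmac-sha2-384"), "sha512": ("auth", "hmac-sha2-512"),
    "prfsha1": ("prf", "hmac-sha1"), "prfsha256": ("prf", "hmac-sha2-256"),
    "modp1024": ("group", "modp1024"), "modp1536": ("group", "modp1536"),
    "modp2048": ("group", "modp2048"), "modp3072": ("group", "modp3072"),
    "modp4096": ("group", "modp4096"), "ecp256": ("group", "ecp256"),
    "ecp384": ("group", "ecp384"), "ecp521": ("group", "ecp521"),
    "curve25519": ("group", "curve25519"),
}

# Keywords that terminate an ikesa/childsa transform list in an iked policy line.
IKED_END = re.compile(r"\b(ikesa|childsa|srcid|dstid|psk|rsa|ecdsa|config|tag|"
                      r"lifetime|ikelifetime|bytes|signature)\b")
IKED_TRANSFORM = re.compile(r"\b(enc|auth|prf|group)\s+([\w,\-]+)")


def parse_swan(value):
    """'aes256-sha256-modp2048!' -> [{'enc': 'aes-256', 'auth': 'hmac-sha2-256', 'group': 'modp2048'}].
    Proposals are tried in the order written; the trailing '!' of ipsec.conf strict
    mode is accepted and ignored.  Unlisted keywords raise rather than silently pass."""
    proposals = []
    for prop in value.rstrip("!").split(","):
        parsed = {}
        for token in prop.strip().split("-"):
            if token not in SWAN_TO_IKED:
                raise ValueError(f"unknown strongSwan transform {token!r}")
            ttype, name = SWAN_TO_IKED[token]
            parsed[ttype] = name
        proposals.append(parsed)
    return proposals


def parse_iked_policy(policy):
    """Extract {'ikesa': {type: set}, 'childsa': {type: set}} from one iked policy
    line (iked.conf syntax or the expanded form 'iked -dvv' prints).  Any
    combination of the listed transforms is acceptable to iked."""
    out = {}
    for section in ("ikesa", "childsa"):
        m = re.search(rf"\b{section}\b\s+(.*)", policy)
        body = m.group(1) if m else ""
        end = IKED_END.search(body)
        if end:
            body = body[:end.start()]
        out[section] = {t: set(v.split(",")) for t, v in IKED_TRANSFORM.findall(body)}
    return out


def match(value, iked_sets):
    """Walk the strongSwan proposals in offer order and return
    (first proposal iked accepts or None, [(proposal, missing transforms), ...]).
    A transform type the initiator names but the responder does not list at all
    (e.g. a DH group against a childsa without 'group') counts as missing."""
    accepted, report = None, []
    for prop in parse_swan(value):
        missing = [f"{t} {n}" for t, n in prop.items() if n not in iked_sets.get(t, set())]
        report.append((prop, missing))
        if not missing and accepted is None:
            accepted = prop
    return accepted, report


# Constructed samples derived from the two configurations in this thread.
# The pinned policy from the working PSK setup (placeholder PSK, dstid omitted):
IKED_PINNED = ('ikev2 "roadwarrior" passive esp from 0.0.0.0/0 to 10.20.30.0/24 '
               'local egress peer any '
               'ikesa enc aes-256 auth hmac-sha2-256 group modp2048 '
               'childsa enc aes-256 auth hmac-sha2-256 group modp2048 '
               'psk "placeholder-change-me" config address 10.20.30.32')
# The expanded defaults iked -dvv printed for a policy that set no proposals:
IKED_DEFAULTS = ('ikev2 "policy1" passive esp inet from 0.0.0.0/0 to 10.201.201.0/24 '
                 'local 1.2.3.4 peer any '
                 'ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 '
                 'auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 '
                 'childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 '
                 'srcid vpn.example.com lifetime 10800 bytes 536870912 signature')


def report_lines(value, policy, section):
    """Human-readable verdict for one strongSwan proposal string against one iked section."""
    accepted, report = match(value, parse_iked_policy(policy)[section])
    lines = [f"{section}: strongSwan offers {value!r}"]
    for prop, missing in report:
        verdict = "OK" if not missing else "rejected, iked does not list: " + ", ".join(missing)
        lines.append(f"  {'-'.join(prop.values())}: {verdict}")
    lines.append("  result: " + ("no common proposal" if accepted is None
                                 else "agreed on " + "-".join(accepted.values())))
    return lines


if __name__ == "__main__":
    for section in ("ikesa", "childsa"):
        print("\n".join(report_lines("aes256-sha256-modp2048!", IKED_PINNED, section)))
    # What the original post's client ran into: ECP_256 offered first, iked only lists MODP groups.
    print("\n".join(report_lines("aes256-sha256-ecp256,aes256-sha256-modp2048", IKED_DEFAULTS, "ikesa")))
    print("\n".join(report_lines("aes256-sha256-modp2048", IKED_DEFAULTS, "childsa")))
```

Run it against a candidate ipsec.conf and iked.conf before bringing the tunnel up; a proposal that reports "no common proposal" will show up on the wire as INVAL_KE or NO_PROPOSAL_CHOSEN. One caveat the working example leaves implicit: with "peer any" and PSK authentication, anyone who holds the passphrase can bring up the tunnel, so the value in ipsec.secrets and iked.conf needs to be long and random rather than a dictionary word.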

Unable to create IKEv2 VPN using strongSwan to iked

2020-04-20 Thread Jona Joachim

Hi,

I am trying to connect to iked running on OpenBSD 6.6 from a strongSwan 
5.7.2 initiator running on Ubuntu 19.10 (which is behind NAT). I am 
using x509 certificates generated by ikectl.


The tunnel cannot be established. It is hard for me to see what's going 
on. strongswan seems to be sending the same IKE_AUTH packet again and 
again and iked does not seem to respond even though it receives the 
packet and does not show an error. The only thing fishy I see in iked 
output is "sa_state: cannot switch: AUTH_SUCCESS -> VALID", not sure why 
it "cannot switch".


Does anybody have a working setup between iked and strongSwan or any 
insights? Config files and logs below.


Thanks,

Jona


iked.conf:

ikev2 passive esp \
    from 0.0.0.0/0 to 10.201.201.0/24 \
    from 192.168.0.0/16 to 10.244.244.0/24 \
    from 10.244.244.0/24 to 192.168.0.0/16 \
    local 1.2.3.4 peer any \
    srcid vpn.example.com \
config address 10.201.201.0/24 \
config name-server 10.201.201.1 \
    tag "IKED"


ipsec.conf (strongSwan):

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn puffvpn
    keyexchange=ikev2
    dpddelay=5s
    dpdtimeout=60s
    dpdaction=restart

    left=%defaultroute
    leftcert=wookie.crt
    leftsubnet=192.168.0.0/16
    leftfirewall=yes
    leftid="wookie"

    right=vpn.example.com
    rightsubnet=10.201.201.0/24
    rightid="vpn.example.com"

    auto=start

strongswan log:

# ipsec up puffvpn
initiating IKE_SA puffvpn[5] to 1.2.3.4
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (928 bytes)
received packet: from 1.2.3.4[500] to 192.168.4.103[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_256, it requested MODP_2048
initiating IKE_SA puffvpn[5] to 1.2.3.4
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
retransmit 1 of request with message ID 0
sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
retransmit 2 of request with message ID 0
sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
received packet: from 1.2.3.4[500] to 192.168.4.103[500] (471 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
local host is behind NAT, sending keep alives
received 1 cert requests for an unknown ca
sending cert request for "CN=35.180.187.116"
sending cert request for "C=FR, ST=Ile-de-France, L=Paris, O=OpenBSD, OU=iked, CN=VPN CA, E=j...@joachim.cc"
authentication of 'wookie' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
sending end entity cert "C=FR, ST=Ile-de-France, L=Paris, O=puffvpn, OU=iked, CN=wookie, E=j...@joachim.cc"
establishing CHILD_SA puffvpn{7}
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
retransmit 1 of request with message ID 1
sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
retransmit 2 of request with message ID 1
sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
retransmit 3 of request with message ID 1
sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
sending keep alive to 1.2.3.4[4500]
retransmit 4 of request with message ID 1
sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
sending keep alive to 1.2.3.4[4500]
sending keep alive to 1.2.3.4[4500]
retransmit 5 of request with message ID 1
sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
sending keep alive to 1.2.3.4[4500]
sending keep alive to 1.2.3.4[4500]
sending keep alive to 1.2.3.4[4500]
giving up after 5 retransmits
peer not responding, trying again (2/3)
establishing connection 'puffvpn' failed

iked log:

# iked -dvv
ikev2 "policy1" passive esp inet from 10.244.244.0/24 to 192.168.0.0/16 from 0.0.0.0/0 to 10.201.201.0/24 from 192.168.0.0/16 to 10.244.244.0/24 local 1.2.3.4 peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid vpn.example.com lifetime 10800 bytes 536870912 signature config address 10.201.201.0 config name-server 10.201.201.1 tag "IKED"
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1192
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1192
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: loaded
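The strongSwan log in this post tells a precise story once it is read by exchange rather than line by line: message ID 0 (IKE_SA_INIT) is answered twice, first with INVAL_KE and then with a real response and a selected proposal, so UDP/500 reachability, the DH group and the proposal are all fine; message ID 1 (IKE_AUTH), sent over UDP/4500 because NAT was detected, is retransmitted five times and never answered. The script below is an added example, not part of this thread and not strongSwan code: it replays a charon initiator log and reports which IKEv2 exchange stalled, with a hint for that stage. Its first sample is the log from this post condensed to one entry per line; the second is a constructed log (addresses from the documentation ranges) in which IKE_SA_INIT itself goes unanswered, to exercise the other branch.

```python
import re

# The charon messages we key on, in the wording strongSwan 5.x uses in this thread.
RE_GEN = re.compile(r"generating (\w+) request (\d+)")
RE_PARSED = re.compile(r"parsed (\w+) response (\d+) \[(.*?)\]")
RE_RETRANS = re.compile(r"retransmit (\d+) of request with message ID (\d+)")
RE_SEND = re.compile(r"sending packet: from \S+\[(\d+)\] to \S+\[(\d+)\]")
RE_PROPOSAL = re.compile(r"selected proposal:\s*(\S+)")
RE_DH = re.compile(r"peer didn't accept DH group (\w+), it requested (\w+)")
RE_GIVEUP = re.compile(r"giving up after (\d+) retransmits")

# What an unanswered request at each stage can and cannot mean.
HINTS = {
    "IKE_SA_INIT": ("no IKE_SA_INIT response: nothing has been negotiated yet, so check "
                    "UDP/500 reachability and that the responder listens on that address"),
    "IKE_AUTH": ("IKE_SA_INIT completed, so proposals, DH group and UDP/500 are fine; the "
                 "responder never answers IKE_AUTH, so either UDP/4500 is filtered in one "
                 "direction (NAT-T moved the exchange to 4500 after NAT detection) or the "
                 "responder rejects authentication/identity and drops the request without a "
                 "notify; read the responder's own log for this exchange"),
    "CREATE_CHILD_SA": "the IKE SA is up but a rekey or extra child SA goes unanswered",
}


def triage(log):
    """Replay a strongSwan initiator log and report which IKEv2 exchange stalled."""
    exchanges = {}   # message ID -> {"name", "retransmits", "answered"}
    result = {"proposal": None, "dh_fallback": None, "nat_t": False, "gave_up": False,
              "stalled_at": None, "msgid": None, "retransmits": 0,
              "hint": "every request was answered"}
    for line in log.splitlines():
        if m := RE_GEN.search(line):
            # A request regenerated with the same ID (after INVAL_KE) replaces the old one.
            exchanges[int(m.group(2))] = {"name": m.group(1), "retransmits": 0, "answered": False}
        elif m := RE_PARSED.search(line):
            ex = exchanges.get(int(m.group(2)))
            if ex:
                ex["answered"] = True
                ex["payloads"] = m.group(3).split()
        elif m := RE_RETRANS.search(line):
            ex = exchanges.get(int(m.group(2)))
            if ex:
                ex["retransmits"] = int(m.group(1))
        elif m := RE_SEND.search(line):
            if m.group(1) == "4500" and m.group(2) == "4500":
                result["nat_t"] = True
        elif m := RE_PROPOSAL.search(line):
            result["proposal"] = m.group(1)
        elif m := RE_DH.search(line):
            result["dh_fallback"] = (m.group(1), m.group(2))
        elif RE_GIVEUP.search(line):
            result["gave_up"] = True
    # The lowest-numbered request that never saw a response is where the handshake died.
    for msgid, ex in sorted(exchanges.items()):
        if not ex["answered"]:
            result.update(stalled_at=ex["name"], msgid=msgid, retransmits=ex["retransmits"],
                          hint=HINTS.get(ex["name"], "unanswered request; check the responder log"))
            break
    return result


# Sample 1: the log from this post, condensed to one charon entry per line.
SAMPLE_THREAD = """\
initiating IKE_SA puffvpn[5] to 1.2.3.4
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (928 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_256, it requested MODP_2048
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
retransmit 2 of request with message ID 0
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
local host is behind NAT, sending keep alives
authentication of 'wookie' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
retransmit 1 of request with message ID 1
sending keep alive to 1.2.3.4[4500]
retransmit 5 of request with message ID 1
giving up after 5 retransmits
peer not responding, trying again (2/3)
establishing connection 'puffvpn' failed
"""

# Sample 2: constructed log where the very first request gets no answer at all.
SAMPLE_NO_INIT = """\
initiating IKE_SA lab[1] to 203.0.113.7
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.0.2.10[500] to 203.0.113.7[500] (1120 bytes)
retransmit 1 of request with message ID 0
retransmit 5 of request with message ID 0
giving up after 5 retransmits
establishing connection 'lab' failed
"""

if __name__ == "__main__":
    for name, sample in (("thread", SAMPLE_THREAD), ("no-init", SAMPLE_NO_INIT)):
        r = triage(sample)
        print(f"{name}: stalled at {r['stalled_at']} (msg {r['msgid']}, "
              f"{r['retransmits']} retransmits, NAT-T={r['nat_t']})\n  {r['hint']}")
```

Feed it the output of "ipsec up <conn>" or the charon syslog; the useful part is the distinction it draws between a handshake that never starts and one that dies at IKE_AUTH, which narrows the search to the responder's view of that one exchange rather than the proposals or the pf rules on UDP/500.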