Re: Unable to create IKEv2 VPN using strongSwan to iked
Hmm, I tried your configuration and I get the same behaviour with strongswan. I don't have an iPhone to test. I tried playing around with the settings switching from x509 to PSK, changing strongswan knobs, always with the same result. I can connect to other strongswan responders using this same client. Do you have other special settings in other strongswan config files? Do you have any special pf rules? I run with pf disabled for these tests. I don't think running pf is required to establish a tunnel.

Best regards,
Jona

On Apr 20, 2020, 16:02, R0me0 *** wrote:
>Adjust as your necessity *
>
>( Don't forget to adjust your pf rules accordingly ) *
>
>OpenBSD 6.X ( Works with IPHONE AND STRONGSWAN )
>
>ikev2 "roadwarrior" passive esp from 0.0.0.0/0 to 10.20.30.0/24 \
>        local egress peer any \
>        ikesa enc aes-256 auth hmac-sha2-256 group modp2048 \
>        childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
>        dstid r...@openbsd.org psk "psk_passphrase" config address 10.20.30.32
>
>Iphone = just disable certificates and set psk
>
>Interoperability with StrongSwan
>
># cat /etc/ipsec.conf
>
># ipsec.conf – strongSwan IPsec configuration file
># basic configuration
>
>config setup
>
>conn %default
>        ikelifetime=60m
>        keylife=20m
>        rekeymargin=3m
>        keyingtries=1
>        keyexchange=ikev2
>        authby=secret
>        ike=aes256-sha256-modp2048!
>        esp=aes256-sha256-modp2048!
>
>conn strongswan
>        left=%any
>        leftfirewall=yes
>        leftsourceip=%config
>        right=REMOTE_PEER_IP
>        rightid=puffymagic.ikedvpn.com
>        rightsubnet=192.168.0.0/24,172.8.50.0/24 ( networks you want access on other side ) ( behind magic puffer fish )
>        auto=add
>
># cat /etc/ipsec.secrets
>
># ipsec.secrets – strongSwan IPsec secrets file
>: PSK "strongopeniked"
>
>PS: Magic Puffer Fish Rock!
>
>On Mon, Apr 20, 2020 at 09:49, Jona Joachim wrote:
>
>> Hi,
>>
>> I am trying to connect to iked running on OpenBSD 6.6 from a strongSwan
>> 5.7.2 initiator running on Ubuntu 19.10 (which is behind NAT). I am
>> using x509 certificates generated by ikectl.
>>
>> The tunnel cannot be established. It is hard for me to see what's going
>> on. strongswan seems to be sending the same IKE_AUTH packet again and
>> again and iked does not seem to respond even though it receives the
>> packet and does not show an error. The only thing fishy I see in iked
>> output is "sa_state: cannot switch: AUTH_SUCCESS -> VALID", not sure why
>> it "cannot switch".
>>
>> Does anybody have a working setup between iked and strongSwan or any
>> insights? Config files and logs below.
>>
>> Thanks,
>>
>> Jona
>>
>>
>> iked.conf:
>>
>> ikev2 passive esp \
>>         from 0.0.0.0/0 to 10.201.201.0/24 \
>>         from 192.168.0.0/16 to 10.244.244.0/24 \
>>         from 10.244.244.0/24 to 192.168.0.0/16 \
>>         local 1.2.3.4 peer any \
>>         srcid vpn.example.com \
>>         config address 10.201.201.0/24 \
>>         config name-server 10.201.201.1 \
>>         tag "IKED"
>>
>>
>> ipsec.conf (strongSwan):
>>
>> config setup
>>         # strictcrlpolicy=yes
>>         # uniqueids = no
>>
>> conn puffvpn
>>         keyexchange=ikev2
>>         dpddelay=5s
>>         dpdtimeout=60s
>>         dpdaction=restart
>>
>>         left=%defaultroute
>>         leftcert=wookie.crt
>>         leftsubnet=192.168.0.0/16
>>         leftfirewall=yes
>>         leftid="wookie"
>>
>>         right=vpn.example.com
>>         rightsubnet=10.201.201.0/24
>>         rightid="vpn.example.com"
>>
>>         auto=start
>>
>> strongswan log:
>>
>> # ipsec up puffvpn
>> initiating IKE_SA puffvpn[5] to 1.2.3.4
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (928 bytes)
>> received packet: from 1.2.3.4[500] to 192.168.4.103[500] (38 bytes)
>> parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
>> peer didn't accept DH group ECP_256, it requested MODP_2048
>> initiating IKE_SA puffvpn[5] to 1.2.3.4
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
>> retransmit 1 of request with message ID 0
>> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
>> retransmit 2 of request with message ID 0
>> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
>> received packet: from 1.2.3.4[500] to 192.168.4.103[500] (471 bytes)
>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) ]
>> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
>> local host is behind NAT, sending keep alives
>> received 1 cert requests for an unknown ca
>> sending cert request for "CN=35.180.187.116"
>> sending cert request for "C=FR, ST=Ile-de-France, L=Paris, O=OpenBSD, OU=iked, CN=VPN CA, E=j...@joachim.cc"
>> authentication of 'wookie' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
>> sending end entity cert "C=FR,
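An added log-triage helper, not code from the thread or from either project, that walks strongSwan initiator output of the shape quoted in this thread and reports which exchange stalled. The sample log is constructed and abridged; the regular expressions match the charon message wording as it appears in the quoted log.

```python
import re

# Constructed, abridged sample in the shape of the strongSwan log quoted in the thread.
SAMPLE_LOG = """\
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_256, it requested MODP_2048
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
retransmit 1 of request with message ID 0
retransmit 2 of request with message ID 0
parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ N(HASH_ALG) ]
local host is behind NAT, sending keep alives
generating IKE_AUTH request 1 [ IDi CERT AUTH SA TSi TSr ]
retransmit 1 of request with message ID 1
retransmit 2 of request with message ID 1
retransmit 3 of request with message ID 1
giving up after 3 retransmits
"""

GEN_RE = re.compile(r"generating (\w+) request (\d+)")
RESP_RE = re.compile(r"parsed (\w+) response (\d+) \[(.*?)\]")
RETRANS_RE = re.compile(r"retransmit (\d+) of request with message ID (\d+)")
DH_RE = re.compile(r"peer didn't accept DH group (\w+), it requested (\w+)")

def analyse(log):
    """Track each IKE request by message ID; return (exchanges, findings)."""
    exchanges, findings = {}, []
    for line in log.splitlines():
        if m := GEN_RE.search(line):  # a (re)generated request starts a fresh record
            exchanges[int(m.group(2))] = {"type": m.group(1), "retransmits": 0, "answered": False}
        elif m := RETRANS_RE.search(line):
            ex = exchanges.setdefault(int(m.group(2)), {"type": "?", "retransmits": 0, "answered": False})
            ex["retransmits"] = int(m.group(1))
        elif m := RESP_RE.search(line):
            ex = exchanges.setdefault(int(m.group(2)), {"type": m.group(1), "retransmits": 0, "answered": False})
            ex["answered"] = "INVAL_KE" not in m.group(3)  # INVAL_KE means "redo with another group", not an answer
        elif m := DH_RE.search(line):
            findings.append(f"DH group mismatch: initiator offered {m.group(1)}, responder wants "
                            f"{m.group(2)}; pin that group in the initiator's ike= proposal")
        elif "behind NAT" in line:
            findings.append("initiator is behind NAT: confirm UDP/4500 reaches the responder")
    for mid, ex in sorted(exchanges.items()):
        if not ex["answered"]:
            findings.append(f"{ex['type']} (message ID {mid}) got no response after "
                            f"{ex['retransmits']} retransmits: the responder dropped it silently, "
                            "check its policy and authentication logs")
    return exchanges, findings
```

On the thread's own log this flags the ECP_256/MODP_2048 round trip and the unanswered IKE_AUTH, which is exactly the point at which iked goes quiet.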
Re: Unable to create IKEv2 VPN using strongSwan to iked
Adjust as your necessity *

( Don't forget to adjust your pf rules accordingly ) *

OpenBSD 6.X ( Works with IPHONE AND STRONGSWAN )

ikev2 "roadwarrior" passive esp from 0.0.0.0/0 to 10.20.30.0/24 \
        local egress peer any \
        ikesa enc aes-256 auth hmac-sha2-256 group modp2048 \
        childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
        dstid r...@openbsd.org psk "psk_passphrase" config address 10.20.30.32

Iphone = just disable certificates and set psk

Interoperability with StrongSwan

# cat /etc/ipsec.conf

# ipsec.conf – strongSwan IPsec configuration file
# basic configuration

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        authby=secret
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256-modp2048!

conn strongswan
        left=%any
        leftfirewall=yes
        leftsourceip=%config
        right=REMOTE_PEER_IP
        rightid=puffymagic.ikedvpn.com
        rightsubnet=192.168.0.0/24,172.8.50.0/24 ( networks you want access on other side ) ( behind magic puffer fish )
        auto=add

# cat /etc/ipsec.secrets

# ipsec.secrets – strongSwan IPsec secrets file
: PSK "strongopeniked"

PS: Magic Puffer Fish Rock!

On Mon, Apr 20, 2020 at 09:49, Jona Joachim wrote:

> Hi,
>
> I am trying to connect to iked running on OpenBSD 6.6 from a strongSwan
> 5.7.2 initiator running on Ubuntu 19.10 (which is behind NAT). I am
> using x509 certificates generated by ikectl.
>
> The tunnel cannot be established. It is hard for me to see what's going
> on. strongswan seems to be sending the same IKE_AUTH packet again and
> again and iked does not seem to respond even though it receives the
> packet and does not show an error. The only thing fishy I see in iked
> output is "sa_state: cannot switch: AUTH_SUCCESS -> VALID", not sure why
> it "cannot switch".
>
> Does anybody have a working setup between iked and strongSwan or any
> insights? Config files and logs below.
>
> Thanks,
>
> Jona
>
>
> iked.conf:
>
> ikev2 passive esp \
>         from 0.0.0.0/0 to 10.201.201.0/24 \
>         from 192.168.0.0/16 to 10.244.244.0/24 \
>         from 10.244.244.0/24 to 192.168.0.0/16 \
>         local 1.2.3.4 peer any \
>         srcid vpn.example.com \
>         config address 10.201.201.0/24 \
>         config name-server 10.201.201.1 \
>         tag "IKED"
>
>
> ipsec.conf (strongSwan):
>
> config setup
>         # strictcrlpolicy=yes
>         # uniqueids = no
>
> conn puffvpn
>         keyexchange=ikev2
>         dpddelay=5s
>         dpdtimeout=60s
>         dpdaction=restart
>
>         left=%defaultroute
>         leftcert=wookie.crt
>         leftsubnet=192.168.0.0/16
>         leftfirewall=yes
>         leftid="wookie"
>
>         right=vpn.example.com
>         rightsubnet=10.201.201.0/24
>         rightid="vpn.example.com"
>
>         auto=start
>
> strongswan log:
>
> # ipsec up puffvpn
> initiating IKE_SA puffvpn[5] to 1.2.3.4
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (928 bytes)
> received packet: from 1.2.3.4[500] to 192.168.4.103[500] (38 bytes)
> parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> peer didn't accept DH group ECP_256, it requested MODP_2048
> initiating IKE_SA puffvpn[5] to 1.2.3.4
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
> retransmit 1 of request with message ID 0
> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
> retransmit 2 of request with message ID 0
> sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
> received packet: from 1.2.3.4[500] to 192.168.4.103[500] (471 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) ]
> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
> local host is behind NAT, sending keep alives
> received 1 cert requests for an unknown ca
> sending cert request for "CN=35.180.187.116"
> sending cert request for "C=FR, ST=Ile-de-France, L=Paris, O=OpenBSD, OU=iked, CN=VPN CA, E=j...@joachim.cc"
> authentication of 'wookie' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
> sending end entity cert "C=FR, ST=Ile-de-France, L=Paris, O=puffvpn, OU=iked, CN=wookie, E=j...@joachim.cc"
> establishing CHILD_SA puffvpn{7}
> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
> retransmit 1 of request with message ID 1
> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
> retransmit 2 of request with message ID 1
> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
> retransmit 3 of request with message ID 1
> sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
> sending keep alive to 1.2.3.4[4500]
> retransmit 4
Unable to create IKEv2 VPN using strongSwan to iked
Hi,

I am trying to connect to iked running on OpenBSD 6.6 from a strongSwan
5.7.2 initiator running on Ubuntu 19.10 (which is behind NAT). I am
using x509 certificates generated by ikectl.

The tunnel cannot be established. It is hard for me to see what's going
on. strongswan seems to be sending the same IKE_AUTH packet again and
again and iked does not seem to respond even though it receives the
packet and does not show an error. The only thing fishy I see in iked
output is "sa_state: cannot switch: AUTH_SUCCESS -> VALID", not sure why
it "cannot switch".

Does anybody have a working setup between iked and strongSwan or any
insights? Config files and logs below.

Thanks,

Jona


iked.conf:

ikev2 passive esp \
        from 0.0.0.0/0 to 10.201.201.0/24 \
        from 192.168.0.0/16 to 10.244.244.0/24 \
        from 10.244.244.0/24 to 192.168.0.0/16 \
        local 1.2.3.4 peer any \
        srcid vpn.example.com \
        config address 10.201.201.0/24 \
        config name-server 10.201.201.1 \
        tag "IKED"


ipsec.conf (strongSwan):

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn puffvpn
        keyexchange=ikev2
        dpddelay=5s
        dpdtimeout=60s
        dpdaction=restart

        left=%defaultroute
        leftcert=wookie.crt
        leftsubnet=192.168.0.0/16
        leftfirewall=yes
        leftid="wookie"

        right=vpn.example.com
        rightsubnet=10.201.201.0/24
        rightid="vpn.example.com"

        auto=start

strongswan log:

# ipsec up puffvpn
initiating IKE_SA puffvpn[5] to 1.2.3.4
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (928 bytes)
received packet: from 1.2.3.4[500] to 192.168.4.103[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_256, it requested MODP_2048
initiating IKE_SA puffvpn[5] to 1.2.3.4
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
retransmit 1 of request with message ID 0
sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
retransmit 2 of request with message ID 0
sending packet: from 192.168.4.103[500] to 1.2.3.4[500] (1120 bytes)
received packet: from 1.2.3.4[500] to 192.168.4.103[500] (471 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
local host is behind NAT, sending keep alives
received 1 cert requests for an unknown ca
sending cert request for "CN=35.180.187.116"
sending cert request for "C=FR, ST=Ile-de-France, L=Paris, O=OpenBSD, OU=iked, CN=VPN CA, E=j...@joachim.cc"
authentication of 'wookie' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
sending end entity cert "C=FR, ST=Ile-de-France, L=Paris, O=puffvpn, OU=iked, CN=wookie, E=j...@joachim.cc"
establishing CHILD_SA puffvpn{7}
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
retransmit 1 of request with message ID 1
sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
retransmit 2 of request with message ID 1
sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
retransmit 3 of request with message ID 1
sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
sending keep alive to 1.2.3.4[4500]
retransmit 4 of request with message ID 1
sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
sending keep alive to 1.2.3.4[4500]
sending keep alive to 1.2.3.4[4500]
retransmit 5 of request with message ID 1
sending packet: from 192.168.4.103[4500] to 1.2.3.4[4500] (1568 bytes)
sending keep alive to 1.2.3.4[4500]
sending keep alive to 1.2.3.4[4500]
sending keep alive to 1.2.3.4[4500]
giving up after 5 retransmits
peer not responding, trying again (2/3)
establishing connection 'puffvpn' failed

iked log:

# iked -dvv
ikev2 "policy1" passive esp inet from 10.244.244.0/24 to 192.168.0.0/16 from 0.0.0.0/0 to 10.201.201.0/24 from 192.168.0.0/16 to 10.244.244.0/24 local 1.2.3.4 peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid vpn.example.com lifetime 10800 bytes 536870912 signature config address 10.201.201.0 config name-server 10.201.201.1 tag "IKED"
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1192
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1192
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: loaded