I've noticed that OpenIKED was ported to FreeBSD, so I wanted to try it to see whether I can migrate from Strongswan.
I generated a sample CA and the necessary keys, however both tests (OpenIKED <> OpenIKED and OpenIKED <> Strongswan) failed.
1. OpenIKED - OpenIKED. I couldn't even try to connect to the server!
The log I got:
Code:
ca_privkey_serialize: type RSA_KEY length 1193
ca_pubkey_serialize: type RSA_KEY length 270
pledge: pid 60429 promises: stdio cpath unix
ca_reload: loaded ca file vpn-ca.crt
pledge: pid 60430 promises: stdio inet recvfd
ca_reload: loaded crl file vpn-ca.crl
ca_reload: **************** root CA/emailAddress=********
ca_reload: loaded 1 ca certificate
/usr/local/etc/iked.conf: 1 policy; 0 users
ca_reload: loaded cert file a888888888.crt
udp_bind: failed to get UDP socket: Address family not supported by protocol family
udp_bind: failed to get UDP socket: Address family not supported by protocol family
pledge: pid 60421 promises: stdio rpath proc dns inet route sendfd exec
config_setapply: action=0
ikev2 "policy1" active esp inet from 192.168.0.0/16 to 0.0.0.0/0 local any peer ****** ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid ******** lifetime 10800 bytes 536870912 rsa
config_setapply: action=2
config_free_flows: free 0x802096280
config_free_proposals: free 0x802082050
config_free_proposals: free 0x8020820a0
config_getpfkey: received pfkey fd 3
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getapply: action=0
config_getpolicy: received policy
config_getapply: action=2
ca_validate_cert: ******************** ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_policy_load_flows: "policy1": loading flow 0x802096280
pfkey_flow: flow with policy id 0x0
ikev2_policy_load_flows: flow 0x802096280 loaded
ikev2_init_ike_sa: "policy1": initiating
ikev2_policy2id: srcid FQDN/sphinx.abinet.ru length 20
ikev2_add_proposals: length 116
ikev2_next_payload: length 120 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xe2a561e9d6ea90e5 0x0000000000000000 any
ikev2_init_ike_sa_peer: closing SA
sa_free: ispi 0xe2a561e9d6ea90e5 rspi 0x0000000000000000
ikev2_init_ike_sa: failed to initiate with peer 5.2.75.89
Absolutely not informative error. On the server side there are no packets at all.

The config is:
Code:
ikev2 active esp \
from 192.168.0.0/16 to 0.0.0.0/0 \
peer ******** \
srcid sphinx.abinet.ru
2. The second attempt was with Strongswan on the client side.
Results are better; at least Strongswan tries to do something.
Here are the logs from the server side:
Code:
abishai@vpn:~ % doas iked -d -vvv
ca_privkey_serialize: type RSA_KEY length 1190
ca_pubkey_serialize: type RSA_KEY length 270
ca_reload: loaded ca file vpn-ca.crt
pledge: pid 1156 promises: stdio cpath unix
ca_reload: loaded crl file vpn-ca.crl
pledge: pid 1157 promises: stdio inet recvfd
ca_reload: ******* root CA/emailAddress=********
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file vpn.*********.crt
ca_validate_cert: ****************** ok
ca_reload: local cert type X509_CERT
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
create_ike: unknown address family
/usr/local/etc/iked.conf: 1 policy; 0 users
pledge: pid 1154 promises: stdio rpath proc dns inet route sendfd exec
config_setapply: action=0
ikev2 "policy1" passive esp inet from 0.0.0.0/0 to 192.168.0.0/16 from 0.0.0.0/0 to 10.0.0.0/8 local ******** peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid vpn.******** lifetime 10800 bytes 536870912 rsa tag "IKED"
config_setapply: action=2
config_free_flows: free 0x80209e500
config_free_flows: free 0x80209e280
config_free_proposals: free 0x802081050
config_free_proposals: free 0x8020810a0
config_getocsp: ocsp_url none
config_getpfkey: received pfkey fd 3
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getapply: action=0
config_getpolicy: received policy
config_getapply: action=2
ikev2_recv: IKE_SA_INIT request from initiator 217.118.78.113:46528 to *******:500 policy 'policy1' id 0, 1156 bytes
ikev2_recv: ispi 0x2cd04a899ca4d3d5 rspi 0x0000000000000000
ikev2_policy2id: srcid FQDN/vpn.******** length 17
ikev2_pld_parse: header ispi 0x2cd04a899ca4d3d5 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 1156 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 612
ikev2_pld_sa: more than one proposal specified
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 392
ikev2_pld_ke: dh group MODP_3072 reserved 0
98a76d4f 029b4ed7 2cd8f338 a7c96ce0 4674ab06 615f2d7d c93857d5 66895845
snip
33f9fe0c f86893d0 2933c70d 588b60b2 943dda80 c3e6937c 7cfe2e52 4ef67577
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
46256968 6331b31b bcc0933d f931ddd0 c602f780 3a0314ff 129334a7 04428165
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
0c93bc5f ceb21501 7d12ab12 cb01c484 3530392e
ikev2_nat_detection: peer source 0x2cd04a899ca4d3d5 0x0000000000000000 217.118.78.113:46528
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
6fa6bac0 c12fbf9f ac35c2d4 12b7eb9f 1c004d25
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
490df9d2 7e63e0cc 12309f2c fd4da863 c0360a10
ikev2_nat_detection: peer destination 0x2cd04a899ca4d3d5 0x0000000000000000 *******:500
490df9d2 7e63e0cc 12309f2c fd4da863 c0360a10
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type <UNKNOWN:16430>
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
00010002 00030004
ikev2_pld_notify: signature hash SHA1 (1)
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
sa_state: INIT -> SA_INIT
ikev2_match_proposals: xform 1 <-> 1 (7): ENCR AES_CBC (keylength 128 <-> 0) 128
ikev2_match_proposals: xform 1 <-> 1 (1): INTEGR HMAC_SHA2_256_128 (keylength 0 <-> 0)
ikev2_match_proposals: xform 1 <-> 1 (1): PRF HMAC_SHA2_256 (keylength 0 <-> 0)
ikev2_sa_negotiate: score 0
ikev2_sa_responder: no proposal chosen
ikev2_resp_recv: failed to get IKE SA keys
sa_state: SA_INIT -> CLOSED from 217.118.78.113 to ******** policy 'policy1'
config_free_proposals: free 0x8020810f0
Slightly better, however not very understandable. They didn't negotiate the auth-enc-prf-dh proto, however who is wrong?

Code:
ikev2_match_proposals: xform 1 <-> 1 (7): ENCR AES_CBC (keylength 128 <-> 0) 128
ikev2_match_proposals: xform 1 <-> 1 (1): INTEGR HMAC_SHA2_256_128 (keylength 0 <-> 0)
ikev2_match_proposals: xform 1 <-> 1 (1): PRF HMAC_SHA2_256 (keylength 0 <-> 0)
These proposals are from the remote side (strongswan), however those 0 <-> 0 look tricky to me.

Anyone familiar with OpenIKED?
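An added worked example, not part of the original post and not OpenIKED's own code: a small Python script that redoes the transform-by-transform comparison iked's `ikev2_match_proposals` performs, using the responder's `ikesa` clause and the initiator's `ikev2_pld_xform` / `ikev2_pld_attr` lines from the server log above as constructed input. In that log the three match lines cover ENCR, INTEGR and PRF only (the `keylength 0 <-> 0` on the INTEGR and PRF lines just means neither side attached a KEY_LENGTH attribute; those are matches), and no DH line is printed before `score 0`: the initiator offered `DH id MODP_3072` while the policy's `group` list is `modp2048-256,modp2048,modp1536,modp1024`. The keyword-to-transform table (`CONF_TO_XFORM`) is an assumption that covers only the algorithms on this page, not iked's table.

```python
"""Compare an IKEv2 initiator proposal against an iked responder policy.

Added example (not from the original post or from OpenIKED). It parses the
"ikesa ..." clause iked prints for a policy and the ikev2_pld_xform lines it
logs for a received SA payload, then reports which transform types have no
common entry. Everything below is constructed from the log on this page.
"""
import re

# Constructed input: the responder policy's "ikesa" clause from the server log.
RESPONDER_IKESA = (
    "ikesa enc aes-256,aes-192,aes-128,3des "
    "prf hmac-sha2-256,hmac-sha1 "
    "auth hmac-sha2-256,hmac-sha1 "
    "group modp2048-256,modp2048,modp1536,modp1024"
)

# Constructed input: the initiator's proposal as logged by the server.
INITIATOR_LOG = """\
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_3072
"""

# Assumed mapping of iked.conf keywords to (transform type, id, key length).
# Only the algorithms that appear on this page are listed; this is not iked's table.
CONF_TO_XFORM = {
    "enc": {
        "aes-256": ("ENCR", "AES_CBC", 256),
        "aes-192": ("ENCR", "AES_CBC", 192),
        "aes-128": ("ENCR", "AES_CBC", 128),
        "3des": ("ENCR", "3DES", 0),
    },
    "prf": {
        "hmac-sha2-256": ("PRF", "HMAC_SHA2_256", 0),
        "hmac-sha1": ("PRF", "HMAC_SHA1", 0),
    },
    "auth": {
        "hmac-sha2-256": ("INTEGR", "HMAC_SHA2_256_128", 0),
        "hmac-sha1": ("INTEGR", "HMAC_SHA1_96", 0),
    },
    "group": {
        "modp2048-256": ("DH", "MODP_2048_256", 0),
        "modp2048": ("DH", "MODP_2048", 0),
        "modp1536": ("DH", "MODP_1536", 0),
        "modp1024": ("DH", "MODP_1024", 0),
        "modp3072": ("DH", "MODP_3072", 0),
    },
}

XFORM_ORDER = ("ENCR", "PRF", "INTEGR", "DH")
XFORM_RE = re.compile(r"ikev2_pld_xform: .*? type (\w+) id (\w+)")
ATTR_RE = re.compile(r"ikev2_pld_attr: attribute type KEY_LENGTH length (\d+)")


def parse_policy_ikesa(clause):
    """Return {xform_type: {(id, keylen), ...}} from an 'ikesa ...' clause."""
    tokens = clause.split()
    if tokens[0] != "ikesa":
        raise ValueError("expected an 'ikesa' clause")
    offered = {}
    for keyword, algs in zip(tokens[1::2], tokens[2::2]):
        for alg in algs.split(","):
            xtype, xid, keylen = CONF_TO_XFORM[keyword][alg]
            offered.setdefault(xtype, set()).add((xid, keylen))
    return offered


def parse_initiator_xforms(log):
    """Return [(type, id, keylen)]; a KEY_LENGTH attribute belongs to the
    transform logged just before it, otherwise keylen stays 0."""
    xforms = []
    for line in log.splitlines():
        m = XFORM_RE.search(line)
        if m:
            xforms.append([m.group(1), m.group(2), 0])
            continue
        m = ATTR_RE.search(line)
        if m and xforms:
            xforms[-1][2] = int(m.group(1))
    return [tuple(x) for x in xforms]


def match_proposal(initiator, responder):
    """Pick the first initiator transform per type that the responder also
    offers; report the types that end up with no common transform."""
    chosen = {}
    for xtype, xid, keylen in initiator:
        if xtype not in chosen and (xid, keylen) in responder.get(xtype, set()):
            chosen[xtype] = (xid, keylen)
    required = [t for t in XFORM_ORDER
                if t in responder or any(x[0] == t for x in initiator)]
    missing = [t for t in required if t not in chosen]
    return chosen, missing


def explain(chosen, missing):
    """Render the result in the style of iked's match lines."""
    lines = [f"match {t}: {i} keylength {k}" for t, (i, k) in chosen.items()]
    lines.append("no proposal chosen: no common transform for " + ", ".join(missing)
                 if missing else "proposal accepted")
    return "\n".join(lines)


if __name__ == "__main__":
    init = parse_initiator_xforms(INITIATOR_LOG)
    print(explain(*match_proposal(init, parse_policy_ikesa(RESPONDER_IKESA))))
    # Same comparison with modp3072 appended to the responder's group list.
    print(explain(*match_proposal(init, parse_policy_ikesa(RESPONDER_IKESA + ",modp3072"))))
```

The first run reproduces the log: ENCR, INTEGR and PRF match and DH is the type with no common entry. The second run only shows what the comparison looks like once the two group lists overlap; whether changing either side's `group` list is the right fix for this setup is for the poster to decide from the full logs.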