Hello fellow OpenBSD users,

I've run into a couple of issues setting up an IKE IPsec VPN with a
Windows 7 native client.  Now I've run through the lists and have found a
solution to get it working somewhat how I'd like it working.

I currently have this in my iked.conf:

ikev2 passive esp \
        from 192.168.200.0/24 to 10.10.10.0/24 local any peer any \
        srcid xxx.xxx.xxx.xxx \
        config address 10.10.10.1 \
        config name-server 192.168.200.x

And on my W7 client I have a static IP configured and am using machine
certificates.  I connect there with no issue and everything is kosher...kind
of.

I want to use a username and password so I have this in my iked.conf:

user "my user ID" "Wouldn't_you_like_to_know?"

ikev2 passive esp \
        from 192.168.200.0/24 to 10.10.10.0/24 local any peer any \
        eap "mschap-v2" \
        srcid xxx.xxx.xxx.xxx \
        config address 10.10.10.1 \
        config name-server 192.168.200.x \
        tag "$name-$id"

When I do this I get an error:
Error Code 13803 "IKE Negotiation in progress" and it just sits there.  Has
anyone gotten this to work before?

I run iked in debug mode with verbose output and receive the following:
/etc/iked.conf: loaded 2 configuration rules
config_new_user: inserting new user my_user
user "my_user" "password"
config_getpolicy: received policy
ikev2 "win7" passive esp from 192.168.200.0/24 to 10.10.10.0/24 local any peer
any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1,hmac-md5
auth hmac-sha2-256,hmac-sha1,hmac-md5 group modp2048-256,modp2048,modp1536,modp1024
childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid
xxx.xxx.xxx.xxx lifetime 10800 bytes 536870912 eap "MSCHAP_V2" config address 10.10.10.7
ca_reload: loaded ca file ca.crt
ca_reload: loaded crl file ca.crl
ca_reload:
/C=US/ST=xxxxxxxx/L=xxxxxxxx/O=xxxxxxx.com/OU=VPN/CN=cerberus.xxxxxxx.xxxxx/emailAddress=info@xxxxxxx.xxxxxx
config_getpfkey: received pfkey fd 4
ca_reload: loaded 1 ca certificate
config_getcompile: compilation done
config_getsocket: received socket fd 11
config_getsocket: received socket fd 12
config_getsocket: received socket fd 14
config_getsocket: received socket fd 20
ca_reload: loaded cert file xxx.xxx.xxx.xxx.crt
ca_validate_cert:
/C=US/ST=xxxxxxxx/L=xxxxxxxx/O=xxxxxxx.com/OU=VPN/CN=xxx.xxx.xxx.xxx/emailAdd
ress=i...@xxxxxxx.com ok
ikev2_dispatch_cert: updated local CERTREQ signatures length 20
ikev2_recv: IKE_SA_INIT from initiator xxx.xxx.xxx.xxx:56506 to
xxx.xxx.xxx.xxx:500 policy 'win7', 792 bytes
ikev2_policy2id: srcid IPV4/xxx.xxx.xxx.xxx length 8
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x0000000000000000
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 792
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 520
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x46459f2713e1d8d3 0x0000000000000000
xxx.xxx.xxx.xxx:56506
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP
encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x46459f2713e1d8d3 0x0000000000000000
xxx.xxx.xxx.xxx:500
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 23
sa_stateok: SA_INIT flags 0x00, require 0x00
sa_stateflags: 0x00 -> 0x08 sa (required 0x00 )
ikev2_sa_keys: SKEYSEED with 20 bytes
ikev2_sa_keys: S with 96 bytes
ikev2_prfplus: T1 with 20 bytes
ikev2_prfplus: T2 with 20 bytes
ikev2_prfplus: T3 with 20 bytes
ikev2_prfplus: T4 with 20 bytes
ikev2_prfplus: T5 with 20 bytes
ikev2_prfplus: T6 with 20 bytes
ikev2_prfplus: T7 with 20 bytes
ikev2_prfplus: T8 with 20 bytes
ikev2_prfplus: Tn with 160 bytes
ikev2_sa_keys: SK_d with 20 bytes
ikev2_sa_keys: SK_ai with 20 bytes
ikev2_sa_keys: SK_ar with 20 bytes
ikev2_sa_keys: SK_ei with 24 bytes
ikev2_sa_keys: SK_er with 24 bytes
ikev2_sa_keys: SK_pi with 20 bytes
ikev2_sa_keys: SK_pr with 20 bytes
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload KE
ikev2_next_payload: length 136 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x46459f2713e1d8d3 0x7916745180423feb
xxx.xxx.xxx.xxx:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x46459f2713e1d8d3 0x7916745180423feb
xxx.xxx.xxx.xxx:56506
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_next_payload: length 25 nextpayload NONE
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x7916745180423feb
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 325
response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid IKE spisize 0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT signatures length 20
ikev2_msg_send: IKE_SA_INIT from xxx.xxx.xxx.xxx:500 to xxx.xxx.xxx.xxx:56506,
325 bytes
config_free_proposals: free 0x204397280
ikev2_recv: IKE_AUTH from initiator xxx.xxx.xxx.xxx:64175 to
xxx.xxx.xxx.xxx:4500 policy 'win7', 988 bytes
ikev2_recv: updating msg, natt 1
ikev2_recv: updated SA peer xxx.xxx.xxx.xxx:64175 local xxx.xxx.xxx.xxx:4500
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x7916745180423feb
nextpayload E version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 988
response 0
ikev2_pld_payloads: payload E nextpayload IDi critical 0x00 length 960
ikev2_msg_decrypt: IV length 8
ikev2_msg_decrypt: encrypted payload length 936
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 936/936 padding 2
ikev2_pld_payloads: decrypted payload IDi nextpayload CERTREQ critical 0x00
length 12
ikev2_pld_id: id IPV4/192.168.103.130 length 8
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload NOTIFY critical 0x00
length 685
ikev2_pld_certreq: type X509_CERT signatures length 680
ikev2_policy2id: dstid IPV4/xxx.xxx.xxx.xxx length 8
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload CP critical 0x00
length 8
ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length
28
ikev2_pld_cp: type REQUEST length 20
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0
ikev2_pld_cp: INTERNAL_IP4_SERVER 0x5ba0 length 0
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length
152
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid ESP spisize 4
xforms 3 spi 0x4a3aea35
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length
24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00
length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
sa_stateok: SA_INIT flags 0x00, require 0x00
sa_state: SA_INIT -> EAP
ikev2_msg_auth: responder auth data length 393
ca_setauth: auth length 393
ikev2_sa_negotiate: score 12
sa_stateflags: 0x08 -> 0x08 sa (required 0x0d cert,auth,sa)
sa_stateok: EAP flags 0x08, require 0x0d cert,auth,sa
config_free_proposals: free 0x204397280
ca_getreq: found CA
/C=US/ST=xxxxxxxx/L=xxxxxxxx/O=xxxxxxx.com/OU=VPN/CN=cerberus.xxxxxxx.com/ema
ilAddress=i...@xxxxxxx.com
ca_x509_subjectaltname: IPV4/xxx.xxx.xxx.xxx
ca_getreq: found local certificate
/C=US/ST=xxxxxxxx/L=xxxxxxxx/O=xxxxxxx.com/OU=VPN/CN=xxx.xxx.xxx.xxx/emailAdd
ress=i...@xxxxxxx.com
ca_setauth: auth length 256
ikev2_getimsgdata: imsg 18 rspi 0x7916745180423feb ispi 0x46459f2713e1d8d3
initiator 0 sa valid type 4 data length 1045
ikev2_dispatch_cert: cert type 4 length 1045
sa_stateflags: 0x08 -> 0x09 cert,sa (required 0x0d cert,auth,sa)
sa_stateok: EAP flags 0x09, require 0x0d cert,auth,sa
ikev2_getimsgdata: imsg 21 rspi 0x7916745180423feb ispi 0x46459f2713e1d8d3
initiator 0 sa valid type 1 data length 256
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x09 -> 0x0d cert,auth,sa (required 0x0d cert,auth,sa)
sa_stateok: EAP flags 0x0d, require 0x0d cert,auth,sa
ikev2_next_payload: length 12 nextpayload CERT
ikev2_next_payload: length 1050 nextpayload AUTH
ikev2_next_payload: length 264 nextpayload EAP
ikev2_next_payload: length 9 nextpayload NONE
ikev2_msg_encrypt: decrypted length 1335
ikev2_msg_encrypt: padded length 1336
ikev2_msg_encrypt: length 1336, padding 0, output length 1356
ikev2_next_payload: length 1360 nextpayload IDr
ikev2_msg_integr: message length 1388
ikev2_msg_integr: integrity checksum length 12
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x7916745180423feb
nextpayload E version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 1388
response 1
ikev2_pld_payloads: payload E nextpayload IDr critical 0x00 length 1360
ikev2_msg_decrypt: IV length 8
ikev2_msg_decrypt: encrypted payload length 1336
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 1336/1336 padding 0
ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00
length 12
ikev2_pld_id: id IPV4/xxx.xxx.xxx.xxx length 8
ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00
length 1050
ikev2_pld_cert: type X509_CERT length 1045
ikev2_pld_payloads: decrypted payload AUTH nextpayload EAP critical 0x00
length 264
ikev2_pld_auth: method RSA_SIG length 256
ikev2_pld_payloads: decrypted payload EAP nextpayload NONE critical 0x00
length 9
ikev2_pld_eap: REQUEST id 0 length 5 EAP-IDENTITY
ikev2_msg_send: IKE_AUTH from xxx.xxx.xxx.xxx:4500 to xxx.xxx.xxx.xxx:64175,
1388 bytes
ikev2_recv: IKE_AUTH from initiator xxx.xxx.xxx.xxx:64175 to
xxx.xxx.xxx.xxx:4500 policy 'win7', 68 bytes
ikev2_recv: updating msg, natt 1
ikev2_recv: updated SA peer xxx.xxx.xxx.xxx:64175 local xxx.xxx.xxx.xxx:4500
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x7916745180423feb
nextpayload E version 0x20 exchange IKE_AUTH flags 0x08 msgid 2 length 68
response 0
ikev2_pld_payloads: payload E nextpayload EAP critical 0x00 length 40
ikev2_msg_decrypt: IV length 8
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 2
ikev2_pld_payloads: decrypted payload EAP nextpayload NONE critical 0x00
length 13
ikev2_pld_eap: RESPONSE id 0 length 9 EAP-IDENTITY
eap_identity_response: identity 'my_user' length 4
ikev2_next_payload: length 35 nextpayload NONE
ikev2_msg_encrypt: decrypted length 35
ikev2_msg_encrypt: padded length 40
ikev2_msg_encrypt: length 36, padding 4, output length 60
ikev2_next_payload: length 64 nextpayload EAP
ikev2_msg_integr: message length 92
ikev2_msg_integr: integrity checksum length 12
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x7916745180423feb
nextpayload E version 0x20 exchange IKE_AUTH flags 0x20 msgid 2 length 92
response 1
ikev2_pld_payloads: payload E nextpayload EAP critical 0x00 length 64
ikev2_msg_decrypt: IV length 8
ikev2_msg_decrypt: encrypted payload length 40
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 40/40 padding 4
ikev2_pld_payloads: decrypted payload EAP nextpayload NONE critical 0x00
length 35
ikev2_pld_eap: REQUEST id 1 length 31 EAP-MSCHAP_V2
eap_parse: MSCHAP_V2 CHALLENGE id 1 length 26 valuesize 16 name '_iked' length
5
ikev2_msg_send: IKE_AUTH from xxx.xxx.xxx.xxx:4500 to xxx.xxx.xxx.xxx:64175,
92 bytes
sa_stateok: SA_INIT flags 0x00, require 0x00
sa_stateok: EAP flags 0x0d, require 0x0d cert,auth,sa
ikev2_next_payload: length 12 nextpayload CERT
ikev2_next_payload: length 1050 nextpayload AUTH
ikev2_next_payload: length 264 nextpayload EAP
ikev2_next_payload: length 9 nextpayload NONE
ikev2_msg_encrypt: decrypted length 1335
ikev2_msg_encrypt: padded length 1336
ikev2_msg_encrypt: length 1336, padding 0, output length 1356
ikev2_next_payload: length 1360 nextpayload IDr
ikev2_msg_integr: message length 1388
ikev2_msg_integr: integrity checksum length 12
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x7916745180423feb
nextpayload E version 0x20 exchange IKE_AUTH flags 0x20 msgid 3 length 1388
response 1
ikev2_pld_payloads: payload E nextpayload IDr critical 0x00 length 1360
ikev2_msg_decrypt: IV length 8
ikev2_msg_decrypt: encrypted payload length 1336
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 1336/1336 padding 0
ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00
length 12
ikev2_pld_id: id IPV4/xxx.xxx.xxx.xxx length 8
ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00
length 1050
ikev2_pld_cert: type X509_CERT length 1045
ikev2_pld_payloads: decrypted payload AUTH nextpayload EAP critical 0x00
length 264
ikev2_pld_auth: method RSA_SIG length 256
ikev2_pld_payloads: decrypted payload EAP nextpayload NONE critical 0x00
length 9
ikev2_pld_eap: REQUEST id 0 length 5 EAP-IDENTITY
ikev2_msg_send: IKE_AUTH from xxx.xxx.xxx.xxx:4500 to xxx.xxx.xxx.xxx:64175,
1388 bytes
^Cca exiting
ikev2 exiting
ikev1 exiting
parent terminating

Any help would be appreciated.  Is there any setting or something I should
apply?  I'm running Windows 7 behind NAT.  Like I said, certs work fine,
usernames and passwords do not.

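Reading the trace above: iked sends the EAP-Identity request, gets the identity back, sends the EAP-MSCHAP_V2 challenge (id 1), and then logs a further IKE_AUTH response (msgid 3) carrying a fresh EAP-Identity request with no MSCHAPv2 response from the client in between, which is where the client's "negotiation in progress" state comes from. The following is an added example, not code from the post or from iked, that pulls that EAP sequence and the 3DES/MODP_1024 proposal out of `iked -dv` output; SAMPLE_LOG is a constructed excerpt of the trace and WEAK_ALGS is an assumed local policy.

```python
import re

# Constructed excerpt modelled on the iked -dv output quoted in the post;
# it is not the complete log.
SAMPLE_LOG = """\
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_eap: REQUEST id 0 length 5 EAP-IDENTITY
ikev2_pld_eap: RESPONSE id 0 length 9 EAP-IDENTITY
ikev2_pld_eap: REQUEST id 1 length 31 EAP-MSCHAP_V2
ikev2_pld_eap: REQUEST id 0 length 5 EAP-IDENTITY
"""

# Assumed policy for this example: transforms a current deployment should
# not accept (3DES and MODP_1024 are what the Windows 7 client proposed).
WEAK_ALGS = {"3DES", "MODP_1024", "HMAC_MD5"}

XFORM_RE = re.compile(r"ikev2_pld_xform: .*type (\w+) id (\S+)")
EAP_RE = re.compile(r"ikev2_pld_eap: (REQUEST|RESPONSE) id (\d+) length \d+ (\S+)")

def parse_eap_events(log):
    """EAP exchange as (direction, id, method) tuples, in log order."""
    return [(m.group(1), int(m.group(2)), m.group(3)) for m in EAP_RE.finditer(log)]

def weak_transforms(log):
    """Transform ids seen in any proposal that fall under WEAK_ALGS."""
    return sorted({m.group(2) for m in XFORM_RE.finditer(log) if m.group(2) in WEAK_ALGS})

def eap_findings(events):
    """Explain where the EAP exchange stalled, if it did."""
    findings = []
    for prev, cur in zip(events, events[1:]):
        # A challenge followed by a fresh Identity request (id 0) means the
        # client never answered the MSCHAPv2 challenge.
        if prev[0] == "REQUEST" and prev[2] == "EAP-MSCHAP_V2" and cur == ("REQUEST", 0, "EAP-IDENTITY"):
            findings.append("EAP-MSCHAP_V2 challenge got no response; IKE_AUTH restarted with EAP-IDENTITY")
    if events and events[-1][0] == "REQUEST":
        findings.append("trace ends on a server REQUEST (%s): iked is waiting on the client" % events[-1][2])
    return findings

def analyze(log):
    events = parse_eap_events(log)
    return {"weak": weak_transforms(log), "eap": events, "findings": eap_findings(events)}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

Feed it the full redacted trace instead of SAMPLE_LOG and the same two findings appear, since the regexes only depend on the ikev2_pld_xform and ikev2_pld_eap lines.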