I am testing an extremely simple lab environment with iked(8) and
failing to establish flows and SAs on one of two platforms. 

I'm sure it's something extremely simple, but I'm at a loss to 
figure it out on my own.  A cluestick would be appreciated.

--------

The entire network only has two systems:

a.lab, 10.0.0.1/24
b.lab, 10.0.0.2/24

These names are in /etc/myname and /etc/hosts.  /etc/resolv.conf contains:

lookup file

iked.conf for a.lab:

ikev2 a2b from a.lab to b.lab psk test

iked.conf for b.lab:

ikev2 b2a active from b.lab to a.lab psk test

--------

Flows and SAs are established on a.lab, which is passive:

# ipsecctl -sa                                                                 
FLOWS:
flow esp in from 10.0.0.2 to 10.0.0.1 peer 10.0.0.2 srcid FQDN/a.lab dstid 
FQDN/b.lab type use
flow esp out from 10.0.0.1 to 10.0.0.2 peer 10.0.0.2 srcid FQDN/a.lab dstid 
FQDN/b.lab type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 10.0.0.2 to 10.0.0.1 spi 0x4e79e0b2 auth hmac-sha2-256 enc 
aes-256
esp tunnel from 10.0.0.1 to 10.0.0.2 spi 0xf2f84086 auth hmac-sha2-256 enc 
aes-256
# 

Flows and SAs are not established on b.lab, which is active:

# ipsecctl -sa                                                                 
FLOWS:
flow esp out from ::/0 to ::/0 type deny

SAD:
No entries
# 

--------

The only thing I see in iked -vvd output that catches my eye is:

sa_state: cannot switch: AUTH_SUCCESS -> VALID

The two iked -vvd logs follow, and then a dmesg.  I'm testing
in QEMU virtual machines.

--------

a.lab iked log:

ca_privkey_serialize: type RSA_KEY length 1192
ca_pubkey_serialize: type RSA_KEY length 270
/etc/iked.conf: loaded 1 configuration rules
ca_reload: local cert type RSA_KEY
config_getocsp: ocsp_url none
config_getpolicy: received policy
ikev2 "a2b" passive esp inet from 10.0.0.1 to 10.0.0.2 local 10.0.0.1 peer 
10.0.0.2 ikesa enc aes-256,aes-192,aes-128,3des prf 
hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256,hmac-sha1,hmac-md5 group 
modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 
auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 psk 0x74657374
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 7
config_getsocket: received socket fd 8
ikev2_recv: IKE_SA_INIT request from initiator 10.0.0.2:500 to 10.0.0.1:500 
policy 'a2b' id 0, 520 bytes
ikev2_recv: ispi 0xf071110c5e30f9dd rspi 0x0000000000000000
ikev2_policy2id: srcid FQDN/a.lab length 9
ikev2_pld_parse: header ispi 0xf071110c5e30f9dd rspi 0x0000000000000000 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 520 
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 136
ikev2_pld_sa: more 0 reserved 0 length 132 proposal #1 protoid IKE spisize 0 
xforms 14 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_MD5
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_MD5_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0xf071110c5e30f9dd 0x0000000000000000 
10.0.0.2:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0xf071110c5e30f9dd 0x0000000000000000 
10.0.0.1:500
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x00, require 0x00 
sa_stateflags: 0x00 -> 0x10 sa (required 0x00 )
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xf071110c5e30f9dd 0x5c597cfa1e7be8ac 
10.0.0.1:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xf071110c5e30f9dd 0x5c597cfa1e7be8ac 
10.0.0.2:500
ikev2_next_payload: length 28 nextpayload NONE
ikev2_pld_parse: header ispi 0xf071110c5e30f9dd rspi 0x5c597cfa1e7be8ac 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 432 
response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048_256
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_msg_send: IKE_SA_INIT response from 10.0.0.1:500 to 10.0.0.2:500 msgid 0, 
432 bytes
config_free_proposals: free 0x7f5dfd40
ikev2_recv: IKE_SA_INIT request from initiator 10.0.0.2:500 to 10.0.0.1:500 
policy 'a2b' id 0, 520 bytes
ikev2_recv: ispi 0xf071110c5e30f9dd rspi 0x0000000000000000
ikev2_recv: updated SA to peer 10.0.0.2:500 local 10.0.0.1:500
ikev2_resp_recv: SA already exists
ikev2_recv: IKE_SA_INIT request from initiator 10.0.0.2:500 to 10.0.0.1:500 
policy 'a2b' id 0, 520 bytes
ikev2_recv: ispi 0xf071110c5e30f9dd rspi 0x0000000000000000
ikev2_recv: IKE_AUTH request from initiator 10.0.0.2:500 to 10.0.0.1:500 policy 
'a2b' id 1, 256 bytes
ikev2_recv: ispi 0xf071110c5e30f9dd rspi 0x5c597cfa1e7be8ac
ikev2_recv: updated SA to peer 10.0.0.2:500 local 10.0.0.1:500
ikev2_pld_parse: header ispi 0xf071110c5e30f9dd rspi 0x5c597cfa1e7be8ac 
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 256 
response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 228
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 192
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 192/192 padding 6
ikev2_pld_payloads: decrypted payload IDi nextpayload AUTH critical 0x00 length 
13
ikev2_pld_id: id FQDN/b.lab length 9
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 
40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
sa_state: SA_INIT -> AUTH_REQUEST
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 84
ikev2_pld_sa: more 0 reserved 0 length 80 proposal #2 protoid ESP spisize 4 
xforms 7 spi 0xf2f84086
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 
24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.0.0.2 end 10.0.0.2
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 
24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.0.0.1 end 10.0.0.1
sa_stateok: SA_INIT flags 0x00, require 0x00 
policy_lookup: peerid 'b.lab'
ikev2_msg_auth: responder auth data length 496
ikev2_msg_auth: initiator auth data length 584
ikev2_msg_authverify: method SHARED_KEY_MIC keylen 32 type NONE
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x14 -> 0x1c auth,authvalid,sa (required 0x1c auth,authvalid,sa)
sa_stateok: VALID flags 0x1c, require 0x1c auth,authvalid,sa
sa_state: AUTH_SUCCESS -> VALID
ikev2_sa_negotiate: score 3
sa_stateflags: 0x1c -> 0x1c auth,authvalid,sa (required 0x1c auth,authvalid,sa)
sa_stateok: VALID flags 0x1c, require 0x1c auth,authvalid,sa
sa_stateok: VALID flags 0x1c, require 0x1c auth,authvalid,sa
ikev2_sa_tag:  (0)
ikev2_childsa_negotiate: proposal 2
ikev2_childsa_negotiate: key material length 128
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_getspi: spi 0x4e79e0b2
pfkey_sa_init: new spi 0x4e79e0b2
sa_stateok: VALID flags 0x1c, require 0x1c auth,authvalid,sa
ikev2_next_payload: length 13 nextpayload AUTH
ikev2_next_payload: length 40 nextpayload SA
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 145
ikev2_msg_encrypt: padded length 160
ikev2_msg_encrypt: length 146, padding 14, output length 192
ikev2_next_payload: length 196 nextpayload IDr
ikev2_msg_integr: message length 224
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xf071110c5e30f9dd rspi 0x5c597cfa1e7be8ac 
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 224 
response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 196
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 160
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 160/160 padding 14
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 
13
ikev2_pld_id: id FQDN/a.lab length 9
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 
40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #2 protoid ESP spisize 4 
xforms 3 spi 0x4e79e0b2
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id ESN
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 
24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.0.0.2 end 10.0.0.2
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 
24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.0.0.1 end 10.0.0.1
ikev2_msg_send: IKE_AUTH response from 10.0.0.1:500 to 10.0.0.2:500 msgid 1, 
224 bytes
pfkey_sa_add: update spi 0x4e79e0b2
ikev2_childsa_enable: loaded CHILD SA spi 0x4e79e0b2
pfkey_sa_add: add spi 0xf2f84086
ikev2_childsa_enable: loaded CHILD SA spi 0xf2f84086
ikev2_childsa_enable: loaded flow 0x7c408800
ikev2_childsa_enable: loaded flow 0x7c408000
sa_state: VALID -> ESTABLISHED from 10.0.0.2:500 to 10.0.0.1:500 policy 'a2b'
config_free_proposals: free 0x82e19a40

b.lab iked log:

ca_privkey_serialize: type RSA_KEY length 1193
ca_pubkey_serialize: type RSA_KEY length 270
ca_reload: local cert type RSA_KEY
/etc/iked.conf: loaded 1 configuration rules
config_getocsp: ocsp_url none
config_getpolicy: received policy
ikev2 "b2a" active esp inet from 10.0.0.2 to 10.0.0.1 local 10.0.0.2 peer 
10.0.0.1 ikesa enc aes-256,aes-192,aes-128,3des prf 
hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256,hmac-sha1,hmac-md5 group 
modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 
auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 psk 0x74657374
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 7
config_getsocket: received socket fd 8
ikev2_init_ike_sa: initiating "b2a"
ikev2_policy2id: srcid FQDN/b.lab length 9
ikev2_add_proposals: length 132
ikev2_next_payload: length 136 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xf071110c5e30f9dd 0x0000000000000000 
10.0.0.2:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xf071110c5e30f9dd 0x0000000000000000 
10.0.0.1:500
ikev2_next_payload: length 28 nextpayload NONE
ikev2_pld_parse: header ispi 0xf071110c5e30f9dd rspi 0x0000000000000000 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 520 
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 136
ikev2_pld_sa: more 0 reserved 0 length 132 proposal #1 protoid IKE spisize 0 
xforms 14 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_MD5
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_MD5_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_msg_send: IKE_SA_INIT request from 10.0.0.2:500 to 10.0.0.1:500 msgid 0, 
520 bytes
sa_state: INIT -> SA_INIT
ikev2_recv: IKE_SA_INIT response from responder 10.0.0.1:500 to 10.0.0.2:500 
policy 'b2a' id 0, 432 bytes
ikev2_recv: ispi 0xf071110c5e30f9dd rspi 0x5c597cfa1e7be8ac
ikev2_recv: updated SA to peer 10.0.0.1:500 local 10.0.0.2:500
ikev2_pld_parse: header ispi 0xf071110c5e30f9dd rspi 0x5c597cfa1e7be8ac 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 432 
response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048_256
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0xf071110c5e30f9dd 0x5c597cfa1e7be8ac 
10.0.0.1:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0xf071110c5e30f9dd 0x5c597cfa1e7be8ac 
10.0.0.2:500
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x00, require 0x04 auth
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_msg_auth: initiator auth data length 584
sa_stateok: SA_INIT flags 0x04, require 0x04 auth
ikev2_next_payload: length 13 nextpayload AUTH
ikev2_next_payload: length 40 nextpayload SA
pfkey_sa_getspi: spi 0xf2f84086
pfkey_sa_init: new spi 0xf2f84086
ikev2_add_proposals: length 80
ikev2_next_payload: length 84 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 185
ikev2_msg_encrypt: padded length 192
ikev2_msg_encrypt: length 186, padding 6, output length 224
ikev2_next_payload: length 228 nextpayload IDi
ikev2_msg_integr: message length 256
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xf071110c5e30f9dd rspi 0x5c597cfa1e7be8ac 
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 256 
response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 228
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 192
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 192/192 padding 6
ikev2_pld_payloads: decrypted payload IDi nextpayload AUTH critical 0x00 length 
13
ikev2_pld_id: id FQDN/b.lab length 9
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 
40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 84
ikev2_pld_sa: more 0 reserved 0 length 80 proposal #2 protoid ESP spisize 4 
xforms 7 spi 0xf2f84086
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 
24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.0.0.2 end 10.0.0.2
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 
24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.0.0.1 end 10.0.0.1
ikev2_msg_send: IKE_AUTH request from 10.0.0.2:500 to 10.0.0.1:500 msgid 1, 256 
bytes
config_free_proposals: free 0x87d2a100
ikev2_recv: IKE_AUTH response from responder 10.0.0.1:500 to 10.0.0.2:500 
policy 'b2a' id 1, 224 bytes
ikev2_recv: ispi 0xf071110c5e30f9dd rspi 0x5c597cfa1e7be8ac
ikev2_recv: updated SA to peer 10.0.0.1:500 local 10.0.0.2:500
ikev2_pld_parse: header ispi 0xf071110c5e30f9dd rspi 0x5c597cfa1e7be8ac 
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 224 
response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 196
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 160
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 160/160 padding 14
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 
13
ikev2_pld_id: id FQDN/a.lab length 9
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 
40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
sa_state: SA_INIT -> AUTH_REQUEST
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #2 protoid ESP spisize 4 
xforms 3 spi 0x4e79e0b2
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id ESN
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 
24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.0.0.2 end 10.0.0.2
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 
24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.0.0.1 end 10.0.0.1
ikev2_msg_auth: responder auth data length 496
ikev2_msg_authverify: method SHARED_KEY_MIC keylen 32 type NONE
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x04 -> 0x0c auth,authvalid (required 0x18 authvalid,sa)
sa_stateok: VALID flags 0x08, require 0x18 authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_sa_negotiate: score 3
sa_stateflags: 0x0c -> 0x1c auth,authvalid,sa (required 0x18 authvalid,sa)
config_free_proposals: free 0x878e6f40
ikev2_init_ike_sa: "b2a" is already active
ikev2_init_ike_sa: "b2a" is already active
ikev2_init_ike_sa: "b2a" is already active
ikev2_init_ike_sa: "b2a" is already active
ikev2_init_ike_sa: "b2a" is already active
ikev2_init_ike_sa: "b2a" is already active
ikev2_init_ike_sa: "b2a" is already active
ikev2_init_ike_sa: "b2a" is already active
ikev2_init_ike_sa: "b2a" is already active
ikev2_init_ike_sa: "b2a" is already active

dmesg:

OpenBSD 5.6-current (GENERIC) #411: Tue Oct 21 16:03:23 MDT 2014
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: QEMU Virtual CPU version 2.1.2 ("GenuineIntel" 686-class) 1.61 GHz
cpu0: 
FPU,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,PGE,CMOV,MMX,FXSR,SSE,SSE2,SSE3,POPCNT,PERF
real mem  = 66482176 (63MB)
avail mem = 53157888 (50MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 06/23/99, BIOS32 rev. 0 @ 0xfd4be, SMBIOS 
rev. 2.8 @ 0xf0cf0 (9 entries)
bios0: vendor SeaBIOS version 
"rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org" date 04/01/2014
bios0: QEMU Standard PC (i440FX + PIIX, 1996)
acpi0 at bios0: rev 0
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP SSDT APIC HPET
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 999MHz
ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 11, 24 pins
acpihpet0 at acpi0: 100000000 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
bios0: ROM list: 0xc0000/0x9200 0xc9800/0xa00 0xca800/0x2400! 0xeb800/0x4800!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 
wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: <QEMU, QEMU DVD-ROM, 2.1.> ATAPI 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 0 int 9
iic0 at piixpm0
vga1 at pci0 dev 2 function 0 "Cirrus Logic CL-GD5446" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em0 at pci0 dev 3 function 0 "Intel 82540EM" rev 0x03: apic 0 int 11, address 
52:54:00:12:34:56
virtio0 at pci0 dev 4 function 0 "Qumranet Virtio Storage" rev 0x00: Virtio 
Block Device
vioblk0 at virtio0
scsibus2 at vioblk0: 2 targets
sd0 at scsibus2 targ 0 lun 0: <VirtIO, Block Device, > SCSI3 0/direct fixed
sd0: 1024MB, 512 bytes/sector, 2097152 sectors
virtio0: apic 0 int 11
virtio1 at pci0 dev 5 function 0 "Qumranet Virtio Storage" rev 0x00: Virtio 
Block Device
vioblk1 at virtio1
scsibus3 at vioblk1: 2 targets
sd1 at scsibus3 targ 0 lun 0: <VirtIO, Block Device, > SCSI3 0/direct fixed
sd1: 20MB, 512 bytes/sector, 40960 sectors
virtio1: apic 0 int 10
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 1: density unknown
nvram: invalid checksum
vscsi0 at root
scsibus4 at vscsi0: 256 targets
softraid0 at root
scsibus5 at softraid0: 256 targets
root on sd0a (050623a115c4fafe.a) swap on sd0b dump on sd0b
clock: unknown CMOS layout
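
--------

Added example, not part of the original post: a small Python script that reads iked -vvd output and, for each "sa_state: cannot switch" line, reports which required flags were missing at the preceding sa_stateok check and whether a later sa_stateflags line set them. The flag bit values (0x04 auth, 0x08 authvalid, 0x10 sa) are read off the sa_stateflags lines in the logs above; the function names and the two embedded excerpts used as sample input are this example's own.

```python
import re

# Bit names as printed in the sa_stateflags lines of the logs above.
# Any other bit is reported as raw hex (assumption: no other names are known).
FLAG_NAMES = {0x04: "auth", 0x08: "authvalid", 0x10: "sa"}

STATEOK = re.compile(r"^sa_stateok: (\w+) flags (0x[0-9a-f]+), require (0x[0-9a-f]+)")
BLOCKED = re.compile(r"^sa_state: cannot switch: (\w+) -> (\w+)")
SWITCH = re.compile(r"^sa_state: (\w+) -> (\w+)")
FLAGS = re.compile(r"^sa_stateflags: (0x[0-9a-f]+) -> (0x[0-9a-f]+)")

# Sample input: excerpts copied from the b.lab and a.lab logs in the post.
B_LAB = """\
sa_state: SA_INIT -> AUTH_REQUEST
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x04 -> 0x0c auth,authvalid (required 0x18 authvalid,sa)
sa_stateok: VALID flags 0x08, require 0x18 authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_sa_negotiate: score 3
sa_stateflags: 0x0c -> 0x1c auth,authvalid,sa (required 0x18 authvalid,sa)
"""
A_LAB = """\
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x14 -> 0x1c auth,authvalid,sa (required 0x1c auth,authvalid,sa)
sa_stateok: VALID flags 0x1c, require 0x1c auth,authvalid,sa
sa_state: AUTH_SUCCESS -> VALID
sa_state: VALID -> ESTABLISHED from 10.0.0.2:500 to 10.0.0.1:500 policy 'a2b'
"""


def flag_names(bits):
    """Translate a flag bitmask into the names iked prints."""
    names = [name for bit, name in sorted(FLAG_NAMES.items()) if bits & bit]
    rest = bits & ~sum(FLAG_NAMES)
    if rest:
        names.append(hex(rest))
    return names


def analyze(log_text):
    """Return the last state reached and every refused state switch."""
    state = None
    last_check = None  # (target state, flags present, flags required)
    blocked = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := STATEOK.match(line):
            last_check = (m.group(1), int(m.group(2), 16), int(m.group(3), 16))
        elif m := BLOCKED.match(line):
            entry = {"from": m.group(1), "to": m.group(2), "required": 0,
                     "missing": [], "satisfied_later": False}
            # Pair the refusal with the check for the same target state.
            if last_check and last_check[0] == m.group(2):
                _, present, required = last_check
                entry["required"] = required
                entry["missing"] = flag_names(required & ~present)
            blocked.append(entry)
        elif m := SWITCH.match(line):
            state = m.group(2)
        elif m := FLAGS.match(line):
            now = int(m.group(2), 16)
            # Did the flags a refused switch needed show up afterwards?
            for entry in blocked:
                req = entry["required"]
                if req and (now & req) == req:
                    entry["satisfied_later"] = True
    return {"final_state": state, "blocked": blocked}


if __name__ == "__main__":
    for host, log in (("a.lab", A_LAB), ("b.lab", B_LAB)):
        result = analyze(log)
        print(host, "final state:", result["final_state"])
        for b in result["blocked"]:
            print("  refused %s -> %s, missing %s, set later: %s" % (
                b["from"], b["to"], ",".join(b["missing"]), b["satisfied_later"]))
```

To run it against a full capture, pass the saved iked -vvd output to analyze() as a single string.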
