Hello everyone, OpenIKED just doesn't seem to like me much.
I managed to get it working around 5.8 but from upgrade to upgrade I encountered different issues. I have 3 tunnels using IKEv2. 2 are using a PSK, and 1 is using cert/RSA auth. They were working fine on 6.0. However, the same configuration now fails with 6.1 - iked refuses to start. Config follows below:

---------------------
local_ip = "my_ext_ip"
local_net = "172.16.0.0/20"

ikev2 "KBweb" \
        active ipcomp esp \
        from $local_net to 10.33.33.0/27 \
        local $local_ip \
        peer A.B.C.D \
        ikesa auth hmac-sha2-256 enc aes-192 group modp2048 \
        childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
        srcid $local_ip \
        dstid a.dns.addr \
        psk "some psk"

ikev2 "KBDB" \
        active ipcomp esp \
        from $local_net to 10.34.34.0/27 \
        local $local_ip \
        peer E.F.G.H \
        ikesa auth hmac-sha2-256 enc aes-192 group modp2048 \
        childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
        srcid $local_ip \
        dstid e.dns.addr \
        psk "some psk"

ikev2 "PU" \
        active ipcomp esp \
        from $local_net to net1/mask1 \
        from $local_net to net2/mask2 \
        from $local_net to 10.6.0.0/16 \
        local $local_ip \
        peer I.J.K.L \
        ikesa auth hmac-sha2-256 enc aes-192 group modp2048 \
        childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
        srcid "/C=US/ST=New Jersey/L=Livingston/O=some org/OU=some dept/CN=some_cn_fqdn" \
        dstid "/C=US/ST=New Jersey/L=Princeton/O=some org2/OU=some dept2/CN=some_cn_fqdn2"
------------------

root@HomatEsh2 (1 jobs) /usr/src # iked -6 -d -vvvv
local_ip = "my_ext_ip"
local_net = "172.16.0.0/20"
set_policy: found pubkey for /etc/iked/pubkeys/fqdn/a.dns.addr
ikev2 "KBweb" active esp inet from 172.16.0.0/20 to 10.33.33.0/27 local my_ext_ip peer A.B.C.D ikesa enc aes-192 prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth hmac-sha2-256 group modp2048 srcid my_ext_ip dstid A.B.C.D lifetime 10800 bytes 536870912 psk 0xlong_hex_num
set_policy: found pubkey for /etc/iked/pubkeys/fqdn/e.dns.addr
ikev2 "KBDB" active esp inet from 172.16.0.0/20 to 10.34.34.0/27 local my_ext_ip peer E.F.G.H ikesa enc aes-192 prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth hmac-sha2-256 group modp2048 srcid my_ext_ip dstid E.F.G.H lifetime 10800 bytes 536870912 psk 0xlong_hex_num
set_policy: unknown type = 9
create_ike: set_policy failed
/etc/iked.conf: 39: create_ike failed
/etc/iked.conf: loaded 2 configuration rules
ca exiting, pid 5607
ikev2 exiting, pid 80211
control exiting, pid 62559

So it seems to fail on parsing or using the x50? cert notation, which still works on my primary 6.0 machine.

Thank you for any help,
- Igor
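As an added example (not part of Igor's post and not OpenIKED code), here is a small Python checker that applies the ID rules of iked.conf(5) to every srcid/dstid in a configuration: an IPv4/IPv6 address, a user@fqdn (UFQDN), a DN written with a leading slash, or otherwise an FQDN. For each ID it reports the /etc/iked/pubkeys/{ipv4,ipv6,fqdn,ufqdn}/<id> path where iked looks for a peer public key, which is the directory the log's "found pubkey for" lines show. The type numbers are the IKEv2 identification types of RFC 7296, where 9 is ID_DER_ASN1_DN; that type has no pubkeys directory, so the checker returns no path for DN IDs and flags them for a separate check of the certificate and CA setup. The embedded configuration is the post's own, trimmed to two policies, with the post's placeholder names; the function names are mine.

```python
"""Classify iked srcid/dstid values and show where iked would look for a
peer public key.  Added example, not OpenIKED code; assumes the ID rules
and /etc/iked/pubkeys layout documented in iked.conf(5)."""
import ipaddress
import re

# IKEv2 identification types, RFC 7296 section 3.5.
ID_TYPES = {"ipv4": 1, "fqdn": 2, "ufqdn": 3, "ipv6": 5, "asn1_dn": 9}
PUBKEY_BASE = "/etc/iked/pubkeys"


def classify_id(value):
    """Return (type_name, type_number) for an iked ID string."""
    if value.startswith("/"):          # "/C=US/ST=.../CN=..." is an ASN.1 DN
        return "asn1_dn", ID_TYPES["asn1_dn"]
    if "@" in value:                   # user@fqdn
        return "ufqdn", ID_TYPES["ufqdn"]
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return "fqdn", ID_TYPES["fqdn"]
    return ("ipv4", ID_TYPES["ipv4"]) if addr.version == 4 else ("ipv6", ID_TYPES["ipv6"])


def pubkey_path(value):
    """Path under /etc/iked/pubkeys for this ID, or None for a DN (no such directory)."""
    name, _ = classify_id(value)
    return None if name == "asn1_dn" else f"{PUBKEY_BASE}/{name}/{value}"


_MACRO = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # quoted string (may hold spaces) or bare word


def _logical_lines(text):
    """Join backslash-continued lines; drop comment and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out


def check_config(text):
    """Map (policy name, 'srcid'|'dstid') -> (id, type name, type number, pubkey path)."""
    macros, results = {}, {}
    for line in _logical_lines(text):
        m = _MACRO.match(line)
        if m:
            macros[m.group(1)] = m.group(2)   # local_ip = "..." style macros
            continue
        tokens = [q if q else b for q, b in _TOKEN.findall(line)]
        if len(tokens) < 2 or tokens[0] != "ikev2":
            continue
        name = tokens[1]
        for i, tok in enumerate(tokens):
            if tok in ("srcid", "dstid") and i + 1 < len(tokens):
                val = tokens[i + 1]
                if val.startswith("$"):
                    val = macros.get(val[1:], val)
                tname, tnum = classify_id(val)
                results[(name, tok)] = (val, tname, tnum, pubkey_path(val))
    return results


# The post's configuration, trimmed to the PSK policy and the DN policy.
SAMPLE_CONF = '''\
local_ip = "my_ext_ip"
local_net = "172.16.0.0/20"

ikev2 "KBweb" \\
        active ipcomp esp \\
        from $local_net to 10.33.33.0/27 \\
        local $local_ip \\
        peer A.B.C.D \\
        srcid $local_ip \\
        dstid a.dns.addr \\
        psk "some psk"

ikev2 "PU" \\
        active ipcomp esp \\
        from $local_net to 10.6.0.0/16 \\
        local $local_ip \\
        peer I.J.K.L \\
        srcid "/C=US/ST=New Jersey/L=Livingston/O=some org/OU=some dept/CN=some_cn_fqdn" \\
        dstid "/C=US/ST=New Jersey/L=Princeton/O=some org2/OU=some dept2/CN=some_cn_fqdn2"
'''

if __name__ == "__main__":
    for (policy, which), (val, tname, tnum, path) in check_config(SAMPLE_CONF).items():
        where = path if path else "no pubkeys directory for this type; check cert/CA setup"
        print(f'{policy} {which} {val!r}: type {tname} ({tnum}) -> {where}')
```

Running it against /etc/iked.conf before an upgrade, next to iked's own configtest (`iked -n`), tells you which policies depend on a file under /etc/iked/pubkeys and which depend on certificate validation instead, so a failure on one policy can be narrowed to the ID kind involved.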