Hello everyone,

OpenIKED just doesn't seem to like me much.

I managed to get it working around 5.8 but from upgrade to upgrade I
encountered different issues.

I have 3 tunnels using IKEv2. 2 are using a PSK, and 1 is using cert/RSA
auth.

They were working fine on 6.0. However, the same configuration now fails
with 6.1 - iked refuses to start.

Config follows below:

---------------------

local_ip = "my_ext_ip"
local_net = "172.16.0.0/20"

ikev2 "KBweb" \
        active ipcomp esp \
        from $local_net to 10.33.33.0/27 \
        local $local_ip \
        peer A.B.C.D \
        ikesa auth hmac-sha2-256 enc aes-192 group modp2048 \
        childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
        srcid $local_ip \
        dstid a.dns.addr \
        psk "some psk"


ikev2 "KBDB" \
        active ipcomp esp \
        from $local_net to 10.34.34.0/27 \
        local $local_ip \
        peer E.F.G.H \
        ikesa auth hmac-sha2-256 enc aes-192 group modp2048 \
        childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
        srcid $local_ip \
        dstid e.dns.addr \
        psk "some psk"


ikev2 "PU" \
        active ipcomp esp \
        from $local_net to net1/mask1 \
        from $local_net to net2/mask2 \
        from $local_net to 10.6.0.0/16 \
        local $local_ip \
        peer I.J.K.L \
        ikesa auth hmac-sha2-256 enc aes-192 group modp2048 \
        childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
        srcid "/C=US/ST=New Jersey/L=Livingston/O=some org/OU=some dept/CN=some_cn_fqdn" \
        dstid "/C=US/ST=New Jersey/L=Princeton/O=some org2/OU=some dept2/CN=some_cn_fqdn2"

------------------


root@HomatEsh2 (1 jobs) /usr/src # iked -6 -d -vvvv
local_ip = "my_ext_ip"

local_net = "172.16.0.0/20"

set_policy: found pubkey for /etc/iked/pubkeys/fqdn/a.dns.addr
ikev2 "KBweb" active esp inet from 172.16.0.0/20 to 10.33.33.0/27 local
my_ext_ip peer A.B.C.D ikesa enc aes-192 prf hmac-sha2-256,hmac-sha1
auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth hmac-sha2-256
group modp2048 srcid my_ext_ip dstid A.B.C.D lifetime 10800 bytes
536870912 psk 0xlong_hex_num
set_policy: found pubkey for /etc/iked/pubkeys/fqdn/e.dns.addr
ikev2 "KBDB" active esp inet from 172.16.0.0/20 to 10.34.34.0/27 local
my_ext_ip peer E.F.G.H ikesa enc aes-192 prf hmac-sha2-256,hmac-sha1
auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth hmac-sha2-256
group modp2048 srcid my_ext_ip dstid E.F.G.H lifetime 10800 bytes
536870912 psk 0xlong_hex_num
set_policy: unknown type = 9
create_ike: set_policy failed
/etc/iked.conf: 39: create_ike failed
/etc/iked.conf: loaded 2 configuration rules
ca exiting, pid 5607
ikev2 exiting, pid 80211
control exiting, pid 62559

So it seems to fail on parsing or using the X.509 cert notation, which
still works on my primary 6.0 machine.


Thank you for any help,

- Igor
