I updated to the most recent snapshot (OpenBSD 6.1 GENERIC.MP#103 amd64). Unfortunately, while an OpenBSD to OpenBSD ikev2 tunnel works as expected, attempts to establish a tunnel from ios to OpenBSD fail.
However, the OpenBSD machine appears to believe that the tunnel is up and fine ("sa_state: VALID -> ESTABLISHED"), while the iOS device indicates that no VPN is up. There appears to be no change from the snapshot from a couple of days ago, and this had been working flawlessly through several snapshots over the last year. Does anyone have any advice on this, and what might have changed? I see nothing obvious that I need to change in the iked.conf based on my reading of the current manpage.

Thank you
Ted

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Theodore Wynnychenko
Sent: Sunday, June 04, 2017 8:14 PM
To: misc@openbsd.org
Subject: Unable to estable ikev2 vpn with ios after update to current

Hello

I have been a bit remiss, and have not updated my system in a couple of months. I have been following current for a year or two, in general, without incident. Anyway, after updating last night, I am unable to establish an ikev2 vpn with an ios 10.3.2 device. An OBSD6.1<->OBSD6.1 ikev2 vpn is working fine. I am hoping that someone could shove me in a direction.

I have been using iked with iOS for about a year without a problem. However, after the update, I noticed that all iOS vpn attempts were failing.

Running

# iked -dvvv

and trying to connect showed:

...
ca_setauth: auth length 510
ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
ikev2_resp_recv: failed to send auth response
sa_state: AUTH_REQUEST -> CLOSED from xxx.yyy.1.254:64252 to xxx.yyy.1.20:4500 policy 'ios_vpn'
ikev2_recv: closing SA
sa_free: ispi 0xcd95648ffb47ac65 rspi 0x86e6b00a7646172e
config_free_proposals: free 0x13f816f06500
config_free_proposals: free 0x13f8e4f63580
ca_setauth: auth length 528
ca_validate_pubkey: could not open public key pubkeys/fqdn/ios.ikev2.myfqdn.com
ca_x509_subjectaltname: FQDN/ios.ikev2.myfqdn.com
ca_validate_cert: /C=US/ST=Illinois... ok
ikev2_getimsgdata: imsg 24 rspi 0x86e6b00a7646172e ispi 0xcd95648ffb47ac65 initiator 0 sa invalid type 14 data length 528
ikev2_dispatch_cert: invalid auth reply

I found a suggestion that placing an RSA public certificate on the local OBSD machine could help. So, I used:

# openssl rsa -in private.key -pubout > /etc/iked/pubkeys/fqdn/ios.ikev2.myfqdn.com

Now, running

# iked -dvvv

shows:

set_policy_auth_method: using rsa for peer /etc/iked/pubkeys/fqdn/ios.ikev2.myfqdn.com
set_policy: found pubkey for /etc/iked/pubkeys/fqdn/ios.ikev2.myfqdn.com
ikev2 "ios_vpn" passive esp inet from 0.0.0.0/0 to xxx.yyy.15.0/24 local xxx.yyy.1.20 peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid ikesync.myfqdn.com dstid ios.ikev2.myfqdn.com ikelifetime 1800 lifetime 1800 bytes 536870912 rsa config address xxx.yyy.15.131 config netmask 255.255.255.0 config name-server xxx.yyy.1.128 config name-server xxx.yyy.1.129 config netbios-server xxx.yyy.2.99
ca_privkey_serialize: type RSA_KEY length 2349
ca_pubkey_serialize: type RSA_KEY length 526
ca_privkey_to_method: type RSA_KEY method RSA_SIG
config_getpolicy: received policy
ca_getkey: received private key type RSA_KEY length 2349
ca_getkey: received public key type RSA_KEY length 526
ca_dispatch_parent: config reset
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
ca_reload: loaded ca file ca.crt
ca_reload: /C=US/ST=Illinois...
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file local.myfqdn.com.crt
ca_reload: loaded cert file ikesync.myfqdn.com.crt
ca_validate_cert: /C=US/ST=Illinois... ok
ca_validate_cert: /C=US/ST=Illinois... ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_recv: IKE_SA_INIT request from initiator xxx.yyy.1.254:55008 to xxx.yyy.1.20:500 policy 'jacqueline_iphone_vpn' id 0, 432 bytes
ikev2_recv: ispi 0xd14315b81593285a rspi 0x0000000000000000
ikev2_policy2id: srcid FQDN/ikesync.myfqdn.com length 27
ikev2_pld_parse: header ispi 0xd14315b81593285a rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 432 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 20
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0xd14315b81593285a 0x0000000000000000 xxx.yyy.1.254:55008
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0xd14315b81593285a 0x0000000000000000 xxx.yyy.1.20:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 64 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xd14315b81593285a 0x9f30f9d2ed8dfd11 xxx.yyy.1.20:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xd14315b81593285a 0x9f30f9d2ed8dfd11 xxx.yyy.1.254:55008
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload CERTREQ
ikev2_add_certreq: type RSA_KEY length 1
ikev2_next_payload: length 5 nextpayload NONE
ikev2_pld_parse: header ispi 0xd14315b81593285a rspi 0x9f30f9d2ed8dfd11 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 462 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload CERTREQ critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 5
ikev2_pld_certreq: type RSA_KEY length 0
ikev2_msg_send: IKE_SA_INIT response from xxx.yyy.1.20:500 to xxx.yyy.1.254:55008 msgid 0, 462 bytes
config_free_proposals: free 0x1529d4096700
ikev2_recv: IKE_AUTH request from initiator xxx.yyy.1.254:52833 to xxx.yyy.1.20:4500 policy 'jacqueline_iphone_vpn' id 1, 2928 bytes
ikev2_recv: ispi 0xd14315b81593285a rspi 0x9f30f9d2ed8dfd11
ikev2_recv: updated SA to peer xxx.yyy.1.254:52833 local xxx.yyy.1.20:4500
ikev2_pld_parse: header ispi 0xd14315b81593285a rspi 0x9f30f9d2ed8dfd11 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 2928 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 2900
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 2864
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 2864/2864 padding 14
ikev2_pld_payloads: decrypted payload IDi nextpayload NOTIFY critical 0x00 length 40
ikev2_pld_id: id FQDN/ios.ikev2.myfqdn.com length 36
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload IDr critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type INITIAL_CONTACT
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 31
ikev2_pld_id: id FQDN/ikesync.myfqdn.com length 27
ikev2_pld_id: unexpected id payload
ikev2_pld_payloads: decrypted payload AUTH nextpayload CERT critical 0x00 length 520
ikev2_pld_auth: method RSA_SIG length 512
sa_state: SA_INIT -> AUTH_REQUEST
ikev2_pld_payloads: decrypted payload CERT nextpayload CP critical 0x00 length 1997
ikev2_pld_cert: type X509_CERT length 1992
ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical 0x00 length 65
ikev2_pld_cp: type REQUEST length 57
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
ikev2_pld_cp: INTERNAL_IP4_SUBNET 0x000d length 0
ikev2_pld_cp: INTERNAL_IP4_DHCP 0x0006 length 0
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 0
ikev2_pld_cp: INTERNAL_IP6_ADDRESS 0x0008 length 0
ikev2_pld_cp: INTERNAL_IP6_SUBNET 0x000f length 17
ikev2_pld_cp: INTERNAL_IP6_DHCP 0x000c length 0
ikev2_pld_cp: INTERNAL_IP6_DNS 0x000a length 0
ikev2_pld_cp: <UNKNOWN:25> 0x0019 length 0
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type ESP_TFC_PADDING_NOT_SUPPORTED
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type NON_FIRST_FRAGMENTS_ALSO
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x0f9dc45e
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 64
ikev2_pld_ts: count 2 length 56
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 64
ikev2_pld_ts: count 2 length 56
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ikev2_resp_recv: NAT-T message received, updated SA
sa_stateok: SA_INIT flags 0x0000, require 0x0000
policy_lookup: peerid 'ios.ikev2.myfqdn.com'
ikev2_msg_auth: responder auth data length 510
ca_setauth: auth length 510
ikev2_msg_auth: initiator auth data length 496
ikev2_msg_authverify: method RSA_SIG keylen 1992 type X509_CERT
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0020 -> 0x0030 authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
ikev2_sa_negotiate: score 4
sa_stateflags: 0x0030 -> 0x0030 authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0030, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_ike_auth: no CERTREQ, using default
ikev2_policy2id: srcid FQDN/ikesync.myfqdn.com length 27
sa_stateflags: 0x0030 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
config_free_proposals: free 0x152981361380
ca_setauth: auth length 512
ca_validate_pubkey: valid public key in file pubkeys/fqdn/ios.ikev2.myfqdn.com
ca_validate_cert: /C=US/ST=Illinois... in public key file, ok
ca_getreq: using local public key of type RSA_KEY
ikev2_getimsgdata: imsg 24 rspi 0x9f30f9d2ed8dfd11 ispi 0xd14315b81593285a initiator 0 sa valid type 1 data length 512
ikev2_dispatch_cert: AUTH type 1 len 512
sa_stateflags: 0x0034 -> 0x003c certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0038, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x003c -> 0x003e certvalid,certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x003a, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_getimsgdata: imsg 19 rspi 0x9f30f9d2ed8dfd11 ispi 0xd14315b81593285a initiator 0 sa valid type 11 data length 526
ikev2_dispatch_cert: cert type RSA_KEY length 526, ok
sa_stateflags: 0x003e -> 0x003f cert,certvalid,certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: AUTH_SUCCESS -> VALID
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
ikev2_sa_tag: (0)
ikev2_childsa_negotiate: proposal 1
ikev2_childsa_negotiate: key material length 128
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_getspi: spi 0x5fb0e721
pfkey_sa_init: new spi 0x5fb0e721
ikev2_next_payload: length 31 nextpayload CERT
ikev2_next_payload: length 531 nextpayload AUTH
ikev2_next_payload: length 520 nextpayload CP
ikev2_next_payload: length 48 nextpayload SA
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 1222
ikev2_msg_encrypt: padded length 1232
ikev2_msg_encrypt: length 1223, padding 9, output length 1264
ikev2_next_payload: length 1268 nextpayload IDr
ikev2_msg_integr: message length 1296
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xd14315b81593285a rspi 0x9f30f9d2ed8dfd11 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 1296 response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 1268
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 1232
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 1232/1232 padding 9
ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00 length 31
ikev2_pld_id: id FQDN/ikesync.myfqdn.com length 27
ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00 length 531
ikev2_pld_cert: type RSA_KEY length 526
ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00 length 520
ikev2_pld_auth: method RSA_SIG length 512
ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 48
ikev2_pld_cp: type REPLY length 40
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4
ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 4
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 4
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x5fb0e721
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start xxx.yyy.15.0 end xxx.yyy.15.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_msg_send: IKE_AUTH response from xxx.yyy.1.20:4500 to xxx.yyy.1.254:52833 msgid 1, 1296 bytes, NAT-T
pfkey_sa_add: update spi 0x5fb0e721
pfkey_sa: udpencap port 52833
ikev2_childsa_enable: loaded CHILD SA spi 0x5fb0e721
pfkey_sa_add: add spi 0x0f9dc45e
pfkey_sa: udpencap port 52833
ikev2_childsa_enable: loaded CHILD SA spi 0x0f9dc45e
ikev2_childsa_enable: loaded flow 0x1529ef902400
ikev2_childsa_enable: loaded flow 0x1529ef902800
sa_state: VALID -> ESTABLISHED from xxx.yyy.1.254:52833 to xxx.yyy.1.20:4500 policy 'ios_vpn'

And, if I run as a daemon, I can see:

# ipsecctl -s all
FLOWS:
flow esp in from xxx.yyy.15.0/24 to 0.0.0.0/0 peer xxx.yyy.1.254 srcid FQDN/ikesync.myfqdn.com dstid FQDN/ios.ikev2.myfqdn.com type use
flow esp out from 0.0.0.0/0 to xxx.yyy.15.0/24 peer xxx.yyy.1.254 srcid FQDN/ikesync.myfqdn.com dstid FQDN/ios.ikev2.myfqdn.com type require

SAD:
esp tunnel from xxx.yyy.1.20 to xxx.yyy.1.254 spi 0x05b906be auth hmac-sha2-256 enc aes-256
esp tunnel from xxx.yyy.1.254 to xxx.yyy.1.20 spi 0xebe5b208 auth hmac-sha2-256 enc aes-256

So, according to my OBSD 6.1 the VPN tunnel is up. But, my iphone does not indicate that a VPN tunnel exists, and it is clearly unable to access resources that require the VPN connection to be established. The iphone simply shows "VPN connecting" for a second, and then stops and reverts to its default status with no VPN.

I think I can get the logs off the iphone if necessary, but that's a bit more difficult. I am wondering if there is anything obvious that I am missing. I am at a loss as to why this was working before the update to current, and why OBSD shows a "VALID -> ESTABLISHED" state for the tunnel when the iOS device shows no tunnel has been established.

Thanks for any help.
Ted
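Read from the outside, the quoted trace shows the peer authenticating with an X509_CERT CERT payload while the responder, now that it has a pubkey file for that peer, answers with a raw RSA_KEY CERT payload; the post does not settle whether iOS cares, but that kind of per-direction asymmetry is what to pull out of a long -dvvv trace before digging further. The summariser below is an added example, not code from the post or from iked; its sample lines are constructed from the quoted trace, and the rule that on a responder the "response 1" headers introduce its own outgoing message (iked re-parses what it is about to send) is an assumption drawn from the order of the quoted log lines.

```python
import re
# Constructed sample: a few iked -dvvv lines in the shape of those quoted in the
# post (responder side of the iOS IKE_AUTH exchange, addresses masked as there).
SAMPLE_TRACE = """\
ikev2_pld_parse: header ispi 0xd14315b81593285a rspi 0x9f30f9d2ed8dfd11 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 2928 response 0
ikev2_pld_id: id FQDN/ios.ikev2.myfqdn.com length 36
ikev2_pld_id: id FQDN/ikesync.myfqdn.com length 27
ikev2_pld_id: unexpected id payload
ikev2_pld_auth: method RSA_SIG length 512
sa_state: SA_INIT -> AUTH_REQUEST
ikev2_pld_cert: type X509_CERT length 1992
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_state: cannot switch: AUTH_SUCCESS -> VALID
sa_state: AUTH_SUCCESS -> VALID
ikev2_pld_parse: header ispi 0xd14315b81593285a rspi 0x9f30f9d2ed8dfd11 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 1296 response 1
ikev2_pld_cert: type RSA_KEY length 526
ikev2_pld_auth: method RSA_SIG length 512
sa_state: VALID -> ESTABLISHED from xxx.yyy.1.254:52833 to xxx.yyy.1.20:4500 policy 'ios_vpn'
"""

STATE_RE = re.compile(r"^sa_state: (\w+) -> (\w+)")  # does not match "cannot switch:" lines
HDR_RE = re.compile(r"^ikev2_pld_parse: header .* response ([01])")
PAYLOAD_RES = {"auth": re.compile(r"^ikev2_pld_auth: method (\w+)"),
               "cert": re.compile(r"^ikev2_pld_cert: type (\w+)"),
               "id": re.compile(r"^ikev2_pld_id: id (\S+)")}
# Substrings of lines in the post's trace that a human should look at.
WARN_MARKERS = ("could not open public key", "unexpected auth method",
                "unexpected id payload", "invalid auth reply")

def summarize_iked_trace(text, local_role="responder"):
    """State transitions, AUTH/CERT/ID payloads per direction, and warning lines."""
    summary = {"states": [], "payloads": {}, "warnings": []}
    direction = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        m = HDR_RE.match(line)
        if m:
            # Assumption: iked re-parses its own outgoing message before sending, so a
            # responder's "response 1" headers open what it sends; an initiator mirrors that.
            is_response = m.group(1) == "1"
            direction = "sent" if is_response == (local_role == "responder") else "received"
            continue
        m = STATE_RE.match(line)
        if m:
            summary["states"].append((m.group(1), m.group(2)))
            continue
        bucket = summary["payloads"].setdefault(direction, {"auth": [], "cert": [], "id": []})
        for key, rx in PAYLOAD_RES.items():
            m = rx.match(line)
            if m:
                bucket[key].append(m.group(1))
        if any(marker in line for marker in WARN_MARKERS):
            summary["warnings"].append(line)
    return summary

def cert_type_mismatch(summary):
    """True when the CERT payload type we sent differs from the one the peer sent."""
    p = summary["payloads"]
    sent, recv = (set(p.get(d, {}).get("cert", [])) for d in ("sent", "received"))
    return bool(sent and recv and sent != recv)
```

Feed it the full `iked -dvvv` capture rather than the sample, and compare the "sent" and "received" buckets side by side with what the other endpoint logs.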