Hello,
I really need your help. 
I am still trying to configure an IKEv2 VPN gateway (A.B.C.77/23) for road-warrior
clients (Windows).
The problem is that it works ONLY if the clients are in the same subnet as the VPN
gateway (A.B.C.0/23).
Clients outside the gateway's subnet (not in A.B.C.0/23) cannot establish the
connection (Windows error 809). It does not matter whether they are behind NAT or
not; I tried different ISPs with the same result.

The client currently under test is Win7 (1.2.3.119); it works when connecting from A.B.C.0/23.

I do not know what I am doing wrong.
Can anyone please help me with solving this problem?
Thank you.

This is a fresh OpenBSD 6.3/i386 install, with the following syspatches applied:

# syspatch -l
001_perl
002_libtls
003_arp
004_gif
005_httpd
006_ipseclen
007_libcrypto
008_ipsecout
009_libcrypto
011_perl
012_execsize
013_ipsecexpire
014_amdlfence
015_ioport

WAN:
# cat /etc/hostname.vr0
# WAN/egress interface: A.B.C.77 with a /23 mask (A.B.C.0/23).  This is the
# address iked binds to ("local A.B.C.77", "srcid A.B.C.77") and the pf
# "egress" interface the NAT and IKE pass rules below refer to.
inet A.B.C.77 255.255.254.0

LAN:
# cat /etc/hostname.vr3
# LAN interface: 172.16.0.254/24.  "NONE" leaves the broadcast address at its
# default.  The "lan" group is what pf.conf's "pass on lan" rule and the
# "lan:network" NAT rule match on.
inet 172.16.0.254 255.255.255.0 NONE
group lan

# cat /etc/hostname.enc0
# enc(4) is the IPsec pseudo-interface; an address is not normally required
# ("up" alone suffices).  The 10.0.1.1/24 address given here is what makes
# pf's "enc0:network" resolve to 10.0.1.0/24, i.e. the pool iked hands out
# with "config address 10.0.1.0/24".  NOTE(review): if this address is ever
# removed, the enc0:network NAT rule in pf.conf must be rewritten as well.
inet 10.0.1.1 255.255.255.0 10.0.1.255
up

# cat /etc/iked.conf
# Road-warrior policy.  "passive" = responder only; "peer any" accepts an
# IKE_SA_INIT from any source address, so the only access control is the
# X.509 authentication that follows.  No psk/eap is given, so iked uses the
# certificate installed for srcid A.B.C.77 and checks peers against
# ca.crt/ca.crl (see the "ca_reload" lines in the iked -vvd output below).
# Flows "from 0.0.0.0/0 to 0.0.0.0/0" give clients a full tunnel; together
# with "set skip on enc" in pf.conf, decrypted client traffic is never
# filtered.  NOTE(review): narrow "to", or filter on enc0, if clients should
# not be able to reach everything behind this gateway.
# "config address 10.0.1.0/24" is the pool clients are assigned from and must
# agree with the enc0 address and the pf NAT rule; "config name-server
# 8.8.8.8" pushes a third-party resolver to every client.
# No ikesa/childsa transforms are listed, so iked's defaults apply.  The log
# below shows the Win7 client offering only DH group MODP_1024 and the
# defaults accepting it (AES-256-CBC / HMAC-SHA2-256 / MODP_1024 is what
# gets negotiated).  NOTE(review): MODP_1024 is weak by current standards;
# restricting the policy to modp2048 or better will refuse this client until
# it is configured to offer a larger group.
# Comments must stay above the rule: a comment line inside the "\"-continued
# statement would terminate it early.
ikev2 "test" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local A.B.C.77 peer any \
srcid A.B.C.77 \
config address 10.0.1.0/24 \
config name-server 8.8.8.8 \
tag "IKED"

# cat /etc/pf.conf
# Do not filter on loopback or on the enc(4) group: decrypted IPsec traffic
# bypasses pf entirely.  NOTE(review): combined with the iked policy
# "from 0.0.0.0/0 to 0.0.0.0/0", every authenticated client gets unfiltered
# access; filter on enc0 instead if that is not intended.
set skip on {lo, enc}
# Normalise inbound packets (reassembly, clear DF, random IP ids) and clamp
# the TCP MSS so tunnelled TCP fits the ESP/UDP-encapsulation overhead.
# max-mss affects TCP only: an IKE_AUTH carrying a client certificate can
# exceed the path MTU and then relies on IP fragmentation end to end.
# NOTE(review): the iked log shows the remote client completing IKE_SA_INIT
# but no IKE_AUTH request ever being received.  Run
# "tcpdump -ni vr0 host 1.2.3.119" during a connection attempt to see whether
# the IKE_AUTH packets (UDP 4500, possibly fragmented) reach vr0 at all
# before looking further at iked.
match in all scrub (no-df random-id max-mss 1310)
# Source-NAT the LAN (172.16.0.0/24 via the "lan" group) and the VPN client
# pool (enc0:network = 10.0.1.0/24) to the egress address.
match out on egress from lan:network to any nat-to egress
match out on egress from enc0:network to any nat-to egress
# Default deny, logged.  The pass rules below override it: pf is last-match
# and none of these rules use "quick".
block log all
# IKE (UDP 500) and NAT-T (UDP 4500) from anywhere -- required for road
# warriors; "peer any" in iked.conf means the source is not restricted here.
# NAT-T is needed: the log shows NAT detected for the remote client, which
# moves IKE_AUTH and the ESP payload to UDP 4500.
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
# Raw ESP/AH for clients that are not behind NAT.
pass in on egress proto {ah,esp}
# Everything outbound on egress is allowed (stateful by default).
pass out on egress
# The LAN is fully trusted in both directions.
pass on lan
# Management: ssh only from the test client and the gateway's own /23.
pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh
# The macro must be defined before its first use.  Only echo requests and
# unreachables are allowed, on every interface and in both directions.
icmp_types              = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types


# ikectl show ca vpn certificates
subject= /C=PL/ST=ZP/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com
SHA1 Fingerprint=37:2F:33:EA:C4:9C:45:0A:80:38:EC:0E:A6:F8:8B:EA:10:84:71:CB
notBefore=Oct 25 12:23:53 2018 GMT
notAfter=Oct 25 12:23:53 2019 GMT

subject= /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com
SHA1 Fingerprint=4C:AE:A5:C6:E3:71:81:09:C0:73:BF:03:5F:E2:02:CE:48:BF:03:78
notBefore=Oct 25 12:27:35 2018 GMT
notAfter=Oct 25 12:27:35 2019 GMT

subject= /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=win7/emailAddress=t...@123.com
SHA1 Fingerprint=E2:C1:96:F3:26:0F:CA:CD:49:0A:33:65:58:0E:07:B7:A7:90:D4:18
notBefore=Oct 25 12:32:31 2018 GMT
notAfter=Oct 25 12:32:31 2019 GMT

subject= /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=w520/emailAddress=w...@123.com
SHA1 Fingerprint=00:ED:49:7B:CE:AF:46:25:BE:39:B6:51:AD:3E:06:91:99:58:50:C9
notBefore=Oct 27 08:54:14 2018 GMT
notAfter=Oct 27 08:54:14 2019 GMT

# iked -vvd
ikev2 "test" passive esp inet from 0.0.0.0/0 to 0.0.0.0/0 local A.B.C.77 peer 
any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth 
hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc 
aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid A.B.C.77 lifetime 
10800 bytes 536870912 signature config address 10.0.1.0 config name-server 
8.8.8.8 tag "IKED"
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1193
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1193
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
ca_reload: loaded ca file ca.crt
config_getsocket: received socket fd 7
config_getmobike: mobike
ca_reload: loaded crl file ca.crl
ca_reload: /C=PL/ST=ZP/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file A.B.C.77.crt
ca_validate_cert: 
/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20




ikev2_recv: IKE_SA_INIT request from initiator 1.2.3.119:500 to A.B.C.77:500 
policy 'test' id 0, 528 bytes
ikev2_recv: ispi 0x683d59d10fbe4a9e rspi 0x0000000000000000
ikev2_policy2id: srcid IPV4/A.B.C.77 length 8
ikev2_pld_parse: header ispi 0x683d59d10fbe4a9e rspi 0x0000000000000000 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 528 
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #2 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #3 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #4 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #5 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #6 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x683d59d10fbe4a9e 0x0000000000000000 
1.2.3.119:500
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP 
encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x683d59d10fbe4a9e 0x0000000000000000 
A.B.C.77:500
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 21
ikev2_sa_negotiate: score 12
ikev2_sa_negotiate: score 17
ikev2_sa_negotiate: score 8
ikev2_sa_negotiate: score 0
ikev2_sa_negotiate: score 0
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
ikev2_sa_keys: DHSECRET with 128 bytes
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 96 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 136 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x683d59d10fbe4a9e 0x4698e736ae5196ac 
A.B.C.77:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x683d59d10fbe4a9e 0x4698e736ae5196ac 
1.2.3.119:500
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload NONE
ikev2_pld_parse: header ispi 0x683d59d10fbe4a9e rspi 0x4698e736ae5196ac 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 329 
response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #4 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_msg_send: IKE_SA_INIT response from A.B.C.77:500 to 1.2.3.119:500 msgid 
0, 329 bytes
config_free_proposals: free 0x7fcc4880
config_free_proposals: free 0x85753900
config_free_proposals: free 0x7fcc03c0
config_free_proposals: free 0x7fcc4080
config_free_proposals: free 0x7fcc4580
config_free_proposals: free 0x825a0a00

After the IKE_SA_INIT response is sent, nothing further from the client (no IKE_AUTH request) appears in the log, and the Windows client reports error 809.

On Wed, 7 Feb 2018 22:01:16 +0100
Radek <alee...@gmail.com> wrote:

> Hi again,
> 
> I'm still trying to make it work for road warriors. 
> The VPN server has IP address A.B.9.73/23. It runs OpenBSD 6.1.
> 
> I generated certs:
> 
> # hostname
> serv73
> 
> # ikectl ca vpn create (CN = serv73)
> # ikectl ca vpn install
> 
> # ikectl ca vpn certificate A.B.9.73 create
> # ikectl ca vpn certificate A.B.9.73 install
> 
> # ikectl ca vpn certificate A.B.9.76 create #(CN = A.B.9.76)
> # ikectl ca vpn certificate A.B.9.76 export 
> 
> After installing A.B.9.76.zip on Win7 I can connect to the VPN server from any IP 
> address in the range A.B.9.0/23. 
> 
> I can't connect from an IP that is NOT in A.B.9.0/23. 
> I tried to connect from many IPs (public and behind NAT) but every time I got an 
> "809 error". 
> 
> Can anyone please help me with solving that problem?
> 
> # cat /etc/iked.conf
> [snip]
> ikev2 "roadWarrior" passive esp \
>         from 10.0.73.0/24 to 0.0.0.0/0 local A.B.9.73 peer any \
>         srcid A.B.9.73 \
>         config address 10.0.70.128 \
>         tag "$name-$id"
> 
> # iked -n
> configuration OK
> 
> # cat /etc/pf.conf 
> ext_if          = "vr0"
> lan_if          = "vr1"            # vr1
> lan_local       = $lan_if:network  # 10.0.73.0/24
> ext_ip          = "A.B.9.73"
> bud             = "A.B.9.0/25"
> rdkhome_wy      = "YY.YY.YY.YY"
> rdkhome_mon     = "XX.XX.XX.XX"
> ssh_port        = "1071"
> icmp_types      = "{ echoreq, unreach }"
> table <vpn_peers> const { A.B.9.74, A.B.C.75 }
> set skip on { lo, enc0 }
> block return on $ext_if # block stateless traffic
> 
> match out log on $ext_if from $lan_local nat-to $ext_if set prio (1, 6)
> 
> pass in log quick inet proto tcp from { $bud, $rdkhome_wy, $rdkhome_mon} to 
> $ext_if port $ssh_port \
>         set prio (1, 6) keep state
> 
> pass out quick on egress proto esp from (egress:0) to <vpn_peers>             
>      keep state
> pass out quick on egress proto udp from (egress:0) to <vpn_peers> port {500, 
> 4500} keep state
> pass  in quick on egress proto esp from <vpn_peers> to (egress:0)             
>      keep state
> pass  in quick on egress proto udp from <vpn_peers> to (egress:0) port {500, 
> 4500} keep state
> pass out quick on trust received-on enc0 keep state
> pass out log proto tcp set prio (1, 6) keep state
> pass log proto udp set prio (1, 6) keep state
> 
> pass inet proto icmp all icmp-type $icmp_types set prio (1, 6) keep state
> pass log inet proto { tcp, udp } from $lan_local to any set prio (1, 6) keep 
> state
> 
> block return in on ! lo0 proto tcp to port 6000:6010
> 
> 
> 
> # iked -dvv
> ikev2_recv: IKE_SA_INIT request from initiator E.F.G.H:500 to A.B.9.73:500 
> policy 'roadWarrior' id 0, 528 bytes
> ikev2_recv: ispi 0x35e2e7f614678913 rspi 0x0000000000000000
> ikev2_policy2id: srcid IPV4/A.B.9.73 length 8
> ikev2_pld_parse: header ispi 0x35e2e7f614678913 rspi 0x0000000000000000 
> nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 
> 528 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
> ikev2_pld_sa: more than one proposal specified
> ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 
> xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
> ikev2_pld_ke: dh group MODP_1024 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_nat_detection: peer source 0x35e2e7f614678913 0x0000000000000000 
> E.F.G.H:500
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_nat_detection: peer destination 0x35e2e7f614678913 0x0000000000000000 
> A.B.9.73:500
> sa_state: INIT -> SA_INIT
> ikev2_sa_negotiate: score 21
> sa_stateok: SA_INIT flags 0x0000, require 0x0000 
> sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
> ikev2_sa_keys: SKEYSEED with 20 bytes
> ikev2_sa_keys: S with 96 bytes
> ikev2_prfplus: T1 with 20 bytes
> ikev2_prfplus: T2 with 20 bytes
> ikev2_prfplus: T3 with 20 bytes
> ikev2_prfplus: T4 with 20 bytes
> ikev2_prfplus: T5 with 20 bytes
> ikev2_prfplus: T6 with 20 bytes
> ikev2_prfplus: T7 with 20 bytes
> ikev2_prfplus: T8 with 20 bytes
> ikev2_prfplus: Tn with 160 bytes
> ikev2_sa_keys: SK_d with 20 bytes
> ikev2_sa_keys: SK_ai with 20 bytes
> ikev2_sa_keys: SK_ar with 20 bytes
> ikev2_sa_keys: SK_ei with 24 bytes
> ikev2_sa_keys: SK_er with 24 bytes
> ikev2_sa_keys: SK_pi with 20 bytes
> ikev2_sa_keys: SK_pr with 20 bytes
> ikev2_add_proposals: length 40
> ikev2_next_payload: length 44 nextpayload KE
> ikev2_next_payload: length 136 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload NOTIFY
> ikev2_nat_detection: local source 0x35e2e7f614678913 0x177a4400d017d93f 
> A.B.9.73:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0x35e2e7f614678913 0x177a4400d017d93f 
> E.F.G.H:500
> ikev2_next_payload: length 28 nextpayload CERTREQ
> ikev2_add_certreq: type X509_CERT length 21
> ikev2_next_payload: length 25 nextpayload NONE
> ikev2_pld_parse: header ispi 0x35e2e7f614678913 rspi 0x177a4400d017d93f 
> nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 
> 325 response 1
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 44
> ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid IKE spisize 0 
> xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
> ikev2_pld_ke: dh group MODP_1024 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
> ikev2_pld_certreq: type X509_CERT length 20
> ikev2_msg_send: IKE_SA_INIT response from A.B.9.73:500 to E.F.G.H:500 msgid 
> 0, 325 bytes
> config_free_proposals: free 0x8134e000
> 
> Generating and installing a certificate for E.F.G.H doesn't make any difference.
> 
> 
> On Sat, 27 Jan 2018 19:55:46 +0100
> Radek <alee...@gmail.com> wrote:
> 
> > Hello,
> > 
> > I have configured OpenIKED Site-to-Site VPN between two gateways:
> > serv73 - OBSD6.1, IP A.B.C.73,
> > serv75 - OBSD6.2, IP A.B.C.75.
> > It seems to work fine.
> > 
> > I'm trying to set up a VPN for a few road warriors on one of these gateways. 
> > As far as possible, authorization should be independent of the user's IP. 
> > If I understand it correctly a certificate is always bound to a certain IP, so I 
> > need to use login and password authentication.
> > After spending some time playing around with that I cannot find the proper 
> > configuration.
> > I know the reason for that is a missing certificate (I have no idea which 
> > certificate it should be), but maybe it is something else that I have missed or 
> > did wrong.
> > I have read the manuals but not everything is clear to me.
> > 
> > On Win7 I get error 809.
> > The client is configured as described here:
> > https://hide.me/en/vpnsetup/windows7/ikev2/
> > 
> > Any help appreciated :)
> > 
> > My configs:
> > 
> > [root@@serv75/home/rdk:]iked -dv
> > ikev2_recv: IKE_SA_INIT request from initiator X.X.X.X:500 to A.B.C.75:500 
> > policy 'roadwarrior' id 0, 528 bytes
> > ikev2_msg_send: IKE_SA_INIT response from A.B.C.75:500 to X.X.X.X:500 msgid 
> > 0, 325 bytes
> > ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 
> > policy 'roadwarrior' id 1, 764 bytes
> > ca_getreq: no valid local certificate found
> > ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 
> > policy 'roadwarrior' id 1, 764 bytes
> > ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 
> > policy 'roadwarrior' id 1, 764 bytes
> > 
> > 
> > root@@serv75/home/rdk:]cat /etc/iked.conf
> > remote_gw73     =     "A.B.C.73" # serv33
> > remote_lan73    =     "10.0.73.0/24"
> > local_gw        =     "10.0.75.254" # serv75
> > local_lan       =     "10.0.75.0/24"
> > dns1        =     "8.8.8.8"
> > 
> > ikev2 active esp from $local_gw to $remote_gw73 \
> > from $local_lan to $remote_lan73 peer $remote_gw73 \
> > psk "test123"
> > 
> > user "test" "pass1234"
> > ikev2 "roadwarrior" passive esp \
> >         from 0.0.0.0/0 to 10.0.75.0/24 \
> >         local any peer any \
> >         eap "mschap-v2" \
> >         config address 10.0.75.123 \
> >         config name-server 8.8.8.8 \
> >         tag "$name-$id"
> > 
> > [root@@serv75/home/rdk:]cat /etc/pf.conf
> > ext_if          = "vr0"
> > lan_if          = "vr1"            # vr1
> > lan_local       = $lan_if:network  # 10.0.75.0/24
> > ext_ip          = "A.B.C.75"
> > bud             = "A.B.C.0/25"
> > rdkhome_wy      = "YY.YY.YY.YY"
> > rdkhome_mon     = "XX.XX.XX.XX"
> > ssh_port        = "1071"
> > icmp_types      = "{ echoreq, unreach }"
> > table <vpn_peers> const { A.B.C.73, A.B.C.74 }
> > set skip on { lo, enc0 }
> > block return on $ext_if # block stateless traffic
> > match out log on $ext_if from $lan_local nat-to $ext_if set prio (1, 6)
> > pass in log quick inet proto tcp from { $bud, $rdkhome_wy, $rdkhome_mon} to 
> > $ext_if port $ssh_port \
> >         set prio (1, 6) keep state
> > pass out quick on egress proto esp from (egress:0) to <vpn_peers>           
> >        keep state
> > pass out quick on egress proto udp from (egress:0) to <vpn_peers> port 
> > {500, 4500} keep state
> > pass  in quick on egress proto esp from <vpn_peers> to (egress:0)           
> >        keep state
> > pass  in quick on egress proto udp from <vpn_peers> to (egress:0) port 
> > {500, 4500} keep state
> > pass out quick on trust received-on enc0 keep state
> > pass out log proto tcp set prio (1, 6) keep state
> > pass log proto udp set prio (1, 6) keep state
> > pass inet proto icmp all icmp-type $icmp_types set prio (1, 6) keep state
> > pass log inet proto { tcp, udp } from $lan_local to any set prio (1, 6) 
> > keep state
> > block return in on ! lo0 proto tcp to port 6000:6010
> > 
> > [root@@serv75/home/rdk:]cat /etc/hostname.vr0
> > inet A.B.C.75 255.255.254.0 NONE description "WAN75"
> > group trust
> > 
> > [root@@serv75/home/rdk:]cat /etc/hostname.vr1
> > inet 10.0.75.254 255.255.255.0 NONE description "LAN75"
> > group trust
> > 
> > [root@@serv75/home/rdk:]cat /etc/hostname.enc0
> > up
> > 
> > [root@@serv75/home/rdk:]cat /etc/rc.conf.local
> > iked_flags=YES
> > ntpd_flags="-s"
> > dhcpd_flags="vr1 vr2 vr3"
> > 
> > [root@@serv75/home/rdk:]cat /etc/sysctl.conf
> > net.inet.ip.forwarding=1
> > net.inet.ipcomp.enable=1
> > net.inet.esp.enable=1
> > 
> > 
> > -- 
> > radek
> 
> 
> -- 
> radek


-- 
radek
