Thank you for your response, 

Following your suggestion I removed IP from enc0 and changed iked.conf as below:

$ cat /etc/iked.conf
dns1 = "8.8.8.8"
dns2 = "8.8.4.4"
ikev2 "roadWarrior" ipcomp esp \
         from 0.0.0.0/0 to 0.0.0.0/0 \
         local A.B.C.77 peer any \
         srcid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com" \
         config address 10.0.1.0/24 \
         config netmask 255.255.255.0 \
         config name-server $dns1 \
         config name-server $dns2 \
         config access-server A.B.C.77 \
         config protected-subnet 0.0.0.0/0 \
         tag "$id"

It did not solve my problem. Clients from !A.B.C.0/23 still get 809 Error.

I also tried another scenario: puffy_server <-> puffy_warrior.
The same: my warrior also cannot connect if it is !A.B.C.0/23, and the VPN works
fine for clients from A.B.C.0/23.
Both machines are 6.3/i386.

Confs:
puffy_server (just changed /etc/iked.conf and /etc/hostname.enc0 as below; the
rest of my previous conf is untouched)

$ cat /etc/iked.conf
# puffy_server
ikev2 office passive esp \
from 172.16.0.64 to 0.0.0.0/0 \
from 172.16.0.254 to 0.0.0.0/0 \
local A.B.C.77 peer any \
srcid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com" \
dstid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com"

$ cat /etc/hostname.enc0
up

puffy_warrior:

$ cat /etc/iked.conf
# puffy_warrior
ikev2 home active esp \
from egress to 172.16.0.0/24 \
local egress peer A.B.C.77 \
srcid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com" \
dstid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com"

$ pfctl -s rules
pass all flags S/SA

This is warrior log, public IP 1.2.3.119:

$ iked -dvv
set_policy_auth_method: using rfc7427 for peer
ikev2 "home" active esp inet from 1.2.3.119 to 172.16.0.0/24 local 1.2.3.119 
peer A.B.C.77 ikesa enc aes-256,aes-192,aes-128,3des prf 
hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group 
modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth 
hmac-sha2-256,hmac-sha1 srcid 
/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com dstid 
/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com lifetime 
10800 bytes 536870912 rfc7427
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1191
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: loaded ca file ca.crt
ca_reload: loaded crl file ca.crl
ca_reload: /C=PL/ST=ZP/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file puffy63.crt
ca_validate_cert: 
/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: mobike
ikev2_init_ike_sa: initiating "home"
ca_x509_name_parse: setting 'C' to 'PL'
ca_x509_name_parse: setting 'ST' to 'ZK'
ca_x509_name_parse: setting 'L' to 'KL'
ca_x509_name_parse: setting 'O' to 'PK'
ca_x509_name_parse: setting 'OU' to 'test'
ca_x509_name_parse: setting 'CN' to 'puffy63'
ca_x509_name_parse: setting 'emailAddress' to 'puff...@123.com'
ikev2_policy2id: srcid 
ASN1_DN//C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com 
length 123
ikev2_add_proposals: length 108
ikev2_next_payload: length 112 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x64068214f68d9422 0x0000000000000000 
1.2.3.119:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x64068214f68d9422 0x0000000000000000 
A.B.C.77:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0x64068214f68d9422 rspi 0x0000000000000000 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 510 
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 112
ikev2_pld_sa: more 0 reserved 0 length 108 proposal #1 protoid IKE spisize 0 
xforms 11 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_msg_send: IKE_SA_INIT request from 1.2.3.119:500 to A.B.C.77:500 msgid 0, 
510 bytes
sa_state: INIT -> SA_INIT
ikev2_recv: IKE_SA_INIT response from responder A.B.C.77:500 to 1.2.3.119:500 
policy 'home' id 0, 471 bytes
ikev2_recv: ispi 0x64068214f68d9422 rspi 0x84af2c52dcbc294d
ikev2_recv: updated SA to peer A.B.C.77:500 local 1.2.3.119:500
ikev2_pld_parse: header ispi 0x64068214f68d9422 rspi 0x84af2c52dcbc294d 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 471 
response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x64068214f68d9422 0x84af2c52dcbc294d 
A.B.C.77:500
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x64068214f68d9422 0x84af2c52dcbc294d 
1.2.3.119:500
ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ca_x509_name_parse: setting 'C' to 'PL'
ca_x509_name_parse: setting 'ST' to 'ZK'
ca_x509_name_parse: setting 'L' to 'KL'
ca_x509_name_parse: setting 'O' to 'PK'
ca_x509_name_parse: setting 'OU' to 'test'
ca_x509_name_parse: setting 'CN' to 'puffy63'
ca_x509_name_parse: setting 'emailAddress' to 'puff...@123.com'
ikev2_policy2id: srcid 
ASN1_DN//C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com 
length 123
sa_stateflags: 0x0000 -> 0x0004 certreq (required 0x0009 cert,auth)
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
ikev2_sa_keys: DHSECRET with 256 bytes
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_msg_auth: initiator auth data length 574
ca_setauth: using SIG (RFC7427)
ca_setauth: auth length 574
sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
config_free_proposals: free 0x79d91600
ca_getreq: found CA 
/C=PL/ST=ZP/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=t...@123.com
ca_getreq: found local certificate 
/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com
ca_setauth: auth length 272
ikev2_getimsgdata: imsg 20 rspi 0x84af2c52dcbc294d ispi 0x64068214f68d9422 
initiator 1 sa valid type 4 data length 961
ikev2_dispatch_cert: cert type X509_CERT length 961, ok
sa_stateflags: 0x0004 -> 0x0005 cert,certreq (required 0x0009 cert,auth)
sa_stateok: SA_INIT flags 0x0001, require 0x0009 cert,auth
ikev2_getimsgdata: imsg 25 rspi 0x84af2c52dcbc294d ispi 0x64068214f68d9422 
initiator 1 sa valid type 14 data length 272
ikev2_dispatch_cert: AUTH type 14 len 272
sa_stateflags: 0x0005 -> 0x000d cert,certreq,auth (required 0x0009 cert,auth)
sa_stateok: SA_INIT flags 0x0009, require 0x0009 cert,auth
ikev2_next_payload: length 127 nextpayload CERT
ikev2_next_payload: length 966 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload AUTH
ikev2_next_payload: length 280 nextpayload SA
pfkey_sa_getspi: spi 0xda769508
pfkey_sa_init: new spi 0xda769508
ikev2_add_proposals: length 80
ikev2_next_payload: length 84 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 1530
ikev2_msg_encrypt: padded length 1536
ikev2_msg_encrypt: length 1531, padding 5, output length 1568
ikev2_next_payload: length 1572 nextpayload IDi
ikev2_msg_integr: message length 1600
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x64068214f68d9422 rspi 0x84af2c52dcbc294d 
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 1600 
response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 1572
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 1536
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 1536/1536 padding 5
ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 
127
ikev2_pld_id: id 
ASN1_DN//C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=puff...@123.com 
length 123
ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 
length 966
ikev2_pld_cert: type X509_CERT length 961
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 
length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 
280
ikev2_pld_auth: method SIG length 272
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 84
ikev2_pld_sa: more 0 reserved 0 length 80 proposal #1 protoid ESP spisize 4 
xforms 7 spi 0xda769508
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 
24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 1.2.3.119 end 1.2.3.119
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 
24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 172.16.0.0 end 172.16.0.255
ikev2_msg_send: IKE_AUTH request from 1.2.3.119:500 to A.B.C.77:500 msgid 1, 
1600 bytes
ikev2_init_ike_sa: "home" is already active

$ ipsecctl -sa
FLOWS:
flow esp out from ::/0 to ::/0 type deny

SAD:

I really do not know what I am doing wrong.



On Wed, 31 Oct 2018 11:50:25 +0100
Kim Zeitler <kim.zeit...@konzept-is.de> wrote:

> On 10/28/18 3:04 PM, Radek wrote:
> > Hello,
> > I really need your help.
> > I am still trying to configure Ikev2 VPN Gateway (A.B.C.77/23) for road 
> > warriors clients (Windows).
> > The problem is that it works ONLY if clients are in the same subnet as VPN 
> > Gateway (A.B.C.0/23).
> > Clients from out of the gateway's subnet (!A.B.C.0/23) cannot establish 
> > the connection (809 Error). It does not matter if they are behind NAT or 
> > not; I tried different ISPs, the same.
> > 
> > Current tested client is Win7 (1.2.3.119). It works from A.B.C.0/23.
> > 
> > I do not know what I am doing wrong.
> > Can anyone please help me with solving this problem?
> > Thank you.
> > 
> > This is a fresh 6.3/i386 install:
> 
> > # cat /etc/hostname.enc0
> > inet 10.0.1.1 255.255.255.0 10.0.1.255
> > up
> You don't need an IP on enc0
> 
> > 
> > # cat /etc/iked.conf
> > ikev2 "test" passive esp \
> > from 0.0.0.0/0 to 0.0.0.0/0 \
> > local A.B.C.77 peer any \
> > srcid A.B.C.77 \
> > config address 10.0.1.0/24 \
> > config name-server 8.8.8.8 \
> > tag "IKED"
> 
> Try something like this, it works for both Win7 and Win10:
> 
> /etc/iked.conf
> ---------------------------------
> ikev2 "roadWarrior" ipcomp esp \
>          from 0.0.0.0/0 to 0.0.0.0/0 \
>          peer any \
>          srcid  $srcid \
>          config address 10.0.1.0/24 \
>          config netmask 255.255.255.0 \
>          config name-server $dns1 \
>          config name-server $dns2 \
>          config access-server A.B.C.77 \
>          config protected-subnet 0.0.0.0/0 \
>          tag "$id"
> 
> 'access-server' tells Windows what gateway to use for 'protected-subnet' 
> (see iked.conf(5)).
> 


-- 
radek
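An added diagnostic, not part of the thread and not iked's own code: the warrior log above shows the IKE_SA_INIT request (msgid 0) answered, then a 1600-byte IKE_AUTH request (msgid 1) with no ikev2_recv line after it. This Python script parses the ikev2_msg_send/ikev2_recv lines of iked -dvv output, pairs requests with responses by msgid, and flags unanswered requests whose UDP datagram would not fit a 1500-byte MTU without IP fragmentation; the sample lines are copied from the log above with the mail wrapping undone, and the MTU and the 28-byte IPv4+UDP header size are assumptions.

```python
import re

# Constructed sample: the ikev2_msg_send / ikev2_recv lines from the iked -dvv
# output in the thread above, with the mail wrapping undone.
SAMPLE_LOG = """\
ikev2_msg_send: IKE_SA_INIT request from 1.2.3.119:500 to A.B.C.77:500 msgid 0, 510 bytes
sa_state: INIT -> SA_INIT
ikev2_recv: IKE_SA_INIT response from responder A.B.C.77:500 to 1.2.3.119:500 policy 'home' id 0, 471 bytes
ikev2_msg_send: IKE_AUTH request from 1.2.3.119:500 to A.B.C.77:500 msgid 1, 1600 bytes
ikev2_init_ike_sa: "home" is already active
"""

SEND_RE = re.compile(r"ikev2_msg_send: (?P<exch>\w+) request from \S+ to \S+ "
                     r"msgid (?P<msgid>\d+), (?P<size>\d+) bytes")
RECV_RE = re.compile(r"ikev2_recv: (?P<exch>\w+) response from responder \S+ to \S+ "
                     r"policy '[^']+' id (?P<msgid>\d+), (?P<size>\d+) bytes")

IP_UDP_HEADERS = 20 + 8  # assumed IPv4 + UDP header bytes in front of the IKE message


def analyze_exchanges(log_text, mtu=1500):
    """Pair each logged IKE request with its response by message id.

    Returns one dict per request, in log order: exchange name, msgid, IKE
    message size, whether a response with that msgid was logged, and whether
    the request datagram is larger than the MTU (so it must be IP-fragmented).
    """
    requests, answered = [], set()
    for line in log_text.splitlines():
        m = SEND_RE.match(line)
        if m:
            size = int(m["size"])
            requests.append({"exchange": m["exch"], "msgid": int(m["msgid"]),
                             "bytes": size, "answered": False,
                             "fragmented": size + IP_UDP_HEADERS > mtu})
            continue
        m = RECV_RE.match(line)
        if m:
            answered.add(int(m["msgid"]))
    for req in requests:
        req["answered"] = req["msgid"] in answered
    return requests


def unanswered(log_text, mtu=1500):
    """(exchange, fragmented) for every request that never got a response."""
    return [(r["exchange"], r["fragmented"])
            for r in analyze_exchanges(log_text, mtu) if not r["answered"]]
```

When IKE_SA_INIT succeeds from every network but the larger IKE_AUTH request is only answered from the gateway's own subnet, whether fragmented UDP/500 datagrams survive the path (and pf's fragment handling) is worth checking before the certificates.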
