OpenIKED is so great when I use one policy for all users. However, I'm having 
trouble when I try to apply different policies to different users.
With the iked.conf below, iked seems to apply the "blackjack" policy to all incoming 
connections, which keeps the users of "redheart" out.

ikev2 "blackjack" quick passive ipcomp esp \
        from 0.0.0.0/0 to 10.0.0.2 \
        local egress \
        ikesa enc aes-256 prf hmac-sha2-256 group curve25519 \
        childsa enc chacha20-poly1305 group curve25519 \
        dstid "blackjack.local" \
        psk "testpsk1"

ikev2 "redheart" quick passive ipcomp esp \
        from 0.0.0.0/0 to 172.16.0.0/24 \
        local egress \
        dstid "redheart.local" \
        psk "testpsk2" \
        config protected-subnet 0.0.0.0/0 \
        config address 172.16.0.0/24 \
        config netmask 255.255.255.0 \
        config name-server 8.8.8.8

This is what happens when redheart.local connects to the responder. (I replaced 
the IPs with redheart.local and asgard.local.)

# iked -dv 
set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/blackjack.local
ikev2 "blackjack" quick passive esp inet from 0.0.0.0/0 to 10.0.0.2 local 
asgard.local peer any ikesa enc aes-256 prf hmac-sha2-256 auth 
hmac-sha2-256,hmac-sha1 group curve25519 childsa enc chacha20-poly1305 group 
curve25519 dstid blackjack.local lifetime 10800 bytes 536870912 psk 
0x7465737470736b31
set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/redheart.local
ikev2 "redheart" quick passive esp inet from 0.0.0.0/0 to 172.16.0.0/24 local 
asgard.local peer any ikesa enc aes-256,aes-192,aes-128,3des prf 
hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group 
modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth 
hmac-sha2-256,hmac-sha1 dstid redheart.local lifetime 10800 bytes 536870912 psk 
0x7465737470736b32 config protected-subnet 0.0.0.0 config address 172.16.0.0 
config netmask 255.255.255.0 config name-server 8.8.8.8
ikev2_recv: IKE_SA_INIT request from initiator redheart.local:60970 to 
asgard.local:500 policy 'blackjack' id 0, 604 bytes
ikev2_sa_responder: no proposal chosen
ikev2_msg_send: IKE_SA_INIT response from asgard.local:500 to 
redheart.local:60970 msgid 0, 36 bytes
sa_state: SA_INIT -> CLOSED from any to any policy 'blackjack'
ikev2_recv: IKE_SA_INIT request from initiator redheart.local:60970 to 
asgard.local:500 policy 'blackjack' id 0, 604 bytes
ikev2_sa_responder: no proposal chosen
ikev2_msg_send: IKE_SA_INIT response from asgard.local:500 to 
redheart.local:60970 msgid 0, 36 bytes
sa_state: SA_INIT -> CLOSED from any to any policy 'blackjack'

If I remove the "quick" option from the "blackjack" policy, all incoming connections 
go to the "redheart" policy, which blocks the "blackjack" users.

Judging from all the examples I saw, I guess dstid is not a condition for matching 
the policies? Only "peer" matters?
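To reason about what the log above shows, here is a small Python model of a responder's policy selection. It is an added example, not OpenIKED's code and not part of the original post. Two facts it encodes are solid: IKEv2 carries the initiator's identity (IDi) in IKE_AUTH, not in IKE_SA_INIT, so a `dstid` cannot influence which policy answers the first message; and iked.conf(5) says that with `quick` the first matching policy wins, otherwise the last one. That iked re-selects the policy by peer identity once IKE_AUTH arrives is my understanding of the daemon, stated here as an assumption. The initiator proposals, the peer address 203.0.113.5 and the "widened" variant of the blackjack policy are constructed for the example.

```python
"""Simplified model of IKEv2 responder policy selection for the iked.conf
in the post. Added example; not OpenIKED code. Address matching follows
iked.conf(5)'s 'quick = first match, otherwise last match' rule; identity
matching (dstid) only happens at IKE_AUTH because that is where IKEv2
carries IDi. The IKE_AUTH re-selection step is an assumption about iked."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Policy:
    name: str
    quick: bool
    peer: str                        # "any" or a CIDR prefix
    dstid: Optional[str]             # peer identity expected at IKE_AUTH
    ikesa: Dict[str, Set[str]]       # transform type -> acceptable transforms

    def matches_address(self, peer_addr: str) -> bool:
        return self.peer == "any" or ip_address(peer_addr) in ip_network(self.peer)


# Transform sets copied from iked's own dump of the two policies in the post
# (the daemon filled in defaults where the config gave none).
DEFAULT_IKESA = {
    "enc": {"aes-256", "aes-192", "aes-128", "3des"},
    "prf": {"hmac-sha2-256", "hmac-sha1"},
    "auth": {"hmac-sha2-256", "hmac-sha1"},
    "group": {"modp2048", "modp1536", "modp1024"},
}
BLACKJACK_IKESA = {
    "enc": {"aes-256"},
    "prf": {"hmac-sha2-256"},
    "auth": {"hmac-sha2-256", "hmac-sha1"},
    "group": {"curve25519"},
}

POSTED_POLICIES = [
    Policy("blackjack", True, "any", "blackjack.local", BLACKJACK_IKESA),
    Policy("redheart", True, "any", "redheart.local", DEFAULT_IKESA),
]
# Variant 1: 'quick' removed from blackjack, as the poster tried.
NO_QUICK_POLICIES = [
    Policy("blackjack", False, "any", "blackjack.local", BLACKJACK_IKESA),
    Policy("redheart", True, "any", "redheart.local", DEFAULT_IKESA),
]
# Variant 2 (constructed): blackjack keeps 'quick' but also accepts the
# default IKE SA transforms, so the first-stage handshake can succeed for
# either kind of user and identity selection gets a chance to run.
WIDENED_IKESA = {k: DEFAULT_IKESA[k] | BLACKJACK_IKESA[k] for k in DEFAULT_IKESA}
WIDENED_POLICIES = [
    Policy("blackjack", True, "any", "blackjack.local", WIDENED_IKESA),
    Policy("redheart", True, "any", "redheart.local", DEFAULT_IKESA),
]

# Constructed initiator proposals: one per kind of client.
REDHEART_PROPOSAL = {"enc": ["aes-256"], "prf": ["hmac-sha2-256"],
                     "auth": ["hmac-sha2-256"], "group": ["modp2048"]}
BLACKJACK_PROPOSAL = {"enc": ["aes-256"], "prf": ["hmac-sha2-256"],
                      "auth": ["hmac-sha2-256"], "group": ["curve25519"]}


def lookup_by_address(policies: List[Policy], peer_addr: str) -> Optional[Policy]:
    """IKE_SA_INIT stage: only the peer's address is known."""
    chosen = None
    for pol in policies:
        if not pol.matches_address(peer_addr):
            continue
        if pol.quick:            # first match wins
            return pol
        chosen = pol             # otherwise the last match wins
    return chosen


def choose_proposal(policy: Policy, offered: Dict[str, List[str]]) -> Optional[Dict[str, str]]:
    """One transform per type that both sides accept; None means NO_PROPOSAL_CHOSEN."""
    chosen = {}
    for ttype, candidates in offered.items():
        common = [t for t in candidates if t in policy.ikesa.get(ttype, set())]
        if not common:
            return None
        chosen[ttype] = common[0]
    return chosen


def lookup_by_identity(policies: List[Policy], peer_addr: str, peer_id: str) -> Optional[Policy]:
    """IKE_AUTH stage (assumed iked behaviour): IDi is known, so dstid can match."""
    for pol in policies:
        if pol.matches_address(peer_addr) and pol.dstid == peer_id:
            return pol
    return None


def responder(policies: List[Policy], peer_addr: str,
              offered: Dict[str, List[str]], peer_id: str) -> Tuple[str, Optional[str]]:
    """Run both stages; return (outcome, policy name the SA ended up under)."""
    init_pol = lookup_by_address(policies, peer_addr)
    if init_pol is None or choose_proposal(init_pol, offered) is None:
        return ("NO_PROPOSAL_CHOSEN", init_pol.name if init_pol else None)
    auth_pol = lookup_by_identity(policies, peer_addr, peer_id) or init_pol
    return ("ESTABLISHED", auth_pol.name)


if __name__ == "__main__":
    for label, pols in (("posted", POSTED_POLICIES), ("no quick", NO_QUICK_POLICIES),
                        ("widened", WIDENED_POLICIES)):
        print(label, "redheart user:", responder(pols, "203.0.113.5", REDHEART_PROPOSAL, "redheart.local"))
        print(label, "blackjack user:", responder(pols, "203.0.113.5", BLACKJACK_PROPOSAL, "blackjack.local"))
```

Run against the posted policies, a redheart user is answered by "blackjack" (quick, first match) whose IKE SA transforms it cannot satisfy, which is exactly the "policy 'blackjack' ... no proposal chosen" sequence in the log; with quick removed, the curve25519-only blackjack user hits the same wall on "redheart". Only in the widened variant does the first exchange succeed for both and the identity decide the final policy. Whether the real daemon switches policy at IKE_AUTH the way this model does is something to confirm with `iked -dv`, but the model makes the point that `dstid` can only ever be consulted after IKE_SA_INIT has already passed under some address-selected policy.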
