On Tue, Jun 16, 2020 at 02:11:21PM -0400, Daniel Ouellet wrote:
> 
> 
> On 6/16/20 1:35 PM, Patrick Wildt wrote:
> > On Tue, Jun 16, 2020 at 01:09:32PM -0400, Daniel Ouellet wrote:
> >> Hi Tobias,
> >>
> >> I put below the full configuration and the flows as well with the 6.6
> >> binary and switch to the 6.7 binary without any other changes as well as
> >> the full config.
> >>
> >> The config may be a bit weird at first as I tunnel routable IPs over
> >> iked over a Verizon Fios line. You can't get routable IPs from Fios
> >> and I have needs for it. So that was my way around it for years now.
> >>
> >> Anyway, here below:
> >>
> >> gateway$ doas cat /etc/ipsec.conf
> >> flow esp out from ::/0 to ::/0 type deny
> >> flow esp from 66.63.44.64/27 to 66.63.44.96/28 type bypass
> >> flow esp from 66.63.44.96/28 to 66.63.44.64/27 type bypass
> >> flow esp from 66.63.44.67 to 66.63.44.97 type bypass
> >> flow esp from 66.63.44.90 to 66.63.44.97 type bypass
> >>
> >> (This above was to allow the two local subnets to talk to one another as
> >> they are in different DMZs. I can delete that config and it changes
> >> nothing anyway. Just wanted to write why in case you wonder.)
> >>
> >> gateway$ doas cat /etc/iked.conf
> >> # All IP from 66.63.44.79 are Etienne computer to Riot on AS 6507 in Ashburn.
> >> ikev2 "VPN" active esp inet from re0 to tunnel.realconnect.com
> >>
> >> ikev2 "Flow" active \
> >>         from re1 to tunnel.realconnect.com \
> >>         from re1 to stats.realconnect.com \
> >>         from 66.63.44.66 to 0.0.0.0/0 \
> >>         from 66.63.44.67 to 66.63.0.0/18 \
> >>         from home.ouellet.us to 0.0.0.0/0 \
> >>         from 66.63.44.96/28 to 0.0.0.0/0 \
> >>         from 66.63.44.79 to 43.229.64.0/22 \
> >>         from 66.63.44.79 to 45.7.36.0/22 \
> >>         from 66.63.44.79 to 103.240.224.0/22 \
> >>         from 66.63.44.79 to 104.160.128.0/19 \
> >>         from 66.63.44.79 to 162.249.72.0/21 \
> >>         from 66.63.44.79 to 185.40.64.0/22 \
> >>         from 66.63.44.79 to 192.64.168.0/21 \
> >>         peer tunnel.realconnect.com
> >>
> >> (Here above for the 66.63.44.79, again weird stuff, that's only for my
> >> older son. When he plays LoL over Fios it sucks! But when I tunnel it to
> >> my tunnel and then directly to Equinix where Riot is and I peer at, all
> >> is great and hard to believe I am sure, but latency is much lower. Again
> >> not relevant, just in case you wonder. I know, it's stupid, but I do a
> >> lot of work from home and I need to keep the family happy too. (;)
> >>
> >> On 6/16/20 6:09 AM, Tobias Heider wrote:
> >>> Hi Daniel,
> >>>
> >>> On Mon, Jun 15, 2020 at 08:04:43PM -0400, Daniel Ouellet wrote:
> >>>>> Probably related to the following change documented in
> >>>>> https://www.openbsd.org/faq/upgrade67.html:
> >>>>>
> >>>>> iked(8)/isakmpd(8). The type of incoming ipsec(4) flows installed by iked(8) or
> >>>>> isakmpd(8) was changed from "use" to "require". This means unencrypted traffic
> >>>>> matching the flows will no longer be accepted. Flows of type "use" can still be
> >>>>> set up manually in ipsec.conf(5).
> >>>>
> >>>> I have what appears to be a similar problem. I used iked from 5.6 all the
> >>>> way to 6.6 with no problem, well some, but I worked it out. All in the archive.
> >>>>
> >>>> But going from 6.6 to 6.7 I can't get it to work anymore. Nothing
> >>>> changed, same configuration, just a sysupgrade and that's it.
> >>>>
> >>>> I read this and I can understand the words, but maybe I am thick, but I
> >>>> don't understand what to do with it.
> >>>
> >>> The default behavior of IPsec flows was changed to not accept unencrypted
> >>> packets matching a registered flow.
> >>> You can list your flows with 'ipsecctl -sf'.
> >>
> >> gateway$ doas ipsecctl -sf
> >> flow esp in from 0.0.0.0/0 to 66.63.44.66 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 0.0.0.0/0 to 66.63.44.90 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 0.0.0.0/0 to 66.63.44.96/28 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 43.229.64.0/22 to 66.63.44.79 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 45.7.36.0/22 to 66.63.44.79 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 66.63.0.0/18 to 66.63.44.67 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 66.63.5.245 to 66.63.44.65 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 66.63.5.250 to 66.63.44.65 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 66.63.5.250 to 72.83.103.147 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 103.240.224.0/22 to 66.63.44.79 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 104.160.128.0/19 to 66.63.44.79 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 162.249.72.0/21 to 66.63.44.79 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 185.40.64.0/22 to 66.63.44.79 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 192.64.168.0/21 to 66.63.44.79 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp out from 66.63.44.65 to 66.63.5.245 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.65 to 66.63.5.250 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.66 to 0.0.0.0/0 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.67 to 66.63.0.0/18 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.79 to 43.229.64.0/22 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.79 to 45.7.36.0/22 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.79 to 103.240.224.0/22 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.79 to 104.160.128.0/19 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.79 to 162.249.72.0/21 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.79 to 185.40.64.0/22 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.79 to 192.64.168.0/21 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.90 to 0.0.0.0/0 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.96/28 to 0.0.0.0/0 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 72.83.103.147 to 66.63.5.250 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from ::/0 to ::/0 type deny
> >>
> >>>>
> >>>> I see the require type modifier in the ipsec.conf man page, not in the
> >>>> iked.conf man page.
> >>>>
> >>>> Do you mean whatever rules we had in iked.conf need to be in
> >>>> ipsec.conf now?
> >>>
> >>> No, that won't work.
> >>>
> >>>>
> >>>> I am really sorry if I don't follow the meaning or what you tried to
> >>>> say, but how can this be fixed, or changed?
> >>>>
> >>>
> >>> To help you I will need to know a bit more about your setup.
> >>> In particular the architecture of your network, your iked.conf and
> >>> the output of 'ipsecctl -sa' would be helpful.
> >>> A more detailed description of what exactly does not work would also help.
> >>
> >> gateway$ doas ipsecctl -sa
> >> FLOWS:
> >> flow esp in from 0.0.0.0/0 to 66.63.44.66 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 0.0.0.0/0 to 66.63.44.90 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 0.0.0.0/0 to 66.63.44.96/28 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 43.229.64.0/22 to 66.63.44.79 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 45.7.36.0/22 to 66.63.44.79 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 66.63.0.0/18 to 66.63.44.67 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 66.63.5.245 to 66.63.44.65 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 66.63.5.250 to 66.63.44.65 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 66.63.5.250 to 72.83.103.147 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 103.240.224.0/22 to 66.63.44.79 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 104.160.128.0/19 to 66.63.44.79 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 162.249.72.0/21 to 66.63.44.79 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 185.40.64.0/22 to 66.63.44.79 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp in from 192.64.168.0/21 to 66.63.44.79 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
> >> flow esp out from 66.63.44.65 to 66.63.5.245 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.65 to 66.63.5.250 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.66 to 0.0.0.0/0 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.67 to 66.63.0.0/18 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.79 to 43.229.64.0/22 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.79 to 45.7.36.0/22 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.79 to 103.240.224.0/22 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.79 to 104.160.128.0/19 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.79 to 162.249.72.0/21 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.79 to 185.40.64.0/22 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.79 to 192.64.168.0/21 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.90 to 0.0.0.0/0 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 66.63.44.96/28 to 0.0.0.0/0 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from 72.83.103.147 to 66.63.5.250 peer 66.63.5.250 srcid
> >> FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
> >> flow esp out from ::/0 to ::/0 type deny
> >>
> >> SAD:
> >> esp tunnel from 66.63.5.250 to 72.83.103.147 spi 0x9f629698 auth
> >> hmac-sha2-256 enc aes-256
> >> esp tunnel from 72.83.103.147 to 66.63.5.250 spi 0xba228cb0 auth
> >> hmac-sha2-256 enc aes-256
> >> esp tunnel from 66.63.5.250 to 72.83.103.147 spi 0xc44b9bb8 auth
> >> hmac-sha2-256 enc aes-256
> >> esp tunnel from 72.83.103.147 to 66.63.5.250 spi 0xc5d5aa26 auth
> >> hmac-sha2-256 enc aes-256
> >>
> >> ============================
> >>
> >> Now if I put the iked 6.7 binary in instead, I see the traffic going out,
> >> entering the remote tunnel, getting out of the tunnel to come back, but
> >> never coming in to the gateway unit.
> >>
> >> Nothing changed, just the 6.7 binary replacing the 6.6 binary.
> >>
> >> See full display of step by step with proof of binary in use and all.
> >>
> >> Cut and paste from the terminal as is. I can never get a flow going on
> >> 6.7 with the exact same configuration as 6.6. Just using 6.6 works as
> >> is. So I obviously do something wrong, just can't say what, and I have to
> >> say it's most likely really stupid, but I can't see it.
> >>
> >> gateway$ ls -l /sbin/iked*
> >> -r-xr-xr-x  1 root  bin  436584 Jun 15 20:42 /sbin/iked
> >> -r-xr-xr-x  1 root  bin  436584 Jun 15 20:42 /sbin/iked.66
> >> -r-xr-xr-x  1 root  bin  448744 May  7 12:52 /sbin/iked.67
> >> gateway$ date
> >> Tue Jun 16 12:51:13 EDT 2020
> >> gateway$ doas /etc/rc.d/iked stop
> >> iked(ok)
> >> gateway$ doas cp -p /sbin/iked.67 /sbin/iked
> >> gateway$ doas /etc/rc.d/iked start
> >> iked(ok)
> >> gateway$ doas ipsecctl -sa
> >> FLOWS:
> >> No flows
> >>
> >> SAD:
> >> No entries
> >> gateway$ date
> >> Tue Jun 16 12:51:54 EDT 2020
> >> gateway$ ls -l /sbin/iked*
> >> -r-xr-xr-x  1 root  bin  448744 May  7 12:52 /sbin/iked
> >> -r-xr-xr-x  1 root  bin  436584 Jun 15 20:42 /sbin/iked.66
> >> -r-xr-xr-x  1 root  bin  448744 May  7 12:52 /sbin/iked.67
> >>
> >>
> >>>> My guess is that it is simple and I don't think about it properly, but I
> >>>> am hitting a road block trying to figure it out.
> >>>>
> >>>> I am a bit at a loss and any clue stick would be greatly appreciated.
> >>>>
> >>>> Thanks
> >>>>
> >>>> Daniel
> >>>>
> >>>
> >>> - Tobias
> >>>
> >>
> > 
> > Hi,
> > 
> > thanks for the detailed input.  But there's one thing missing:  The
> > log output of the daemon.  It'll probably end up somewhere in
> > /var/log/daemon or /var/log/messages or so.
> 
> Here you go, and you will see 3 parts here.
> 
> Running as is with 6.6, then I stop it, put in 6.7 and restart. You
> see it trying to connect 5 times, then I stop it and put 6.6 back, and it
> comes up right away.
> 
> Was running 6.6 and did a live display of the daemon log as you see below.
> 
> Jun 16 14:05:13 restarted with 6.7
> 
> and at Jun 16 14:06:28 I restarted 6.6
> 
> 
> gateway$ tail -f /var/log/daemon
> Jun 16 14:03:39 gateway iked[27523]: spi=0x9632ba418d466a4e: recv
> IKE_AUTH res 1 peer 66.63.5.250:500 local 72.83.103.147:500, 752 bytes,
> policy 'VPN'
> Jun 16 14:03:39 gateway iked[27523]: spi=0x8d09e33663ef2175: recv
> IKE_AUTH res 1 peer 66.63.5.250:500 local 72.83.103.147:500, 752 bytes,
> policy 'Flow'
> Jun 16 14:03:39 gateway iked[27523]: spi=0x9632ba418d466a4e: sa_state:
> VALID -> ESTABLISHED from 66.63.5.250:500 to 72.83.103.147:500 policy 'VPN'
> Jun 16 14:03:39 gateway iked[27523]: spi=0x8d09e33663ef2175: sa_state:
> VALID -> ESTABLISHED from 66.63.5.250:500 to 72.83.103.147:500 policy 'Flow'
> Jun 16 14:03:54 gateway iked[27523]: spi=0x083fea7a6461a494: recv
> INFORMATIONAL req 0 peer 66.63.5.250:500 local 72.83.103.147:500, 80
> bytes, policy 'Flow'
> Jun 16 14:04:24 gateway iked[27523]: spi=0x083fea7a6461a494: recv
> INFORMATIONAL req 1 peer 66.63.5.250:500 local 72.83.103.147:500, 80
> bytes, policy 'Flow'
> Jun 16 14:04:26 gateway iked[27523]: spi=0x083fea7a6461a494: recv
> INFORMATIONAL req 1 peer 66.63.5.250:500 local 72.83.103.147:500, 80
> bytes, policy 'Flow'
> Jun 16 14:04:26 gateway iked[27523]: spi=0x083fea7a6461a494: recv
> INFORMATIONAL req 0 peer 66.63.5.250:500 local 72.83.103.147:500, 80
> bytes, policy 'Flow'
> Jun 16 14:04:30 gateway iked[27523]: spi=0x083fea7a6461a494: recv
> INFORMATIONAL req 1 peer 66.63.5.250:500 local 72.83.103.147:500, 80
> bytes, policy 'Flow'
> Jun 16 14:04:38 gateway iked[27523]: spi=0x083fea7a6461a494: recv
> INFORMATIONAL req 1 peer 66.63.5.250:500 local 72.83.103.147:500, 80
> bytes, policy 'Flow'
> Jun 16 14:04:54 gateway iked[27523]: spi=0x083fea7a6461a494: recv
> INFORMATIONAL req 1 peer 66.63.5.250:500 local 72.83.103.147:500, 80
> bytes, policy 'Flow'
> Jun 16 14:04:59 gateway iked[12930]: ca exiting, pid 12930
> Jun 16 14:04:59 gateway iked[95486]: control exiting, pid 95486
> Jun 16 14:04:59 gateway iked[27523]: ikev2 exiting, pid 27523
> Jun 16 14:04:59 gateway iked[69349]: parent terminating
> Jun 16 14:05:13 gateway iked[9507]: ikev2_init_ike_sa: initiating "VPN"
> Jun 16 14:05:13 gateway iked[9507]: spi=0x0d4ab5726d8bec79: send
> IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500, 278 bytes
> Jun 16 14:05:13 gateway iked[9507]: ikev2_init_ike_sa: initiating "Flow"
> Jun 16 14:05:13 gateway iked[9507]: spi=0x4066f22b5428a795: send
> IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500, 278 bytes
> Jun 16 14:05:15 gateway iked[9507]: spi=0x0d4ab5726d8bec79: retransmit 1
> IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500
> Jun 16 14:05:15 gateway iked[9507]: spi=0x4066f22b5428a795: retransmit 1
> IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500
> Jun 16 14:05:19 gateway iked[9507]: spi=0x0d4ab5726d8bec79: retransmit 2
> IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500
> Jun 16 14:05:19 gateway iked[9507]: spi=0x4066f22b5428a795: retransmit 2
> IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500

The retransmits tell us that the peer doesn't answer.  Or, to be more
precise, it doesn't receive *any* message from the peer.  Can you have
a look at the peer's logs?  Does the peer see these packets but chooses
not to reply?  Is the peer also an OpenBSD?  6.6?  6.7?

If you can't look at the logs, you could tcpdump on both sides port 500
and check if a) the packet arrives at the peer b) the peer tries to
respond.

So yeah, maybe the peer doesn't want to respond due to some changes.
This is a different problem to what the other people have, since you
cannot even get an answer to your IKE_SA_INIT message.

Patrick

> Jun 16 14:05:27 gateway iked[9507]: spi=0x0d4ab5726d8bec79: retransmit 3
> IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500
> Jun 16 14:05:27 gateway iked[9507]: spi=0x4066f22b5428a795: retransmit 3
> IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500
> Jun 16 14:05:43 gateway iked[9507]: spi=0x0d4ab5726d8bec79: retransmit 4
> IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500
> Jun 16 14:05:43 gateway iked[9507]: spi=0x4066f22b5428a795: retransmit 4
> IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500
> Jun 16 14:06:15 gateway iked[9507]: spi=0x4066f22b5428a795: retransmit 5
> IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500
> Jun 16 14:06:15 gateway iked[9507]: spi=0x0d4ab5726d8bec79: retransmit 5
> IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500
> Jun 16 14:06:17 gateway iked[69231]: control exiting, pid 69231
> Jun 16 14:06:17 gateway iked[9507]: ikev2 exiting, pid 9507
> Jun 16 14:06:17 gateway iked[47099]: ca exiting, pid 47099
> Jun 16 14:06:17 gateway iked[30794]: parent terminating
> Jun 16 14:06:28 gateway iked[9316]: spi=0x09a42697d863649c: send
> IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500, 454 bytes
> Jun 16 14:06:28 gateway iked[9316]: spi=0x731358d2dfd55719: send
> IKE_SA_INIT req 0 peer 66.63.5.250:500 local 0.0.0.0:500, 454 bytes
> Jun 16 14:06:28 gateway iked[9316]: spi=0x09a42697d863649c: recv
> IKE_SA_INIT res 0 peer 66.63.5.250:500 local 72.83.103.147:500, 395
> bytes, policy 'VPN'
> Jun 16 14:06:28 gateway iked[9316]: spi=0x731358d2dfd55719: recv
> IKE_SA_INIT res 0 peer 66.63.5.250:500 local 72.83.103.147:500, 395
> bytes, policy 'Flow'
> Jun 16 14:06:28 gateway iked[9316]: spi=0x09a42697d863649c: send
> IKE_AUTH req 1 peer 66.63.5.250:500 local 72.83.103.147:500, 784 bytes
> Jun 16 14:06:28 gateway iked[9316]: spi=0x731358d2dfd55719: send
> IKE_AUTH req 1 peer 66.63.5.250:500 local 72.83.103.147:500, 1168 bytes
> Jun 16 14:06:28 gateway iked[9316]: spi=0x09a42697d863649c: recv
> IKE_AUTH res 1 peer 66.63.5.250:500 local 72.83.103.147:500, 752 bytes,
> policy 'VPN'
> Jun 16 14:06:28 gateway iked[9316]: spi=0x731358d2dfd55719: recv
> IKE_AUTH res 1 peer 66.63.5.250:500 local 72.83.103.147:500, 752 bytes,
> policy 'Flow'
> Jun 16 14:06:28 gateway iked[9316]: spi=0x09a42697d863649c: sa_state:
> VALID -> ESTABLISHED from 66.63.5.250:500 to 72.83.103.147:500 policy 'VPN'
> Jun 16 14:06:28 gateway iked[9316]: spi=0x731358d2dfd55719: sa_state:
> VALID -> ESTABLISHED from 66.63.5.250:500 to 72.83.103.147:500 policy 'Flow'
> Jun 16 14:06:39 gateway iked[9316]: spi=0x8d09e33663ef2175: recv
> INFORMATIONAL req 0 peer 66.63.5.250:500 local 72.83.103.147:500, 80
> bytes, policy 'Flow'
> Jun 16 14:06:41 gateway iked[9316]: spi=0x8d09e33663ef2175: recv
> INFORMATIONAL req 0 peer 66.63.5.250:500 local 72.83.103.147:500, 80
> bytes, policy 'Flow'
> Jun 16 14:06:45 gateway iked[9316]: spi=0x8d09e33663ef2175: recv
> INFORMATIONAL req 0 peer 66.63.5.250:500 local 72.83.103.147:500, 80
> bytes, policy 'Flow'
> ^C
> gateway$
> 
> > Since you see no SA or Flow at all, iked maybe hasn't successfully
> > created them at all, and for that we need to see what iked complains
> > about, which it probably did in the log files.
> > 
> > Best regards,
> > Patrick
> > 
> 
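Two checks that fall out of this thread, as added example code (not from the thread, not from OpenBSD): classifying each IKE SPI in the iked(8) log as answered or silent, which is the retransmit pattern Patrick points at, and flagging incoming flows of type "use" in 'ipsecctl -sf' output, which is what the 6.7 switch to "require" removes. The sample log and flow lines are constructed copies in the exact format pasted above; the log and flow line formats are assumed to be stable.

```python
import re
from collections import defaultdict

# Constructed sample: iked(8) log lines in the thread's format
# (one unanswered SPI from the 6.7 run, one answered SPI from the 6.6 run).
IKED_LOG = """\
Jun 16 14:05:13 gateway iked[9507]: spi=0x0d4ab5726d8bec79: send IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500, 278 bytes
Jun 16 14:05:15 gateway iked[9507]: spi=0x0d4ab5726d8bec79: retransmit 1 IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500
Jun 16 14:05:19 gateway iked[9507]: spi=0x0d4ab5726d8bec79: retransmit 2 IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500
Jun 16 14:06:28 gateway iked[9316]: spi=0x09a42697d863649c: send IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500, 454 bytes
Jun 16 14:06:28 gateway iked[9316]: spi=0x09a42697d863649c: recv IKE_SA_INIT res 0 peer 66.63.5.250:500 local 72.83.103.147:500, 395 bytes, policy 'VPN'
Jun 16 14:06:28 gateway iked[9316]: spi=0x09a42697d863649c: sa_state: VALID -> ESTABLISHED from 66.63.5.250:500 to 72.83.103.147:500 policy 'VPN'
"""

# Constructed excerpt of 'ipsecctl -sf' output, again in the thread's format.
FLOWS = """\
flow esp in from 0.0.0.0/0 to 66.63.44.66 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp out from 66.63.44.66 to 0.0.0.0/0 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from ::/0 to ::/0 type deny
"""

LINE_RE = re.compile(
    r"spi=(?P<spi>0x[0-9a-f]+): (?P<event>send|recv|retransmit \d+|sa_state:) (?P<rest>.*)")
FLOW_RE = re.compile(
    r"^flow esp (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+).*\btype (?P<type>\w+)$")


def ike_init_outcomes(log):
    """Per IKE SPI: did our IKE_SA_INIT ever get a reply, and did the SA come up?

    Returns {spi: {"retransmits": n, "answered": bool, "established": bool}}.
    Retransmits with answered == False is the 'peer does not answer' pattern:
    either UDP/500 never reaches the peer, or the peer chooses to stay silent.
    """
    out = defaultdict(lambda: {"retransmits": 0, "answered": False, "established": False})
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        st, ev = out[m["spi"]], m["event"]
        if ev.startswith("retransmit"):
            st["retransmits"] = max(st["retransmits"], int(ev.split()[1]))
        elif ev == "recv":
            st["answered"] = True
        elif ev == "sa_state:" and "-> ESTABLISHED" in m["rest"]:
            st["established"] = True
    return dict(out)


def silent_peers(log):
    """SPIs whose IKE_SA_INIT was retransmitted and never answered at all."""
    return sorted(spi for spi, st in ike_init_outcomes(log).items()
                  if st["retransmits"] > 0 and not st["answered"])


def cleartext_accepting_flows(text):
    """Incoming flows of type 'use' in 'ipsecctl -sf' output.

    Such flows match traffic but still accept it unencrypted; that is what the
    6.7 move from 'use' to 'require' closes for flows installed by iked(8).
    """
    found = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m and m["dir"] == "in" and m["type"] == "use":
            found.append((m["src"], m["dst"]))
    return found


if __name__ == "__main__":
    print("unanswered IKE_SA_INIT SPIs:", silent_peers(IKED_LOG))
    print("incoming flows accepting cleartext:", cleartext_accepting_flows(FLOWS))
```

Feed it a real /var/log/daemon and 'ipsecctl -sf' capture instead of the constructed strings to get the same two lists for a live gateway.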
