Hello fellow OpenBSD users,
I've run into a couple of issues with setting up an IKE IPsec VPN with a
Windows 7 native client. I've run through the lists and have found a
solution to get it working somewhat how I'd like it working.
I currently have this in my iked.conf:
ikev2 passive esp \
from 192.168.200.0/24 to 10.10.10.0/24 local any peer any \
srcid xxx.xxx.xxx.xxx \
config address 10.10.10.1 \
config name-server 192.168.200.x
And on my W7 client I have a static IP configured and am using machine
certificates. I connect there with no issue and everything is kosher... kind
of.
I want to use a username and password so I have this in my iked.conf:
user my user ID Wouldn't_you_like_to_know?
ikev2 passive esp \
from 192.168.200.0/24 to 10.10.10.0/24 local any peer any \
eap mschap-v2 \
srcid xxx.xxx.xxx.xxx \
config address 10.10.10.1 \
config name-server 192.168.200.x \
tag $name-$id
When I do this I get an error:
Error Code 13803 "IKE negotiation in progress" and it just sits there. Has
anyone gotten this to work before?
I ran iked in debug mode with verbose output and received the following:
/etc/iked.conf: loaded 2 configuration rules
config_new_user: inserting new user my_user
user my_user password
config_getpolicy: received policy
ikev2 win7 passive esp from 192.168.200.0/24 to 10.10.10.0/24 local any peer
any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1,hmac-md5
auth hmac-sha2-256,hmac-sha1,hmac-md5 group modp2048-256,modp2048,modp1536,modp1024
childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid
xxx.xxx.xxx.xxx lifetime 10800 bytes 536870912 eap MSCHAP_V2 config address 10.10.10.7
ca_reload: loaded ca file ca.crt
ca_reload: loaded crl file ca.crl
ca_reload: /C=US/ST=/L=/O=xxx.com/OU=VPN/CN=cerberus.xxx.x/emailAddress=info@xxx.xx
config_getpfkey: received pfkey fd 4
ca_reload: loaded 1 ca certificate
config_getcompile: compilation done
config_getsocket: received socket fd 11
config_getsocket: received socket fd 12
config_getsocket: received socket fd 14
config_getsocket: received socket fd 20
ca_reload: loaded cert file xxx.xxx.xxx.xxx.crt
ca_validate_cert: /C=US/ST=/L=/O=xxx.com/OU=VPN/CN=xxx.xxx.xxx.xxx/emailAddress=i...@xxx.com ok
ikev2_dispatch_cert: updated local CERTREQ signatures length 20
ikev2_recv: IKE_SA_INIT from initiator xxx.xxx.xxx.xxx:56506 to
xxx.xxx.xxx.xxx:500 policy 'win7', 792 bytes
ikev2_policy2id: srcid IPV4/xxx.xxx.xxx.xxx length 8
ikev2_pld_parse: header ispi 0x46459f2713e1d8d3 rspi 0x
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 792
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 520
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x46459f2713e1d8d3 0x
xxx.xxx.xxx.xxx:56506
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP
encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x46459f2713e1d8d3 0x
xxx.xxx.xxx.xxx:500
sa_state: INIT - SA_INIT
ikev2_sa_negotiate: score 23
sa_stateok: SA_INIT flags 0x00, require 0x00
sa_stateflags: 0x00 - 0x08 sa (required 0x00 )
ikev2_sa_keys: SKEYSEED with 20 bytes
ikev2_sa_keys: S with 96 bytes
ikev2_prfplus: T1 with 20 bytes
ikev2_prfplus: T2 with 20 bytes
ikev2_prfplus: T3 with 20 bytes
ikev2_prfplus: T4 with 20 bytes
ikev2_prfplus: T5 with 20 bytes
ikev2_prfplus: T6 with 20 bytes
ikev2_prfplus: T7 with 20 bytes
ikev2_prfplus: T8 with 20 bytes
ikev2_prfplus: Tn with 160 bytes
ikev2_sa_keys: SK_d with 20 bytes
ikev2_sa_keys: SK_ai with 20 bytes
ikev2_sa_keys: SK_ar with 20 bytes
ikev2_sa_keys: SK_ei with 24 bytes
ikev2_sa_keys: SK_er with 24 bytes
ikev2_sa_keys: SK_pi with 20 bytes
ikev2_sa_keys: SK_pr with 20 bytes
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload KE
ikev2_next_payload: length 136 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x46459f2713e1d8d3 0x7916745180423feb
xxx.xxx.xxx.xxx:500
ikev2_next_payload: length 28
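As an added example (not part of the post above, and not OpenBSD's own code), the script below takes the four "ikev2_pld_xform" lines the Windows 7 client sent in its IKE_SA_INIT and the "ikesa enc ... prf ... auth ... group ..." part of the config_getpolicy dump, both copied from the debug output quoted above, and checks per transform type whether the peer's choice is listed in the policy and whether it is on a weak-algorithm list. The mapping from iked's transform identifiers (3DES, HMAC_SHA1_96, MODP_1024, AES_CBC plus key length) to iked.conf keywords and the weak-algorithm list are assumptions made for this example.

```python
"""Check a Windows IKEv2 client's IKE_SA_INIT proposal against an iked policy.

Added example, not code from the original post or from OpenBSD iked. It parses
the 'ikev2_pld_xform' lines iked -dv prints for the initiator's proposal and the
'ikesa enc ... prf ... auth ... group ...' part of the config_getpolicy dump, then
reports per transform type whether the peer's choice is accepted by the policy
and whether it is on an (assumed) weak-algorithm list.
"""
import re
from typing import Dict, List, Optional

# Constructed sample input, copied from the iked -dv output quoted in the post:
# the Windows 7 initiator's IKE proposal (one transform per type) ...
PEER_XFORM_LINES = """\
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
"""
# ... and the algorithm lists of the 'win7' policy as iked dumped them.
POLICY_DUMP = (
    "ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1,hmac-md5 "
    "auth hmac-sha2-256,hmac-sha1,hmac-md5 group modp2048-256,modp2048,modp1536,modp1024 "
    "childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1"
)

# Transform type as iked prints it -> iked.conf keyword whose list it belongs to.
TYPE_TO_KEYWORD = {"ENCR": "enc", "INTEGR": "auth", "PRF": "prf", "DH": "group"}

# Assumption of this example, not a list taken from iked: 3DES (Sweet32),
# 1024-bit and smaller MODP groups (Logjam) and MD5 should not be offered.
WEAK = {"3des", "des", "modp768", "modp1024", "hmac-md5"}

XFORM_RE = re.compile(r"ikev2_pld_xform:.*\btype (\w+) id (\S+)(?: length (\d+))?")
POLICY_RE = re.compile(r"\b(enc|prf|auth|group) (\S+)")


def xform_to_keyword(xtype: str, xid: str, keylen: Optional[str]) -> str:
    """Map an iked transform id (HMAC_SHA1_96, MODP_1024, AES_CBC + key length)
    to the keyword iked.conf uses for it (hmac-sha1, modp1024, aes-128).
    The mapping rules below are an assumption of this example."""
    name = xid.lower()
    if name.startswith("aes_"):          # AES_CBC with 'length 256' -> aes-256
        return f"aes-{keylen}" if keylen else "aes"
    if name.startswith("modp_"):         # MODP_1024 -> modp1024
        return "modp" + name[len("modp_"):]
    parts = name.split("_")
    if xtype == "INTEGR" and len(parts) > 2 and parts[-1].isdigit():
        parts = parts[:-1]               # drop the ICV truncation length (_96, _128)
    return "-".join(parts)               # HMAC_SHA2_256 -> hmac-sha2-256


def parse_peer_proposal(log: str) -> Dict[str, str]:
    """Return {keyword: algorithm} for the transforms in the peer's proposal."""
    proposal = {}
    for xtype, xid, keylen in XFORM_RE.findall(log):
        proposal[TYPE_TO_KEYWORD[xtype]] = xform_to_keyword(xtype, xid, keylen or None)
    return proposal


def parse_policy(dump: str) -> Dict[str, List[str]]:
    """Return {keyword: [algorithms]} for the ikesa section of a policy dump."""
    ikesa = dump.split("childsa")[0]     # the childsa lists reuse the same keywords
    return {kw: vals.split(",") for kw, vals in POLICY_RE.findall(ikesa)}


def strip_weak(policy: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """A tightened copy of the policy with the weak algorithms removed."""
    return {kw: [a for a in algs if a not in WEAK] for kw, algs in policy.items()}


def evaluate(peer: Dict[str, str], policy: Dict[str, List[str]]) -> dict:
    """Per transform type: the peer's choice, whether the policy lists it, and
    whether it is weak. 'negotiable' is True only if every type is accepted,
    which is what IKE_SA_INIT needs to avoid a NO_PROPOSAL_CHOSEN reply."""
    transforms = {
        kw: {"alg": alg, "accepted": alg in policy.get(kw, []), "weak": alg in WEAK}
        for kw, alg in peer.items()
    }
    return {"transforms": transforms,
            "negotiable": all(t["accepted"] for t in transforms.values())}


if __name__ == "__main__":
    peer = parse_peer_proposal(PEER_XFORM_LINES)
    posted = parse_policy(POLICY_DUMP)
    for label, policy in (("posted policy", posted),
                          ("policy without weak algorithms", strip_weak(posted))):
        verdict = evaluate(peer, policy)
        print(f"{label}: negotiable={verdict['negotiable']}")
        for kw, t in verdict["transforms"].items():
            flags = ("accepted" if t["accepted"] else "REJECTED") + (", weak" if t["weak"] else "")
            print(f"  {kw:5} {t['alg']:14} {flags}")
```

What it shows: every transform the Windows 7 client proposes (3DES, HMAC-SHA1, DH group modp1024) is the weakest entry of the matching list in the posted policy, so the IKE_SA_INIT exchange in the log completes and the SK_* keys get derived; whatever stalls the EAP exchange later is not a proposal mismatch. Once the weak entries are dropped on the iked side (for instance "ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048" in iked.conf), the same client proposal is no longer negotiable, so the client has to be raised too; Windows provides the NegotiateDH2048_AES256 value under HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters to make the native client offer AES-256 and DH group 14.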