Re: Can't connect from StrongSWAN to OpenBSD's iked

2017-06-21 Thread thebloggu
Thank you for your help!

I’ve been meaning to use the patch but I still haven’t had the time to test it. 
I will probably do it in the future and report back with problems if I get them. 
Either way I’ll be watching out for news about this.


> On 19/06/2017, at 05:07, Tim Stewart  wrote:
> 
> theblo...@gmail.com writes:
> 
>> Hello,
>> 
>> I’ve been trying to create an IPSec VPN in my OpenBSD computer and
>> every time I connect my Android phone (running StrongSWAN) to the
>> server I get the following errors in the logs (running iked -dvvv):
>> 
>>> ikev2_sa_responder_dh: invalid dh, size 4096
>>> ikev2_resp_recv: failed to get IKE SA keys
> 
> The problem is that iked(8) does not know how to perform Diffie-Hellman
> group negotiation.  I have an incomplete fix for this issue:
> 
>  https://marc.info/?l=openbsd-tech=149499865830823
> 
> You can try the patch in that thread and see if it allows you to
> complete negotiation.  The first patch is probably better, but I think
> it breaks rekeying of child SAs.
> 
> I'm working on a better fix right now.  I hope to have something more
> correct to submit to the above thread this week.
> 
>> My iked.conf is:
>> 
>>> ikev2 "base" from any to any \
>>>  peer any \
>>>  ikesa enc aes-256 auth hmac-sha2-512 group modp4096 \
>>>  childsa enc aes-256 auth hmac-sha2-512 group modp4096 \
>>>  config address 192.168.2.0/24 \
>>>  config name-server 192.168.1.254 \
>>>  config access-server 192.168.1.254
>> 
>> I’m using 4096 keys and modp4096 but AFAIK both the server and the
>> client support them. I’m not sure where to start troubleshooting the
>> problem and could use some help.
>> 
>> Thanks in advance.
> 
> I don't see anything obviously wrong here.
> 
> -TimS
> 
> --
> Tim Stewart
> ---
> Mail:   t...@stoo.org
> Matrix: @tim:stoo.org
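As an added example (not code from the thread, from iked or from strongSwan), a small Python model of the IKEv2 DH-group negotiation step that Tim refers to, as RFC 7296 describes it: the initiator guesses a group for its KE payload, and if the responder selects a different group it answers with an INVALID_KE_PAYLOAD notify naming its choice, after which the initiator retries. The IANA group IDs and the notify type are real; the responder's selection policy (its own preference order) and the `negotiates_groups` switch are assumptions used to contrast a responder that can renegotiate the group with one that cannot.

```python
# Added illustration of IKEv2 DH group negotiation (RFC 7296 section 2.7).
# Assumptions: responder prefers its own configured order; a responder with
# negotiates_groups=False simply fails on a mismatch. Not iked's code.
from dataclasses import dataclass

# IANA IKEv2 Transform Type 4 (Diffie-Hellman group) identifiers.
MODP_2048, MODP_4096, ECP_256 = 14, 16, 19
INVALID_KE_PAYLOAD = 17  # IKEv2 Notify message type (RFC 7296)


@dataclass
class IkeSaInit:
    proposals: list   # DH groups the initiator offers, most preferred first
    ke_group: int     # group actually used for the KE payload (the guess)


@dataclass
class Responder:
    allowed: list                  # configured groups, most preferred first
    negotiates_groups: bool = True  # assumption: can it send INVALID_KE_PAYLOAD?

    def pick_group(self, offered):
        # Assumed policy: first of the responder's groups that was offered.
        for g in self.allowed:
            if g in offered:
                return g
        return None

    def handle(self, msg):
        chosen = self.pick_group(msg.proposals)
        if chosen is None:
            return ("NO_PROPOSAL_CHOSEN", None)
        if msg.ke_group != chosen:
            if not self.negotiates_groups:
                return ("FAILED_INVALID_DH", None)   # symptom: no retry path
            return ("INVALID_KE_PAYLOAD", chosen)  # RFC 7296: retry with this
        return ("IKE_SA_INIT_OK", chosen)


def negotiate(responder, proposals, first_guess, max_rounds=2):
    """Initiator side: send the guess, retry once if told the right group."""
    guess, transcript = first_guess, []
    for _ in range(max_rounds):
        status, group = responder.handle(IkeSaInit(proposals, guess))
        transcript.append((guess, status, group))
        if status != "INVALID_KE_PAYLOAD":
            return status, group, transcript
        guess = group  # retry using the group the responder selected
    return "FAILED", None, transcript
```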



Can't connect from StrongSWAN to OpenBSD's iked

2017-06-17 Thread thebloggu
Hello,

I’ve been trying to create an IPSec VPN in my OpenBSD computer and every time I 
connect my Android phone (running StrongSWAN) to the server I get the following 
errors in the logs (running iked -dvvv):

> ikev2_sa_responder_dh: invalid dh, size 4096
> ikev2_resp_recv: failed to get IKE SA keys

My iked.conf is:

> ikev2 "base" from any to any \
>   peer any \
>   ikesa enc aes-256 auth hmac-sha2-512 group modp4096 \
>   childsa enc aes-256 auth hmac-sha2-512 group modp4096 \
>   config address 192.168.2.0/24 \
>   config name-server 192.168.1.254 \
>   config access-server 192.168.1.254

I’m using 4096 keys and modp4096 but AFAIK both the server and the client 
support them. I’m not sure where to start troubleshooting the problem and could 
use some help.

Thanks in advance.


Help setting up an IKEv2 IPSec Road Warrior VPN on OpenBSD

2017-06-08 Thread thebloggu
Hello!

I’m trying to build a road warrior style ikev2 ipsec vpn for my home
network on openbsd. The idea is to learn a bit of openbsd since it's
something I've been meaning to do for some time now and to set up
a vpn for me to reach my home network as securely as possible
(even if I need to compromise some compatibility, although
macOS/iOS and linux/android support is required).

I’m just starting openbsd from a linux background and I have an idea
of how ipsec works but I don’t have a deep understanding of the
protocol nor do I have a strong network background.

I’m using openiked (which I assume is the standard for ikev2 in
openbsd) and I’ve read the man pages for iked, iked.conf and ikectl.

For setting the vpn up I have some questions, as follows:

I’ve chosen ecdsa ecp256 cipher and I’ll be using either aes-256 with
hmac-sha2-512 or aes-256-gcm.

 * Do you believe these fit my requirements of currently being believed
   to be the most secure and of supporting the systems I mentioned
   earlier? What about aes + hmac vs. aes-gcm?

About the certificates used I assume I can't use ikectl ca command to
issue certificates since it doesn't seem to support ecdsa (please
correct me if I'm wrong) so I copied some issued by an easy-rsa ca as
well as keys to /etc/iked/{private,certs} and the ca to
/etc/iked/ca/ca.crt.

 * Is this enough to make it work?
 * And does the CN of the cert have to be that user's IP address in
   the network? Do they need to have some other setting?

I have the following iked.conf:

> ikev2 "base" from any to any \
>   peer any \
>   ikesa enc aes-256 auth hmac-sha2-512 group ecp256 \
>   childsa enc aes-256 auth hmac-sha2-512 group ecp256 \
>   ecdsa256 \
>   config address  \
>   config name-server  \
>   config access-server 

 * Does this seem to configure iked correctly for my requirements?

 * Do I need to set any rule in pf.conf or change some other system
   setting apart from enabling ip forwarding and esp/ah in sysctl?

 * BTW, do I need something else like MOBIKE I keep hearing about,
   since it’s a road warrior style vpn? If so, how should I configure it?

Thank you for your help.