Hi all,

I'm trying (again) to set up iked. I want to set up a site-to-site IKEv2 VPN where both sides are behind NAT, with a central OpenBSD responder which handles OpenBSD and strongSwan initiators on both sides.
But first I'm starting small and I try to create a small site-to-site VPN with 2 peers where one is behind NAT using OpenBSD iked on both sides. Both sides run OpenBSD 6.6 with all syspatches applied.
This simple configuration is working; however, I'm confronted with a strange finding where the setup stops working when I add an address configuration directive on the responder side.
Now I know that the OpenBSD iked client does not support IP configuration but I expected it to ignore the directive instead of going into what seems to be a wait loop.
I could not find any information regarding this issue in documentation or forums. I want to set up the address configuration because I plan to use it for the strongswan client later on.
Here is the working configuration:

Responder:

    ikev2 passive esp \
        from 0.0.0.0/0 to 10.201.201.0/24 \
        local 1.2.3.4 peer any \
        srcid vpn.example.com \
        tag "IKED"

Initiator:

    ikev2 active esp \
        from 0.0.0.0/0 to 10.201.201.0/24 \
        peer 1.2.3.4 \
        srcid initiator \
        tag "IKED"

Responder iked -dv:

    ikev2 "policy1" passive esp inet from 0.0.0.0/0 to 10.201.201.0/24 local 1.2.3.4 peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid vpn.example.com lifetime 10800 bytes 536870912 signature tag "IKED"
    spi=0xc1079b808ecf48e5: recv IKE_SA_INIT req 0 peer 5.6.7.8:500 local 1.2.3.4:500, 510 bytes, policy 'policy1'
    spi=0xc1079b808ecf48e5: send IKE_SA_INIT res 0 peer 5.6.7.8:500 local 1.2.3.4:500, 451 bytes
    spi=0xc1079b808ecf48e5: recv IKE_AUTH req 1 peer 5.6.7.8:4500 local 1.2.3.4:4500, 784 bytes, policy 'policy1'
    spi=0xc1079b808ecf48e5: send IKE_AUTH res 1 peer 5.6.7.8:4500 local 1.2.3.4:4500, 720 bytes, NAT-T
    spi=0xc1079b808ecf48e5: sa_state: VALID -> ESTABLISHED from 5.6.7.8:4500 to 1.2.3.4:4500 policy 'policy1'
Now if I change the responder config to add address configuration without changing the initiator config:
    ikev2 passive esp \
        from 0.0.0.0/0 to 10.201.201.0/24 \
        local 1.2.3.4 peer any \
        srcid vpn.example.com \
        config address 10.201.201.0/24 \
        tag "IKED"

Responder:

    ikev2 "policy1" passive esp inet from 0.0.0.0/0 to 10.201.201.0/24 local 1.2.3.4 peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid vpn.example.com lifetime 10800 bytes 536870912 signature config address 10.201.201.0 tag "IKED"
    spi=0x9b7bbe0baad5565b: recv IKE_SA_INIT req 0 peer 5.6.7.8:500 local 1.2.3.4:500, 510 bytes, policy 'policy1'
    spi=0x9b7bbe0baad5565b: send IKE_SA_INIT res 0 peer 5.6.7.8:500 local 1.2.3.4:500, 451 bytes
    spi=0x9b7bbe0baad5565b: recv IKE_AUTH req 1 peer 5.6.7.8:4500 local 1.2.3.4:4500, 784 bytes, policy 'policy1'
    spi=0x9b7bbe0baad5565b: recv IKE_AUTH req 1 peer 5.6.7.8:4500 local 1.2.3.4:4500, 784 bytes, policy 'policy1'
    spi=0x9b7bbe0baad5565b: recv IKE_AUTH req 1 peer 5.6.7.8:4500 local 1.2.3.4:4500, 784 bytes, policy 'policy1'
    spi=0x9b7bbe0baad5565b: recv IKE_AUTH req 1 peer 5.6.7.8:4500 local 1.2.3.4:4500, 784 bytes, policy 'policy1'
    (... repeat forever)

Initiator:

    ikev2 "policy1" active esp inet from 0.0.0.0/0 to 10.201.201.0/24 local any peer 1.2.3.4 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid initiator lifetime 10800 bytes 536870912 rsa tag "IKED"
    spi=0x9b7bbe0baad5565b: send IKE_SA_INIT req 0 peer 1.2.3.4:500 local 0.0.0.0:500, 510 bytes
    spi=0x9b7bbe0baad5565b: recv IKE_SA_INIT res 0 peer 1.2.3.4:500 local 192.168.5.2:500, 451 bytes, policy 'policy1'
    spi=0x9b7bbe0baad5565b: send IKE_AUTH req 1 peer 1.2.3.4:4500 local 192.168.5.2:4500, 784 bytes, NAT-T
    (... repeat forever)

Thanks for your insights.

Best regards,
Jona JOACHIM
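As an added example (not part of the original post), a small parser over iked -dv output that flags a request the responder keeps receiving without ever sending the matching response, which is exactly the pattern in the failing responder log above (IKE_AUTH req 1 received again and again, no IKE_AUTH res 1). The sample lines are constructed from the quoted output; the log line layout assumed is the one shown in the post.

```python
"""Flag unanswered, repeatedly received IKEv2 requests in iked -dv output."""
import re
from collections import defaultdict

# Constructed sample, modelled on the failing responder log quoted in the post.
SAMPLE_LOG = """\
spi=0x9b7bbe0baad5565b: recv IKE_SA_INIT req 0 peer 5.6.7.8:500 local 1.2.3.4:500, 510 bytes, policy 'policy1'
spi=0x9b7bbe0baad5565b: send IKE_SA_INIT res 0 peer 5.6.7.8:500 local 1.2.3.4:500, 451 bytes
spi=0x9b7bbe0baad5565b: recv IKE_AUTH req 1 peer 5.6.7.8:4500 local 1.2.3.4:4500, 784 bytes, policy 'policy1'
spi=0x9b7bbe0baad5565b: recv IKE_AUTH req 1 peer 5.6.7.8:4500 local 1.2.3.4:4500, 784 bytes, policy 'policy1'
spi=0x9b7bbe0baad5565b: recv IKE_AUTH req 1 peer 5.6.7.8:4500 local 1.2.3.4:4500, 784 bytes, policy 'policy1'
"""

# Matches the prefix of iked -dv exchange lines: spi, direction, exchange, req/res, message id.
LINE_RE = re.compile(
    r"spi=(?P<spi>0x[0-9a-f]+): (?P<dir>recv|send) (?P<exch>\w+) "
    r"(?P<kind>req|res) (?P<msgid>\d+)"
)


def find_unanswered_requests(log_text, threshold=2):
    """Return a list of (spi, exchange, msgid, recv_count) for requests that were
    received at least `threshold` times and never answered with a response
    carrying the same SPI and message id. An initiator retransmits a request
    it gets no response to, so repeats without a 'send ... res' line point at
    the responder never completing the exchange."""
    received = defaultdict(int)
    answered = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # policy dump, sa_state and other non-exchange lines
        key = (m["spi"], m["exch"], int(m["msgid"]))
        if m["dir"] == "recv" and m["kind"] == "req":
            received[key] += 1
        elif m["dir"] == "send" and m["kind"] == "res":
            answered.add(key)
    return [(spi, exch, msgid, n) for (spi, exch, msgid), n in received.items()
            if n >= threshold and (spi, exch, msgid) not in answered]


if __name__ == "__main__":
    for spi, exch, msgid, n in find_unanswered_requests(SAMPLE_LOG):
        print(f"{spi}: {exch} req {msgid} received {n} times, no response sent")
```

Run it on a saved `iked -dv` log to confirm that the stuck exchange is IKE_AUTH and not IKE_SA_INIT; IKE_SA_INIT is answered in both of the logs quoted above.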