Re: IKEv2 certificates?

2023-10-29 Thread latincom
> Server 1 config: > This server is connected to a Laptop server/roadwarrior. > > ikev2 'agroena.org.pub' passive esp \ > from 10.0.1.0/24 to 10.0.2.0/24 \ > local 66.135.5.128 peer 24.80.177.18 \ > srcid agroena.org > > ikev2 'agroena.o

IKEv2 certificates?

2023-10-28 Thread latincom
a Laptop server/roadwarrior. ikev2 'agroena.org.pub' passive esp \ from 10.0.1.0/24 to 10.0.2.0/24 \ local 66.135.5.128 peer 24.80.177.18 \ srcid agroena.org ikev2 'agroena.org.pub' passive esp \ from any to dynamic \ local 6

Re: IKEv1 and IKEv2 coexistence

2023-01-10 Thread Stuart Henderson
On 2023-01-09, jean-yves boisiaud wrote: > Hello, > > I have an OpenBSD firewall running IPSEc with IKEv1. > > As said here https://marc.info/?l=openbsd-misc&m=163819895506660&w=2 > isakmpd cannot coexist with IKEv2. > > But I have several IPs, could I use one I

IKEv1 and IKEv2 coexistence

2023-01-09 Thread jean-yves boisiaud
Hello, I have an OpenBSD firewall running IPSEc with IKEv1. As said here https://marc.info/?l=openbsd-misc&m=163819895506660&w=2 isakmpd cannot coexist with IKEv2. But I have several IPs, could I use one IP for IKEv1 and another one for IKEv2 ? I'm running OpenBSD 7.1. Thank

Re: IKEV2 two devices can connect but only one can make traffic

2022-04-15 Thread Stuart Henderson
On 2022-04-12, Łukasz Moskała wrote: > I remember talking with network engineer at one company I used to work at. > We used fortigate firewalls, and I asked why are we using SSLVPN instead of > ipsec-based vpn, as both were supported. > > He said something along the lines of "ipsec does not work

Re: IKEV2 two devices can connect but only one can make traffic

2022-04-13 Thread infoomatic
On 12.04.22 15:26, Łukasz Moskała wrote: I remember talking with network engineer at one company I used to work at. We used fortigate firewalls, and I asked why are we using SSLVPN instead of ipsec-based vpn, as both were supported. He said something along the lines of "ipsec does not work when

Re: IKEV2 two devices can connect but only one can make traffic

2022-04-12 Thread Janne Johansson
On Tue, 12 Apr 2022 at 15:30, Łukasz Moskała wrote: > I remember talking with network engineer at one company I used to work at. > We used fortigate firewalls, and I asked why are we using SSLVPN instead of > ipsec-based vpn, as both were supported. > He said something along the lines of "ipsec d

Re: IKEV2 two devices can connect but only one can make traffic

2022-04-12 Thread Ettore Tagarelli
Issue solved updating my linux strongswan client!!! Sorry for the trouble... Thanks to everybody 😊

Re: IKEV2 two devices can connect but only one can make traffic

2022-04-12 Thread Tobias Heider
On Tue, Apr 12, 2022 at 01:03:55AM +0200, Ettore Tagarelli wrote: > If I use the "dynamic keyword I get this error: "no IP address found for > dynamic" though "config address 192.168.98.1/24" is there. > Using 0.0.0.0/32 instead of 0.0.0.0/0 causes that traffic is not routed > ('cause /32 restrict

Re: IKEV2 two devices can connect but only one can make traffic

2022-04-12 Thread Łukasz Moskała
On Tue, Apr 12, 2022 at 03:06:50PM +0200, Ettore Tagarelli wrote: > Updated to 7.0 > ...same problem 🙁 I remember talking with network engineer at one company I used to work at. We used fortigate firewalls, and I asked why are we using SSLVPN instead of ipsec-based vpn, as both were suppor

Re: IKEV2 two devices can connect but only one can make traffic

2022-04-12 Thread Tobias Heider
On Tue, Apr 12, 2022 at 03:06:50PM +0200, Ettore Tagarelli wrote: > Updated to 7.0 > ...same problem 🙁 What does the updated config look like? "from 0.0.0.0/0 to dynamic" should work in 7.0.

Re: IKEV2 two devices can connect but only one can make traffic

2022-04-12 Thread Ettore Tagarelli
Updated to 7.0 ...same problem 🙁

Re: IKEV2 two devices can connect but only one can make traffic

2022-04-12 Thread Stuart Henderson
On 2022-04-11, Ettore Tagarelli wrote: > If I use the "dynamic keyword I get this error: "no IP address found for > dynamic" though "config address 192.168.98.1/24" is there. > Using 0.0.0.0/32 instead of 0.0.0.0/0 causes that traffic is not routed > ('cause /32 restrict the only address possible

Fwd: IKEV2 two devices can connect but only one can make traffic

2022-04-11 Thread Ettore Tagarelli
-- Forwarded message - From: Ettore Tagarelli Date: Tue, 12 Apr 2022 at 01:03 Subject: Re: IKEV2 two devices can connect but only one can make traffic To: If I use the "dynamic keyword I get this error: "no IP address found for dynamic" though "config add

IKEV2 two devices can connect but only one can make traffic

2022-04-11 Thread Ettore Tagarelli
If I use the "dynamic keyword I get this error: "no IP address found for dynamic" though "config address 192.168.98.1/24" is there. Using 0.0.0.0/32 instead of 0.0.0.0/0 causes that traffic is not routed ('cause /32 restrict the only address possible to 0.0.0.0) though connection happens correctly.

Re: IKEV2 two devices can connect but only one can make traffic

2022-04-11 Thread Tobias Heider
f 0.0.0.0/0. In any case I would also advise to update to a newer version. > > > user "cash" "password1" > user "phosh" "password2" > >ikev2 passive esp \ > from 0.0.0.0/0 to 192.168.98.1/24 \ > local 192.168.99

Re: IKEV2 two devices can connect but only one can make traffic

2022-04-11 Thread Ettore Tagarelli
this is my iked.conf as far as I know the "somename" Stuart wrote about is automatically added by iked. user "cash" "password1" user "phosh" "password2" ikev2 passive esp \ from 0.0.0.0/0 to 192.168.98.1/24 \ local 192.168

Re: IKEV2 two devices can connect but only one can make traffic

2022-04-11 Thread Stuart Henderson
On 2022-04-11, Ettore Tagarelli wrote: > Hello, > I've an Openbsd 6.6 machine with IKEV2. I always used it with only one > client connected and it always worked. Trying to connect with two clients > (behind the same NAT) I found out that the connection seems established but

IKEV2 two devices can connect but only one can make traffic

2022-04-11 Thread Ettore Tagarelli
Hello, I've an Openbsd 6.6 machine with IKEV2. I always used it with only one client connected and it always worked. Trying to connect with two clients (behind the same NAT) I found out that the connection seems established but only one client works. Can anybody help me? Thanks 😊

ikev2 configuration on per-user basis with different policies

2022-04-10 Thread Ettore Tagarelli
Hello, I configured an Openbsd system as a VPN server with IKEV2. It works great but I'd like to use a configuration with different policies on per-user basis. The clients connect from dynamic ip. Does anybody have any hint or alternative? thanks 😊

Re: ikev2 fails with mschap-v2

2022-03-21 Thread readme
On Tue, Mar 01, 2022 at 09:17:08PM -0600, Andrew Daugherity wrote: >On Wed, Feb 23, 2022 at 10:10 PM wrote: >> >> I honestly have no idea where the logs would even be stored or what >> the daemon runs as under MacOS 12.2.1 (Monterey). > >I don't have a Monterey system handy, but at least under mac

Re: ikev2 fails with mschap-v2

2022-03-01 Thread Andrew Daugherity
On Wed, Feb 23, 2022 at 10:10 PM wrote: > > I honestly have no idea where the logs would even be stored or what > the daemon runs as under MacOS 12.2.1 (Monterey). I don't have a Monterey system handy, but at least under macOS Catalina, VPN connections use setkey and racoon, similar to FreeBSD. P

Re: ikev2 fails with mschap-v2

2022-02-23 Thread readme
>> >> [..] >> >> /etc/iked.conf - fails with username/password >> >> ## >> >> user "testuser" "testpassword" >> >> ikev2 "ROAD_WARRIOR" esp \ >> >> from 0.0.0.0/0 to 10.1.255.0/24 \

Re: ikev2 fails with mschap-v2

2022-02-23 Thread Tobias Heider
fined in > >> /etc/iked.conf. I'm connecting from a native Mac client...is > >> mschap-v2 on MacOS broken or are my configs wrong? Thanks in advance. > >> > [..] > >> /etc/iked.conf - fails with username/password > >> ##

Re: ikev2 fails with mschap-v2

2022-02-21 Thread readme
mschap-v2 on MacOS broken or are my configs wrong? Thanks in advance. >> [..] >> /etc/iked.conf - fails with username/password >> ## >> user "testuser" "testpassword" >> ikev2 "ROAD_WARRIOR"

Re: ikev2 fails with mschap-v2

2022-02-21 Thread Tobias Heider
. > > Working configuration and logs: > > /etc/iked.conf - works with psk > #### > ikev2 "ROAD_WARRIOR" esp \ > from 0.0.0.0/0 to 10.1.255.0/24 \ > peer any local vpn.company.com \ > srcid vpn.company.com \ >

ikev2 fails with mschap-v2

2022-02-18 Thread readme
h psk ikev2 "ROAD_WARRIOR" esp \ from 0.0.0.0/0 to 10.1.255.0/24 \ peer any local vpn.company.com \ srcid vpn.company.com \ dstid mac-laptop \ psk "ASDFASDFASDFASDF" config address 10.1.255.0/24 \ config name-server 10.1.255.1 \

Re: IKEv1 and IKEv2 coexistence

2021-11-30 Thread Grzegorz Patola
Many thanks Stuart. On 30/11/2021 08:48, Stuart Henderson wrote: On 2021-11-29, Grzegorz Patola wrote: Could you tell me if it is possible to run ipsec in v1 and v2 ie. isakmpd and iked daemons on just one gateway ? It is not. -- We Revolutionise Customer Journeys. www.engagehub.com

Re: IKEv1 and IKEv2 coexistence

2021-11-30 Thread Stuart Henderson
On 2021-11-29, Grzegorz Patola wrote: > Could you tell me if it is possible to run ipsec in v1 and v2 > > ie. isakmpd and iked daemons on just one gateway ? It is not.

IKEv1 and IKEv2 coexistence

2021-11-29 Thread Grzegorz Patola
Hi All, Could you tell me if it is possible to run ipsec in v1 and v2 ie. isakmpd and iked daemons on just one gateway ? Thanks, Greg. -- We Revolutionise Customer Journeys. www.engagehub.com  | Follow us on LinkedIn

Re: assistance request for IKEv2 VPN setup with iked

2021-10-21 Thread Crystal Kolipe
On Thu, Oct 21, 2021 at 10:23:51AM +0200, Johann Belau wrote: > Dear all, > > I am in desperate need of assistance for setting up an IKEv2 VPN tunnel to a > remote LAN with OpenBSD as my VPN gateway. > > A short outline of what I'm trying to achieve: > > 1. I h

assistance request for IKEv2 VPN setup with iked

2021-10-21 Thread Johann Belau
Dear all, I am in desperate need of assistance for setting up an IKEv2 VPN tunnel to a remote LAN with OpenBSD as my VPN gateway. A short outline of what I'm trying to achieve: 1. I have a remote private LAN with Windows Servers and one OpenBSD gateway (gateway has a public IP, the re

Re: IKEv2: CHILD_SA is not created

2021-05-21 Thread Денис Давыдов
status that >> prevents multiple traffic selectors from being supported in one child SA >> in >> IKEv2. >> >> For more information: >> >> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCue42170/?reffering_site=dumpcr >> >> Known affected releases: 8.

Re: IKEv2: CHILD_SA is not created

2021-05-21 Thread csszep
): > It turns out that the Cisco ASA has a bug CSCue42170 with open status that > prevents multiple traffic selectors from being supported in one child SA in > IKEv2. > > For more information: > > https://bst.cloudapps.cisco.com/bugsearch/bug/CSCue42170/?reffering_site=dump

Re: IKEv2: CHILD_SA is not created

2021-05-21 Thread Денис Давыдов
It turns out that the Cisco ASA has a bug CSCue42170 with open status that prevents multiple traffic selectors from being supported in one child SA in IKEv2. For more information: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCue42170/?reffering_site=dumpcr Known affected releases: 8.6(1), 9.1

Re: IKEv2: CHILD_SA is not created

2021-05-12 Thread Денис Давыдов
Finally solved! Tried TS one after another. To put it mildly, I'm surprised. it turns out that the equipment on the remote side is configured in such a way that for each TS I had to set up a separate connection. This configuration working fine now: ikev2 crypto-primary active esp \

Re: IKEv2: CHILD_SA is not created

2021-05-12 Thread Денис Давыдов
Tobias, I replaced the OpenBSD with the same configuration: -> % uname -r -p 6.9 amd64 Now, with this configuration: ikev2 crypto-primary active esp \ from any to any \ peer 7.7.7.7 \ ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp2048 \ childsa a

Re: IKEv2: CHILD_SA is not created

2021-05-12 Thread Tobias Heider
On Wed, May 12, 2021 at 12:06:21PM +0300, Денис Давыдов wrote: > I tried to specify an explicit parameter -T to disable NAT-Traversal > auto-detection and use `local' parameter. Also according to your advice > tried a configuration like this: > > ikev2 crypto-primary active es

Re: IKEv2: CHILD_SA is not created

2021-05-12 Thread Денис Давыдов
I tried to specify an explicit parameter -T to disable NAT-Traversal auto-detection and use `local' parameter. Also according to your advice tried a configuration like this: ikev2 crypto-primary active esp \ from any to any \ local 1.1.1.1 peer 7.7.7.7 \ ikesa auth hmac-sha

Re: IKEv2: CHILD_SA is not created

2021-05-11 Thread Tobias Heider
Svc_2_2_2_2 > host 2.2.2.2 > object network Svc_3_3_3_3 > host 3.3.3.3 > crypto ipsec ikev2 ipsec-proposal ESP-AES256-SHA2 > protocol esp encryption aes-256 > protocol esp integrity sha-256 > > object-group network Customer > description Customer > network-object

Re: IKEv2: CHILD_SA is not created

2021-05-11 Thread Денис Давыдов
Tobias, The remote side gave me their Cisco ASA 5585 settings and they showed the logs: object network Svc_2_2_2_2 host 2.2.2.2 object network Svc_3_3_3_3 host 3.3.3.3 crypto ipsec ikev2 ipsec-proposal ESP-AES256-SHA2 protocol esp encryption aes-256 protocol esp integrity sha-256 object-group

Re: IKEv2: CHILD_SA is not created

2021-05-07 Thread Tobias Heider
7 - our isp provider (some of cisco devices) > > /etc/iked.conf (on 1.1.1.1): > > ikev2 crypto-primary active esp \ > from 10.21.139.8/30 to 2.2.2.2 \ > from 10.21.139.8/30 to 3.3.3.3 \ > peer 7.7.7.7 \ > ikesa auth hmac-sha2-256 enc aes-256 prf hmac-

IKEv2: CHILD_SA is not created

2021-05-07 Thread Денис Давыдов
Hello all, I can't understand why I got SA_INIT timeout: May 5 13:18:54 crypto-gw2 iked[65530]: spi=0x73bcd531eb2e8899: sa_free: SA_INIT timeout 1.1.1.1 (crypto-gw2) - my host 7.7.7.7 - our isp provider (some of cisco devices) /etc/iked.conf (on 1.1.1.1): ikev2 crypto-primary activ

Re: IKEv1 support with IKEv2 on the same router

2021-04-14 Thread Dev Op
> > DPD-check-interval=30 > > Default-phase-1-lifetime=86400,60:86400 > > Default-phase-2-lifetime=86400,60:86400 > > > > But how to bind iked (IKEv2) to another address Y.Y.Y.Y? > > Running both on the same system isn't possible. As far as I understand > it

Re: IKEv1 support with IKEv2 on the same router

2021-04-14 Thread Stefan Sperling
imple, for example: > /etc/isakmpd/isakmpd.conf > [General] > Listen-on=X.X.X.X > Retransmits=32 > Exchange-max-time=240 > DPD-check-interval=30 > Default-phase-1-lifetime=86400,60:86400 > Default-phase-2-lifetime=86400,60:86400 > > But how to bind iked (IKEv2) to another

IKEv1 support with IKEv2 on the same router

2021-04-14 Thread Dev Op
hange-max-time=240 DPD-check-interval=30 Default-phase-1-lifetime=86400,60:86400 Default-phase-2-lifetime=86400,60:86400 But how to bind iked (IKEv2) to another address Y.Y.Y.Y? $ uname -r 6.7 -- wbr, Denis

Re: ikectl ca and subjectAltName for IKEv2 VPNs

2021-03-08 Thread Stuart Henderson
On 2021-03-04, David Newman wrote: > On 3/4/21 12:29 AM, Stuart Henderson wrote: > >> On 2021-03-04, David Newman wrote: >>> Apparently Apple iOS and iPadOS VPN clients now require a subjectAltName >>> in the client cert, not just the CN, to set up IKEv2 VPN tunnel

Re: ikectl ca and subjectAltName for IKEv2 VPNs

2021-03-04 Thread David Newman
On 3/4/21 12:29 AM, Stuart Henderson wrote: > On 2021-03-04, David Newman wrote: >> Apparently Apple iOS and iPadOS VPN clients now require a subjectAltName >> in the client cert, not just the CN, to set up IKEv2 VPN tunnels.* The >> subjectAltName can be the same as the

Re: ikectl ca and subjectAltName for IKEv2 VPNs

2021-03-04 Thread Stuart Henderson
On 2021-03-04, David Newman wrote: > Apparently Apple iOS and iPadOS VPN clients now require a subjectAltName > in the client cert, not just the CN, to set up IKEv2 VPN tunnels.* The > subjectAltName can be the same as the CN; it just has to be present. Most IKE software has always ne

ikectl ca and subjectAltName for IKEv2 VPNs

2021-03-03 Thread David Newman
Apparently Apple iOS and iPadOS VPN clients now require a subjectAltName in the client cert, not just the CN, to set up IKEv2 VPN tunnels.* The subjectAltName can be the same as the CN; it just has to be present. Questions about this: 1. Does the 'ikectl ca certificate create' comma

Re: Fwd: ikev2 active roadwarrior with openbsd

2021-02-08 Thread Stuart Henderson
>> On 2021-02-04, Riccardo Giuntoli wrote: >> > A ikev2 passive server in France that got: >> > >> > A CA >> > A server certificate for tls server >> > And a client certificate for tls client >> > >> > I export the CA in PEM

Fwd: ikev2 active roadwarrior with openbsd

2021-02-04 Thread Riccardo Giuntoli
-- Forwarded message - From: Riccardo Giuntoli Date: Thu, Feb 4, 2021 at 1:44 PM Subject: Re: ikev2 active roadwarrior with openbsd To: Stuart Henderson root@ganesha:/etc# cat iked.conf set dpd_check_interval 15 ikev2 'uma' active esp \ from xxx to 172.

Re: ikev2 active roadwarrior with openbsd

2021-02-04 Thread Stuart Henderson
On 2021-02-04, Riccardo Giuntoli wrote: > Hello misc, how are you? > > I've got this scenario: > > A ikev2 passive server in France that got: > > A CA > A server certificate for tls server > And a client certificate for tls client > > I export the CA in

ikev2 active roadwarrior with openbsd

2021-02-04 Thread Riccardo Giuntoli
Hello misc, how are you? I've got this scenario: A ikev2 passive server in France that got: A CA A server certificate for tls server And a client certificate for tls client I export the CA in PEM format and put it on /etc/iked/ca Next I export the private key and the certificate and put

Re: IKEv2 on Windows 10

2021-01-16 Thread Stuart Henderson
ow: > >> > >> PS> Add-VpnConnection -Name "IPB2" -ServerAddress "vpn.company.com" > >> -TunnelType IKEv2 -AuthenticationMethod MachineCertificate > >> -AllUserConnection -Force > > > > "-AuthenticationMethod MachineCert

Re: IKEv2 on Windows 10

2021-01-16 Thread Ian Timothy
erverAddress "vpn.company.com" >> -TunnelType IKEv2 -AuthenticationMethod MachineCertificate >> -AllUserConnection -Force > > "-AuthenticationMethod MachineCertificate" - I thought you were using > MSCHAP not machine certs? I’m just trying anything and everyt

Re: IKEv2 on Windows 10

2021-01-14 Thread Stuart Henderson
On 2021-01-13, Ian Timothy wrote: > Looking at some of the other information provided, I tried this along with > the registry edit below: > > PS> Add-VpnConnection -Name "IPB2" -ServerAddress "vpn.company.com" > -TunnelType IKEv2 -AuthenticationMethod

Re: IKEv2 on Windows 10

2021-01-13 Thread Ian Timothy
uickly > setup ikev for a very small number of home users, none of which are > roadwarriors and all use Win10. Yes, I know I should be using ikev2, so don't > chew me out, at the time it was just quicker. > Using the UI in Win10 is not the way to go. Apparently the Win10

Re: IKEv2 on Windows 10

2021-01-13 Thread Cand Tec
h are roadwarriors and all use Win10. Yes, I know I should be using ikev2, so don't chew me out, at the time it was just quicker. Using the UI in Win10 is not the way to go. Apparently the Win10 default parameters via UI does not provide the required ciphers. I used powershell to modify the

Re: IKEv2 on Windows 10

2021-01-13 Thread Patrick Wildt
On Wed, Jan 13, 2021 at 01:12:09AM -0700, Ian Timothy wrote: > Hi, > > I'm trying to get IKEv2 VPN working with Windows 10. I'm able to use PSK with > macOS without issue. Changing to EAP MSCHAP for use with Windows results in > the following error: > > "

IKEv2 on Windows 10

2021-01-13 Thread Ian Timothy
Hi, I'm trying to get IKEv2 VPN working with Windows 10. I'm able to use PSK with macOS without issue. Changing to EAP MSCHAP for use with Windows results in the following error: "The network connection between your computer and the VPN server could not be established bec

Re: VPN IKEv2 Traffic Flows Only One Direction

2020-11-16 Thread Stuart Henderson
On 2020-11-16, Ian Timothy wrote: > int_if = "em0" > > ext_if = "em1" > ext_net = "23.X.X.128/29" > > gateway_ip_ext = "{ 23.X.X.129 }" > gateway_ip_int = "{ 10.0.0.1 }" > > set skip on {lo, enc0} > > block return# block stateless traffic > pass# establish keep-state > > pass out on $e

Re: VPN IKEv2 Traffic Flows Only One Direction

2020-11-16 Thread Stuart Henderson
On 2020-11-16, Ian Timothy wrote: > I’ve been a long time user of OpenBSD, but this is the first time I’m trying > to setup a VPN. I’m not sure what I’m doing wrong, or what should be the next > step to troubleshoot. I’ve probably reviewed every IKEv2 how-to I can find. > > I

VPN IKEv2 Traffic Flows Only One Direction

2020-11-15 Thread Ian Timothy
I’ve been a long time user of OpenBSD, but this is the first time I’m trying to setup a VPN. I’m not sure what I’m doing wrong, or what should be the next step to troubleshoot. I’ve probably reviewed every IKEv2 how-to I can find. I need to end up with a configuration that will support several

OpenSMTPd can't sent mail behind IKEv2 NAT

2020-06-22 Thread Martin
{1.2.3.4} table helonames {1.2.3.4 = smtp.domain.tld} ... Now all server's traffic goes trough IKEv2 gateway with NAT, and smtpd runs on the same server, but now behind IPsec NAT. The goal is that smtpd should send/receive mail trough IPsec tunnel. smtpd receives mail successfully but can'

Re: IKEv2 difference with 6.7

2020-06-17 Thread Daniel Ouellet
Hi Tobias, > So the error message is probably in the other side's logs but here is > a guess: 5.6 doesn't know curve25519. > > Try adding the following to your iked.conf: > > ikesa group modp2048 Many thanks!!! That was the issue and you saved me from pulling what I have left of hairs.

Re: IKEv2 difference with 6.7

2020-06-17 Thread Patrik Ragnarsson
On 2020-06-16 12:32, Tobias Heider wrote: On Fri, Jun 12, 2020 at 09:27:18PM +0200, Tobias Heider wrote: On Fri, Jun 12, 2020 at 03:31:56PM +0200, Patrik Ragnarsson wrote: Hi, We have two OpenBSD machines acting as gateways for our network using CARP and IPsec (IKEv2). When the machines were

Re: IKEv2 difference with 6.7

2020-06-17 Thread Tobias Heider
method: using rsa for peer > /etc/iked/pubkeys/ipv4/66.63.5.250 > set_policy: found pubkey for /etc/iked/pubkeys/ipv4/66.63.5.250 > ikev2 "VPN" active tunnel esp inet from 72.83.103.147 to 66.63.5.250 > local 72.83.103.147 peer 66.63.5.250 ikesa enc > aes-256,aes-192,aes-128,3des p

Re: IKEv2 difference with 6.7

2020-06-16 Thread Daniel Ouellet
SA_INIT request from 72.83.103.147:500 (best without the > grep because the following lines may contain the actual error messages). gateway# iked -dvv set_policy_auth_method: using rsa for peer /etc/iked/pubkeys/ipv4/66.63.5.250 set_policy: found pubkey for /etc/iked/pubkeys/ipv4/66.63.5.250

Re: IKEv2 difference with 6.7

2020-06-16 Thread Tobias Heider
On Tue, Jun 16, 2020 at 05:08:47PM -0400, Daniel Ouellet wrote: > > The retransmits tell us that the peer doesn't answer. Or, to be more > > precise, it doesn't receive *any* message from the peer. Can you have > > a look at the peer's logs? Does the peer see these packets but chooses > > not to

Re: IKEv2 difference with 6.7

2020-06-16 Thread Stuart Henderson
On 2020-06-12, Tobias Heider wrote: > Probably related to the following change documented in > https://www.openbsd.org/faq/upgrade67.html: > > iked(8)/isakmpd(8). The type of incoming ipsec(4) flows installed by iked(8) > or > isakmpd(8) was changed from "use" to "require". This means unencrypted

Re: IKEv2 difference with 6.7

2020-06-16 Thread Daniel Ouellet
> The retransmits tell us that the peer doesn't answer. Or, to be more > precise, it doesn't receive *any* message from the peer. Can you have > a look at the peer's logs? Does the peer see these packets but chooses > not to reply? Is the peer also an OpenBSD? 6.6? 6.7? Not a big deal, but y

Re: IKEv2 difference with 6.7

2020-06-16 Thread Patrick Wildt
(This above was to allow the two local subnet to take to one an other as > >> they are in different dmz. I can delete that config and it changed > >> nothing anyway. Just wanted to write why in case you wonder.) > >> > >> gateway$ doas cat /etc/iked.conf > >>

Re: IKEv2 difference with 6.7

2020-06-16 Thread tristan
113.1" local_network="198.51.100.0/24" remote_gw="203.0.113.2" remote_network="192.0.2.0/26" remote_network2="192.0.2.64/26" ikev2 active esp \ from $local_gw to $remote_gw \ from $local_network to $remote_network \ from $local_network to $remote

Re: IKEv2 difference with 6.7

2020-06-16 Thread Daniel Ouellet
anted to write why in case you wonder.) >> >> gateway$ doas cat /etc/iked.conf >> # All IP from 66.63.44.79 are Etienne computer to Riot on AS 6507 in >> Ashburn. >> ikev2 "VPN" active esp inet from re0 to tunnel.realconnect.com >> >> ikev2 "Flow&qu

Re: IKEv2 difference with 6.7

2020-06-16 Thread Patrick Wildt
was to allow the two local subnet to take to one an other as > they are in different dmz. I can delete that config and it changed > nothing anyway. Just wanted to write why in case you wonder.) > > gateway$ doas cat /etc/iked.conf > # All IP from 66.63.44.79 are E

Re: IKEv2 difference with 6.7

2020-06-16 Thread Daniel Ouellet
ite why in case you wonder.) gateway$ doas cat /etc/iked.conf # All IP from 66.63.44.79 are Etienne computer to Riot on AS 6507 in Ashburn. ikev2 "VPN" active esp inet from re0 to tunnel.realconnect.com ikev2 "Flow" active \ from re1 to tunnel.realconnect.com \

Re: IKEv2 difference with 6.7

2020-06-16 Thread Tobias Heider
s://marc.info/?l=openbsd-misc&m=159178866010830&w=2 to see if disabling DPD would actually solve your problem. > > Here's my configuration: > > local_gw="203.0.113.1" > local_network="198.51.100.0/24" > > remote_gw="203.0.113.2" >

Re: IKEv2 difference with 6.7

2020-06-16 Thread Tobias Heider
On Fri, Jun 12, 2020 at 09:27:18PM +0200, Tobias Heider wrote: > On Fri, Jun 12, 2020 at 03:31:56PM +0200, Patrik Ragnarsson wrote: > > Hi, > > > > We have two OpenBSD machines acting as gateways for our network using > > CARP and IPsec (IKEv2). > > > > Whe

Re: IKEv2 difference with 6.7

2020-06-16 Thread Tobias Heider
Hi Daniel, On Mon, Jun 15, 2020 at 08:04:43PM -0400, Daniel Ouellet wrote: > > Probably related to the following change documented in > > https://www.openbsd.org/faq/upgrade67.html: > > > > iked(8)/isakmpd(8). The type of incoming ipsec(4) flows installed by > > iked(8) or > > isakmpd(8) was cha

Re: IKEv2 difference with 6.7

2020-06-15 Thread Daniel Ouellet
> Probably related to the following change documented in > https://www.openbsd.org/faq/upgrade67.html: > > iked(8)/isakmpd(8). The type of incoming ipsec(4) flows installed by iked(8) > or > isakmpd(8) was changed from "use" to "require". This means unencrypted traffic > matching the flows will n

Re: IKEv2 difference with 6.7

2020-06-15 Thread Daniel Ouellet
On 6/15/20 8:04 PM, Daniel Ouellet wrote: >> Probably related to the following change documented in >> https://www.openbsd.org/faq/upgrade67.html: >> >> iked(8)/isakmpd(8). The type of incoming ipsec(4) flows installed by iked(8) >> or >> isakmpd(8) was changed from "use" to "require". This means

Re: IKEv2 difference with 6.7

2020-06-12 Thread Tobias Heider
On Fri, Jun 12, 2020 at 03:31:56PM +0200, Patrik Ragnarsson wrote: > Hi, > > We have two OpenBSD machines acting as gateways for our network using > CARP and IPsec (IKEv2). > > When the machines were running OpenBSD 6.6, from an IPSec client, you > were able to reach the

IKEv2 difference with 6.7

2020-06-12 Thread Patrik Ragnarsson
Hi, We have two OpenBSD machines acting as gateways for our network using CARP and IPsec (IKEv2). When the machines were running OpenBSD 6.6, from an IPSec client, you were able to reach the passive gateway while being connected to the active gateway. On OpenBSD 6.7, it seems this is no longer

VPN, configuring an IKEv2 server

2020-06-09 Thread Teno Deuter
Dear group, try to configure on an 6.7 installation a IKEv2 VPN server to be accessed by linux and android clients but got completely lost. I don't even know how to debug it! Here is my iked-dv output: ikev2 "vpn" passive tunnel esp inet6 from 0.0.0.0/0 to 0.0.0.0/0 from ::/

Re: issue with IKEv2 setup

2020-06-03 Thread Tobias Heider
On Wed, Jun 03, 2020 at 02:07:52PM -0400, Sonic wrote: > On Wed, Jun 3, 2020 at 1:49 PM Tobias Heider wrote: > > It does. /etc/iked/pubkeys/fqdn/server2.domain is where the peer's public > > key > > should be. > > The peers public key is there, the peer, as far as I can tell is > server1.domain

Re: issue with IKEv2 setup

2020-06-03 Thread Sonic
On Wed, Jun 3, 2020 at 1:49 PM Tobias Heider wrote: > It does. /etc/iked/pubkeys/fqdn/server2.domain is where the peer's public key > should be. The peers public key is there, the peer, as far as I can tell is server1.domain, yet the example shows server2.domain.

Re: issue with IKEv2 setup

2020-06-03 Thread Tobias Heider
On Wed, Jun 03, 2020 at 01:09:02PM -0400, Sonic wrote: > Following the FAQ at https://www.openbsd.org/faq/faq17.html I ran into > the following problem with the server2 example: > === > ikev2 'server2_rsa' active esp \ > from 1

issue with IKEv2 setup

2020-06-03 Thread Sonic
Following the FAQ at https://www.openbsd.org/faq/faq17.html I ran into the following problem with the server2 example: === ikev2 'server2_rsa' active esp \ from 10.0.2.0/24 to 10.0.1.0/24 \ peer 192.0.2.1 \ dstid serv

IKEv2 VPN -- creating specific routes after sending 0.0.0.0/0 to a default gateway

2020-05-08 Thread marfabastewart
.0.0/0," I can't ever specify a different gateway for some other traffic. -- begin /etc/iked.conf: # roadwarrior's iked.conf: remote_gw = "insert remote gw IP here" roadwarrior ="192.168.100.2" # on 192.168.100.0/24 othermachine = "172.16.0.15"

Re: Unable to create IKEv2 VPN using strongSwan to iked

2020-04-20 Thread Jona Joachim
Ajust as your necessity * > >( Don't forget to adjust your pf rules accordingly ) * > > > >OpenBSD 6.X ( Works with IPHONE AND STRONGSWAN ) > >ikev2 "roadwarrior" passive esp from 0.0.0.0/0 to 10.20.30.0/24 \ > local egress peer any \ > ikesa enc aes

Re: Unable to create IKEv2 VPN using strongSwan to iked

2020-04-20 Thread R0me0 ***
Ajust as your necessity * ( Don't forget to adjust your pf rules accordingly ) * OpenBSD 6.X ( Works with IPHONE AND STRONGSWAN ) ikev2 "roadwarrior" passive esp from 0.0.0.0/0 to 10.20.30.0/24 \ local egress peer any \ ikesa enc aes-256 auth hmac-sha2-256 group modp2048

Unable to create IKEv2 VPN using strongSwan to iked

2020-04-20 Thread Jona Joachim
quot;. Does anybody have a working setup between iked and strongSwan or any insights? Config files and logs below. Thanks, Jona iked.conf: ikev2 passive esp \     from 0.0.0.0/0 to 10.201.201.0/24 \     from 192.168.0.0/16 to 10.244.244.0/24 \     from 10.244.244.0/24 to 192.168.0.

Re: No traffic from/to road warrior's LAN hosts when IKEv2 VPN is connected

2020-02-10 Thread Martin
‐‐‐ Original Message ‐‐‐ On Monday, February 3, 2020 9:03 PM, Martin Got wrote: > OpenIKED IKEv2 VPN setup consists of OpenBSD-6.6 based remote server and 6.6 > based road warrior - > client with dynamic IP. VPN works stable even using a link behind ISP NAT > with ping

Re: No traffic from/to road warrior's LAN hosts when IKEv2 VPN is connected

2020-02-10 Thread Martin Got
‐‐‐ Original Message ‐‐‐ On Monday, February 3, 2020 9:03 PM, Martin Got wrote: > OpenIKED IKEv2 VPN setup consists of OpenBSD-6.6 based remote server and 6.6 > based road warrior - > client with dynamic IP. VPN works stable even using a link behind ISP NAT > with ping latency from &

No traffic from/to road warrior's LAN hosts when IKEv2 VPN is connected

2020-02-03 Thread Martin Got
OpenIKED IKEv2 VPN setup consists of OpenBSD-6.6 based remote server and 6.6 based road warrior - client with dynamic IP. VPN works stable even using a link behind ISP NAT with ping latency from ~750ms to ~1100ms. Hope latency about 1000ms can't be related to the issue because all the

IKEv2 multiple subnets

2019-10-25 Thread Jeremy
Hi, I am trying to set up a IKEv2 VPN with iked(8), between an OpenBSD firewall and a SonicWall one. The VPN set up correctly as long as only one subnetwork is configured. However, as soon as at least 2 subnets are configured, only one of them operates. Below is the OpenBSD side configuration

Re: IKEv2 OpenBSD client using X.509 Certificate Authentication

2019-10-16 Thread Stuart Henderson
On 2019/10/16 15:49, Tristan Pilat wrote: > On 10/16/19 at 08:31P, Stuart Henderson wrote: > > On 2019-10-07, Tristan Pilat wrote: > > > I'm trying to set up a IKEv2 VPN using X.509 Certificate Authentication > > > with > > > iked(8). In the Vir

Re: IKEv2 OpenBSD client using X.509 Certificate Authentication

2019-10-16 Thread Tristan Pilat
On 10/16/19 at 08:31P, Stuart Henderson wrote: > On 2019-10-07, Tristan Pilat wrote: > > I'm trying to set up a IKEv2 VPN using X.509 Certificate Authentication with > > iked(8). In the Virtual Private Networks (VPN) section of the FAQ there no > > section about setti

Re: IKEv2 OpenBSD client using X.509 Certificate Authentication

2019-10-16 Thread Stuart Henderson
On 2019-10-07, Tristan Pilat wrote: > I'm trying to set up a IKEv2 VPN using X.509 Certificate Authentication with > iked(8). In the Virtual Private Networks (VPN) section of the FAQ there no > section about setting up this with an OpenBSD client. Is there anybody here > who
