Hi folks, I am trying to set up an IPSec VPN between my OpenBSD-current laptop and my OpenBSD-current gateway at home. The gateway is connected with plain old ADSL + PPPoE, and the laptop uses my smartphone tethering functions.
The laptop has a vether(4) with 192.168.55.220/24 configured and up, and the gateway has a vether(4) with 192.168.56.1/24 configured and up. Yeah, I could do without, but I've mainly seen examples where the tunnel outgoing interface was different from the routed range interface, and wanted to make sure it was not due to some weird address overlap.

What goes on is, when I start both iked, negotiation completes, but:

1) only the gateway installs the SA and SP, the laptop does not
2) I am not able to go beyond the TCP three-way handshake when connecting from laptop to gateway.

I tcpdump'd the traffic on the outgoing interfaces: every packet that is sent by one side is received by the other. I can observe traffic on the gateway's enc0, but nothing on the laptop's enc0 (which makes sense as SA and SP are not installed).

Both are running a fairly recent -current (no more than 10 days old).

Any clues on what might be going on?

Cheers,

-- 
Vincent / dermiste

## gateway /etc/iked.conf:

ikev2 esp proto icmp \
    from 192.168.56.1 to 192.168.55.220 peer 37.160.239.206 \
    psk "redacted"

## laptop /etc/iked.conf:

ikev2 active esp proto icmp \
    from 192.168.55.220 to 192.168.56.1 peer 79.143.250.153 \
    psk "redacted"

## initial sa state on both machines:

$ sudo ipsecctl -sa
FLOWS:
No flows

SAD:
No entries

## On gateway:

$ sudo tcpdump -ni pppoe0 udp port 500 or 4500 or tcp port 222
tcpdump: listening on pppoe0, link-type PPP_ETHER
tcpdump: WARNING: compensating for unaligned libpcap packets
14:57:16.480895 37.160.239.206.20603 > 79.143.250.153.4500:udpencap: isakmp v2.0 exchange IKE_SA_INIT cookie: 143d03ddc5809c39->0000000000000000 msgid: 00000000 len: 520
14:57:16.531113 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: isakmp v2.0 exchange IKE_SA_INIT cookie: 143d03ddc5809c39->383ed0522188ecdc msgid: 00000000 len: 432
14:57:17.226835 37.160.239.206.20603 > 79.143.250.153.4500:udpencap: isakmp v2.0 exchange IKE_AUTH cookie: 143d03ddc5809c39->383ed0522188ecdc msgid: 00000001 len: 272
14:57:17.228337 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: isakmp v2.0 exchange IKE_AUTH cookie: 143d03ddc5809c39->383ed0522188ecdc msgid: 00000001 len: 224
14:57:17.229556 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: esp 79.143.250.153 > 37.160.239.206 spi 0xba588fdd seq 2 len 376 (DF) [tos 0x10]
14:57:17.229799 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: esp 79.143.250.153 > 37.160.239.206 spi 0xba588fdd seq 3 len 136 (DF) [tos 0x10]
14:57:18.059200 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: esp 79.143.250.153 > 37.160.239.206 spi 0xba588fdd seq 4 len 824 (DF) [tos 0x10]
14:57:18.059587 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: esp 79.143.250.153 > 37.160.239.206 spi 0xba588fdd seq 5 len 136 (DF) [tos 0x10]
14:57:18.266023 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: esp 79.143.250.153 > 37.160.239.206 spi 0xba588fdd seq 6 len 1192 (DF) [tos 0x10]
14:57:19.726565 37.160.239.206.20606 > 79.143.250.153.222: S 4201433516:4201433516(0) win 16384 <mss 1300,sackOK,nop,nop,nop,wscale 3> (DF)
14:57:19.726641 79.143.250.153.222 > 37.160.239.206.20606: S 918752052:918752052(0) ack 4201433517 win 16384 <mss 1452,nop,nop,sackOK,nop,wscale 3> (DF)
14:57:19.826467 37.160.239.206.20606 > 79.143.250.153.222: . ack 1 win 2048 (DF)
14:57:19.852144 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: esp 79.143.250.153 > 37.160.239.206 spi 0xba588fdd seq 7 len 104 (DF)
14:57:19.866853 37.160.239.206.20606 > 79.143.250.153.222: P 1:22(21) ack 1 win 8000 (DF)
14:57:20.066284 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: esp 79.143.250.153 > 37.160.239.206 spi 0xba588fdd seq 8 len 1048 (DF)
14:57:20.266288 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: esp 79.143.250.153 > 37.160.239.206 spi 0xba588fdd seq 9 len 1384 (DF) [tos 0x10]
14:57:20.868080 37.160.239.206.20606 > 79.143.250.153.222: P 1:22(21) ack 1 win 8000 (DF)
14:57:20.868190 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: esp 79.143.250.153 > 37.160.239.206 spi 0xba588fdd seq 10 len 88 (DF)
14:57:22.868423 37.160.239.206.20606 > 79.143.250.153.222: P 1:22(21) ack 1 win 8000 (DF)
14:57:22.868615 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: esp 79.143.250.153 > 37.160.239.206 spi 0xba588fdd seq 11 len 88 (DF)
14:57:24.266858 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: esp 79.143.250.153 > 37.160.239.206 spi 0xba588fdd seq 12 len 1384 [tos 0x10]
14:57:25.847062 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: esp 79.143.250.153 > 37.160.239.206 spi 0xba588fdd seq 13 len 1064 (DF)
14:57:26.869638 37.160.239.206.20606 > 79.143.250.153.222: P 1:22(21) ack 1 win 8000 (DF)
14:57:26.869732 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: esp 79.143.250.153 > 37.160.239.206 spi 0xba588fdd seq 14 len 88 (DF)
14:57:32.268023 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: esp 79.143.250.153 > 37.160.239.206 spi 0xba588fdd seq 15 len 1384 [tos 0x10]
14:57:34.871372 37.160.239.206.20606 > 79.143.250.153.222: P 1:22(21) ack 1 win 8000 (DF)
14:57:34.871563 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: esp 79.143.250.153 > 37.160.239.206 spi 0xba588fdd seq 16 len 88 (DF)
14:57:37.848731 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: esp 79.143.250.153 > 37.160.239.206 spi 0xba588fdd seq 17 len 1064 (DF)
14:57:48.270216 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: esp 79.143.250.153 > 37.160.239.206 spi 0xba588fdd seq 18 len 1384 [tos 0x10]
14:57:50.872739 37.160.239.206.20606 > 79.143.250.153.222: P 1:22(21) ack 1 win 8000 (DF)
14:57:50.872856 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: esp 79.143.250.153 > 37.160.239.206 spi 0xba588fdd seq 19 len 88 (DF)

$ sudo ipsecctl -sa
FLOWS:
flow esp in from 192.168.55.220 to 192.168.56.1 peer 37.160.239.206 srcid FQDN/brouwer.kilob.yt dstid FQDN/spinoza.kilob.yt type use
flow esp out from 192.168.56.1 to 192.168.55.220 peer 37.160.239.206 srcid FQDN/brouwer.kilob.yt dstid FQDN/spinoza.kilob.yt type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 37.160.239.206 to 79.143.250.153 spi 0x051b2f21 auth hmac-sha2-256 enc aes-256
esp tunnel from 79.143.250.153 to 37.160.239.206 spi 0xba588fdd auth hmac-sha2-256 enc aes-256

$ sudo /sbin/iked -dvt
ikev2 "policy1" passive esp proto 1 inet from 192.168.56.1 to 192.168.55.220 local any peer 37.160.239.206 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256,hmac-sha1,hmac-md5 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 psk 0x7265646163746564
ikev2_recv: IKE_SA_INIT request from initiator 37.160.239.206:20603 to 79.143.250.153:4500 policy 'policy1' id 0, 520 bytes
ikev2_msg_send: IKE_SA_INIT response from 79.143.250.153:4500 to 37.160.239.206:20603 msgid 0, 432 bytes, NAT-T
ikev2_recv: IKE_AUTH request from initiator 37.160.239.206:20603 to 79.143.250.153:4500 policy 'policy1' id 1, 272 bytes
ikev2_msg_send: IKE_AUTH response from 79.143.250.153:4500 to 37.160.239.206:20603 msgid 1, 224 bytes, NAT-T
sa_state: VALID -> ESTABLISHED from 37.160.239.206:20603 to 79.143.250.153:4500 policy 'policy1'

## on laptop:

$ sudo ipsecctl -sa
FLOWS:
flow esp out from ::/0 to ::/0 type deny

SAD:
No entries

$ sudo /sbin/iked -dvt
ikev2 "policy1" active esp proto 1 inet from 192.168.55.220 to 192.168.56.1 local any peer 79.143.250.153 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256,hmac-sha1,hmac-md5 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 psk 0x7265646163746564
ikev2_msg_send: IKE_SA_INIT request from 0.0.0.0:4500 to 79.143.250.153:4500 msgid 0, 520 bytes, NAT-T
ikev2_recv: IKE_SA_INIT response from responder 79.143.250.153:4500 to 192.168.43.220:4500 policy 'policy1' id 0, 432 bytes
ikev2_msg_send: IKE_AUTH request from 192.168.43.220:4500 to 79.143.250.153:4500 msgid 1, 272 bytes, NAT-T
ikev2_recv: IKE_AUTH response from responder 79.143.250.153:4500 to 192.168.43.220:4500 policy 'policy1' id 1, 224 bytes
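Added example, not part of the original post: a small Python check that walks tcpdump lines in the shape of the pppoe0 capture above (a constructed subset of those lines) and groups IKEv2 exchanges, ESP SPIs and cleartext TCP segments per direction, flagging the one-way-tunnel symptom the post describes (IKE_AUTH completes both ways, ESP is only ever sent by one peer, and the other peer's TCP goes out in the clear). The regexes assume OpenBSD tcpdump's "udpencap:" output format as shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of lines in the shape of the post's pppoe0 capture.
SAMPLE = """\
14:57:16.480895 37.160.239.206.20603 > 79.143.250.153.4500:udpencap: isakmp v2.0 exchange IKE_SA_INIT cookie: 143d03ddc5809c39->0000000000000000 msgid: 00000000 len: 520
14:57:16.531113 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: isakmp v2.0 exchange IKE_SA_INIT cookie: 143d03ddc5809c39->383ed0522188ecdc msgid: 00000000 len: 432
14:57:17.226835 37.160.239.206.20603 > 79.143.250.153.4500:udpencap: isakmp v2.0 exchange IKE_AUTH cookie: 143d03ddc5809c39->383ed0522188ecdc msgid: 00000001 len: 272
14:57:17.228337 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: isakmp v2.0 exchange IKE_AUTH cookie: 143d03ddc5809c39->383ed0522188ecdc msgid: 00000001 len: 224
14:57:17.229556 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: esp 79.143.250.153 > 37.160.239.206 spi 0xba588fdd seq 2 len 376 (DF) [tos 0x10]
14:57:19.726565 37.160.239.206.20606 > 79.143.250.153.222: S 4201433516:4201433516(0) win 16384 <mss 1300,sackOK,nop,nop,nop,wscale 3> (DF)
14:57:19.852144 79.143.250.153.4500 > 37.160.239.206.20603:udpencap: esp 79.143.250.153 > 37.160.239.206 spi 0xba588fdd seq 7 len 104 (DF)
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
IKE_RE = re.compile(rf"^\S+ {IP}\.\d+ > {IP}\.\d+:udpencap: isakmp v2\.0 exchange (\S+) ")
ESP_RE = re.compile(rf"^\S+ \S+ > \S+:udpencap: esp {IP} > {IP} spi (0x[0-9a-f]+) seq \d+")
TCP_RE = re.compile(rf"^\S+ {IP}\.\d+ > {IP}\.(\d+): [SP.F]")  # cleartext TCP, not udpencap

def summarize(capture):
    """Group IKEv2 exchanges, ESP SPIs and cleartext TCP segments by (src, dst) direction."""
    ike = defaultdict(set)    # (src, dst) -> exchange names seen
    esp = defaultdict(set)    # (src, dst) -> SPIs seen
    clear = defaultdict(int)  # (src, dst, dport) -> cleartext TCP segment count
    for line in capture.splitlines():
        if m := IKE_RE.match(line):
            ike[(m[1], m[2])].add(m[3])
        elif m := ESP_RE.match(line):
            esp[(m[1], m[2])].add(m[3])
        elif m := TCP_RE.match(line):
            clear[(m[1], m[2], int(m[3]))] += 1
    return ike, esp, clear

def diagnose(ike, esp, clear):
    """Return findings; an empty list means IKE completed and ESP runs both ways."""
    findings = []
    if sum("IKE_AUTH" in names for names in ike.values()) < 2:
        findings.append("IKE_AUTH not seen in both directions")
    if len(esp) == 1:
        src, dst = next(iter(esp))
        findings.append(f"ESP flows only {src} -> {dst}; {dst} never sends ESP (no outbound SA installed?)")
    for src, dst, dport in clear:
        if (dst, src) in esp and (src, dst) not in esp:
            findings.append(f"cleartext TCP {src} -> {dst}:{dport} while the reverse direction is ESP-protected")
    return findings
```

Feed it the full capture (for example `summarize(open("capture.txt").read())`) and compare the per-direction SPI sets against the SAD of each peer: a SPI that shows up on the wire but is missing from one side's `ipsecctl -sa` output is the side to look at.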