On Tue, Oct 28, 2014 at 09:49:58AM -0400, I wrote:
> On 2014-10-28 08:09, Vincent Gross wrote:
[snip]
> >I had the very same issue on my own setup. I did not investigate the
> >source, but I think there is a bug in the code that handles PSK authn,
> >because it worked perfectly fine when I switched to RSA key authn.
>
> Thank you, Vincent. I will return to simple certificate testing.
I have re-tested with RSA keys and certificates. This time, I was successful ... perhaps because the lab machines are clean snapshots; prior cert testing was on living systems. As you reported, removing "psk <key>" from the configurations and using the RSA keys worked! Thank you!

I do have further testing to do for my use case, now that I have a successful esp tunnel established.

One of the things I have discovered in early testing is that using "proto <protocol>" works syntactically, but the flows are still unrestricted by protocol. e.g.:

    ikev2 a2b proto udp from a.lab to b.lab

results in (wrapped for Email):

    ikev2 "a2b" passive esp proto 17 inet from 10.0.0.1 to 10.0.0.2 local 10.0.0.1 peer 10.0.0.2
      ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1,hmac-md5
      auth hmac-sha2-256,hmac-sha1,hmac-md5 group modp2048-256,modp2048,modp1536,modp1024
      childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1
      lifetime 10800 bytes 536870912 rsa

But the flows are not established by protocol. All traffic is encapsulated.

    Encap:
    Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
    10.0.0.2/32        0     10.0.0.1/32        0     0     10.0.0.2/esp/use/in
    10.0.0.1/32        0     10.0.0.2/32        0     0     10.0.0.2/esp/require/out
    default            0     default            0     0     none/esp/deny/out

It looks like this is similar to what sthen@ mentioned in
http://marc.info/?l=openbsd-misc&m=140879041225874&w=2
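A quick way to confirm the behaviour described in the message above, added here as an editor's example and not part of the original thread or of iked itself: feed the kernel's encap routing table (what `netstat -rn -f encap` prints on OpenBSD) through a small awk filter and report every installed flow whose Proto column does not carry the protocol the configuration asked for. The embedded table is a constructed copy of the output quoted in the message; the function and script names are my own.

```shell
#!/bin/sh
# Added example: check whether the IPsec flows in the encap table are
# restricted to the expected IP protocol, or are wide open (Proto 0).
#
# SAMPLE_ENCAP is constructed from the table quoted in the thread so the
# script runs offline; on a real host pipe `netstat -rn -f encap` instead.
SAMPLE_ENCAP='Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
10.0.0.2/32        0     10.0.0.1/32        0     0     10.0.0.2/esp/use/in
10.0.0.1/32        0     10.0.0.2/32        0     0     10.0.0.2/esp/require/out
default            0     default            0     0     none/esp/deny/out'

# unrestricted_flows EXPECTED_PROTO
#   Reads an encap table on stdin.  Prints every non-default flow whose
#   Proto column (field 5) differs from EXPECTED_PROTO, e.g. 17 for udp.
#   Exits 1 if any such flow was found, 0 otherwise.
unrestricted_flows() {
    awk -v want="$1" '
        /^Encap:/ || /^Source/ { next }   # header lines
        $1 == "default"        { next }   # catch-all deny entry, no peer
        NF >= 6 && $5 != want  { print; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# count_unrestricted EXPECTED_PROTO
#   Number of flows in SAMPLE_ENCAP that are not limited to EXPECTED_PROTO.
#   With the quoted table and 17 (udp) this is 2: both flows have Proto 0.
count_unrestricted() {
    printf '%s\n' "$SAMPLE_ENCAP" | unrestricted_flows "$1" | wc -l | tr -d ' '
}

# Stand-alone run: show the offending flows for a "proto udp" config.
printf '%s\n' "$SAMPLE_ENCAP" | unrestricted_flows 17 \
    && echo "all flows restricted to proto 17" \
    || echo "flows above are NOT restricted to proto 17"
```

On the lab host the same check is `netstat -rn -f encap | unrestricted_flows 17`; a non-zero exit means the "proto udp" in iked.conf did not make it into the flows, which is exactly the symptom reported above.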