[Apologies if anyone gets this a second time -- Sent twice but did not show up in the list]
5.7-stable. Cannot get an ikev2 road warrior setup working for days now. Read all relevant stuff but cannot see what I am doing wrong. Other people report similar setup working, so it must be my fault.

The connection schema follows: (Note: 57.57.57.57 is the OBSD-5.7 box ext interface; 81.81.81.81 is the ext interface of the router the win box is behind.)

    LAN (10.15.0.0/16) <--> [ obsd 5.7 box (ext if 57.57.57.57) ] <-->
        <--> Internet <--> router (81.81.81.81) <--> win 8.1 box

The win box shows error 809 (remote server is not responding) on connection attempt. (I never managed to get anything else.)

Client is Win8.1 Enterprise (behind nat, should not matter...?)

Connection properties:
-- General | Host name: 57.57.57.57
-- Security | Type of VPN: IKEv2
-- Security | Data Encryption: Require Encryption
-- Security | Authentication: use machine certificates
-- Networking | IPv4 (the only thing enabled): set to IP 10.10.10.7, DNS 8.8.8.8

    # sysctl net.inet.ip.forwarding=1
    # pfctl -d    # only to get ipsec tunnel working; then I'll set it up

    # cat /etc/iked.conf:
    ikev2 "road-warriors" passive esp \
        from 10.15.0.0/16 to 10.10.10.0/24 \
        local 57.57.57.57 peer 0.0.0.0/0 \
        srcid 57.57.57.57 \
        config address 10.10.10.7

Debug log from 'iked -vv -d' shown below. Please, help me figure this out. Any hints or directions are much appreciated!

-Yassen D.

P.S. Forgot to mention that the full CA dance has been properly done; the Win box has the vpn CA cert and key (in Trusted Root Authorities) and its own client certificate (in Personal) imported successfully.
# iked -vv -d
ikev2_recv: IKE_SA_INIT request from initiator 81.81.81.81:53392 to 57.57.57.57:500 policy 'road-warriors' id 0, 880 bytes
ikev2_recv: ispi 0xc775b4390519c851 rspi 0x0000000000000000
ikev2_policy2id: srcid IPV4/57.57.57.57 length 8
ikev2_pld_parse: header ispi 0xc775b4390519c851 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 880 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 520
ikev2_pld_sa: more than one proposal specified
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0xc775b4390519c851 0x0000000000000000 81.81.81.81:53392
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload VENDOR critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0xc775b4390519c851 0x0000000000000000 57.57.57.57:500
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 24
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 24
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 23
sa_stateok: SA_INIT flags 0x00, require 0x00
sa_stateflags: 0x00 -> 0x10 sa (required 0x00 )
ikev2_sa_keys: SKEYSEED with 20 bytes
ikev2_sa_keys: S with 96 bytes
ikev2_prfplus: T1 with 20 bytes
ikev2_prfplus: T2 with 20 bytes
ikev2_prfplus: T3 with 20 bytes
ikev2_prfplus: T4 with 20 bytes
ikev2_prfplus: T5 with 20 bytes
ikev2_prfplus: T6 with 20 bytes
ikev2_prfplus: T7 with 20 bytes
ikev2_prfplus: T8 with 20 bytes
ikev2_prfplus: Tn with 160 bytes
ikev2_sa_keys: SK_d with 20 bytes
ikev2_sa_keys: SK_ai with 20 bytes
ikev2_sa_keys: SK_ar with 20 bytes
ikev2_sa_keys: SK_ei with 24 bytes
ikev2_sa_keys: SK_er with 24 bytes
ikev2_sa_keys: SK_pi with 20 bytes
ikev2_sa_keys: SK_pr with 20 bytes
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload KE
ikev2_next_payload: length 136 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xc775b4390519c851 0x5a9bb34a8d3b420e 57.57.57.57:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xc775b4390519c851 0x5a9bb34a8d3b420e 81.81.81.81:53392
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload NONE
ikev2_pld_parse: header ispi 0xc775b4390519c851 rspi 0x5a9bb34a8d3b420e nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 325 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_msg_send: IKE_SA_INIT response from 57.57.57.57:500 to 81.81.81.81:53392 msgid 0, 325 bytes
config_free_proposals: free 0x3cc6b78ad00
=eof=
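The log above ends after the responder sends its IKE_SA_INIT reply and never shows an IKE_AUTH request arriving; because NAT was detected, the initiator's next message goes to UDP/4500 rather than UDP/500 (RFC 7296, section 2.23). The following added example (not from the original post or from iked) parses a condensed, constructed copy of those 'iked -vv -d' lines to pin down which exchange stage was reached and which UDP port therefore deserves a look:

```python
import re

# Constructed sample: a condensed copy of the 'iked -vv -d' lines quoted in the post.
SAMPLE_LOG = """\
ikev2_recv: IKE_SA_INIT request from initiator 81.81.81.81:53392 to 57.57.57.57:500 policy 'road-warriors' id 0, 880 bytes
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
sa_state: INIT -> SA_INIT
ikev2_msg_send: IKE_SA_INIT response from 57.57.57.57:500 to 81.81.81.81:53392 msgid 0, 325 bytes
config_free_proposals: free 0x3cc6b78ad00
"""

# Exchange lines as iked prints them: received requests and sent responses.
RECV_RE = re.compile(r"^ikev2_recv: (\w+) request from initiator (\S+):(\d+) to (\S+):(\d+)")
SEND_RE = re.compile(r"^ikev2_msg_send: (\w+) response from (\S+):(\d+) to (\S+):(\d+)")


def summarize(log):
    """Collect exchanges seen, the NAT-T flag and the last SA state from an iked debug log."""
    exchanges = []          # (direction, exchange name, local UDP port)
    nat = False
    state = None
    for line in log.splitlines():
        m = RECV_RE.match(line)
        if m:
            exchanges.append(("recv", m.group(1), int(m.group(5))))
            continue
        m = SEND_RE.match(line)
        if m:
            exchanges.append(("send", m.group(1), int(m.group(3))))
            continue
        if "detected NAT" in line:
            nat = True
        if line.startswith("sa_state:"):
            state = line.split("-> ")[1].strip()
    return {"exchanges": exchanges, "nat": nat, "state": state}


def diagnose(summary):
    """Name the first thing to check, based on how far the IKEv2 handshake got."""
    names = {e[1] for e in summary["exchanges"]}
    if "IKE_AUTH" in names:
        return "IKE_AUTH reached the responder; look at the certificate/authentication messages next"
    if "IKE_SA_INIT" in names and summary["state"] == "SA_INIT":
        # With NAT detected, the initiator moves to UDP/4500 for IKE_AUTH (RFC 7296 s.2.23).
        port = 4500 if summary["nat"] else 500
        return f"IKE_SA_INIT completed but no IKE_AUTH arrived; verify UDP/{port} reaches the responder"
    return "no IKE exchange completed"
```

Run against the post's log this reports that the handshake stalled after IKE_SA_INIT with NAT-T enabled, so UDP/4500 through pf and the NAT router is the first thing to confirm.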