Hi,
I'm currently trying to set up an OpenIKED GW running 5.7-stable with a
proprietary fw/VPN hosted at one of our clients.
Seemingly it worked so far: ipsecctl shows flows and SADs. I was able to
ping a machine on the 'other side', but this stopped without apparent reason.
Diving deeper into the logs and running iked in the foreground gave me two
messages:
'pfkey_sa_last_used: message: No such process'
and
'ikev2_init_ike_sa: "h" is already active'
I would greatly appreciate any help with this one.
# ipsecctl -s all
FLOWS:
flow esp in from 192.168.80.120 to 172.16.10.0/24 peer 217.6.6.6 srcid IPV4/80.1.1.1 dstid IPV4/217.6.6.6 type use
flow esp out from 172.16.10.0/24 to 192.168.80.120 peer 217.6.6.6 srcid IPV4/80.1.1.1 dstid IPV4/217.6.6.6 type require
flow esp in from 192.168.106.0/24 to 192.168.3.30 peer 217.6.6.6 srcid IPV4/80.1.1.1 dstid IPV4/217.6.6.6 type use
flow esp out from 192.168.3.30 to 192.168.106.0/24 peer 217.6.6.6 srcid IPV4/80.1.1.1 dstid IPV4/217.6.6.6 type require
flow esp out from ::/0 to ::/0 type deny
SAD:
esp tunnel from 192.168.32.2 to 217.6.6.6 spi 0x2360324c auth hmac-sha2-256 enc aes-256
esp tunnel from 217.6.6.6 to 192.168.32.2 spi 0xa6537a08 auth hmac-sha2-256 enc aes-256
# iked -dvv
...
ikev2_sa_tag: (0)
ikev2_childsa_negotiate: proposal 2
ikev2_childsa_negotiate: key material length 128
ikev2_prfplus: T1 with 16 bytes
ikev2_prfplus: T2 with 16 bytes
ikev2_prfplus: T3 with 16 bytes
ikev2_prfplus: T4 with 16 bytes
ikev2_prfplus: T5 with 16 bytes
ikev2_prfplus: T6 with 16 bytes
ikev2_prfplus: T7 with 16 bytes
ikev2_prfplus: T8 with 16 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_add: add spi 0x2360324c
pfkey_sa: udpencap port 4500
ikev2_childsa_enable: loaded CHILD SA spi 0x2360324c
pfkey_sa_add: update spi 0xa6537a08
pfkey_sa: udpencap port 4500
ikev2_childsa_enable: loaded CHILD SA spi 0xa6537a08
ikev2_childsa_enable: loaded flow 0x151839b73800
ikev2_childsa_enable: loaded flow 0x15180aa49400
ikev2_childsa_enable: loaded flow 0x151839b73c00
ikev2_childsa_enable: loaded flow 0x151839b73000
sa_state: VALID -> ESTABLISHED from 217.6.6.6:4500 to 192.168.32.2:4500 policy 'h'
config_free_proposals: free 0x15180bc69880
ikev2_recv: INFORMATIONAL request from responder 217.6.6.6:4500 to 192.168.32.2:4500 policy 'h' id 0, 80 bytes
ikev2_recv: ispi 0xd6e43c6448fe0750 rspi 0x7f77a74b12244234
ikev2_init_recv: unknown SA
ikev2_init_ike_sa: "h" is already active
-- last line repeated several times --
...
# tail /var/log/daemon
...
Sep 21 11:38:46 h iked[8231]: pfkey_sa_last_used: message: No such process
Sep 21 11:39:46 h last message repeated 2 times
...
# cat /etc/iked.conf
...
ikev2 "h" active esp \
from $k_dev to $h_server \
from $postgres_server to $h_dev \
peer $h_gw \
ikesa auth hmac-sha2-256 \
enc aes-256 \
group modp1536 \
childsa auth hmac-sha2-256 \
enc aes-256 \
group modp1536 \
srcid '80.154.4.243' \
ikelifetime 28800 \
lifetime 28800 \
psk ""
# cat /etc/pf.conf
...
block return # block stateless traffic
pass proto udp to port $ipsec_types
pass in on $ext_if proto esp from $h_gw
pass out on $ext_if proto esp to $h_gw
pass in on $ipsec_if proto ipencap from $h_gw keep state (if-bound)
pass out on $ipsec_if proto ipencap to $h_gw keep state (if-bound)
pass proto tcp from $k_dev to $h_server port $test_ports
pass proto tcp from $h_server port $test_ports to $k_dev
pass proto tcp from $h_dev to $h_postgres port postgresql
pass proto tcp from $h_postgres port postgresql to $h_dev
pass proto tcp from $k to (self) port ssh
pass proto tcp from 192.168.32.1 to (self) port ssh
pass inet proto icmp icmp-type $icmp_types
...
--
Cheers
Kim