> On Aug 17, 2015, at 5:39 AM, Reyk Floeter <r...@openbsd.org> wrote:
>
> On Sun, Aug 16, 2015 at 11:28:24PM +0300, Or Elimelech wrote:
>> Hello misc,
>>
>> Has anyone connected successfully between the new OS X ikev2 impl.
>> To an OpenBSD box?
>>
>
> No, we don't have the beta.
>
> Reyk

I’ve put some hours into it. Doesn’t work out of the box (no surprises).

Right now, as far as I can tell, OS X sends a real dubious proposal. That results in iked (rightly) not sending an auth response.

————
ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x00c7832b
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
[...]
ikev2_match_proposals: xform 1 <-> 2 (4): INTEGR HMAC_SHA1_96 (keylength 0 <-> 0)
ikev2_match_proposals: xform 1 <-> 2 (2): ESN NONE (keylength 0 <-> 0)
ikev2_sa_negotiate: score 0
ikev2_ike_auth_recv: no proposal chosen
ikev2_resp_recv: failed to send auth response
————

I’ve not yet surfaced where the ikev2 proposal/policy configs hide in OS X.

cheers
weaver