Why are you using ipsec in the 21th century:
https://serverfault.com/questions/202917/openvpn-vs-ipsec-pros-and-cons-what-to-use
I see no pros here just cons unless you need to setup a vpn with some
crappy old device which should be just switched out with an obsd box
anyway :)
On 2017-06-29 11:29, Liviu Daia wrote:
On 29 June 2017, Liviu Daia <liviu.d...@gmail.com> wrote:
[...]
On the server:
# iked -d
ikev2_recv: IKE_SA_INIT request from initiator 89.136.163.27:500 to
x.y.z.t:500 policy 'sb1' id 0, 510 bytes
ikev2_msg_send: IKE_SA_INIT response from x.y.z.t:500 to
89.136.163.27:500 msgid 0, 471 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to
x.y.z.t:500 policy 'sb1' id 1, 1520 bytes
ikev2_msg_send: IKE_AUTH response from x.y.z.t:500 to
89.136.163.27:500 msgid 1, 1440 bytes
sa_state: VALID -> ESTABLISHED from 89.136.163.27:500 to x.y.z.t:500
policy 'sb1'
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to
x.y.z.t:500 policy 'sb1' id 2, 1520 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to
x.y.z.t:500 policy 'sb1' id 2, 1520 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to
x.y.z.t:500 policy 'sb1' id 2, 1520 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to
x.y.z.t:500 policy 'sb1' id 2, 1520 bytes
On the home router:
# iked -d
set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/x.y.z.t
ikev2_msg_send: IKE_SA_INIT request from 89.136.163.27:500 to
x.y.z.t:500 msgid 0, 510 bytes
ikev2_recv: IKE_SA_INIT response from responder x.y.z.t:500 to
89.136.163.27:500 policy 'home' id 0, 471 bytes
ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500
msgid 1, 1520 bytes
ikev2_recv: IKE_AUTH response from responder x.y.z.t:500 to
89.136.163.27:500 policy 'home' id 1, 1440 bytes
ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500
msgid 2, 1520 bytes
The warning about pubkey doesn't go away if I copy the server's
certificate to /etc/iked/pubkeys/ipv4/x.y.z.t, nor if I install it in
/etc/iked/certs. And then there's this, which doesn't look normal:
ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
[...]
Ok this post sent me on the right course:
http://www.going-flying.com/blog/mikrotik-openbsd-ikev2.html
Here's what I did:
cd /etc/ssl/vpn/private
openssl rsa -in x.y.z.t.key -pubout -out ~/x.y.z.t
... copy ~/x.y.z.t to /etc/iked/pubkeys/ipv4 on the home
router.
After that the VPN works, I can send packets from a machine at home
and I'm seeing them on enc0 on the remote server:
# tcpdump -n -i enc0
tcpdump: listening on enc0, link-type ENC
05:14:04.103254 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2
> 10.0.0.102: icmp: echo request (encap)
05:14:05.134106 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2
> 10.0.0.102: icmp: echo request (encap)
05:14:06.137831 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2
> 10.0.0.102: icmp: echo request (encap)
...
However, I'm now running into what seems to be a firewall problem,
an I'm getting no answer. I do have "pass quick inet proto esp" on
both
VPN ends. Any idea where / how to fix this?
Also, IPs aren't assigned automatically to the VPN ends. I can
add them to hostname.enc0, but is this the right thing to do? I tried
adding a line
config address 10.0.0.102
to /etc/iked.conf, but that's rejected as a syntax error. A clue stick
again please?
Regards,
Liviu Daia
