Hi,

I feel that I've tried just about every permutation of the various iked and
Cisco crypto settings to get this tunnel up and it just won't work.

One endpoint is an OpenBSD 6.2 and the other is a Cisco ASA 5510 9.1(7).


I started out with high crypto settings but have adjusted down along the
way. I've also tried initiating from both sides but the result is pretty
much the same: OpenBSD stops responding when receiving the Cisco proposal
(and pf does not block any packets).

The iked config:


The Cisco config:


It seems to me, from the output below, that iked is bent on using
certificates instead of pre-shared keys. Here is iked output when acting as
passive:

# iked -dvvT 
ikev2 "DO-test" passive esp from 10.11.12.0/24 to 192.168.66.0/24 local any
peer any ikesa enc aes-256 prf hmac-sha1 auth hmac-sha1 group modp1024
childsa enc aes-256 auth hmac-sha1 lifetime 86400 bytes 536870912 psk
0x3132333435363738
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1191
config_getpolicy: received policy
ca_getkey: received public key type RSA_KEY length 270
config_getpfkey: received pfkey fd 3
ca_dispatch_parent: config reset
config_getcompile: compilation done
config_getsocket: received socket fd 4
ca_reload: local cert type RSA_KEY
config_getsocket: received socket fd 5
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
ikev2_recv: IKE_SA_INIT request from initiator 2.2.2.2:500 to 1.1.1.1:500
policy 'DO-test' id 0, 657 bytes
ikev2_recv: ispi 0xaf51a28350f1c918 rspi 0x0000000000000000
ikev2_policy2id: srcid FQDN/vpn-gw.openbsd.fo length 25
ikev2_pld_parse: header ispi 0xaf51a28350f1c918 rspi 0x0000000000000000
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length
657 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 248
ikev2_pld_sa: more than one proposal specified
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #1 protoid IKE spisize 0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 68
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length
23
ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length
59
ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length
19
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid IKE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0xaf51a28350f1c918 0x0000000000000000
2.2.2.2:500
ikev2_pld_payloads: payload NOTIFY nextpayload VENDOR critical 0x00 length
28
ikev2_pld_notify: protoid IKE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0xaf51a28350f1c918 0x0000000000000000
1.1.1.1:500
ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 20
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x0000, require 0x0000 
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
ikev2_sa_keys: SKEYSEED with 20 bytes
ikev2_sa_keys: S with 112 bytes
ikev2_prfplus: T1 with 20 bytes
ikev2_prfplus: T2 with 20 bytes
ikev2_prfplus: T3 with 20 bytes
ikev2_prfplus: T4 with 20 bytes
ikev2_prfplus: T5 with 20 bytes
ikev2_prfplus: T6 with 20 bytes
ikev2_prfplus: T7 with 20 bytes
ikev2_prfplus: T8 with 20 bytes
ikev2_prfplus: T9 with 20 bytes
ikev2_prfplus: Tn with 180 bytes
ikev2_sa_keys: SK_d with 20 bytes
ikev2_sa_keys: SK_ai with 20 bytes
ikev2_sa_keys: SK_ar with 20 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 20 bytes
ikev2_sa_keys: SK_pr with 20 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 136 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NONE
ikev2_pld_parse: header ispi 0xaf51a28350f1c918 rspi 0xac9649f5b88d71a9
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length
248 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NONE critical 0x00 length 36
ikev2_msg_send: IKE_SA_INIT response from 1.1.1.1:500 to 2.2.2.2:500 msgid
0, 248 bytes
config_free_proposals: free 0x796f5700
ikev2_recv: IKE_AUTH request from initiator 2.2.2.2:500 to 1.1.1.1:500
policy 'DO-test' id 1, 332 bytes
ikev2_recv: ispi 0xaf51a28350f1c918 rspi 0xac9649f5b88d71a9
ikev2_recv: updated SA to peer 2.2.2.2:500 local 1.1.1.1:500
ikev2_pld_parse: header ispi 0xaf51a28350f1c918 rspi 0xac9649f5b88d71a9
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 332
response 0
ikev2_pld_payloads: payload SK nextpayload VENDOR critical 0x00 length 304
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 272
ikev2_msg_decrypt: integrity checksum length 12
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 272/272 padding 4
ikev2_pld_payloads: decrypted payload VENDOR nextpayload IDi critical 0x00
length 20
ikev2_pld_payloads: decrypted payload IDi nextpayload CERTREQ critical 0x00
length 18
ikev2_pld_id: id FQDN/vpn.cisco.fo length 14
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00
length 45
ikev2_pld_certreq: type X509_CERT length 40
ikev2_policy2id: srcid FQDN/vpn-gw.openbsd.fo length 25
sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0000 )
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00
length 28
ikev2_pld_auth: method SHARED_KEY_MIC length 20
sa_state: SA_INIT -> AUTH_REQUEST
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00
length 52
ikev2_pld_sa: more 0 reserved 0 length 48 proposal #1 protoid ESP spisize 4
xforms 4 spi 0xcd5c647e
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_MD5_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00
length 40
ikev2_pld_ts: count 2 length 32
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.168.66.249 end 192.168.66.249
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 192.168.66.0 end 192.168.66.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical 0x00
length 40
ikev2_pld_ts: count 2 length 32
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 10.11.12.5 end 10.11.12.5
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport
65535
ikev2_pld_ts: start 10.11.12.0 end 10.11.12.255
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical
0x00 length 8
ikev2_pld_notify: protoid IKE spisize 0 type INITIAL_CONTACT
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical
0x00 length 8
ikev2_pld_notify: protoid IKE spisize 0 type ESP_TFC_PADDING_NOT_SUPPORTED
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00
length 8
ikev2_pld_notify: protoid IKE spisize 0 type NON_FIRST_FRAGMENTS_ALSO
sa_stateok: SA_INIT flags 0x0000, require 0x0000 
policy_lookup: peerid 'vpn.cisco.fo'
ikev2_msg_auth: responder auth data length 332
ikev2_msg_auth: initiator auth data length 709
ikev2_msg_authverify: method SHARED_KEY_MIC keylen 20 type NONE
*ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x002c -> 0x003c certreq,auth,authvalid,sa (required 0x0039
cert,auth,authvalid,sa)
ikev2_sa_negotiate: score 4
sa_stateflags: 0x003c -> 0x003c certreq,auth,authvalid,sa (required 0x0039
cert,auth,authvalid,sa)
sa_stateok: VALID flags 0x0038, require 0x0039 cert,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
config_free_proposals: free 0x75dbd740
ca_getreq: no valid local certificate found*
ikev2_getimsgdata: imsg 19 rspi 0xac9649f5b88d71a9 ispi 0xaf51a28350f1c918
initiator 0 sa valid type 0 data length 0
ikev2_dispatch_cert: cert type NONE length 0, ignored
ikev2_recv: IKE_AUTH request from initiator 2.2.2.2:500 to 1.1.1.1:500
policy 'DO-test' id 1, 332 bytes
ikev2_recv: ispi 0xaf51a28350f1c918 rspi 0xac9649f5b88d71a9
ikev2_recv: IKE_AUTH request from initiator 2.2.2.2:500 to 1.1.1.1:500
policy 'DO-test' id 1, 332 bytes
ikev2_recv: ispi 0xaf51a28350f1c918 rspi 0xac9649f5b88d71a9
ikev2_recv: IKE_AUTH request from initiator 2.2.2.2:500 to 1.1.1.1:500
policy 'DO-test' id 1, 332 bytes
ikev2_recv: ispi 0xaf51a28350f1c918 rspi 0xac9649f5b88d71a9
ikev2_recv: IKE_AUTH request from initiator 2.2.2.2:500 to 1.1.1.1:500
policy 'DO-test' id 1, 332 bytes
ikev2_recv: ispi 0xaf51a28350f1c918 rspi 0xac9649f5b88d71a9
^Ccontrol exiting, pid 27599
ikev2 exiting, pid 62350
ca exiting, pid 73320
parent terminating


To me it looks like it has authenticated but still requires a certificate?!?
I can post the Cisco debugging output if required, but in order not to make
this post too verbose I'll defer that.

Hopefully somebody has a solution; even suggestions are much appreciated.

Thanks,

Danial



--
Sent from: http://openbsd-archive.7691.n7.nabble.com/openbsd-user-misc-f3.html
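A small reader for the sa_stateflags/sa_stateok lines in the trace above, added here as an example and not part of Danial's post or of iked itself. The bit table is an assumption taken from the IKED_REQ_* definitions in iked.h of that OpenBSD release, and the code cross-checks it against every sa_stateflags line before naming the requirement that blocks the AUTH_SUCCESS -> VALID transition.

```python
import re
from typing import Dict, List, Tuple

# Bit values of iked's IKED_REQ_* SA flags, assumed from iked.h of the
# OpenBSD 6.2 era; check_table() verifies them against the log it reads.
SA_FLAGS: Dict[str, int] = {
    "cert": 0x01, "valid": 0x02, "certreq": 0x04, "auth": 0x08,
    "authvalid": 0x10, "sa": 0x20, "childsa": 0x40, "inf": 0x80,
}

# Constructed excerpt of the iked -dvvT output from the post (wrapped lines rejoined).
LOG = """\
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0000 )
sa_stateok: SA_INIT flags 0x0000, require 0x0000 
sa_stateflags: 0x002c -> 0x003c certreq,auth,authvalid,sa (required 0x0039 cert,auth,authvalid,sa)
sa_stateok: VALID flags 0x0038, require 0x0039 cert,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
"""

FLAGS_RE = re.compile(r"sa_stateflags: (0x[0-9a-f]+) -> (0x[0-9a-f]+) ([\w,]*) ")
OK_RE = re.compile(r"sa_stateok: (\w+) flags (0x[0-9a-f]+), require (0x[0-9a-f]+)")


def names(mask: int) -> List[str]:
    """Names of the flag bits set in mask, in ascending bit order (as iked prints them)."""
    return [n for n, b in sorted(SA_FLAGS.items(), key=lambda kv: kv[1]) if mask & b]


def check_table(log: str) -> List[str]:
    """Return every sa_stateflags line whose printed names disagree with SA_FLAGS."""
    bad = []
    for m in FLAGS_RE.finditer(log):
        value = int(m.group(2), 16)
        listed = sorted(filter(None, m.group(3).split(",")))
        if sorted(names(value)) != listed:
            bad.append(m.group(0).strip())
    return bad


def missing_requirements(log: str) -> List[Tuple[str, List[str]]]:
    """For each sa_stateok line: (target state, required flags that are not set)."""
    out = []
    for m in OK_RE.finditer(log):
        state, have, need = m.group(1), int(m.group(2), 16), int(m.group(3), 16)
        out.append((state, names(need & ~have)))
    return out


if __name__ == "__main__":
    for line in check_table(LOG):
        print("flag table disagrees with log line:", line)
    for state, miss in missing_requirements(LOG):
        print(f"{state}: missing {','.join(miss) or 'nothing'}")
```

On the excerpt this reports that the only requirement the VALID state still lacks is cert, which matches the `ca_getreq: no valid local certificate found` line that follows in the trace.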
