Hello

On 01/30/18 22:00, Peter Müller wrote:
Hello *,

I am trying to set up an IPsec connection between OpenBSD 6.2
and an IPFire firewall, where the OpenBSD host is a road warrior.
There, I use "iked", while the firewall is running "strongswan".

After struggling with some cryptography issues (curve25519 and
brainpool512 did not work, neither did aes-gcm), the IKE
connection is now established, but the firewall requires a
request for a virtual IP:

[log snippet from "iked" @ OpenBSD:]
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 12
ikev2_pld_notify: protoid NONE spisize 0 type AUTH_LIFETIME
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type FAILED_CP_REQUIRED

[log snippet from "strongswan" @ IPFire:]
21:45:26 charon:  07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(FAIL_CP_REQ) ]
21:45:26 charon:  07[IKE] failed to establish CHILD_SA, keeping IKE_SA
21:45:26 charon:  07[IKE] configuration payload negotiation failed, no CHILD_SA built
21:45:26 charon:  07[IKE] expected a virtual IP request, sending FAILED_CP_REQUIRED

Until now, I tried inserting the following directives to my
/etc/iked.conf - without luck, they didn't seem to change anything:

(1) config address 10.XXX.XXX.XXX

(2) config address 10.XXX.XXX.XXX/24

(3) config address 10.XXX.XXX.XXX\
     config address 10.XXX.XXX.XXX/24

How do I configure "iked" to request a virtual IP?

Any help is highly appreciated, since I am flying blind here.

Thanks and best regards,
Peter Müller


Last time I looked, OpenIKED was not yet able to request a config payload, only reply to one. Looking at the source code of iked confirms this.

/src/sbin/iked/ikev2.c
========================
ssize_t
ikev2_add_cp(struct iked *env, struct iked_sa *sa, struct ibuf *buf)
{
...
        switch (sa->sa_cp) {
        case IKEV2_CP_REQUEST:
                cp->cp_type = IKEV2_CP_REPLY;
                break;
        case IKEV2_CP_REPLY:
        case IKEV2_CP_SET:
        case IKEV2_CP_ACK:
                /* Not yet supported */ <===!!!
                return (-1);
        }
...

Cheers Kim
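To make the exchange in the two logs concrete, here is an added example (not code from this thread, from iked or from strongSwan) that decodes the pair of Notify payloads the iked log reports and builds the CFG_REQUEST configuration payload that the strongSwan responder says it expected. Payload types, Notify message types and configuration attribute numbers are the values assigned in RFC 7296 and RFC 4478 (Notify 41, CP 47, FAILED_CP_REQUIRED 37, AUTH_LIFETIME 16403, CFG_REQUEST 1, INTERNAL_IP4_ADDRESS 1, INTERNAL_IP4_DNS 3); the sample bytes are constructed to match the lengths 12 and 8 that the log shows, and the 3600-second lifetime value inside AUTH_LIFETIME is an assumption.

```python
"""Decode and build the IKEv2 payloads involved in a FAILED_CP_REQUIRED reply
(RFC 7296 §3.2 generic header, §3.10 Notify, §3.15 Configuration Payload).
Added illustration; not code from iked or strongSwan."""
import struct

PAYLOAD_NONE, PAYLOAD_NOTIFY, PAYLOAD_CP = 0, 41, 47      # Next Payload values
NOTIFY_NAMES = {37: "FAILED_CP_REQUIRED", 16403: "AUTH_LIFETIME"}
PROTO_NAMES = {0: "NONE", 1: "IKE", 2: "AH", 3: "ESP"}
CP_TYPES = {1: "CFG_REQUEST", 2: "CFG_REPLY", 3: "CFG_SET", 4: "CFG_ACK"}
CP_ATTRS = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK",
            3: "INTERNAL_IP4_DNS"}


def parse_notify(body):
    """Notify body: Protocol ID (1), SPI Size (1), Message Type (2), SPI, data."""
    if len(body) < 4:
        raise ValueError("notify payload shorter than its fixed header")
    protoid, spisize, ntype = struct.unpack_from("!BBH", body)
    if 4 + spisize > len(body):
        raise ValueError("notify SPI runs past payload end")
    return {"protoid": PROTO_NAMES.get(protoid, str(protoid)),
            "spisize": spisize,
            "notify": NOTIFY_NAMES.get(ntype, "TYPE_%d" % ntype),
            "spi": body[4:4 + spisize],
            "data": body[4 + spisize:]}


def parse_cp(body):
    """Configuration payload body: CFG Type (1), Reserved (3), attributes."""
    if len(body) < 4:
        raise ValueError("configuration payload shorter than its fixed header")
    cfg_type, attrs, off = body[0], [], 4
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError("truncated configuration attribute header")
        atype, alen = struct.unpack_from("!HH", body, off)
        atype &= 0x7FFF                                   # top bit is reserved
        if off + 4 + alen > len(body):
            raise ValueError("configuration attribute runs past payload end")
        attrs.append((CP_ATTRS.get(atype, "ATTR_%d" % atype),
                      body[off + 4:off + 4 + alen]))
        off += 4 + alen
    return {"cfg_type": CP_TYPES.get(cfg_type, "CFG_%d" % cfg_type),
            "attrs": attrs}


def parse_payloads(data, first_type):
    """Walk a payload chain; first_type is what the preceding header's
    Next Payload field announced. Returns one dict per payload."""
    out, off, ptype = [], 0, first_type
    while ptype != PAYLOAD_NONE:
        if off + 4 > len(data):
            raise ValueError("truncated generic payload header")
        nxt, flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length %d" % length)
        body = data[off + 4:off + length]
        entry = {"type": ptype, "critical": bool(flags & 0x80), "length": length}
        if ptype == PAYLOAD_NOTIFY:
            entry.update(parse_notify(body))
        elif ptype == PAYLOAD_CP:
            entry.update(parse_cp(body))
        out.append(entry)
        off, ptype = off + length, nxt
    return out


def build_cp_request(attr_types=(1, 3)):
    """Build a CFG_REQUEST for the given attributes; a zero-length attribute
    means "please assign one" (RFC 7296 §3.15.1). Next Payload is NONE."""
    attrs = b"".join(struct.pack("!HH", t, 0) for t in attr_types)
    body = bytes([1, 0, 0, 0]) + attrs                    # CFG_REQUEST + reserved
    return struct.pack("!BBH", PAYLOAD_NONE, 0, 4 + len(body)) + body


def requires_cp_request(payloads):
    """True if the responder insists on a configuration request from us."""
    return any(p.get("notify") == "FAILED_CP_REQUIRED" for p in payloads)


# Constructed sample: the two Notify payloads the iked log reports, AUTH_LIFETIME
# (length 12, carrying an assumed 3600 s lifetime) then FAILED_CP_REQUIRED (length 8).
SAMPLE_NOTIFIES = bytes.fromhex("29 00 00 0c 00 00 40 13 00 00 0e 10 "
                                "00 00 00 08 00 00 00 25")

if __name__ == "__main__":
    notifies = parse_payloads(SAMPLE_NOTIFIES, PAYLOAD_NOTIFY)
    for p in notifies:
        print(p)
    print("responder wants a CFG_REQUEST:", requires_cp_request(notifies))
    print(parse_payloads(build_cp_request(), PAYLOAD_CP))
```

Running it reproduces the iked log's view (two non-critical Notify payloads of length 12 and 8, protocol NONE, SPI size 0) and prints the 16-byte CFG_REQUEST with empty INTERNAL_IP4_ADDRESS and INTERNAL_IP4_DNS attributes, which is the payload the initiator would have to put into IKE_AUTH for strongSwan's virtual IP assignment to proceed.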
