All incoming connections go to the “redheart” policy. “blackjack” users cannot 
connect. I’m using 6.4.

# iked -dv
set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/blackjack.local
ikev2 "blackjack" passive esp inet from 0.0.0.0/0 to 10.0.0.2 local 
45.32.34.115 peer any ikesa enc aes-256 prf hmac-sha2-256 auth 
hmac-sha2-256,hmac-sha1 group curve25519 childsa enc chacha20-poly1305 group 
curve25519 dstid blackjack.local lifetime 10800 bytes 536870912 psk 
0x7465737470736b31
set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/redheart.local
ikev2 "redheart" passive esp inet from 0.0.0.0/0 to 172.16.0.0/24 local 
45.32.34.115 peer any ikesa enc aes-256,aes-192,aes-128,3des prf 
hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group 
modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth 
hmac-sha2-256,hmac-sha1 dstid redheart.local lifetime 10800 bytes 536870912 psk 
0x7465737470736b32 config protected-subnet 0.0.0.0 config address 172.16.0.0 
config netmask 255.255.255.0 config name-server 8.8.8.8
ikev2_recv: IKE_SA_INIT request from initiator 27.8.173.76:500 to 
45.32.34.115:500 policy 'redheart' id 0, 230 bytes
ikev2_sa_responder: no proposal chosen
ikev2_msg_send: IKE_SA_INIT response from 45.32.34.115:500 to 27.8.173.76:500 
msgid 0, 36 bytes
sa_state: SA_INIT -> CLOSED from any to any policy 'redheart'


> On Nov 5, 2018, at 7:25 AM, Aaron Mason <simplersolut...@gmail.com> wrote:
> 
> What happens when you remove quick from both policies?
> On Mon, Nov 5, 2018 at 7:00 AM 雷致强 <zhiqiang....@gmail.com> wrote:
>> 
>> OpenIKED is so great when I use one policy for all users. However, I’m 
>> having trouble when I try to apply different policies to different users.
>> With the iked.conf that follows, iked seems to apply the “blackjack” policy to 
>> incoming connections only, which keeps the users of “redheart” out.
>> 
>> ikev2 "blackjack" quick passive ipcomp esp \
>>        from 0.0.0.0/0 to 10.0.0.2 \
>>        local egress \
>>        ikesa enc aes-256 prf hmac-sha2-256 group curve25519 \
>>        childsa enc chacha20-poly1305 group curve25519 \
>>        dstid "blackjack.local" \
>>        psk "testpsk1" \
>> 
>> ikev2 "redheart" quick passive ipcomp esp \
>>        from 0.0.0.0/0 to 172.16.0.0/24 \
>>        local egress \
>>        dstid "redheart.local" \
>>        psk "testpsk2" \
>>        config protected-subnet 0.0.0.0/0 \
>>        config address 172.16.0.0/24 \
>>        config netmask 255.255.255.0 \
>>        config name-server 8.8.8.8
>> 
>> This is what happens when redheart.local connects to the responder. (I 
>> replaced the IPs with redheart.local and asgard.local.)
>> 
>> # iked -dv
>> set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/blackjack.local
>> ikev2 "blackjack" quick passive esp inet from 0.0.0.0/0 to 10.0.0.2 local 
>> asgard.local peer any ikesa enc aes-256 prf hmac-sha2-256 auth 
>> hmac-sha2-256,hmac-sha1 group curve25519 childsa enc chacha20-poly1305 group 
>> curve25519 dstid blackjack.local lifetime 10800 bytes 536870912 psk 
>> 0x7465737470736b31
>> set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/redheart.local
>> ikev2 "redheart" quick passive esp inet from 0.0.0.0/0 to 172.16.0.0/24 
>> local asgard.local peer any ikesa enc aes-256,aes-192,aes-128,3des prf 
>> hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group 
>> modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth 
>> hmac-sha2-256,hmac-sha1 dstid redheart.local lifetime 10800 bytes 536870912 
>> psk 0x7465737470736b32 config protected-subnet 0.0.0.0 config address 
>> 172.16.0.0 config netmask 255.255.255.0 config name-server 8.8.8.8
>> ikev2_recv: IKE_SA_INIT request from initiator redheart.local:60970 to 
>> asgard.local:500 policy 'blackjack' id 0, 604 bytes
>> ikev2_sa_responder: no proposal chosen
>> ikev2_msg_send: IKE_SA_INIT response from asgard.local:500 to 
>> redheart.local:60970 msgid 0, 36 bytes
>> sa_state: SA_INIT -> CLOSED from any to any policy 'blackjack'
>> ikev2_recv: IKE_SA_INIT request from initiator redheart.local:60970 to 
>> asgard.local:500 policy 'blackjack' id 0, 604 bytes
>> ikev2_sa_responder: no proposal chosen
>> ikev2_msg_send: IKE_SA_INIT response from asgard.local:500 to 
>> redheart.local:60970 msgid 0, 36 bytes
>> sa_state: SA_INIT -> CLOSED from any to any policy 'blackjack'
>> 
>> If I remove the “quick” option of the “blackjack” policy, all incoming 
>> connections go to the “redheart” policy, which blocks “blackjack” users.
>> 
>> Regarding all the examples I saw, I guess dstid is not a condition to 
>> match the policies? Only “peer” matters?
>> 
> 
> 
> -- 
> Aaron Mason - Programmer, open source addict
> I've taken my software vows - for beta or for worse
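As an added example (not from this thread and not OpenIKED code), a small Python triage script for `iked -dv` trace lines of the shape quoted above: it pairs each IKE_SA_INIT request with the policy iked reported for it and with the outcome of that exchange, so it is visible at a glance which policy every incoming peer is landing on and why the SA closed. The sample lines are constructed from the two traces in the thread, with a placeholder initiator address (192.0.2.10) for the second.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the `iked -dv` traces quoted in this thread
# (the two IKE_SA_INIT exchanges are the ones shown in the two traces; the
# second uses a placeholder initiator address instead of the real peer).
SAMPLE_LOG = """\
ikev2_recv: IKE_SA_INIT request from initiator 27.8.173.76:500 to 45.32.34.115:500 policy 'redheart' id 0, 230 bytes
ikev2_sa_responder: no proposal chosen
ikev2_msg_send: IKE_SA_INIT response from 45.32.34.115:500 to 27.8.173.76:500 msgid 0, 36 bytes
sa_state: SA_INIT -> CLOSED from any to any policy 'redheart'
ikev2_recv: IKE_SA_INIT request from initiator 192.0.2.10:60970 to 45.32.34.115:500 policy 'blackjack' id 0, 604 bytes
ikev2_sa_responder: no proposal chosen
ikev2_msg_send: IKE_SA_INIT response from 45.32.34.115:500 to 192.0.2.10:60970 msgid 0, 36 bytes
sa_state: SA_INIT -> CLOSED from any to any policy 'blackjack'
"""

RECV_RE = re.compile(r"^ikev2_recv: IKE_SA_INIT request from initiator (\S+) to \S+ policy '([^']+)'")
STATE_RE = re.compile(r"^sa_state: SA_INIT -> (\S+) from .* policy '([^']+)'")

def correlate_sa_init(log):
    """Pair each IKE_SA_INIT request with the policy iked picked for it,
    the responder's reason text (if any) and the resulting SA state."""
    events, current = [], None
    for line in log.splitlines():
        m = RECV_RE.match(line)
        if m:
            current = {"initiator": m.group(1), "policy": m.group(2),
                       "reason": None, "state": None}
            events.append(current)
            continue
        if current is None:
            continue
        if line.startswith("ikev2_sa_responder: "):
            current["reason"] = line.split(": ", 1)[1]
        m = STATE_RE.match(line)
        if m and m.group(2) == current["policy"]:
            current["state"] = m.group(1)
            current = None
    return events

def failed_by_policy(log):
    """Count IKE_SA_INIT exchanges that went straight to CLOSED, keyed by
    the policy iked matched, so a responder whose peers all land on one
    policy (the symptom in this thread) stands out."""
    counts = defaultdict(int)
    for ev in correlate_sa_init(log):
        if ev["state"] == "CLOSED":
            counts[ev["policy"]] += 1
    return dict(counts)
```

Run it against a real trace by reading the `iked -dv` output into `correlate_sa_init`; the `policy` field is what iked chose at IKE_SA_INIT, before any peer identity has been seen.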
