Hi, I need some advice to configure an iked server. I guess it's called "roadwarrior", but as English is not my main language, here is what I need:

* Connect to this server via any device (no certificate at first)
* Allow any incoming IP to connect.
* Route the traffic to the web through the VPN.
What I did on the server after reading the list and manpages:

# cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.ipcomp.enable=1
# echo "up" > /etc/hostname.enc0
# sh /etc/netstart enc0
# cat /etc/pf.conf
set skip on enc0
pass in on egress proto udp from any to any port {isakmp, ipsec-nat-t}
pass out on egress proto udp from any to any port {isakmp, ipsec-nat-t}
pass in on egress proto esp
pass out on egress proto esp
# NAT the road-warrior pool on the outgoing interface: enc0 is skipped above,
# so a "match out on enc0" rule would never be evaluated
match out on egress from 192.168.47.160/27 nat-to (egress:0)
# cat /etc/iked.conf
user "test" "password12345"
# local/peer appear once, in the order iked.conf(5) lists the options
ikev2 "warrior" passive ipcomp esp \
        from any to any \
        local ip.ip.ip.ip \
        peer any \
        srcid "hostname.tld" \
        eap "mschap-v2" \
        config address 192.168.47.160/27 \
        tag "$name-$id"

It doesn't work as expected. Here is the trace of "iked -vvd" on the server at the auth attempt:

reiva# iked -vvd
ikev2 "warrior" passive esp from any to any local any peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 signature
/etc/iked.conf: loaded 2 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
config_new_user: inserting new user test
user "test" "password12345"
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1191
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: local cert type RSA_KEY
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: mobike
ikev2_recv: IKE_SA_INIT request from initiator 176.180.81.105:19956 to 46.23.92.147:500 policy 'warrior' id 0, 716 bytes
ikev2_recv: ispi 0x515201836a3a178d rspi 0x0000000000000000
ikev2_policy2id: srcid FQDN/reiva.openbsd.amsterdam length 27
ikev2_pld_parse: header ispi 0x515201836a3a178d rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 716 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 492
ikev2_pld_sa: more 2 reserved 0 length 228 proposal #1 protoid IKE spisize 0 xforms 26 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_XCBC_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id <UNKNOWN:31>
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_8192
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_sa: more 0 reserved 0 length 260 proposal #2 protoid IKE spisize 0 xforms 27 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id CHACHA20_POLY1305
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id <UNKNOWN:31>
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_8192
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 72
ikev2_pld_ke: dh group ECP_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x515201836a3a178d 0x0000000000000000 176.180.81.105:19956
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x515201836a3a178d 0x0000000000000000 46.23.92.147:500
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
ikev2_pld_notify: signature hash <UNKNOWN:5> (5)
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
ikev2_sa_negotiate: score 0
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
ikev2_sa_responder_dh: want dh MODP_2048, KE has ECP_256
ikev2_resp_recv: failed to get IKE SA keys
ikev2_add_error: done
ikev2_next_payload: length 10 nextpayload NONE
ikev2_pld_parse: header ispi 0x515201836a3a178d rspi 0xb89825e77ff6fc61 nextpayload NOTIFY version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 38 response 1
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 10
ikev2_pld_notify: protoid NONE spisize 0 type INVALID_KE_PAYLOAD
ikev2_msg_send: IKE_SA_INIT response from 46.23.92.147:500 to 176.180.81.105:19956 msgid 0, 38 bytes
sa_state: SA_INIT -> CLOSED from any to any policy 'warrior'
config_free_proposals: free 0x17094e007480
config_free_proposals: free 0x1709b676c300
ikev2_recv: IKE_SA_INIT request from initiator 176.180.81.105:19956 to 46.23.92.147:500 policy 'warrior' id 0, 908 bytes
ikev2_recv: ispi 0x515201836a3a178d rspi 0x0000000000000000
sa_free: ispi 0x515201836a3a178d rspi 0xb89825e77ff6fc61
config_free_proposals: free 0x1709a5202100
ikev2_policy2id: srcid FQDN/reiva.openbsd.amsterdam length 27
ikev2_pld_parse: header ispi 0x515201836a3a178d rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 908 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 492
ikev2_pld_sa: more 2 reserved 0 length 228 proposal #1 protoid IKE spisize 0 xforms 26 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_XCBC_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id <UNKNOWN:31>
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_8192
ikev2_pld_sa: more 0 reserved 0 length 260 proposal #2 protoid IKE spisize 0 xforms 27 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id CHACHA20_POLY1305
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id <UNKNOWN:31>
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_8192
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x515201836a3a178d 0x0000000000000000 176.180.81.105:19956
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x515201836a3a178d 0x0000000000000000 46.23.92.147:500
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
ikev2_pld_notify: signature hash <UNKNOWN:5> (5)
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
ikev2_sa_negotiate: score 0
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
ikev2_sa_keys: DHSECRET with 256 bytes
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x515201836a3a178d 0x72e7d26735a1b6e8 46.23.92.147:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x515201836a3a178d 0x72e7d26735a1b6e8 176.180.81.105:19956
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type RSA_KEY length 1
ikev2_next_payload: length 5 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0x515201836a3a178d rspi 0x72e7d26735a1b6e8 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 451 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 5
ikev2_pld_certreq: type RSA_KEY length 0
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_msg_send: IKE_SA_INIT response from 46.23.92.147:500 to 176.180.81.105:19956 msgid 0, 451 bytes
config_free_proposals: free 0x17094e007980
config_free_proposals: free 0x17094e007000
ikev2_recv: IKE_AUTH request from initiator 176.180.81.105:19761 to 46.23.92.147:4500 policy 'warrior' id 1, 3536 bytes
ikev2_recv: ispi 0x515201836a3a178d rspi 0x72e7d26735a1b6e8
ikev2_recv: updated SA to peer 176.180.81.105:19761 local 46.23.92.147:4500
ikev2_pld_parse: header ispi 0x515201836a3a178d rspi 0x72e7d26735a1b6e8 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 3536 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 3508
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 3472
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 3472/3472 padding 10
ikev2_pld_payloads: decrypted payload IDi nextpayload NOTIFY critical 0x00 length 12
ikev2_pld_id: id FQDN/test length 8
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload CERTREQ critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type INITIAL_CONTACT
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload CP critical 0x00 length 3105
ikev2_pld_certreq: type X509_CERT length 3100
ikev2_policy2id: srcid FQDN/reiva.openbsd.amsterdam length 27
sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0000 )
ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical 0x00 length 24
ikev2_pld_cp: type REQUEST length 16
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
ikev2_pld_cp: INTERNAL_IP6_ADDRESS 0x0008 length 0
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
ikev2_pld_cp: INTERNAL_IP6_DNS 0x000a length 0
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type ESP_TFC_PADDING_NOT_SUPPORTED
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 144
ikev2_pld_sa: more 2 reserved 0 length 52 proposal #1 protoid ESP spisize 4 xforms 4 spi 0x355caaab
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id CHACHA20_POLY1305
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_sa: more 0 reserved 0 length 88 proposal #2 protoid ESP spisize 4 xforms 8 spi 0x355caaab
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 64
ikev2_pld_ts: count 2 length 56
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical 0x00 length 64
ikev2_pld_ts: count 2 length 56
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type NO_ADDITIONAL_ADDRESSES
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type EAP_ONLY_AUTHENTICATION
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type IKEV2_MESSAGE_ID_SYNC_SUPPORTED
sa_stateok: SA_INIT flags 0x0000, require 0x0000
policy_lookup: peerid 'test'
ikev2_msg_auth: responder auth data length 515
ca_setauth: auth length 515
ikev2_sa_negotiate: score 0
ikev2_sa_negotiate: score 4
sa_stateflags: 0x0024 -> 0x0024 certreq,sa (required 0x0000 )
config_free_proposals: free 0x1709115c1a00
config_free_proposals: free 0x17094e007000
ca_getreq: no valid local certificate found
ca_setauth: auth length 256
ikev2_getimsgdata: imsg 20 rspi 0x72e7d26735a1b6e8 ispi 0x515201836a3a178d initiator 0 sa valid type 0 data length 0
ikev2_dispatch_cert: cert type NONE length 0, ignored
ikev2_getimsgdata: imsg 25 rspi 0x72e7d26735a1b6e8 ispi 0x515201836a3a178d initiator 0 sa valid type 1 data length 256
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x0024 -> 0x002c certreq,auth,sa (required 0x0000 )
ikev2_recv: IKE_AUTH request from initiator 176.180.81.105:19761 to 46.23.92.147:4500 policy 'warrior' id 1, 3536 bytes
ikev2_recv: ispi 0x515201836a3a178d rspi 0x72e7d26735a1b6e8

Any advice please?

-- 
thuban
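A trace like the one in this post can be triaged mechanically. The script below is an added example, not code from the original post or from OpenBSD's iked: a small Python parser that reads `iked -vvd` output (a constructed, abridged subset of the lines in the post is embedded as sample input), builds one record per request the responder handled, and reports the problem that stalls the handshake. On this trace it shows the first IKE_SA_INIT being rejected with INVALID_KE_PAYLOAD because the client's KE payload used ECP_256 while the policy wants MODP_2048 (the client retried with MODP_2048, which is the normal recovery), and then IKE_AUTH stopping at `ca_getreq: no valid local certificate found`, followed by the same IKE_AUTH request arriving a second time. The client asked for an X509_CERT in its CERTREQ, and with `eap` the responder authenticates itself with a certificate (iked.conf(5)), so a server that only has an RSA key pair and no X.509 certificate cannot finish the exchange. The line formats matched are those in the post; the diagnosis strings are my own wording.

```python
"""Triage an `iked -vvd` trace into one record per request the responder handled.
Added example, not code from the original post or from OpenBSD's iked."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the trace in the post (abridged).
SAMPLE_TRACE = """\
ikev2_recv: IKE_SA_INIT request from initiator 176.180.81.105:19956 to 46.23.92.147:500 policy 'warrior' id 0, 716 bytes
ikev2_pld_ke: dh group ECP_256 reserved 0
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
ikev2_sa_responder_dh: want dh MODP_2048, KE has ECP_256
ikev2_pld_notify: protoid NONE spisize 0 type INVALID_KE_PAYLOAD
ikev2_recv: IKE_SA_INIT request from initiator 176.180.81.105:19956 to 46.23.92.147:500 policy 'warrior' id 0, 908 bytes
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_sa_keys: SK_d with 32 bytes
ikev2_recv: IKE_AUTH request from initiator 176.180.81.105:19761 to 46.23.92.147:4500 policy 'warrior' id 1, 3536 bytes
ikev2_pld_id: id FQDN/test length 8
ikev2_pld_certreq: type X509_CERT length 3100
ikev2_pld_notify: protoid NONE spisize 0 type EAP_ONLY_AUTHENTICATION
ca_getreq: no valid local certificate found
ikev2_dispatch_cert: cert type NONE length 0, ignored
ikev2_recv: IKE_AUTH request from initiator 176.180.81.105:19761 to 46.23.92.147:4500 policy 'warrior' id 1, 3536 bytes
"""

RECV = re.compile(r"^ikev2_recv: (\w+) request from initiator (\S+) to \S+ policy '[^']*' id \d+, (\d+) bytes")
KE = re.compile(r"^ikev2_pld_ke: dh group (\w+)")
DH_MISMATCH = re.compile(r"^ikev2_sa_responder_dh: want dh (\w+), KE has (\w+)")
NOTIFY = re.compile(r"^ikev2_pld_notify: protoid \w+ spisize \d+ type (\w+)")
CERTREQ = re.compile(r"^ikev2_pld_certreq: type (\w+)")
PEER_ID = re.compile(r"^ikev2_pld_id: id (\S+)")


@dataclass
class Exchange:
    kind: str                    # IKE_SA_INIT or IKE_AUTH
    peer: str                    # initiator address:port
    size: int                    # request length in bytes
    dh_group: str | None = None  # group of the KE payload the peer sent
    nat_t: bool = False          # responder switched to UDP encapsulation
    peer_id: str | None = None   # IDi payload (IKE_AUTH only)
    certreq: str | None = None   # certificate type the peer asked us for
    keys_derived: bool = False   # SK_* material was computed
    retransmits: int = 0         # identical request seen again: peer got no answer
    notifies: list[str] = field(default_factory=list)
    problems: list[str] = field(default_factory=list)


def parse_trace(text: str) -> list[Exchange]:
    exchanges: list[Exchange] = []
    cur: Exchange | None = None
    for line in text.splitlines():
        if m := RECV.match(line):
            kind, peer, size = m.group(1), m.group(2), int(m.group(3))
            if cur and (cur.kind, cur.peer, cur.size) == (kind, peer, size):
                cur.retransmits += 1        # same request again, not a new one
                continue
            cur = Exchange(kind, peer, size)
            exchanges.append(cur)
        elif cur is None:
            continue                        # daemon start-up lines before the first request
        elif m := KE.match(line):
            cur.dh_group = m.group(1)
        elif m := DH_MISMATCH.match(line):
            cur.problems.append(
                f"DH group mismatch: policy wants {m.group(1)}, peer's KE is {m.group(2)}; "
                f"responder replies INVALID_KE_PAYLOAD and the peer must retry with {m.group(1)}")
        elif m := NOTIFY.match(line):
            cur.notifies.append(m.group(1))
        elif "detected NAT, enabling UDP encapsulation" in line:
            cur.nat_t = True
        elif m := CERTREQ.match(line):
            cur.certreq = m.group(1)
        elif m := PEER_ID.match(line):
            cur.peer_id = m.group(1)
        elif line.startswith("ikev2_sa_keys: SK_d"):
            cur.keys_derived = True
        elif line.startswith("ca_getreq: no valid local certificate found"):
            cur.problems.append(
                "responder has no X.509 certificate to present; with 'eap' the responder "
                "authenticates itself by certificate (iked.conf(5)), so IKE_AUTH cannot complete")
    return exchanges


def blocking_problem(exchanges: list[Exchange]) -> tuple[str, str] | None:
    """Problem in the latest exchange that has one; earlier problems (such as
    INVALID_KE_PAYLOAD) were recovered from if a later exchange followed."""
    for ex in reversed(exchanges):
        if ex.problems:
            return ex.kind, ex.problems[0]
    return None


if __name__ == "__main__":
    exs = parse_trace(SAMPLE_TRACE)
    for i, ex in enumerate(exs, 1):
        print(f"#{i} {ex.kind} from {ex.peer}: KE {ex.dh_group}, NAT-T {ex.nat_t}, "
              f"IDi {ex.peer_id}, CERTREQ {ex.certreq}, retransmits {ex.retransmits}")
    print("stalled at:", blocking_problem(exs))
```

Run it against a real trace with `iked -vvd 2>&1 | tee trace.log` and `parse_trace(open("trace.log").read())`; the retransmit counter is the quickest tell that the responder never sent an IKE_AUTH reply, and the latest problem record is the one to fix first.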