Hello Stuart,

>>>
>>> strongSwan's module to install policies to the kernel (kernel-pfkey) does
>>> not support OpenBSD without making code changes. Not impossible but hasn't
>>> been done. Only their userland setup that works with tun(4) devices
>>> (slightly confusingly called kernel-ipsec) is available.
>>
>> Hm, after fiddling around for a while, I am a bit helpless on this. Do you
>> happen to have
>> some example configuration? If yes, I would be very grateful to see it. :-)
>
> I put a sanitized version of my config in the pkg-readme file in the
> strongswan package - but I only used it for a very basic EAP-MSCHAP
> client (and I don't know strongswan very well; I normally only use it
> on Android with the gui configuration tool) so there is nothing fancy
> in there.
>
Thank you - unfortunately, it does not seem to work here. An IKE_SA is successfully established, but the CHILD_SA fails with the same error message. If "installpolicy=no" is appended to the appropriate connection in /etc/strongswan/ipsec.conf, both IKE_SA and CHILD_SA can be established, but no traffic will be routed through the tunnel:

> Status of IKE charon daemon (strongSwan 5.8.1, OpenBSD 6.6, amd64):
>   uptime: 2 minutes, since Feb 17 15:44:04 2020
>   worker threads: 6 of 16 idle, 6/0/4/0 working, job queue: 0/0/0/0,
> scheduled: 6
>   loaded plugins: charon pkcs11 aes des rc2 sha2 sha1 md4 md5 mgf1 random
> nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
> sshkey pem botan fips-prf gmp curve25519 chapoly xcbc cmac hmac gcm attr
> kernel-libipsec kernel-pfroute resolve socket-default stroke vici updown
> eap-identity eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap
> xauth-generic xauth-eap counters
> Listening IP addresses:
>   94.xxx.xxx.xxx
>   2a03:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
> Connections:
> N2NTESTCONN:  xxx...yyy  IKEv2, dpddelay=10s
> N2NTESTCONN:   local:  [xxx] uses public key authentication
> N2NTESTCONN:    cert:  "C=EU, O=xxx, CN=xxx"
> N2NTESTCONN:   remote: [yyy] uses public key authentication
> N2NTESTCONN:    cert:  "C=EU, O=yyy, CN=yyy"
> N2NTESTCONN:   child:  10.xxx.xxx.2/32 === 10.yyy.yyy.0/24 TUNNEL,
> dpdaction=restart
> Security Associations (1 up, 0 connecting):
> N2NTESTCONN[1]: ESTABLISHED 2 minutes ago,
> 94.xxx.xxx.xxx[xxx]...87.yyy.yyy.yyy[yyy]
> N2NTESTCONN[1]: IKEv2 SPIs: a14ff33decbcc124_i* 2a6d95dc56127468_r,
> public key reauthentication in 2 hours
> N2NTESTCONN[1]: IKE proposal:
> AES_GCM_16_256/PRF_HMAC_SHA2_512/CURVE_25519
> N2NTESTCONN{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs:
> f44fa42e_i cf5467e8_o
> N2NTESTCONN{1}:  AES_GCM_16_256, 5040 bytes_i (60 pkts, 0s ago), 0
> bytes_o, rekeying in 42 minutes
> N2NTESTCONN{1}:   10.xxx.xxx.2/32 === 10.yyy.yyy.0/24

Traffic from the remote IPsec peer (which is a Linux machine) successfully reaches the OpenBSD system ("5040 bytes_i"), but responses do not make it back ("0 bytes_o"). Actually, this is where I need help - manually installing SAs does not make sense to me.

Thank you in advance for any hints.

Best regards,
Peter Müller

P.S.: Sorry, I thought I had sent this to <misc@openbsd.org> already, but put in some crappy To-Header. Sleep is no adequate substitution for caffeine... :-/
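The one-way traffic Peter reads off the CHILD_SA line by hand ("5040 bytes_i", "0 bytes_o") can be checked mechanically. The script below is an added example, not part of this thread or of strongSwan; it parses the `ipsec statusall` CHILD_SA traffic lines in the format quoted above and reports every CHILD_SA that receives traffic but never sends any. The status text it runs on is a constructed sample modelled on the excerpt in the mail.

```python
"""Flag strongSwan CHILD_SAs whose traffic is one-way (inbound only)."""
import re

# Constructed sample, modelled on the `ipsec statusall` excerpt in the mail.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
 N2NTESTCONN[1]: ESTABLISHED 2 minutes ago, 94.xxx.xxx.xxx[xxx]...87.yyy.yyy.yyy[yyy]
 N2NTESTCONN{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: f44fa42e_i cf5467e8_o
 N2NTESTCONN{1}:  AES_GCM_16_256, 5040 bytes_i (60 pkts, 0s ago), 0 bytes_o, rekeying in 42 minutes
 N2NTESTCONN{1}:   10.xxx.xxx.2/32 === 10.yyy.yyy.0/24
"""

# A CHILD_SA traffic line looks like:
#   "<conn>{<id>}:  <cipher>, <n> bytes_i [(<p> pkts, <t> ago)], <m> bytes_o ..."
# The packet/age parenthesis is absent when the counter is zero, so it is optional here.
CHILD_TRAFFIC = re.compile(
    r"^\s*(?P<name>\S+)\{(?P<id>\d+)\}:\s+\S+,\s+"
    r"(?P<bytes_i>\d+) bytes_i.*?,\s+(?P<bytes_o>\d+) bytes_o"
)


def parse_child_traffic(status_text):
    """Return {(conn_name, child_id): (bytes_in, bytes_out)} for every CHILD_SA traffic line."""
    counters = {}
    for line in status_text.splitlines():
        m = CHILD_TRAFFIC.match(line)
        if m:
            key = (m.group("name"), int(m.group("id")))
            counters[key] = (int(m.group("bytes_i")), int(m.group("bytes_o")))
    return counters


def one_way_child_sas(status_text):
    """CHILD_SAs that have decrypted inbound traffic but emitted no outbound bytes,
    i.e. exactly the symptom described in the mail: the peer reaches us, replies
    never leave through the tunnel."""
    return sorted(
        key
        for key, (bytes_i, bytes_o) in parse_child_traffic(status_text).items()
        if bytes_i > 0 and bytes_o == 0
    )


if __name__ == "__main__":
    for name, sa_id in one_way_child_sas(SAMPLE_STATUS):
        print(f"{name}{{{sa_id}}}: inbound traffic only, no bytes sent back through the tunnel")
```

On a live system, feed it the output of `ipsec statusall` (strongSwan's stroke interface, which is loaded above) instead of the sample.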