On Tue, Jun 16, 2020 at 08:20:59PM -0400, Daniel Ouellet wrote:
> Hi,
>
> > What I see is that the initial message is received but ignored, so this
> > side here probably runs into some kind of error.
> > To find out what exactly causes this, a more verbose log would help.
> > You could manually start iked with -dvv and share the log for an
> > incoming IKE_SA_INIT request from 72.83.103.147:500 (best without the
> > grep because the following lines may contain the actual error messages).
>
> gateway# iked -dvv
> set_policy_auth_method: using rsa for peer
> /etc/iked/pubkeys/ipv4/66.63.5.250
> set_policy: found pubkey for /etc/iked/pubkeys/ipv4/66.63.5.250
> ikev2 "VPN" active tunnel esp inet from 72.83.103.147 to 66.63.5.250
> local 72.83.103.147 peer 66.63.5.250 ikesa enc
> aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth
> hmac-sha2-256,hmac-sha1 group
> curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024
> childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1
> esn,noesn lifetime 10800 bytes 536870912 rsa
> set_policy_auth_method: using rsa for peer
> /etc/iked/pubkeys/ipv4/66.63.5.250
> set_policy: found pubkey for /etc/iked/pubkeys/ipv4/66.63.5.250
> ikev2 "Flow" active tunnel esp inet from 66.63.44.66 to 0.0.0.0/0 from
> 66.63.44.90 to 0.0.0.0/0 from 66.63.44.96/28 to 0.0.0.0/0 from
> 66.63.44.67 to 66.63.0.0/18 from 66.63.44.79 to 45.7.36.0/22 from
> 66.63.44.79 to 185.40.64.0/22 from 66.63.44.79 to 43.229.64.0/22 from
> 66.63.44.79 to 162.249.72.0/21 from 66.63.44.79 to 104.160.128.0/19 from
> 66.63.44.79 to 192.64.168.0/21 from 66.63.44.79 to 103.240.224.0/22 from
> 66.63.44.65 to 66.63.5.245 from 66.63.44.65 to 66.63.5.250 local any
> peer 66.63.5.250 ikesa enc aes-256,aes-192,aes-128,3des prf
> hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group
> curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024
> childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1
> esn,noesn lifetime 10800 bytes 536870912 rsa
> /etc/iked.conf: loaded 2 configuration rules
> ca_privkey_serialize: type RSA_KEY length 1191
> ca_pubkey_serialize: type RSA_KEY length 270
> ca_privkey_to_method: type RSA_KEY method RSA_SIG
> ca_getkey: received private key type RSA_KEY length 1191
> ca_getkey: received public key type RSA_KEY length 270
> ca_dispatch_parent: config reset
> config_getpolicy: received policy
> ca_reload: local cert type RSA_KEY
> config_getocsp: ocsp_url none
> config_getpolicy: received policy
> ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
> config_getpfkey: received pfkey fd 3
> config_getcompile: compilation done
> config_getsocket: received socket fd 4
> config_getsocket: received socket fd 5
> config_getsocket: received socket fd 6
> config_getsocket: received socket fd 7
> config_getmobike: mobike
> config_getfragmentation: no fragmentation
> config_getnattport: nattport 4500
> ikev2_init_ike_sa: initiating "VPN"
> ikev2_policy2id: srcid FQDN/gateway.ouellet.us length 22
> ikev2_add_proposals: length 156
> ikev2_next_payload: length 160 nextpayload KE
> ikev2_next_payload: length 40 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload NOTIFY
> ikev2_nat_detection: local source 0xe6b00a86abde210d 0x0000000000000000
> 72.83.103.147:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0xe6b00a86abde210d
> 0x0000000000000000 66.63.5.250:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_next_payload: length 14 nextpayload NONE
> ikev2_pld_parse: header ispi 0xe6b00a86abde210d rspi 0x0000000000000000
> nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0
> length 334 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 160
> ikev2_pld_sa: more 0 reserved 0 length 156 proposal #1 protoid IKE
> spisize 0 xforms 17 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 40
> ikev2_pld_ke: dh group CURVE25519 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00
> length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00
> length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> spi=0xe6b00a86abde210d: send IKE_SA_INIT req 0 peer 66.63.5.250:500
> local 72.83.103.147:500, 334 bytes
> spi=0xe6b00a86abde210d: sa_state: INIT -> SA_INIT
> ikev2_init_ike_sa: initiating "Flow"
> ikev2_policy2id: srcid FQDN/gateway.ouellet.us length 22
> ikev2_add_proposals: length 156
> ikev2_next_payload: length 160 nextpayload KE
> ikev2_next_payload: length 40 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload NOTIFY
> ikev2_nat_detection: local source 0xdc7db92c1d646cad 0x0000000000000000
> 0.0.0.0:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0xdc7db92c1d646cad
> 0x0000000000000000 66.63.5.250:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_next_payload: length 14 nextpayload NONE
> ikev2_pld_parse: header ispi 0xdc7db92c1d646cad rspi 0x0000000000000000
> nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0
> length 334 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 160
> ikev2_pld_sa: more 0 reserved 0 length 156 proposal #1 protoid IKE
> spisize 0 xforms 17 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 40
> ikev2_pld_ke: dh group CURVE25519 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00
> length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00
> length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> spi=0xdc7db92c1d646cad: send IKE_SA_INIT req 0 peer 66.63.5.250:500
> local 0.0.0.0:500, 334 bytes
> spi=0xdc7db92c1d646cad: sa_state: INIT -> SA_INIT
> spi=0xe6b00a86abde210d: retransmit 1 IKE_SA_INIT req 0 peer
> 66.63.5.250:500 local 72.83.103.147:500
> spi=0xdc7db92c1d646cad: retransmit 1 IKE_SA_INIT req 0 peer
> 66.63.5.250:500 local 0.0.0.0:500
> spi=0xe6b00a86abde210d: retransmit 2 IKE_SA_INIT req 0 peer
> 66.63.5.250:500 local 72.83.103.147:500
> spi=0xdc7db92c1d646cad: retransmit 2 IKE_SA_INIT req 0 peer
> 66.63.5.250:500 local 0.0.0.0:500
> spi=0xe6b00a86abde210d: retransmit 3 IKE_SA_INIT req 0 peer
> 66.63.5.250:500 local 72.83.103.147:500
> spi=0xdc7db92c1d646cad: retransmit 3 IKE_SA_INIT req 0 peer
> 66.63.5.250:500 local 0.0.0.0:500
> spi=0xe6b00a86abde210d: retransmit 4 IKE_SA_INIT req 0 peer
> 66.63.5.250:500 local 72.83.103.147:500
> spi=0xdc7db92c1d646cad: retransmit 4 IKE_SA_INIT req 0 peer
> 66.63.5.250:500 local 0.0.0.0:500
> ikev2_init_ike_sa: "VPN" is already active
> ikev2_init_ike_sa: "Flow" is already active
> spi=0xdc7db92c1d646cad: retransmit 5 IKE_SA_INIT req 0 peer
> 66.63.5.250:500 local 0.0.0.0:500
> spi=0xe6b00a86abde210d: retransmit 5 IKE_SA_INIT req 0 peer
> 66.63.5.250:500 local 72.83.103.147:500
> ^Cca exiting, pid 583
> ikev2 exiting, pid 54
> control exiting, pid 16821
> parent terminating
> gateway#
>
> > Another thing I notice is that this log seems to be from an older iked
> > version.
> > Could you give me a hint what iked version we're looking at so I can try
> > to reproduce the problem?
>
> And yes, the local (gateway name) is running 6.6 well and 6.7 no avail.
>
> The remote one at 66.63.5.250 is running a very old one as so far I
> haven't been able to shut it down to upgrade it. Too many users on that
> one. But it is running 5.6. I know it's old. Nevertheless it's been
> very reliable and yes it does need to be upgraded too.
>
> Daniel.
>
So the error message is probably in the other side's logs, but here is a
guess: 5.6 doesn't know curve25519. Try adding the following to your
iked.conf:

ikesa group modp2048
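As an added example, not part of this thread or of iked itself: a small Python checker that pulls the offered DH groups, the group actually carried in the KE payload, and the per-SPI retransmit count out of iked -dvv output, then compares the KE group against an assumed set of groups the old peer accepts and proposes the ikesa group line suggested above. The log excerpt and OLD_PEER_GROUPS are constructed; replace the latter with what the real responder is known to support.

```python
import re
from collections import Counter

# Constructed excerpt of iked -dvv output: DH transforms, KE group, retransmits.
LOG = """\
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_ke: dh group CURVE25519 reserved 0
spi=0xe6b00a86abde210d: send IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500, 334 bytes
spi=0xe6b00a86abde210d: retransmit 1 IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500
spi=0xe6b00a86abde210d: retransmit 2 IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500
spi=0xe6b00a86abde210d: retransmit 3 IKE_SA_INIT req 0 peer 66.63.5.250:500 local 72.83.103.147:500
"""

# Assumption: groups an old responder without curve25519 accepts (adjust to the real peer).
OLD_PEER_GROUPS = {"MODP_2048", "MODP_1536", "MODP_1024", "ECP_256"}

DH_XFORM_RE = re.compile(r"ikev2_pld_xform: .* type DH id (\S+)")
KE_RE = re.compile(r"ikev2_pld_ke: dh group (\S+)")
RETRANS_RE = re.compile(r"spi=(0x[0-9a-f]+): retransmit (\d+) IKE_SA_INIT")

def proposed_dh_groups(log):
    """DH groups offered in the SA payload, in the order iked listed them."""
    return DH_XFORM_RE.findall(log)

def ke_group(log):
    """Group whose public value was actually sent in the KE payload."""
    m = KE_RE.search(log)
    return m.group(1) if m else None

def retransmits_by_spi(log):
    """Highest retransmit count seen per initiator SPI (unanswered IKE_SA_INIT)."""
    counts = Counter()
    for spi, n in RETRANS_RE.findall(log):
        counts[spi] = max(counts[spi], int(n))
    return dict(counts)

def diagnose(log, peer_groups):
    """Flag a KE group the peer cannot handle and suggest an ikesa group line."""
    offered = proposed_dh_groups(log)
    ke = ke_group(log)
    mutual = [g for g in offered if g in peer_groups]   # first entry wins
    result = {"ke_group": ke, "peer_accepts_ke": ke in peer_groups,
              "retransmits": retransmits_by_spi(log), "suggested_conf": None}
    if not result["peer_accepts_ke"] and mutual:
        # MODP_2048 in the log is spelled modp2048 in iked.conf
        result["suggested_conf"] = "ikesa group " + mutual[0].lower().replace("_", "")
    return result
```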