Hi *,
I've been trying to a longer time now to setup a connection between a
strongswan server and an openbsd client. Which as
turns out isn't as straightforward as I thought. Doesn't matter how I setup the
strongswan config I'm running into the
same problem.
The connection is successfully established. When pinging the endpoint behinde
the strongswan router I see icmp packets
entering enc0. When listening for packets exiting the tunnel on the strongswan
side it seems like there aren't any. And
I don't see a trace of what could have happend to these packets. Neither in the
firewall logs nor in the IPS logfiles.
It's driving me nuts.
I've put you in CC tobias@ because I know you're successfully running such a
setup.
My configs:
$ cat /etc/iked.conf
set fragmentation
ikev2 'randomID' active esp \
from 0.0.0.0/0 to 10.0.3.100/32 \
local <local-public-addr> peer
<public-ip-of-strongswan-router> \
ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512
group curve25519 \
childsa enc aes-256-gcm prf hmac-sha2-512 group
curve25519 \
srcid <id-of-local-endpoint> dstid <id-of-strongswan> \
ikelifetime 7200 lifetime 3600
$ cat ipsec.conf
conn randomID
left=%defaultroute
leftsubnet=10.0.3.100/32
leftfirewall=yes
lefthostaccess=yes
right=185.165.169.190
leftcert=/var/storage/certs/hostcert.pem
rightcert=/var/storage/certs/<iked-endpoint>.pem
leftid="<id-of-strongswan>"
rightid="<id-of-iked>""
type=tunnel
ike=chacha20poly1305-sha2_512-curve25519,chacha20poly1305-sha2_512-curve448,chacha20poly1305-sha2_512-modp4096,chacha20poly1305-sha2_512-modp3072,chacha20poly1305-sha2_512-modp2048,chacha20poly1305-sha2_256-curve25519,chacha20poly1305-sha2_256-curve448,chacha20poly1305-sha2_256-modp4096,chacha20poly1305-sha2_256-modp3072,chacha20poly1305-sha2_256-modp2048,aes256gcm128-sha2_512-curve25519,aes256gcm128-sha2_512-curve448,aes256gcm128-sha2_512-modp4096,aes256gcm128-sha2_512-modp3072,aes256gcm128-sha2_512-modp2048,aes256gcm128-sha2_256-curve25519,aes256gcm128-sha2_256-curve448,aes256gcm128-sha2_256-modp4096,aes256gcm128-sha2_256-modp3072,aes256gcm128-sha2_256-modp2048,aes256gcm96-sha2_512-curve25519,aes256gcm96-sha2_512-curve448,aes256gcm96-sha2_512-modp4096,aes256gcm96-sha2_512-modp3072,aes256gcm96-sha2_512-modp2048,aes256gcm96-sha2_256-curve25519,aes256gcm96-sha2_256-curve448,aes256gcm96-sha2_256-modp4096,aes256gcm96-sha2_256-modp3072,aes256gcm96-sha2_256-modp2048,aes256gcm64-sha2_512-curve25519,aes256gcm64-sha2_512-curve448,aes256gcm64-sha2_512-modp4096,aes256gcm64-sha2_512-modp3072,aes256gcm64-sha2_512-modp2048,aes256gcm64-sha2_256-curve25519,aes256gcm64-sha2_256-curve448,aes256gcm64-sha2_256-modp4096,aes256gcm64-sha2_256-modp3072,aes256gcm64-sha2_256-modp2048,aes256-sha2_512-curve25519,aes256-sha2_512-curve448,aes256-sha2_512-modp4096,aes256-sha2_512-modp3072,aes256-sha2_512-modp2048,aes256-sha2_256-curve25519,aes256-sha2_256-curve448,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes192gcm128-sha2_512-curve25519,aes192gcm128-sha2_512-curve448,aes192gcm128-sha2_512-modp4096,aes192gcm128-sha2_512-modp3072,aes192gcm128-sha2_512-modp2048,aes192gcm128-sha2_256-curve25519,aes192gcm128-sha2_256-curve448,aes192gcm128-sha2_256-modp4096,aes192gcm128-sha2_256-modp3072,aes192gcm128-sha2_256-modp2048,aes192gcm96-sha2_512-curve25519,aes192gcm96-sha2_512-curve448,aes192gcm96-sha2_512-modp4096,aes192gcm96-sha2_512-modp3072,aes192gcm96-sha2_512-modp2048,aes192gcm96-sha2_256-curve25519,aes192gcm96-sha2_256-curve448,aes192gcm96-sha2_256-modp4096,aes192gcm96-sha2_256-modp3072,aes192gcm96-sha2_256-modp2048,aes192gcm64-sha2_512-curve25519,aes192gcm64-sha2_512-curve448,aes192gcm64-sha2_512-modp4096,aes192gcm64-sha2_512-modp3072,aes192gcm64-sha2_512-modp2048,aes192gcm64-sha2_256-curve25519,aes192gcm64-sha2_256-curve448,aes192gcm64-sha2_256-modp4096,aes192gcm64-sha2_256-modp3072,aes192gcm64-sha2_256-modp2048,aes192-sha2_512-curve25519,aes192-sha2_512-curve448,aes192-sha2_512-modp4096,aes192-sha2_512-modp3072,aes192-sha2_512-modp2048,aes192-sha2_256-curve25519,aes192-sha2_256-curve448,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes128gcm128-sha2_512-curve25519,aes128gcm128-sha2_512-curve448,aes128gcm128-sha2_512-modp4096,aes128gcm128-sha2_512-modp3072,aes128gcm128-sha2_512-modp2048,aes128gcm128-sha2_256-curve25519,aes128gcm128-sha2_256-curve448,aes128gcm128-sha2_256-modp4096,aes128gcm128-sha2_256-modp3072,aes128gcm128-sha2_256-modp2048,aes128gcm96-sha2_512-curve25519,aes128gcm96-sha2_512-curve448,aes128gcm96-sha2_512-modp4096,aes128gcm96-sha2_512-modp3072,aes128gcm96-sha2_512-modp2048,aes128gcm96-sha2_256-curve25519,aes128gcm96-sha2_256-curve448,aes128gcm96-sha2_256-modp4096,aes128gcm96-sha2_256-modp3072,aes128gcm96-sha2_256-modp2048,aes128gcm64-sha2_512-curve25519,aes128gcm64-sha2_512-curve448,aes128gcm64-sha2_512-modp4096,aes128gcm64-sha2_512-modp3072,aes128gcm64-sha2_512-modp2048,aes128gcm64-sha2_256-curve25519,aes128gcm64-sha2_256-curve448,aes128gcm64-sha2_256-modp4096,aes128gcm64-sha2_256-modp3072,aes128gcm64-sha2_256-modp2048,aes128-sha2_512-curve25519,aes128-sha2_512-curve448,aes128-sha2_512-modp4096,aes128-sha2_512-modp3072,aes128-sha2_512-modp2048,aes128-sha2_256-curve25519,aes128-sha2_256-curve448,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048!
esp=chacha20poly1305-sha2_512-curve25519,chacha20poly1305-sha2_512-curve448,chacha20poly1305-sha2_512-modp4096,chacha20poly1305-sha2_512-modp3072,chacha20poly1305-sha2_512-modp2048,chacha20poly1305-sha2_256-curve25519,chacha20poly1305-sha2_256-curve448,chacha20poly1305-sha2_256-modp4096,chacha20poly1305-sha2_256-modp3072,chacha20poly1305-sha2_256-modp2048,aes256gcm128-curve25519,aes256gcm128-curve448,aes256gcm128-modp4096,aes256gcm128-modp3072,aes256gcm128-modp2048,aes256gcm96-curve25519,aes256gcm96-curve448,aes256gcm96-modp4096,aes256gcm96-modp3072,aes256gcm96-modp2048,aes256gcm64-curve25519,aes256gcm64-curve448,aes256gcm64-modp4096,aes256gcm64-modp3072,aes256gcm64-modp2048,aes256-sha2_512-curve25519,aes256-sha2_512-curve448,aes256-sha2_512-modp4096,aes256-sha2_512-modp3072,aes256-sha2_512-modp2048,aes256-sha2_256-curve25519,aes256-sha2_256-curve448,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes192gcm128-curve25519,aes192gcm128-curve448,aes192gcm128-modp4096,aes192gcm128-modp3072,aes192gcm128-modp2048,aes192gcm96-curve25519,aes192gcm96-curve448,aes192gcm96-modp4096,aes192gcm96-modp3072,aes192gcm96-modp2048,aes192gcm64-curve25519,aes192gcm64-curve448,aes192gcm64-modp4096,aes192gcm64-modp3072,aes192gcm64-modp2048,aes192-sha2_512-curve25519,aes192-sha2_512-curve448,aes192-sha2_512-modp4096,aes192-sha2_512-modp3072,aes192-sha2_512-modp2048,aes192-sha2_256-curve25519,aes192-sha2_256-curve448,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes128gcm128-curve25519,aes128gcm128-curve448,aes128gcm128-modp4096,aes128gcm128-modp3072,aes128gcm128-modp2048,aes128gcm96-curve25519,aes128gcm96-curve448,aes128gcm96-modp4096,aes128gcm96-modp3072,aes128gcm96-modp2048,aes128gcm64-curve25519,aes128gcm64-curve448,aes128gcm64-modp4096,aes128gcm64-modp3072,aes128gcm64-modp2048,aes128-sha2_512-curve25519,aes128-sha2_512-curve448,aes128-sha2_512-modp4096,aes128-sha2_512-modp3072,aes128-sha2_512-modp2048,aes128-sha2_256-curve25519,aes128-sha2_256-curve448,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048!
keyexchange=ikev2
ikelifetime=3h
keylife=1h
dpdaction=clear
dpddelay=30
dpdtimeout=120
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
auto=add
rightsourceip=
fragmentation=yes
I'd appreciate it SO MUCH if you could help me in any way.
Best regards,
Stephan
