OK, I've got the same error on three different OpenBSD machines. Tell me which error you want, or if you want access.

Kind regards

On Mon, Feb 22, 2021 at 11:33 AM Tobias Heider <tobias.hei...@stusta.de> wrote:
> On Mon, Feb 22, 2021 at 09:06:58AM +0100, Riccardo Giuntoli wrote:
> > Hi there, I've got a lot of problems getting an IKEv2 point-to-point connection
> > stable between OpenBSD/OpenIKED and VyOS/Strongswan.
> >
> > Basically OpenBSD is a GRE transport in passive mode, Strongswan an active GRE
> > transport. The GRE tunnel is built above it and keepalive works on both
> > sides, because I've changed the behaviour of the tun interface in Linux.
> >
> > This is the error that I also get on the OpenBSD side:
> >
> > Feb 22 07:54:34 ganesha iked[26646]: spi=0x53365c1f26b25ca8: ikev2_ike_sa_rekey: busy, delaying rekey
> > Feb 22 07:54:34 ganesha iked[26646]: spi=0xbbc576f1b7bbeff8: ikev2_ike_sa_rekey: busy, delaying rekey
> > Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
> > Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
> > Feb 22 07:54:38 ganesha iked[26646]: spi=0xa74b9d54a7346659: ikev2_ike_sa_rekey: busy, delaying rekey
> > Feb 22 07:54:38 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
> > Feb 22 07:54:38 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
> > Feb 22 07:54:39 ganesha iked[26646]: spi=0xb1cc5054712c2e6e: ikev2_ike_sa_rekey: busy, delaying rekey
> > Feb 22 07:54:40 ganesha iked[26646]: spi=0x56465bd460d16d54: ikev2_ike_sa_rekey: busy, delaying rekey
> > Feb 22 07:54:40 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
> >
> I don't see any obvious misconfiguration, so this might be a bug,
> but without the log I won't be able to help.
>
> - Tobias
>
> > Here is the Strongswan configuration:
> >
> > conn XXXX
> >     keyexchange=ikev2
> >     type=transport
> >     auto=start
> >     reauth=no
> >     ikelifetime=1h
> >     dpdaction=restart
> >     dpddelay=15
> >     dpdtimeout=1
> >     closeaction=restart
> >
> >     left=%defaultroute
> >     leftsourceip=%config4
> >     leftauth=pubkey
> >     leftid=%indra@XXXX
> >     leftprotoport=gre
> >     leftupdown=/config/ipsec/ESJP-updown.sh
> >
> >     right=XXXX
> >     rightsubnet=XXXX
> >     rightauth=pubkey
> >     rightid=%jXXXX
> >     rightcert=/etc/ipsec.d/certs/XXXX.crt
> >     rightprotoport=gre
> >
> > #!/bin/bash
> >
> > set -o nounset
> > set -o errexit
> >
> > TUN_IFACE="tun2"
> >
> > case "${PLUTO_VERB}" in
> >     up-host)
> >         echo "Putting interface ${TUN_IFACE} up"
> >         ifconfig "$TUN_IFACE" up
> >         echo "Disabling IPsec policy (SPD) for ${TUN_IFACE}"
> >         sysctl -w "net.ipv4.conf.${TUN_IFACE}.disable_policy=1"
> >         echo "Accepting gre keepalive"
> >         sysctl -w "net.ipv4.conf.${TUN_IFACE}.accept_local=1"
> >         ;;
> >     down-host)
> >         ifconfig "$TUN_IFACE" down
> >         ;;
> > esac
> >
> > IKE is checked with DPD.
> > SA is checked with the script.
> >
> > Above that, also a cron script acting in this way:
> >
> > #!/bin/bash
> > ROUTER_IP=XXXX
> > IPSEC="XXXX"
> > GRE="tun2"
> >
> > PING_RESULT=$(fping -I"$GRE" "$ROUTER_IP" 2>&1)
> > ALIVE="alive"
> > STATUS=$(ipsec status "$IPSEC")
> > ESTABLISHED="INSTALLED"
> >
> > # Peer unreachable through the tunnel: reset the SA if it is installed, otherwise bring it up
> > if [[ "$PING_RESULT" != *"$ALIVE"* ]]; then
> >     if [[ "$STATUS" == *"$ESTABLISHED"* ]]; then
> >         ipsec stroke down-nb "$IPSEC"
> >         ipsec up "$IPSEC"
> >     else
> >         ipsec up "$IPSEC"
> >     fi
> > fi
> >
> > On the OpenBSD side:
> >
> > set dpd_check_interval 15
> > ikev2 "XXXX" passive transport \
> >     proto gre \
> >     from XXXX to XXXX \
> >     local jXXXX peer any \
> >     ikesa auth hmac-sha2-256 enc aes-256 group ecp256 \
> >     childsa auth hmac-sha2-256 enc aes-256 group ecp256 \
> >     srcid "shiva@XXXX" \
> >     ikelifetime 86400 lifetime 3600
> >
> > root@shiva:/etc# cat hostname.gre1
> > description "XXXX"
> > keepalive 5 2
> > mtu 1392
> > !ifconfig gre1 XXXX4 XXXX netmask 0xfffffffc up
> > !ifconfig gre1 tunnel XXXX XXXX
> > root@shiva:/etc#
> >
> > And some ifstated to check keepalive status.
> >
> > Any suggestions?
> >
> > --
> > Name: Riccardo Giuntoli
> > Email: tag...@gmail.com
> > Location: sant Pere de Ribes, BCN, Spain
> > PGP Key: 0x67123739
> > PGP Fingerprint: CE75 16B5 D855 842F AB54 FB5C DDC6 4640 6712 3739
> > Key server: hkp://wwwkeys.eu.pgp.net

--
Name: Riccardo Giuntoli
Email: tag...@gmail.com
Location: sant Pere de Ribes, BCN, Spain
PGP Key: 0x67123739
PGP Fingerprint: CE75 16B5 D855 842F AB54 FB5C DDC6 4640 6712 3739
Key server: hkp://wwwkeys.eu.pgp.net
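A small log-triage script for the iked lines quoted in the thread, added here as an example and not part of the thread or of OpenIKED: it parses the syslog lines, counts the "busy, delaying rekey" events per IKE SA SPI, and counts how many pfkey_sa_lookup failures land within a few seconds of a delayed rekey, which is the first thing to check before deciding whether the delayed rekeys and the lost kernel SAs are related. The syslog layout, the year (2021), the 5-second window and the function names are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the iked lines quoted in the thread above (year assumed).
SAMPLE_LOG = """\
Feb 22 07:54:34 ganesha iked[26646]: spi=0x53365c1f26b25ca8: ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:34 ganesha iked[26646]: spi=0xbbc576f1b7bbeff8: ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
Feb 22 07:54:38 ganesha iked[26646]: spi=0xa74b9d54a7346659: ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:38 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
Feb 22 07:54:38 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
Feb 22 07:54:39 ganesha iked[26646]: spi=0xb1cc5054712c2e6e: ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:40 ganesha iked[26646]: spi=0x56465bd460d16d54: ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:40 ganesha iked[26646]: pfkey_sa_lookup: message: No such process
"""
# Assumed syslog layout: "Mon DD HH:MM:SS host iked[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ iked\[\d+\]: (?P<msg>.*)$")
SPI_RE = re.compile(r"^spi=(?P<spi>0x[0-9a-f]+): (?P<rest>.*)$")


def parse_iked_log(text, year=2021):
    """Return (timestamp, spi-or-None, message) for each iked line in text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an iked line, skip it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        spi, msg = None, m["msg"]
        s = SPI_RE.match(msg)
        if s:  # message is prefixed with the IKE SA's SPI
            spi, msg = s["spi"], s["rest"]
        events.append((ts, spi, msg))
    return events


def triage(events, window_s=5):
    """Delayed rekeys per SPI, pfkey lookup failures, and failures <= window_s after a rekey."""
    rekeys = defaultdict(int)
    failures = correlated = 0
    last_rekey = None
    for ts, spi, msg in events:
        if msg.startswith("ikev2_ike_sa_rekey: busy"):
            rekeys[spi] += 1
            last_rekey = ts
        elif msg.startswith("pfkey_sa_lookup:"):
            failures += 1
            if last_rekey and (ts - last_rekey).total_seconds() <= window_s:
                correlated += 1
    return {"rekey_delays": dict(rekeys), "lookup_failures": failures, "correlated": correlated}
```

On the quoted sample every lookup failure follows a delayed rekey within the window; run it against a longer /var/log/daemon to see whether that pattern holds or the failures also appear on their own.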