On Thu, Nov 24, 2022 at 12:45:03PM +0300, Aleksandr Mikhaylov wrote:
> Hi. Please tell me how to connect to an OpenBSD 7.2 Release
> from an OpenBSD 7.2 Release client via iked.
> I'm trying to set it up with this documentation,
> https://www.openbsd.org/faq/faq17.html#clientikev2
> but it just doesn't work.
> 
> I have a VDS machine (server) with OpenBSD, 
> with one external ip-address A.B.C.D, 
> which I want to connect to from my laptop.
> 
> I copied the file from VDS /etc/iked/local.pub to the laptop in
> /etc/iked/pubkeys/fqdn/bsd.server.vds and from the laptop the file
> /etc/iked/local.pub on VDS in /etc/iked/pubkeys/fqdn/amihailov.laptop
> 
> VDS machine settings:
> 
> cat /etc/iked.conf
> ikev2 'responder_rsa' passive esp \
>         from any to dynamic \
>         local any peer any \
>         srcid bsd.server.vds \
>         config address 172.24.24.0/24 \
>         tag "ROADW"
> 
> cat /etc/sysctl.conf
> net.inet.ip.forwarding=1
> 
> pf.conf:
> ...
> block in on vio0
> pass out 
> pass in proto udp from any to port {500, 4500} keep state
> pass in proto esp from any
> pass on enc0 from any to any
> pass on enc0 from any to self keep state (if-bound)
> ...
> 
> # cat /etc/hostname.enc0
> inet 172.24.24.1 255.255.255.0 172.24.24.255
> up
> 
> Laptop settings:
> ikev2 'amihailov.laptop' active esp \
>         from dynamic to any \
>         peer bsd.server.vds \
>         srcid amihailov.laptop \
>         dstid bsd.server.vds \
>         request address any \
>         iface lo1
> 
> When I run iked - I get the following log messages on the server:
> 
> https://pastebin.com/raw/rgpTtMzr
> 
> And on the laptop:
> 
> https://pastebin.com/raw/UUrryZCN
> 
> A.B.C.D is the external address of the server, 
> 10.222.222.222 is the address of the laptop in the local network
> W.X.Y.Z is the external address of the gateway, 
> through which the laptop gets to the Internet.
> 
> The lo1 interface on the laptop also does not get an IP address.
> I would be very grateful if you could tell me what I am doing wrong. 
> If you need any additional logs and information, I will send it to you. 
> Thanks for your attention!
> 

Hi,

your configs look ok.  The server log shows the handshake is completed
and an IKE_AUTH reply is sent to the client, but on the client side this
message never arrives. This is why it keeps on resending the AUTH request
until it times out.

It is not clear whether the reply is lost in transit or discarded by your
client.  You could try looking at a tcpdump of your handshake or enable
verbose logging in iked on your client and see if you can find anything
suspicious after "send IKE_AUTH req 1 ...".

- Tobias

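One way to act on the suggestion above, as an added example that is not part of this thread: a small shell function that triages the client's verbose iked log (for instance from running `iked -dvv` in the foreground) by counting, per IKE SA, the IKE_AUTH requests sent and retransmitted against the IKE_AUTH responses received. The log lines embedded below are constructed to resemble iked's output; the SPI and the addresses are made up, and the exact wording of real iked lines may differ.

```shell
#!/bin/sh
# Added example: triage an iked verbose log from the client side by counting
# IKE_AUTH requests sent/retransmitted versus IKE_AUTH responses received.
# The sample lines are constructed (not real iked output); SPIs are made up.

SAMPLE_LOG='spi=0x1111222233334444: send IKE_SA_INIT req 0 peer 192.0.2.10:500 local 10.222.222.222:500, 518 bytes
spi=0x1111222233334444: recv IKE_SA_INIT res 0 peer 192.0.2.10:500 local 10.222.222.222:500, 511 bytes
spi=0x1111222233334444: send IKE_AUTH req 1 peer 192.0.2.10:4500 local 10.222.222.222:4500, 356 bytes, NAT-T
spi=0x1111222233334444: retransmit IKE_AUTH req 1 peer 192.0.2.10:4500 local 10.222.222.222:4500, 356 bytes, NAT-T
spi=0x1111222233334444: retransmit IKE_AUTH req 1 peer 192.0.2.10:4500 local 10.222.222.222:4500, 356 bytes, NAT-T
spi=0x1111222233334444: sa_free: retransmit limit reached'

# ike_auth_status LOGFILE
# Prints "<spi> sent=<n> retransmits=<n> recv=<n> <verdict>" for each IKE SA
# and returns 1 if any SA never received an IKE_AUTH response, which is the
# symptom described in this thread (client keeps resending until timeout).
ike_auth_status() {
    awk '
        /IKE_AUTH req/ {
            spi = $1; sub(/:$/, "", spi)          # strip trailing colon from "spi=0x...:"
            if ($2 == "send") sent[spi]++
            else if ($2 == "retransmit") retx[spi]++
            seen[spi] = 1
        }
        /IKE_AUTH res/ { spi = $1; sub(/:$/, "", spi); recv[spi]++; seen[spi] = 1 }
        END {
            rc = 0
            for (spi in seen) {
                v = (recv[spi] > 0) ? "ok" : "NO_AUTH_RESPONSE"
                if (recv[spi] == 0) rc = 1
                printf "%s sent=%d retransmits=%d recv=%d %s\n", spi, sent[spi], retx[spi], recv[spi], v
            }
            exit rc
        }' "$1"
}

# Stand-alone run on the constructed sample log.
tmp=$(mktemp) && printf '%s\n' "$SAMPLE_LOG" > "$tmp"
ike_auth_status "$tmp" || echo "at least one IKE SA never received an IKE_AUTH response"
rm -f "$tmp"
```

A `NO_AUTH_RESPONSE` verdict tells you the client never saw the reply; whether it was dropped in transit or on the client host is then a question for tcpdump on the client's uplink (UDP 500/4500 and ESP).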