On 2023-04-04, m...@phosphorus.com.br <m...@phosphorus.com.br> wrote:
> ikectl ca VPN create
> ikectl ca VPN install
> ikectl ca VPN certificate 33.33.33.33 create server
> ikectl ca VPN certificate 33.33.33.33 install
> ikectl ca VPN certificate p6.local create client
> ikectl ca VPN certificate p6.local install

here you installed the client's cert onto the server, you don't want that, it should only go on the client. that's probably what you run into now.

> ikectl ca VPN certificate p6.local export
>
> Then imported p6.local.pfx from p6.local.zip into the iphone
>
> ----
> ikev2 "vpn" passive esp \
> from 0.0.0.0/0 to 0.0.0.0/0 \
> from ::0/0 to ::0/0 \

you normally want "to dynamic" with "config address"

> local egress peer any \
> ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group
> modp2048 \
> childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
> srcid 33.33.33.33 \
> dstid p6.local \
> config address 172.24.24.0/24 \
> config address 2001:470:203a:a0::/64 \

i'm not sure if it works to list both v4 and v6 "config address" blocks, try with just one or the other if it seems like you have address-related problems

> config name-server 172.24.24.1 \
> config name-server 2001:470:203a:a0::1 \
>
> ----
>
>
> ----
>
> host9# iked -d -v
> ikev2 "vpn" passive tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0 from
>::/0 to ::/0 local 33.33.33.33 peer any ikesa enc aes-256 prf
> hmac-sha2-256 auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth
> hmac-sha2-256 group modp2048 esn noesn srcid 33.33.33.33 dstid p6.local
> lifetime 10800 bytes 4294967296 signature config address 172.24.24.0
> config address 2001:470:203a:a0:: config name-server 172.24.24.1 config
> name-server 2001:470:203a:a0::1
>
>
> spi=0xe461b2e822193627: recv IKE_SA_INIT req 0 peer 44.55.66.77:11461
> local 33.33.33.33:500, 604 bytes, policy 'vpn'
> spi=0xe461b2e822193627: send IKE_SA_INIT res 0 peer 44.55.66.77:11461
> local 33.33.33.33:500, 473 bytes
> spi=0xe461b2e822193627: recv IKE_AUTH req 1 peer 44.55.66.77:11460 local
> 33.33.33.33:4500, 496 bytes, policy 'vpn'
> spi=0xe461b2e822193627: ikev2_send_auth_failed: authentication failed
> for FQDN/p6.local
> spi=0xe461b2e822193627: send IKE_AUTH res 1 peer 44.55.66.77:11460 local
> 33.33.33.33:4500, 80 bytes, NAT-T
> spi=0xe461b2e822193627: sa_free: authentication failed
> spi=0xe461b2e822193627: ca_getreq: found cert with matching ID but
> without matching key.
> spi=0xe71692de490589ab: recv IKE_SA_INIT req 0 peer 44.55.66.77:11461
> local 33.33.33.33:500, 604 bytes, policy 'vpn'
> spi=0xe71692de490589ab: send IKE_SA_INIT res 0 peer 44.55.66.77:11461
> local 33.33.33.33:500, 473 bytes
> spi=0xe71692de490589ab: recv IKE_AUTH req 1 peer 44.55.66.77:11460 local
> 33.33.33.33:4500, 496 bytes, policy 'vpn'
> spi=0xe71692de490589ab: ikev2_send_auth_failed: authentication failed
> for FQDN/p6.local
> spi=0xe71692de490589ab: send IKE_AUTH res 1 peer 44.55.66.77:11460 local
> 33.33.33.33:4500, 80 bytes, NAT-T
> spi=0xe71692de490589ab: sa_free: authentication failed
> spi=0xe71692de490589ab: ca_getreq: found cert with matching ID but
> without matching key.
>
> ^Cikev2 exiting, pid 93228
> ca exiting, pid 55488
> control exiting, pid 6213
> parent terminating
>
> ----
>
>
> ----
>
> host9# iked -d -vv
>
> create_ike: using signature for peer p6.local
> ikev2 "vpn" passive tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0 from
>::/0 to ::/0 local 33.33.33.33 peer any ikesa enc aes-256 prf
> hmac-sha2-256 auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth
> hmac-sha2-256 group modp2048 esn noesn srcid 33.33.33.33 dstid p6.local
> lifetime 10800 bytes 4294967296 signature config address 172.24.24.0
> config address 2001:470:203a:a0:: config name-server 172.24.24.1 config
> name-server 2001:470:203a:a0::1
> /etc/iked.conf: loaded 1 configuration rules
> ca_privkey_serialize: type RSA_KEY length 1193
> ca_pubkey_serialize: type RSA_KEY length 270
> ca_privkey_to_method: type RSA_KEY method RSA_SIG
> config_getpolicy: received policy
> ca_getkey: received private key type RSA_KEY length 1193
> config_getpfkey: received pfkey fd 3
> ca_getkey: received public key type RSA_KEY length 270
> ca_dispatch_parent: config reset
> config_getcompile: compilation done
> config_getsocket: received socket fd 4
> config_getsocket: received socket fd 5
> config_getsocket: received socket fd 6
> config_getsocket: received socket fd 7
> config_getstatic: dpd_check_interval 60
> config_getstatic: no enforcesingleikesa
> config_getstatic: no fragmentation
> config_getstatic: mobike
> config_getstatic: nattport 4500
> config_getstatic: no stickyaddress
> ca_reload: loaded ca file ca.crt
> ca_reload: loaded crl file ca.crl
> ca_reload: /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=VPN
> CA/emailAddress=r...@openbsd.org
> ca_reload: loaded 1 ca certificate
> ca_reload: loaded cert file 33.33.33.33.crt
> ca_reload: loaded cert file phone.local.crt
> ca_reload: loaded cert file p6.local.crt
> ca_validate_cert: /C=DE/ST=Lower
> Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=phone.local/emailAddress=r...@openbsd.org
>
> ok
> ca_validate_cert: /C=DE/ST=Lower
> Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=33.33.33.33/emailAddress=r...@openbsd.org
>
> ok
> ca_validate_cert: /C=DE/ST=Lower
> Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=p6.local/emailAddress=r...@openbsd.org
> ok
> ca_reload: local cert type X509_CERT
> config_getocsp: ocsp_url none tolerate 0 maxage -1
> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
> policy_lookup: setting policy 'vpn'
> spi=0xa401bda7cbb03777: recv IKE_SA_INIT req 0 peer 44.55.66.77:35027
> local 33.33.33.33:500, 604 bytes, policy 'vpn'
> ikev2_recv: ispi 0xa401bda7cbb03777 rspi 0x0000000000000000
> ikev2_policy2id: srcid IPV4/33.33.33.33 length 8
> ikev2_pld_parse: header ispi 0xa401bda7cbb03777 rspi 0x0000000000000000
> nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0
> length 604 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 220
> ikev2_pld_sa: more 2 reserved 0 length 44 proposal #1 protoid IKE
> spisize 0 xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
> HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_sa: more 2 reserved 0 length 44 proposal #2 protoid IKE
> spisize 0 xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
> HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_256
> ikev2_pld_sa: more 2 reserved 0 length 44 proposal #3 protoid IKE
> spisize 0 xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
> HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1536
> ikev2_pld_sa: more 2 reserved 0 length 44 proposal #4 protoid IKE
> spisize 0 xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_sa: more 0 reserved 0 length 40 proposal #5 protoid IKE
> spisize 0 xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length
> 264
> ikev2_pld_ke: dh group MODP_2048 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00
> length 20
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00
> length 8
> ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00
> length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_nat_detection: peer source 0xa401bda7cbb03777 0x0000000000000000
> 44.55.66.77:35027
> ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00
> length 28
> ikev2_pld_notify: protoid NONE spisize 0 type
> NAT_DETECTION_DESTINATION_IP
> ikev2_nat_detection: peer destination 0xa401bda7cbb03777
> 0x0000000000000000 33.33.33.33:500
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length
> 8
> ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
> proposals_negotiate: score 4
> proposals_negotiate: score 0
> proposals_negotiate: score 0
> proposals_negotiate: score 0
> proposals_negotiate: score 0
> policy_lookup: setting policy 'vpn'
> spi=0xa401bda7cbb03777: sa_state: INIT -> SA_INIT
> proposals_negotiate: score 4
> proposals_negotiate: score 0
> proposals_negotiate: score 0
> proposals_negotiate: score 0
> proposals_negotiate: score 0
> sa_stateok: SA_INIT flags 0x0000, require 0x0000
> sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
> spi=0xa401bda7cbb03777: ikev2_sa_keys: DHSECRET with 256 bytes
> ikev2_sa_keys: SKEYSEED with 32 bytes
> spi=0xa401bda7cbb03777: ikev2_sa_keys: S with 64 bytes
> ikev2_prfplus: T1 with 32 bytes
> ikev2_prfplus: T2 with 32 bytes
> ikev2_prfplus: T3 with 32 bytes
> ikev2_prfplus: T4 with 32 bytes
> ikev2_prfplus: T5 with 32 bytes
> ikev2_prfplus: T6 with 32 bytes
> ikev2_prfplus: T7 with 32 bytes
> ikev2_prfplus: Tn with 224 bytes
> ikev2_sa_keys: SK_d with 32 bytes
> ikev2_sa_keys: SK_ai with 32 bytes
> ikev2_sa_keys: SK_ar with 32 bytes
> ikev2_sa_keys: SK_ei with 32 bytes
> ikev2_sa_keys: SK_er with 32 bytes
> ikev2_sa_keys: SK_pi with 32 bytes
> ikev2_sa_keys: SK_pr with 32 bytes
> ikev2_resp_ike_sa_init: detected NAT, enabling UDP encapsulation
> ikev2_add_proposals: length 44
> ikev2_next_payload: length 48 nextpayload KE
> ikev2_next_payload: length 264 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload VENDOR
> ikev2_next_payload: length 16 nextpayload NOTIFY
> ikev2_nat_detection: local source 0xa401bda7cbb03777 0xa7b83476f3b174ff
> 33.33.33.33:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0xa401bda7cbb03777
> 0xa7b83476f3b174ff 44.55.66.77:35027
> ikev2_next_payload: length 28 nextpayload CERTREQ
> ikev2_add_certreq: type X509_CERT length 21
> ikev2_next_payload: length 25 nextpayload NONE
> ikev2_pld_parse: header ispi 0xa401bda7cbb03777 rspi 0xa7b83476f3b174ff
> nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0
> length 473 response 1
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
> ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE
> spisize 0 xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id
> HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length
> 264
> ikev2_pld_ke: dh group MODP_2048 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00
> length 36
> ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00
> length 16
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00
> length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00
> length 28
> ikev2_pld_notify: protoid NONE spisize 0 type
> NAT_DETECTION_DESTINATION_IP
> ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00
> length 25
> ikev2_pld_certreq: type X509_CERT length 20
> spi=0xa401bda7cbb03777: send IKE_SA_INIT res 0 peer 44.55.66.77:35027
> local 33.33.33.33:500, 473 bytes
> config_free_proposals: free 0xab8d70b5780
> config_free_proposals: free 0xab8d70cca00
> config_free_proposals: free 0xab8d70c4d80
> config_free_proposals: free 0xab8d70c5580
> config_free_proposals: free 0xab8d70b5380
> spi=0xa401bda7cbb03777: recv IKE_AUTH req 1 peer 44.55.66.77:35037 local
> 33.33.33.33:4500, 496 bytes, policy 'vpn'
> ikev2_recv: ispi 0xa401bda7cbb03777 rspi 0xa7b83476f3b174ff
> ikev2_recv: updated SA to peer 44.55.66.77:35037 local 33.33.33.33:4500
> ikev2_pld_parse: header ispi 0xa401bda7cbb03777 rspi 0xa7b83476f3b174ff
> nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length
> 496 response 0
> ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 468
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 432
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 432/432 padding 3
> ikev2_pld_payloads: decrypted payload IDi nextpayload NOTIFY critical
> 0x00 length 16
> ikev2_pld_id: id FQDN/p6.local length 12
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload IDr critical
> 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type INITIAL_CONTACT
> ikev2_pld_payloads: decrypted payload IDr nextpayload CP critical 0x00
> length 12
> ikev2_pld_id: id IPV4/33.33.33.33 length 8
> ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical
> 0x00 length 40
> ikev2_pld_cp: type REQUEST length 32
> ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 0 > ikev2_pld_cp: INTERNAL_IP4_DHCP 0x0006 length 0 > ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0 > ikev2_pld_cp: INTERNAL_IP6_ADDRESS 0x0008 length 0 > ikev2_pld_cp: INTERNAL_IP6_DHCP 0x000c length 0 > ikev2_pld_cp: INTERNAL_IP6_DNS 0x000a length 0 > ikev2_pld_cp: <UNKNOWN:25> 0x0019 length 0 > ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical > 0x00 length 8 > ikev2_pld_notify: protoid NONE spisize 0 type > ESP_TFC_PADDING_NOT_SUPPORTED > ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical > 0x00 length 8 > ikev2_pld_notify: protoid NONE spisize 0 type NON_FIRST_FRAGMENTS_ALSO > ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 > length 200 > ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid ESP > spisize 4 xforms 3 spi 0x0209efaa > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id > HMAC_SHA2_256_128 > ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE > ikev2_pld_sa: more 2 reserved 0 length 40 proposal #2 protoid ESP > spisize 4 xforms 3 spi 0x0d0e3511 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id > HMAC_SHA2_256_128 > ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE > ikev2_pld_sa: more 2 reserved 0 length 40 proposal #3 protoid ESP > spisize 4 xforms 3 spi 0x078c1fac > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id > HMAC_SHA2_256_128 > ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE > ikev2_pld_sa: more 2 reserved 0 length 40 proposal #4 protoid ESP > spisize 4 xforms 3 spi 
0x00f6cb41 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 > ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE > ikev2_pld_sa: more 0 reserved 0 length 36 proposal #5 protoid ESP > spisize 4 xforms 3 spi 0x0d8e4376 > ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 > ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE > ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 > length 64 > ikev2_pld_tss: count 2 length 56 > ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 > endport 65535 > ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255 > ikev2_pld_tss: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 > endport 65535 > ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff > ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical > 0x00 length 64 > ikev2_pld_tss: count 2 length 56 > ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 > endport 65535 > ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255 > ikev2_pld_tss: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 > endport 65535 > ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff > ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical > 0x00 length 8 > ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED > ikev2_handle_notifies: mobike enabled > ikev2_resp_recv: NAT-T message received, updated SA > sa_stateok: SA_INIT flags 0x0000, require 0x0000 > policy_lookup: peerid 'p6.local' > policy_lookup: localid '33.33.33.33' > proposals_negotiate: score 4 > policy_lookup: setting policy 'vpn' > ikev2_policy2id: srcid IPV4/33.33.33.33 length 8 > sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0000 ) > spi=0xa401bda7cbb03777: 
ikev2_ike_auth_recv: missing auth payload > spi=0xa401bda7cbb03777: ikev2_send_auth_failed: authentication failed > for FQDN/p6.local > ikev2_next_payload: length 8 nextpayload NONE > ikev2_next_payload: length 52 nextpayload NOTIFY > ikev2_msg_encrypt: decrypted length 8 > ikev2_msg_encrypt: padded length 16 > ikev2_msg_encrypt: length 9, padding 7, output length 48 > ikev2_msg_integr: message length 80 > ikev2_msg_integr: integrity checksum length 16 > ikev2_pld_parse: header ispi 0xa401bda7cbb03777 rspi 0xa7b83476f3b174ff > nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length > 80 response 1 > ikev2_pld_payloads: payload SK nextpayload NOTIFY critical 0x00 length > 52 > ikev2_msg_decrypt: IV length 16 > ikev2_msg_decrypt: encrypted payload length 16 > ikev2_msg_decrypt: integrity checksum length 16 > ikev2_msg_decrypt: integrity check succeeded > ikev2_msg_decrypt: decrypted payload length 16/16 padding 7 > ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical > 0x00 length 8 > ikev2_pld_notify: protoid IKE spisize 0 type AUTHENTICATION_FAILED > spi=0xa401bda7cbb03777: send IKE_AUTH res 1 peer 44.55.66.77:35037 local > 33.33.33.33:4500, 80 bytes, NAT-T > spi=0xa401bda7cbb03777: sa_state: SA_INIT -> CLOSING > ikev2_resp_recv: failed to send auth response > spi=0xa401bda7cbb03777: sa_state: CLOSING -> CLOSED from > 44.55.66.77:35037 to 33.33.33.33:4500 policy 'vpn' > ikev2_recv: closing SA > spi=0xa401bda7cbb03777: sa_free: authentication failed > config_free_proposals: free 0xab8d70c4700 > config_free_proposals: free 0xab8d70cc200 > config_free_proposals: free 0xab8d70b5900 > config_free_proposals: free 0xab8d70c5a00 > config_free_proposals: free 0xab8d70c5280 > config_free_proposals: free 0xab8d70b5f00 > ca_getreq: found CA /C=DE/ST=Lower > Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=VPN > CA/emailAddress=r...@openbsd.org > ca_x509_subjectaltname_do: did not find subjectAltName in certificate > ca_cert_local: certificate key 
mismatch > spi=0xa401bda7cbb03777: ca_getreq: found cert with matching ID but > without matching key. > ca_getreq: found local certificate /C=DE/ST=Lower > Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=33.33.33.33/emailAddress=r...@openbsd.org > ikev2_getimsgdata: imsg 22 rspi 0xa7b83476f3b174ff ispi > 0xa401bda7cbb03777 initiator 0 sa invalid type 4 data length 994 > ikev2_dispatch_cert: invalid cert reply > policy_lookup: setting policy 'vpn' > spi=0xb5e5ba4386a986f3: recv IKE_SA_INIT req 0 peer 44.55.66.77:35027 > local 33.33.33.33:500, 604 bytes, policy 'vpn' > ikev2_recv: ispi 0xb5e5ba4386a986f3 rspi 0x0000000000000000 > ikev2_policy2id: srcid IPV4/33.33.33.33 length 8 > ikev2_pld_parse: header ispi 0xb5e5ba4386a986f3 rspi 0x0000000000000000 > nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 > length 604 response 0 > ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 220 > ikev2_pld_sa: more 2 reserved 0 length 44 proposal #1 protoid IKE > spisize 0 xforms 4 spi 0 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id > HMAC_SHA2_256_128 > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048 > ikev2_pld_sa: more 2 reserved 0 length 44 proposal #2 protoid IKE > spisize 0 xforms 4 spi 0 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id > HMAC_SHA2_256_128 > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_256 > ikev2_pld_sa: more 2 reserved 0 length 44 proposal #3 protoid IKE > spisize 0 xforms 4 spi 0 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > ikev2_pld_attr: attribute 
type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id > HMAC_SHA2_256_128 > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1536 > ikev2_pld_sa: more 2 reserved 0 length 44 proposal #4 protoid IKE > spisize 0 xforms 4 spi 0 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024 > ikev2_pld_sa: more 0 reserved 0 length 40 proposal #5 protoid IKE > spisize 0 xforms 4 spi 0 > ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024 > ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length > 264 > ikev2_pld_ke: dh group MODP_2048 reserved 0 > ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 > length 20 > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 > length 8 > ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 > length 28 > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP > ikev2_nat_detection: peer source 0xb5e5ba4386a986f3 0x0000000000000000 > 44.55.66.77:35027 > ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 > length 28 > ikev2_pld_notify: protoid NONE spisize 0 type > NAT_DETECTION_DESTINATION_IP > ikev2_nat_detection: peer destination 0xb5e5ba4386a986f3 > 0x0000000000000000 33.33.33.33:500 > ikev2_pld_payloads: 
payload NOTIFY nextpayload NONE critical 0x00 length > 8 > ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED > proposals_negotiate: score 4 > proposals_negotiate: score 0 > proposals_negotiate: score 0 > proposals_negotiate: score 0 > proposals_negotiate: score 0 > policy_lookup: setting policy 'vpn' > spi=0xb5e5ba4386a986f3: sa_state: INIT -> SA_INIT > proposals_negotiate: score 4 > proposals_negotiate: score 0 > proposals_negotiate: score 0 > proposals_negotiate: score 0 > proposals_negotiate: score 0 > sa_stateok: SA_INIT flags 0x0000, require 0x0000 > sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 ) > spi=0xb5e5ba4386a986f3: ikev2_sa_keys: DHSECRET with 256 bytes > ikev2_sa_keys: SKEYSEED with 32 bytes > spi=0xb5e5ba4386a986f3: ikev2_sa_keys: S with 64 bytes > ikev2_prfplus: T1 with 32 bytes > ikev2_prfplus: T2 with 32 bytes > ikev2_prfplus: T3 with 32 bytes > ikev2_prfplus: T4 with 32 bytes > ikev2_prfplus: T5 with 32 bytes > ikev2_prfplus: T6 with 32 bytes > ikev2_prfplus: T7 with 32 bytes > ikev2_prfplus: Tn with 224 bytes > ikev2_sa_keys: SK_d with 32 bytes > ikev2_sa_keys: SK_ai with 32 bytes > ikev2_sa_keys: SK_ar with 32 bytes > ikev2_sa_keys: SK_ei with 32 bytes > ikev2_sa_keys: SK_er with 32 bytes > ikev2_sa_keys: SK_pi with 32 bytes > ikev2_sa_keys: SK_pr with 32 bytes > ikev2_resp_ike_sa_init: detected NAT, enabling UDP encapsulation > ikev2_add_proposals: length 44 > ikev2_next_payload: length 48 nextpayload KE > ikev2_next_payload: length 264 nextpayload NONCE > ikev2_next_payload: length 36 nextpayload VENDOR > ikev2_next_payload: length 16 nextpayload NOTIFY > ikev2_nat_detection: local source 0xb5e5ba4386a986f3 0x34cfe60768e5e796 > 33.33.33.33:500 > ikev2_next_payload: length 28 nextpayload NOTIFY > ikev2_nat_detection: local destination 0xb5e5ba4386a986f3 > 0x34cfe60768e5e796 44.55.66.77:35027 > ikev2_next_payload: length 28 nextpayload CERTREQ > ikev2_add_certreq: type X509_CERT length 21 > ikev2_next_payload: length 
25 nextpayload NONE > ikev2_pld_parse: header ispi 0xb5e5ba4386a986f3 rspi 0x34cfe60768e5e796 > nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 > length 473 response 1 > ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48 > ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE > spisize 0 xforms 4 spi 0 > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 > ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 > ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id > HMAC_SHA2_256_128 > ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048 > ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length > 264 > ikev2_pld_ke: dh group MODP_2048 reserved 0 > ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 > length 36 > ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 > length 16 > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 > length 28 > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP > ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 > length 28 > ikev2_pld_notify: protoid NONE spisize 0 type > NAT_DETECTION_DESTINATION_IP > ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 > length 25 > ikev2_pld_certreq: type X509_CERT length 20 > spi=0xb5e5ba4386a986f3: send IKE_SA_INIT res 0 peer 44.55.66.77:35027 > local 33.33.33.33:500, 473 bytes > config_free_proposals: free 0xab8d70c5500 > config_free_proposals: free 0xab8d70c4e80 > config_free_proposals: free 0xab8d70b5480 > config_free_proposals: free 0xab8d70c5700 > config_free_proposals: free 0xab8d70b5200 > spi=0xb5e5ba4386a986f3: recv IKE_AUTH req 1 peer 44.55.66.77:35037 local > 33.33.33.33:4500, 496 bytes, policy 'vpn' > ikev2_recv: ispi 0xb5e5ba4386a986f3 rspi 0x34cfe60768e5e796 > ikev2_recv: updated SA to peer 44.55.66.77:35037 
local 33.33.33.33:4500 > ikev2_pld_parse: header ispi 0xb5e5ba4386a986f3 rspi 0x34cfe60768e5e796 > nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length > 496 response 0 > ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 468 > ikev2_msg_decrypt: IV length 16 > ikev2_msg_decrypt: encrypted payload length 432 > ikev2_msg_decrypt: integrity checksum length 16 > ikev2_msg_decrypt: integrity check succeeded > ikev2_msg_decrypt: decrypted payload length 432/432 padding 3 > ikev2_pld_payloads: decrypted payload IDi nextpayload NOTIFY critical > 0x00 length 16 > ikev2_pld_id: id FQDN/p6.local length 12 > ikev2_pld_payloads: decrypted payload NOTIFY nextpayload IDr critical > 0x00 length 8 > ikev2_pld_notify: protoid NONE spisize 0 type INITIAL_CONTACT > ikev2_pld_payloads: decrypted payload IDr nextpayload CP critical 0x00 > length 12 > ikev2_pld_id: id IPV4/33.33.33.33 length 8 > ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical > 0x00 length 40 > ikev2_pld_cp: type REQUEST length 32 > ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0 > ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 0 > ikev2_pld_cp: INTERNAL_IP4_DHCP 0x0006 length 0 > ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0 > ikev2_pld_cp: INTERNAL_IP6_ADDRESS 0x0008 length 0 > ikev2_pld_cp: INTERNAL_IP6_DHCP 0x000c length 0 > ikev2_pld_cp: INTERNAL_IP6_DNS 0x000a length 0 > ikev2_pld_cp: <UNKNOWN:25> 0x0019 length 0 > ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical > 0x00 length 8 > ikev2_pld_notify: protoid NONE spisize 0 type > ESP_TFC_PADDING_NOT_SUPPORTED > ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical > 0x00 length 8 > ikev2_pld_notify: protoid NONE spisize 0 type NON_FIRST_FRAGMENTS_ALSO > ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 > length 200 > ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid ESP > spisize 4 xforms 3 spi 0x03783304 > ikev2_pld_xform: more 3 
> reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_sa: more 2 reserved 0 length 40 proposal #2 protoid ESP spisize 4 xforms 3 spi 0x0dafe4ea
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_sa: more 2 reserved 0 length 40 proposal #3 protoid ESP spisize 4 xforms 3 spi 0x0ef2c7af
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_sa: more 2 reserved 0 length 40 proposal #4 protoid ESP spisize 4 xforms 3 spi 0x0769d7b8
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_sa: more 0 reserved 0 length 36 proposal #5 protoid ESP spisize 4 xforms 3 spi 0x0011b792
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 64
> ikev2_pld_tss: count 2 length 56
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
> ikev2_pld_tss: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
> ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical 0x00 length 64
> ikev2_pld_tss: count 2 length 56
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
> ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
> ikev2_pld_tss: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
> ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
> ikev2_handle_notifies: mobike enabled
> ikev2_resp_recv: NAT-T message received, updated SA
> sa_stateok: SA_INIT flags 0x0000, require 0x0000
> policy_lookup: peerid 'p6.local'
> policy_lookup: localid '33.33.33.33'
> proposals_negotiate: score 4
> policy_lookup: setting policy 'vpn'
> ikev2_policy2id: srcid IPV4/33.33.33.33 length 8
> sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0000 )
> spi=0xb5e5ba4386a986f3: ikev2_ike_auth_recv: missing auth payload
> spi=0xb5e5ba4386a986f3: ikev2_send_auth_failed: authentication failed for FQDN/p6.local
> ikev2_next_payload: length 8 nextpayload NONE
> ikev2_next_payload: length 52 nextpayload NOTIFY
> ikev2_msg_encrypt: decrypted length 8
> ikev2_msg_encrypt: padded length 16
> ikev2_msg_encrypt: length 9, padding 7, output length 48
> ikev2_msg_integr: message length 80
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0xb5e5ba4386a986f3 rspi 0x34cfe60768e5e796 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 80 response 1
> ikev2_pld_payloads: payload SK nextpayload NOTIFY critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 7
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 8
> ikev2_pld_notify: protoid IKE spisize 0 type AUTHENTICATION_FAILED
> spi=0xb5e5ba4386a986f3: send IKE_AUTH res 1 peer 44.55.66.77:35037 local 33.33.33.33:4500, 80 bytes, NAT-T
> spi=0xb5e5ba4386a986f3: sa_state: SA_INIT -> CLOSING
> ikev2_resp_recv: failed to send auth response
> spi=0xb5e5ba4386a986f3: sa_state: CLOSING -> CLOSED from 44.55.66.77:35037 to 33.33.33.33:4500 policy 'vpn'
> ikev2_recv: closing SA
> spi=0xb5e5ba4386a986f3: sa_free: authentication failed
> config_free_proposals: free 0xab8d70c4d00
> config_free_proposals: free 0xab8d70c4c00
> config_free_proposals: free 0xab8d70c5300
> config_free_proposals: free 0xab8d70c3180
> config_free_proposals: free 0xab8d70b5580
> config_free_proposals: free 0xab8d70c4800
> ca_getreq: found CA /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=VPN CA/emailAddress=r...@openbsd.org
> ca_x509_subjectaltname_do: did not find subjectAltName in certificate
> ca_cert_local: certificate key mismatch
> spi=0xb5e5ba4386a986f3: ca_getreq: found cert with matching ID but without matching key.
> ca_getreq: found local certificate /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=33.33.33.33/emailAddress=r...@openbsd.org
> ikev2_getimsgdata: imsg 22 rspi 0x34cfe60768e5e796 ispi 0xb5e5ba4386a986f3 initiator 0 sa invalid type 4 data length 994
> ikev2_dispatch_cert: invalid cert reply
> ^Cconfig_doreset: flushing policies
> config_free_proposals: free 0xab8d70b5d80
> config_free_proposals: free 0xab8d70c4680
> config_free_flows: free 0xab8d70d4800
> config_free_flows: free 0xab8d7099400
> config_doreset: flushing SAs
> config_doreset: flushing users
> ikev2 exiting, pid 91232
> ca exiting, pid 86139
> control exiting, pid 58820
> parent terminating
>
> ----
>

-- 
Please keep replies on the mailing list.
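A small triage helper for `iked -dv` output like the log quoted above, added here as an example; it is not part of the thread and not iked's code. It groups messages by SPI and maps the ca-process diagnostics (key mismatch, missing subjectAltName, invalid cert reply) onto plain-language causes. The sample lines are a subset of the quoted log; which messages are worth flagging, and their wording, are my own assumptions.

```python
import re
from collections import defaultdict

# Sample input: a subset of the iked -dv lines quoted in the thread above.
SAMPLE_LOG = """\
spi=0xb5e5ba4386a986f3: ikev2_ike_auth_recv: missing auth payload
spi=0xb5e5ba4386a986f3: ikev2_send_auth_failed: authentication failed for FQDN/p6.local
ca_getreq: found CA /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=VPN CA/emailAddress=r...@openbsd.org
ca_x509_subjectaltname_do: did not find subjectAltName in certificate
ca_cert_local: certificate key mismatch
spi=0xb5e5ba4386a986f3: ca_getreq: found cert with matching ID but without matching key.
ca_getreq: found local certificate /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=33.33.33.33/emailAddress=r...@openbsd.org
ikev2_dispatch_cert: invalid cert reply
spi=0xb5e5ba4386a986f3: sa_free: authentication failed
"""
SPI_RE = re.compile(r"^spi=(0x[0-9a-fA-F]+): (.*)$")
PEER_RE = re.compile(r"authentication failed for (\S+)")

# Log substrings mapped to a plain-language cause; which messages matter is
# my own assumption (based on the quoted log), not something iked documents.
CA_HINTS = {
    "missing auth payload": "peer's IKE_AUTH request carried no AUTH payload",
    "did not find subjectAltName": "a checked certificate has no subjectAltName",
    "certificate key mismatch": "local certificate does not match the local private key",
    "found cert with matching ID but without matching key":
        "a certificate for the local ID exists but was issued for a different key",
    "invalid cert reply": "ca process returned no usable local certificate",
}


def triage(log_text):
    """Map each SPI to the peer ID it failed for and the causes logged after it.
    Lines without an spi= prefix are attributed to the most recently seen SPI."""
    sas = defaultdict(lambda: {"peer_id": None, "causes": []})
    current = None
    for line in log_text.splitlines():
        m = SPI_RE.match(line)
        msg = line
        if m:
            current, msg = m.group(1), m.group(2)
        if current is None:
            continue  # no SA context yet, nothing to attribute this line to
        peer = PEER_RE.search(msg)
        if peer:
            sas[current]["peer_id"] = peer.group(1)
        for needle, cause in CA_HINTS.items():
            if needle in msg and cause not in sas[current]["causes"]:
                sas[current]["causes"].append(cause)
    return {spi: info for spi, info in sas.items() if info["peer_id"] or info["causes"]}
```

Run on the full `iked -dv` capture, `triage()` returns one entry per failed SA; a "does not match the local private key" cause together with "issued for a different key" points at the wrong certificate sitting in the server's cert store.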
