Discussion:
ikev2 and road warriors setup
Radek
2018-01-27 18:55:46 UTC
Hello,

I have configured OpenIKED Site-to-Site VPN between two gateways:
serv73 - OBSD6.1, IP A.B.C.73,
serv75 - OBSD6.2, IP A.B.C.75.
It seems to work fine.

I'm trying to set up a VPN for a few road warriors on one of these gateways. As much as possible, authorisation should be independent of the user's IP. If I get it right, a certificate is always bound to a certain IP, so I need to use login and password authentication.
After spending some time playing around with it, I cannot find the proper configuration.
I know the reason for that is a missing certificate (I have no idea what cert it is), but maybe there is something else that I have missed or done wrong.
I have read manuals but not everything is clear for me.

On Win7 I get an 809 error.
Client is configured as below:
https://hide.me/en/vpnsetup/windows7/ikev2/

Any help appreciated :)

My configs:

[root@serv75/home/rdk:]iked -dv
ikev2_recv: IKE_SA_INIT request from initiator X.X.X.X:500 to A.B.C.75:500 policy 'roadwarrior' id 0, 528 bytes
ikev2_msg_send: IKE_SA_INIT response from A.B.C.75:500 to X.X.X.X:500 msgid 0, 325 bytes
ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 policy 'roadwarrior' id 1, 764 bytes
ca_getreq: no valid local certificate found
ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 policy 'roadwarrior' id 1, 764 bytes
ikev2_recv: IKE_AUTH request from initiator X.X.X.X:4500 to A.B.C.75:4500 policy 'roadwarrior' id 1, 764 bytes


[root@serv75/home/rdk:]cat /etc/iked.conf
remote_gw73 = "A.B.C.73" # serv33
remote_lan73 = "10.0.73.0/24"
local_gw = "10.0.75.254" # serv75
local_lan = "10.0.75.0/24"
dns1 = "8.8.8.8"

ikev2 active esp from $local_gw to $remote_gw73 \
from $local_lan to $remote_lan73 peer $remote_gw73 \
psk "test123"

user "test" "pass1234"
ikev2 "roadwarrior" passive esp \
from 0.0.0.0/0 to 10.0.75.0/24 \
local any peer any \
eap "mschap-v2" \
config address 10.0.75.123 \
config name-server 8.8.8.8 \
tag "$name-$id"

[root@serv75/home/rdk:]cat /etc/pf.conf
ext_if = "vr0"
lan_if = "vr1" # vr1
lan_local = $lan_if:network # 10.0.75.0/24
ext_ip = "A.B.C.75"
bud = "A.B.C.0/25"
rdkhome_wy = "YY.YY.YY.YY"
rdkhome_mon = "XX.XX.XX.XX"
ssh_port = "1071"
icmp_types = "{ echoreq, unreach }"
table <vpn_peers> const { A.B.C.73, A.B.C.74 }
set skip on { lo, enc0 }
block return on $ext_if # block stateless traffic
match out log on $ext_if from $lan_local nat-to $ext_if set prio (1, 6)
pass in log quick inet proto tcp from { $bud, $rdkhome_wy, $rdkhome_mon} to $ext_if port $ssh_port \
set prio (1, 6) keep state
pass out quick on egress proto esp from (egress:0) to <vpn_peers> keep state
pass out quick on egress proto udp from (egress:0) to <vpn_peers> port {500, 4500} keep state
pass in quick on egress proto esp from <vpn_peers> to (egress:0) keep state
pass in quick on egress proto udp from <vpn_peers> to (egress:0) port {500, 4500} keep state
pass out quick on trust received-on enc0 keep state
pass out log proto tcp set prio (1, 6) keep state
pass log proto udp set prio (1, 6) keep state
pass inet proto icmp all icmp-type $icmp_types set prio (1, 6) keep state
pass log inet proto { tcp, udp } from $lan_local to any set prio (1, 6) keep state
block return in on ! lo0 proto tcp to port 6000:6010

[root@serv75/home/rdk:]cat /etc/hostname.vr0
inet A.B.C.75 255.255.254.0 NONE description "WAN75"
group trust

[root@serv75/home/rdk:]cat /etc/hostname.vr1
inet 10.0.75.254 255.255.255.0 NONE description "LAN75"
group trust

[root@serv75/home/rdk:]cat /etc/hostname.enc0
up

[root@serv75/home/rdk:]cat /etc/rc.conf.local
iked_flags=YES
ntpd_flags="-s"
dhcpd_flags="vr1 vr2 vr3"

[root@serv75/home/rdk:]cat /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.ipcomp.enable=1
net.inet.esp.enable=1
--
radek
Radek
2018-02-07 21:01:16 UTC
Hi again,

I'm still trying to make it work for road warriors.
The VPN server has IP address A.B.9.73/23. It is OpenBSD 6.1.

I generated certs:

# hostname
serv73

# ikectl ca vpn create (CN = serv73)
# ikectl ca vpn install

# ikectl ca vpn certificate A.B.9.73 create
# ikectl ca vpn certificate A.B.9.73 install

# ikectl ca vpn certificate A.B.9.76 create #(CN = A.B.9.76)
# ikectl ca vpn certificate A.B.9.76 export

After installing A.B.9.76.zip in Win7 I can connect to VPN server from any IP address that is in range A.B.9.0/23.

I can't connect from an IP that is NOT in A.B.9.0/23.
I tried to connect from many IPs (public and behind NAT), but every time I get "809 error".

Can anyone please help me with solving that problem?

# cat /etc/iked.conf
[snip]
ikev2 "roadWarrior" passive esp \
from 10.0.73.0/24 to 0.0.0.0/0 local A.B.9.73 peer any \
srcid A.B.9.73 \
config address 10.0.70.128 \
tag "$name-$id"

# iked -n
configuration OK

# cat /etc/pf.conf
ext_if = "vr0"
lan_if = "vr1" # vr1
lan_local = $lan_if:network # 10.0.73.0/24
ext_ip = "A.B.9.73"
bud = "A.B.9.0/25"
rdkhome_wy = "YY.YY.YY.YY"
rdkhome_mon = "XX.XX.XX.XX"
ssh_port = "1071"
icmp_types = "{ echoreq, unreach }"
table <vpn_peers> const { A.B.9.74, A.B.C.75 }
set skip on { lo, enc0 }
block return on $ext_if # block stateless traffic

match out log on $ext_if from $lan_local nat-to $ext_if set prio (1, 6)

pass in log quick inet proto tcp from { $bud, $rdkhome_wy, $rdkhome_mon} to $ext_if port $ssh_port \
set prio (1, 6) keep state

pass out quick on egress proto esp from (egress:0) to <vpn_peers> keep state
pass out quick on egress proto udp from (egress:0) to <vpn_peers> port {500, 4500} keep state
pass in quick on egress proto esp from <vpn_peers> to (egress:0) keep state
pass in quick on egress proto udp from <vpn_peers> to (egress:0) port {500, 4500} keep state
pass out quick on trust received-on enc0 keep state
pass out log proto tcp set prio (1, 6) keep state
pass log proto udp set prio (1, 6) keep state

pass inet proto icmp all icmp-type $icmp_types set prio (1, 6) keep state
pass log inet proto { tcp, udp } from $lan_local to any set prio (1, 6) keep state

block return in on ! lo0 proto tcp to port 6000:6010



# iked -dvv
ikev2_recv: IKE_SA_INIT request from initiator E.F.G.H:500 to A.B.9.73:500 policy 'roadWarrior' id 0, 528 bytes
ikev2_recv: ispi 0x35e2e7f614678913 rspi 0x0000000000000000
ikev2_policy2id: srcid IPV4/A.B.9.73 length 8
ikev2_pld_parse: header ispi 0x35e2e7f614678913 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 528 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
ikev2_pld_sa: more than one proposal specified
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x35e2e7f614678913 0x0000000000000000 E.F.G.H:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x35e2e7f614678913 0x0000000000000000 A.B.9.73:500
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 21
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
ikev2_sa_keys: SKEYSEED with 20 bytes
ikev2_sa_keys: S with 96 bytes
ikev2_prfplus: T1 with 20 bytes
ikev2_prfplus: T2 with 20 bytes
ikev2_prfplus: T3 with 20 bytes
ikev2_prfplus: T4 with 20 bytes
ikev2_prfplus: T5 with 20 bytes
ikev2_prfplus: T6 with 20 bytes
ikev2_prfplus: T7 with 20 bytes
ikev2_prfplus: T8 with 20 bytes
ikev2_prfplus: Tn with 160 bytes
ikev2_sa_keys: SK_d with 20 bytes
ikev2_sa_keys: SK_ai with 20 bytes
ikev2_sa_keys: SK_ar with 20 bytes
ikev2_sa_keys: SK_ei with 24 bytes
ikev2_sa_keys: SK_er with 24 bytes
ikev2_sa_keys: SK_pi with 20 bytes
ikev2_sa_keys: SK_pr with 20 bytes
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload KE
ikev2_next_payload: length 136 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x35e2e7f614678913 0x177a4400d017d93f A.B.9.73:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x35e2e7f614678913 0x177a4400d017d93f E.F.G.H:500
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload NONE
ikev2_pld_parse: header ispi 0x35e2e7f614678913 rspi 0x177a4400d017d93f nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 325 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_msg_send: IKE_SA_INIT response from A.B.9.73:500 to E.F.G.H:500 msgid 0, 325 bytes
config_free_proposals: free 0x8134e000

Generating and installing certificate for E.F.G.H doesn't make any change.


--
radek
Radek
2018-10-28 14:04:21 UTC
Hello,
I really need your help.
I am still trying to configure an IKEv2 VPN gateway (A.B.C.77/23) for road warrior clients (Windows).
The problem is that it works ONLY if the clients are in the same subnet as the VPN gateway (A.B.C.0/23).
Clients outside the gateway's subnet (!A.B.C.0/23) cannot establish the connection (809 error). It does not matter whether they are behind NAT or not; I tried different ISPs, with the same result.

The currently tested client is Win7 (1.2.3.119). It works from A.B.C.0/23.

I do not know what I am doing wrong.
Can anyone please help me with solving this problem?
Thank you.

This is a fresh 6.3/i386 install:

# syspatch -l
001_perl
002_libtls
003_arp
004_gif
005_httpd
006_ipseclen
007_libcrypto
008_ipsecout
009_libcrypto
011_perl
012_execsize
013_ipsecexpire
014_amdlfence
015_ioport

WAN:
# cat /etc/hostname.vr0
inet A.B.C.77 255.255.254.0

LAN:
# cat /etc/hostname.vr3
inet 172.16.0.254 255.255.255.0 NONE
group lan

# cat /etc/hostname.enc0
inet 10.0.1.1 255.255.255.0 10.0.1.255
up

# cat /etc/iked.conf
ikev2 "test" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local A.B.C.77 peer any \
srcid A.B.C.77 \
config address 10.0.1.0/24 \
config name-server 8.8.8.8 \
tag "IKED"

# cat /etc/pf.conf
set skip on {lo, enc}
match in all scrub (no-df random-id max-mss 1310)
match out on egress from lan:network to any nat-to egress
match out on egress from enc0:network to any nat-to egress
block log all
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan
pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh
icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types


# ikectl show ca vpn certificates
subject= /C=PL/ST=ZP/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=***@123.com
SHA1 Fingerprint=37:2F:33:EA:C4:9C:45:0A:80:38:EC:0E:A6:F8:8B:EA:10:84:71:CB
notBefore=Oct 25 12:23:53 2018 GMT
notAfter=Oct 25 12:23:53 2019 GMT

subject= /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=***@123.com
SHA1 Fingerprint=4C:AE:A5:C6:E3:71:81:09:C0:73:BF:03:5F:E2:02:CE:48:BF:03:78
notBefore=Oct 25 12:27:35 2018 GMT
notAfter=Oct 25 12:27:35 2019 GMT

subject= /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=win7/emailAddress=***@123.com
SHA1 Fingerprint=E2:C1:96:F3:26:0F:CA:CD:49:0A:33:65:58:0E:07:B7:A7:90:D4:18
notBefore=Oct 25 12:32:31 2018 GMT
notAfter=Oct 25 12:32:31 2019 GMT

subject= /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=w520/emailAddress=***@123.com
SHA1 Fingerprint=00:ED:49:7B:CE:AF:46:25:BE:39:B6:51:AD:3E:06:91:99:58:50:C9
notBefore=Oct 27 08:54:14 2018 GMT
notAfter=Oct 27 08:54:14 2019 GMT

# iked -vvd
ikev2 "test" passive esp inet from 0.0.0.0/0 to 0.0.0.0/0 local A.B.C.77 peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid A.B.C.77 lifetime 10800 bytes 536870912 signature config address 10.0.1.0 config name-server 8.8.8.8 tag "IKED"
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1193
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1193
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
ca_reload: loaded ca file ca.crt
config_getsocket: received socket fd 7
config_getmobike: mobike
ca_reload: loaded crl file ca.crl
ca_reload: /C=PL/ST=ZP/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=***@123.com
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file A.B.C.77.crt
ca_validate_cert: /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=***@123.com ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_recv: IKE_SA_INIT request from initiator 1.2.3.119:500 to A.B.C.77:500 policy 'test' id 0, 528 bytes
ikev2_recv: ispi 0x683d59d10fbe4a9e rspi 0x0000000000000000
ikev2_policy2id: srcid IPV4/A.B.C.77 length 8
ikev2_pld_parse: header ispi 0x683d59d10fbe4a9e rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 528 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #2 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #3 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #4 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #5 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #6 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x683d59d10fbe4a9e 0x0000000000000000 1.2.3.119:500
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x683d59d10fbe4a9e 0x0000000000000000 A.B.C.77:500
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 21
ikev2_sa_negotiate: score 12
ikev2_sa_negotiate: score 17
ikev2_sa_negotiate: score 8
ikev2_sa_negotiate: score 0
ikev2_sa_negotiate: score 0
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
ikev2_sa_keys: DHSECRET with 128 bytes
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 96 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 136 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x683d59d10fbe4a9e 0x4698e736ae5196ac A.B.C.77:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x683d59d10fbe4a9e 0x4698e736ae5196ac 1.2.3.119:500
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload NONE
ikev2_pld_parse: header ispi 0x683d59d10fbe4a9e rspi 0x4698e736ae5196ac nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 329 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #4 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_msg_send: IKE_SA_INIT response from A.B.C.77:500 to 1.2.3.119:500 msgid 0, 329 bytes
config_free_proposals: free 0x7fcc4880
config_free_proposals: free 0x85753900
config_free_proposals: free 0x7fcc03c0
config_free_proposals: free 0x7fcc4080
config_free_proposals: free 0x7fcc4580
config_free_proposals: free 0x825a0a00

Then I get the 809 error.

block return in on ! lo0 proto tcp to port 6000:6010
inet A.B.C.75 255.255.254.0 NONE description "WAN75"
group trust
inet 10.0.75.254 255.255.255.0 NONE description "LAN75"
group trust
up
iked_flags=YES
ntpd_flags="-s"
dhcpd_flags="vr1 vr2 vr3"
net.inet.ip.forwarding=1
net.inet.ipcomp.enable=1
net.inet.esp.enable=1
--
radek
Kim Zeitler
2018-10-31 10:50:25 UTC
Permalink
Post by Radek
Hello,
I really need your help.
I am still trying to configure Ikev2 VPN Gateway (A.B.C.77/23) for road warriors clients (Windows).
The problem is that it works ONLY if clients are in the same subnet as VPN Gateway (A.B.C.0/23).
Clients from out of the gateway's subnet (!A.B.C.0/23) can not establish the connection (809 Error). It does not matter if they are behind NAT or not, tried different ISP - the same.
Current tested client is Win7 (1.2.3.119). It works from A.B.C.0/23
I do not know what I am doing wrong.
Can anyone please help me with solving this problem?
Thank you.
# cat /etc/hostname.enc0
inet 10.0.1.1 255.255.255.0 10.0.1.255
up
You don't need an IP on enc0
Post by Radek
# cat /etc/iked.conf
ikev2 "test" passive esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local A.B.C.77 peer any \
srcid A.B.C.77 \
config address 10.0.1.0/24 \
config name-server 8.8.8.8 \
tag "IKED"
Try something like this, it works for both Win7 and Win10:

/etc/iked.conf
---------------------------------
ikev2 "roadWarrior" ipcomp esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
peer any \
srcid $srcid \
config address 10.0.1.0/24 \
config netmask 255.255.255.0 \
config name-server $dns1 \
config name-server $dns2 \
config access-server A.B.C.77 \
config protected-subnet 0.0.0.0/0 \
tag "$id"

'access-server' tells Windows what gateway to use for 'protected-subnet'
(see iked.conf(5)).
Radek
2018-11-02 21:16:05 UTC
Permalink
Thank you for your response,

Following your suggestion I removed IP from enc0 and changed iked.conf as below:

$ cat /etc/iked.conf
dns1 = "8.8.8.8"
dns2 = "8.8.4.4"
ikev2 "roadWarrior" ipcomp esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local A.B.C.77 peer any \
srcid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=***@123.com" \
config address 10.0.1.0/24 \
config netmask 255.255.255.0 \
config name-server $dns1 \
config name-server $dns2 \
config access-server A.B.C.77 \
config protected-subnet 0.0.0.0/0 \
tag "$id"

It did not solve my problem. Clients from !A.B.C.0/23 still get 809 Error.

I also tried another scenario: puffy_server <-> puffy_warrior
The same. My warrior also cannot connect if it is in !A.B.C.0/23, and the VPN works fine for clients from A.B.C.0/23.
Both machines are 6.3/i386.

Confs:
puffy_server (I just changed /etc/iked.conf and /etc/hostname.enc0 as below; the rest of my previous conf is untouched)

$ cat /etc/iked.conf
# puffy_server
ikev2 office passive esp \
from 172.16.0.64 to 0.0.0.0/0 \
from 172.16.0.254 to 0.0.0.0/0 \
local A.B.C.77 peer any \
srcid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=***@123.com" dstid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=***@123.com"

$ cat /etc/hostname.enc0
up

puffy_warrior:

$ cat /etc/iked.conf
# puffy_warrior
ikev2 home active esp \
from egress to 172.16.0.0/24 \
local egress peer A.B.C.77 \
srcid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=***@123.com" dstid "/C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=***@123.com"

$ pfctl -s rules
pass all flags S/SA

This is warrior log, public IP 1.2.3.119:

$ iked -dvv
set_policy_auth_method: using rfc7427 for peer
ikev2 "home" active esp inet from 1.2.3.119 to 172.16.0.0/24 local 1.2.3.119 peer A.B.C.77 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=***@123.com dstid /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=***@123.com lifetime 10800 bytes 536870912 rfc7427
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1191
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
ca_reload: loaded ca file ca.crt
ca_reload: loaded crl file ca.crl
ca_reload: /C=PL/ST=ZP/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=***@123.com
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file puffy63.crt
ca_validate_cert: /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=***@123.com ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: mobike
ikev2_init_ike_sa: initiating "home"
ca_x509_name_parse: setting 'C' to 'PL'
ca_x509_name_parse: setting 'ST' to 'ZK'
ca_x509_name_parse: setting 'L' to 'KL'
ca_x509_name_parse: setting 'O' to 'PK'
ca_x509_name_parse: setting 'OU' to 'test'
ca_x509_name_parse: setting 'CN' to 'puffy63'
ca_x509_name_parse: setting 'emailAddress' to '***@123.com'
ikev2_policy2id: srcid ASN1_DN//C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=***@123.com length 123
ikev2_add_proposals: length 108
ikev2_next_payload: length 112 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x64068214f68d9422 0x0000000000000000 1.2.3.119:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x64068214f68d9422 0x0000000000000000 A.B.C.77:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0x64068214f68d9422 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 510 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 112
ikev2_pld_sa: more 0 reserved 0 length 108 proposal #1 protoid IKE spisize 0 xforms 11 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_msg_send: IKE_SA_INIT request from 1.2.3.119:500 to A.B.C.77:500 msgid 0, 510 bytes
sa_state: INIT -> SA_INIT
ikev2_recv: IKE_SA_INIT response from responder A.B.C.77:500 to 1.2.3.119:500 policy 'home' id 0, 471 bytes
ikev2_recv: ispi 0x64068214f68d9422 rspi 0x84af2c52dcbc294d
ikev2_recv: updated SA to peer A.B.C.77:500 local 1.2.3.119:500
ikev2_pld_parse: header ispi 0x64068214f68d9422 rspi 0x84af2c52dcbc294d nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 471 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x64068214f68d9422 0x84af2c52dcbc294d A.B.C.77:500
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x64068214f68d9422 0x84af2c52dcbc294d 1.2.3.119:500
ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ca_x509_name_parse: setting 'C' to 'PL'
ca_x509_name_parse: setting 'ST' to 'ZK'
ca_x509_name_parse: setting 'L' to 'KL'
ca_x509_name_parse: setting 'O' to 'PK'
ca_x509_name_parse: setting 'OU' to 'test'
ca_x509_name_parse: setting 'CN' to 'puffy63'
ca_x509_name_parse: setting 'emailAddress' to '***@123.com'
ikev2_policy2id: srcid ASN1_DN//C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=***@123.com length 123
sa_stateflags: 0x0000 -> 0x0004 certreq (required 0x0009 cert,auth)
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
ikev2_sa_keys: DHSECRET with 256 bytes
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_msg_auth: initiator auth data length 574
ca_setauth: using SIG (RFC7427)
ca_setauth: auth length 574
sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
config_free_proposals: free 0x79d91600
ca_getreq: found CA /C=PL/ST=ZP/L=KL/O=PK/OU=test/CN=A.B.C.77/emailAddress=***@123.com
ca_getreq: found local certificate /C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=***@123.com
ca_setauth: auth length 272
ikev2_getimsgdata: imsg 20 rspi 0x84af2c52dcbc294d ispi 0x64068214f68d9422 initiator 1 sa valid type 4 data length 961
ikev2_dispatch_cert: cert type X509_CERT length 961, ok
sa_stateflags: 0x0004 -> 0x0005 cert,certreq (required 0x0009 cert,auth)
sa_stateok: SA_INIT flags 0x0001, require 0x0009 cert,auth
ikev2_getimsgdata: imsg 25 rspi 0x84af2c52dcbc294d ispi 0x64068214f68d9422 initiator 1 sa valid type 14 data length 272
ikev2_dispatch_cert: AUTH type 14 len 272
sa_stateflags: 0x0005 -> 0x000d cert,certreq,auth (required 0x0009 cert,auth)
sa_stateok: SA_INIT flags 0x0009, require 0x0009 cert,auth
ikev2_next_payload: length 127 nextpayload CERT
ikev2_next_payload: length 966 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload AUTH
ikev2_next_payload: length 280 nextpayload SA
pfkey_sa_getspi: spi 0xda769508
pfkey_sa_init: new spi 0xda769508
ikev2_add_proposals: length 80
ikev2_next_payload: length 84 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 1530
ikev2_msg_encrypt: padded length 1536
ikev2_msg_encrypt: length 1531, padding 5, output length 1568
ikev2_next_payload: length 1572 nextpayload IDi
ikev2_msg_integr: message length 1600
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x64068214f68d9422 rspi 0x84af2c52dcbc294d nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 1600 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 1572
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 1536
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 1536/1536 padding 5
ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 127
ikev2_pld_id: id ASN1_DN//C=PL/ST=ZK/L=KL/O=PK/OU=test/CN=puffy63/emailAddress=***@123.com length 123
ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 length 966
ikev2_pld_cert: type X509_CERT length 961
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 280
ikev2_pld_auth: method SIG length 272
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 84
ikev2_pld_sa: more 0 reserved 0 length 80 proposal #1 protoid ESP spisize 4 xforms 7 spi 0xda769508
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 1.2.3.119 end 1.2.3.119
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 172.16.0.0 end 172.16.0.255
ikev2_msg_send: IKE_AUTH request from 1.2.3.119:500 to A.B.C.77:500 msgid 1, 1600 bytes
ikev2_init_ike_sa: "home" is already active

$ ipsecctl -sa
FLOWS:
flow esp out from ::/0 to ::/0 type deny

SAD:

I really do not know what I am doing wrong.



--
radek
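For anyone trying to read the `ikev2_pld_parse: header ...` and `ikev2_pld_payloads: payload ... nextpayload ...` lines in the log above: the first is the fixed 28-byte IKE header (RFC 7296 section 3.1), the rest are the 4-byte generic payload headers chained through the next-payload field (section 3.2), and `flags 0x08` / `0x20` are the Initiator and Response bits. The Python below is an added example, not code from this thread and not OpenIKED's own parser. It decodes a datagram into the same fields iked prints, walks the payload chain with length and critical-bit checks, and handles the UDP/4500 case, where IKE shares the port with UDP-encapsulated ESP and is prefixed with a four-byte zero non-ESP marker (RFC 3948). The sample packet is constructed here: its layout copies the 510-byte IKE_SA_INIT request from the log (SA 112, KE 264, NONCE 36, NOTIFY 28/28/14) and its initiator SPI is taken from the log, but the payload bodies are zero-filled and everything else about it is made up.

```python
# IKEv2 header and payload-chain parser (RFC 7296 sections 3.1 and 3.2).
# Added example for the thread above; not code from iked or from the posters.
import struct
from dataclasses import dataclass, field

EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_TYPES = {0: "NONE", 33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT",
                 38: "CERTREQ", 39: "AUTH", 40: "NONCE", 41: "NOTIFY", 42: "DELETE",
                 43: "VENDOR", 44: "TSi", 45: "TSr", 46: "SK", 47: "CP", 48: "EAP"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20   # the 0x08 / 0x20 shown as "flags" in the log
IKE_HEADER = struct.Struct("!QQBBBBII")      # ispi rspi next ver exch flags msgid length
PAYLOAD_HEADER = struct.Struct("!BBH")       # next payload, C bit + reserved, length
NON_ESP_MARKER = b"\x00" * 4                 # RFC 3948 2.2: prefixes IKE on UDP/4500

class IkeParseError(ValueError):
    pass

@dataclass
class IkeMessage:
    ispi: int
    rspi: int
    exchange: str
    flags: int
    msgid: int
    length: int
    payloads: list = field(default_factory=list)   # (name, total length, critical)

def parse_ike(datagram: bytes, dst_port: int = 500) -> IkeMessage:
    data = datagram
    if dst_port == 4500:
        # UDP/4500 carries both IKE and UDP-encapsulated ESP; IKE is prefixed with
        # four zero bytes, a value an ESP SPI can never have.
        if not data.startswith(NON_ESP_MARKER):
            raise IkeParseError("no non-ESP marker on UDP/4500 (ESP-in-UDP, not IKE)")
        data = data[len(NON_ESP_MARKER):]
    if len(data) < IKE_HEADER.size:
        raise IkeParseError("truncated IKE header")
    ispi, rspi, nxt, version, exch, flags, msgid, length = IKE_HEADER.unpack_from(data)
    if version >> 4 != 2:                      # 0x20 in the log: major 2, minor 0
        raise IkeParseError(f"not IKEv2 (version byte 0x{version:02x})")
    if length != len(data):
        raise IkeParseError(f"header length {length} != datagram length {len(data)}")
    msg = IkeMessage(ispi, rspi, EXCHANGE_TYPES.get(exch, f"UNKNOWN({exch})"),
                     flags, msgid, length)
    off = IKE_HEADER.size
    while nxt != 0:                            # next payload 0 terminates the chain
        if off + PAYLOAD_HEADER.size > len(data):
            raise IkeParseError("payload chain runs past end of message")
        following, crit_res, plen = PAYLOAD_HEADER.unpack_from(data, off)
        critical = bool(crit_res & 0x80)
        if plen < PAYLOAD_HEADER.size or off + plen > len(data):
            raise IkeParseError(f"bad payload length {plen} at offset {off}")
        name = PAYLOAD_TYPES.get(nxt)
        if name is None:
            # RFC 7296 2.5: an unknown payload with the critical bit set is fatal
            # (UNSUPPORTED_CRITICAL_PAYLOAD); without the bit it is skipped.
            if critical:
                raise IkeParseError(f"unsupported critical payload type {nxt}")
            name = f"UNKNOWN({nxt})"
        msg.payloads.append((name, plen, critical))
        off += plen
        nxt = following
    if off != len(data):
        raise IkeParseError(f"{len(data) - off} trailing bytes after last payload")
    return msg

def summarize(datagram: bytes, dst_port: int = 500) -> str:
    """One line in the spirit of ikev2_pld_parse, or 'reject: <reason>'."""
    try:
        m = parse_ike(datagram, dst_port)
    except IkeParseError as e:
        return f"reject: {e}"
    kind = "response" if m.flags & FLAG_RESPONSE else "request"
    names = " ".join(name for name, _, _ in m.payloads)
    return f"{m.exchange} {kind} msgid {m.msgid} len {m.length}: {names}"

def build_ike_message(ispi, rspi, exchange, flags, msgid, payloads, dst_port=500):
    """Build a message from (type, body, critical) tuples; chain and lengths are derived."""
    body = b""
    for i, (ptype, pbody, critical) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += PAYLOAD_HEADER.pack(following, 0x80 if critical else 0,
                                    PAYLOAD_HEADER.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = IKE_HEADER.pack(ispi, rspi, first, 0x20, exchange, flags, msgid,
                          IKE_HEADER.size + len(body))
    return (NON_ESP_MARKER if dst_port == 4500 else b"") + hdr + body

# Constructed sample: same layout as the 510-byte IKE_SA_INIT request in the log
# above (SA 112, KE 264, NONCE 36, NOTIFY 28/28/14, flags 0x08); the initiator SPI
# is copied from the log and the payload bodies are zero-filled.
SAMPLE_SA_INIT = build_ike_message(
    0x64068214f68d9422, 0, 34, FLAG_INITIATOR, 0,
    [(33, b"\0" * 108, False), (34, b"\0" * 260, False), (40, b"\0" * 32, False),
     (41, b"\0" * 24, False), (41, b"\0" * 24, False), (41, b"\0" * 10, False)])

if __name__ == "__main__":
    print(summarize(SAMPLE_SA_INIT))
    print(summarize(SAMPLE_SA_INIT, dst_port=4500))   # no marker: rejected
```

Feeding it a capture from `tcpdump -ni egress -w - udp port 500 or udp port 4500` (UDP payloads only) gives one line per message in the same shape as iked's own `ikev2_pld_parse` output, which makes it easy to see whether a peer is actually sending IKE_AUTH on 4500 after NAT detection or, as in the log above, staying on 500.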
Kim Zeitler
2018-11-05 08:27:25 UTC
Permalink
Hello Radek,
Post by Radek
Thank you for your response,
$ cat /etc/iked.conf
dns1 = "8.8.8.8"
dns2 = "8.8.4.4"
ikev2 "roadWarrior" ipcomp esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local A.B.C.77 peer any \
config address 10.0.1.0/24 \
config netmask 255.255.255.0 \
config name-server $dns1 \
config name-server $dns2 \
config access-server A.B.C.77 \
config protected-subnet 0.0.0.0/0 \
tag "$id"
It did not solve my problem. Clients from !A.B.C.0/23 still get 809 Error.
I know this set-up to be working, as it is currently running here in
production.
Post by Radek
I also tried another scenario: puffy_server <-> puffy_warrior
The same. My warrior also can not connect if it is !A.B.C.0/23 and it VPN works fine for clients from A.B.C.0/23.
Both machines are 6.3/i386.
Your set-up is still a bit 'unclear'; I would rather say you have a
firewall/routing problem than an IPsec problem. Error 809 means no data
received.

Could you post your pf.conf?
How do you connect to networks !A.B.C.0/23?
Is your IPSec connection NATed?

Cheers
Kim
Kim Zeitler
2018-11-06 06:48:37 UTC
Permalink
Good morning Radek,

I have a suspicion ...
Post by Radek
For (1), (2) and (3) VPN is working just fine with Win7_warrior and puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter if warrior has public IP or it is behind NAT). The rest of the world fails to connect the VPN_server.
My question was concerning the VPN_server, is the server NATed?
How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...

Cheers,
Kim
Radek
2018-11-06 10:21:52 UTC
Permalink
Hello Kim,
Post by Kim Zeitler
My question was concerning the VPN_server, is the server NATed?
A.B.C.0/23 is not NATed, it is a public pool. VPN_server is not NATed.
Post by Kim Zeitler
How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...
I only have switches in my building.
All routers/firewalls of my network are in another building, I do not know the whole network structure, devices, security policies... but I have never noticed that any ports were blocked.

I can set up an IKEv2 site-to-site VPN A.B.C.D/23 <--> !A.B.C.0/23 and it works like a charm.
https://community.riocities.com/openike_openbsd.html
But I cannot set up a VPN_server for road warriors.

I have just set up a VPN_L2TP_serv on Mikrotik (A.B.C.75/23). I can connect my Win7_warrior from !A.B.C.0/23 (currently testing on GSM network).
L2TP and IKEv2 use ports 500 and 4500. Since L2TP works fine, I conclude that it is not a router/FW problem.

--
radek
Radek
2018-11-07 11:17:09 UTC
Permalink
Yesterday I tried this scenario:

Win7_warrior - 192.168.x.x, NAT, GW: 1.2.3.119
VPN_L2TP (Mikrotik) - A.B.C.75/23, not NATed
VPN_IKEv2 - A.B.C.77/23, not NATed

I connected Win7_warrior to VPN_L2TP and then to VPN_IKEv2. I had two active VPN connections at the same time.
Next, I disconnected VPN_L2TP. VPN_IKEv2 was still active and was working fine.

When I disconnected VPN_IKEv2 and tried to connect to VPN_IKEv2 without VPN_L2TP, I got 809.

Removing home_router which is between Win7_warrior and 1.2.3.119 does not change anything.

Another thing:
I installed the VPN_IKEv2 OS via PXE boot and got a private IP from the DHCP server. Then I moved it to the public A.B.C.77/23 by editing /etc/hostname, mygate and resolv.conf. Maybe I missed something in the network conf that is important for OpenIKED?

Any idea?


--
radek
Radek
2018-11-08 13:04:23 UTC
Permalink
I've been playing around with netcat.
I noticed that the netcat process on my VPN_server does not show any "X" on stdout for ports 4500 and 1701.

Might it be relevant to my VPN issue?

VPN_serv is A.B.C.77/23 (it is not behind NAT):

$ pfctl -s rules
pass all flags S/SA

$ nc -u -l 500
XXXX

X.Y.Z.11/29$ nc -vuz A.B.C.77 4500
A.B.C.69/23$ nc -vuz A.B.C.77 4500
$ nc -u -l 4500
NOTHING IS HERE

$ nc -u -l 4499
XXXX

$ nc -u -l 4501
XXXX

X.Y.Z.11/29$ nc -vuz A.B.C.77 1701
A.B.C.69/23$ nc -vuz A.B.C.77 1701
$ nc -u -l 1701
NOTHING IS HERE

$ nc -u -l 22
XXXX

$ nc -u -l 1234
XXXX

--
radek
Radek
2018-11-30 14:06:28 UTC
Permalink
Hello,

Thank all of you for your time and your help in this matter!
I think that the ISP of A.B.C.0/23 is filtering/blocking some certificates.
I have moved the VPN server and clients out of A.B.C.0/23. They can connect pretty fine using a CA now. Clients from A.B.C.0/23 still can NOT connect to the VPN serv.
Site-to-Site VPN is doing its job.

The road_warriors(Windows) can ping GW88_LAN_machine (192.168.2.1) ONLY if "use default gateway on remote network" is set.
I need to make road_warriors:
- reaching GW88_LAN_machines 192.168.2.254/24
- reaching GW119_LAN_machines 172.16.X.X via GW88 - if it is possible
- force road_warriors to use their own gateway for the rest of the traffic - "use default gateway on remote network" unticked.

I was playing around with iked.conf and pf.conf but I did not find the way to make it work.
I will be grateful if anyone could help me with that.

My network diagram and configs of GW88:

GW88$ cat /etc/hostname.enc0
inet 10.0.1.254 255.255.255.0

GW88$ cat /etc/iked.conf
#
ikev2 "roadWarrior" passive esp \
from 192.168.2.0/24 to 10.0.1.0/24 \
local 4.5.6.88 peer any \
srcid 4.5.6.88 \
config address 10.0.1.0/24
#
#
remote_gw_GW119 = "1.2.3.119" # fw_GW119
remote_lan_GW119_1 = "172.16.1.0/24"
remote_lan_GW119_2 = "172.16.2.0/24"

local_gw_GW88_2 = "192.168.2.254"
local_lan_GW88_2 = "192.168.2.0/24"

ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
from $local_lan_GW88_2 to $remote_lan_GW119_1 peer $remote_gw_GW119 \
psk "pkspass"

ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
from $local_lan_GW88_2 to $remote_lan_GW119_2 peer $remote_gw_GW119 \
psk "pskpass"


GW88$ cat /etc/pf.conf
set skip on {lo, enc}

match in all scrub (no-df random-id)
match out all scrub (no-df random-id)

match out on egress from lan:network to any nat-to egress

block log all
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan

table <bruteforce> persist counters
pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh flags S/SA \
set prio (6, 7) keep state \
(max-src-conn 15, max-src-conn-rate 2/10, overload <bruteforce> flush global)

icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types



                  +------------+
                  |road_warrior|
        +---------+10.0.1.0/24 |
        |         +------------+
        |
      ikev2
        |
        |
        v
 4.5.6.88                                    1.2.3.119
+---------+                                 +----------+
|         |                                 |          |
|  GW88   | <--+site-to-site VPN+-------->  |  GW119   |
+--+------+                                 +-------+--+
   |                                                |
   +-----+192.168.1.254/24                          |
   |                                                |
   |                             172.16.1.254/24----+
   |                                                |
   +---+-+192.168.2.254/24                          |
   |   |                                            |
   |   |  +-----------+                             |
   |   +--+192.168.2.1|          172.16.2.254/24----+
   |      +-----------+
   |
   +----+192.168.3.254/24

Thanks!

On Thu, 8 Nov 2018 14:04:23 +0100
Post by Radek
I've been playing around with netcat.
I noticed that the netcat process on my VPN_server does not show any "X" on stdout for ports 4500 and 1701.
May it be relevant to my VPN issue?
$ pfctl -s rules
pass all flags S/SA
$ nc -u -l 500
XXXX
X.Y.Z.11/29$ nc -vuz A.B.C.77 4500
A.B.C.69/23$ nc -vuz A.B.C.77 4500
$ nc -u -l 4500
NOTHING IS HERE
$ nc -u -l 4499
XXXX
$ nc -u -l 4501
XXXX
X.Y.Z.11/29$ nc -vuz A.B.C.77 1701
A.B.C.69/23$ nc -vuz A.B.C.77 1701
$ nc -u -l 1701
NOTHING IS HERE
$ nc -u -l 22
XXXX
$ nc -u -l 1234
XXXX
On Wed, 7 Nov 2018 12:17:09 +0100
Post by Radek
Win7_warrior - 192.168.x.x, NAT, GW: 1.2.3.119
VPN_L2TP (Mikrotik) - A.B.C.75/23, not NATed
VPN_IKEv2 - A.B.C.77/23, not NATed
I connected Win7_warrior to VPN_L2TP and then to VPN_IKEv2. I was having two active VPN conn in one time.
Next, I disconnected VPN_L2TP. VPN_IKEv2 was still active and was working fine.
When I disconnected VPN_IKEv2 and was trying to connect VPN_IKEv2 omitting VPN_L2TP - I got 809.
Removing home_router which is between Win7_warrior and 1.2.3.119 does not change anything.
I install VPN_IKEv2 OS via PXEboot and get private IP from dhcp server. Then I move to public A.B.C.77/23 editing /etc/hostname, mygate, resolv.conf. Maybe I missed something in network conf that is important for OpenIKED?
Any idea?
On Tue, 6 Nov 2018 11:21:52 +0100
Post by Radek
Hello Kim,
Post by Kim Zeitler
My question was concerning the VPN_server, is the server NATed?
A.B.C.0/23 is not NATed, it is a public pool. VPN_server is not NATed.
Post by Kim Zeitler
How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...
I only have switches in my building.
All routers/firewalls of my network are in another building, I do not know the whole network structure, devices, security policies... but I have never noticed that any ports were blocked.
I can set up an IKEv2 site-to-site VPN A.B.C.D/23 <--> !A.B.C.0/23 and it works like a charm.
https://community.riocities.com/openike_openbsd.html
But I cannot set up a VPN_server for road warriors.
I have just set up a VPN_L2TP_serv on Mikrotik (A.B.C.75/23). I can connect my Win7_warrior from !A.B.C.0/23 (currently testing on a GSM network).
L2TP and IKEv2 use ports 500 and 4500. Since L2TP works fine, I conclude that it is not a router/FW problem.
On Tue, 6 Nov 2018 07:48:37 +0100
Post by Kim Zeitler
Good morning Radek,
I have a suspicion ...
Post by Radek
For (1), (2) and (3) VPN is working just fine with Win7_warrior and puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter if the warrior has a public IP or is behind NAT). The rest of the world fails to connect to the VPN_server.
My question was concerning the VPN_server, is the server NATed?
How is A.B.C.0/23 connected to the 'rest' of the world? Router/Firewall ...
Cheers,
Kim
--
radek
Radek
2018-12-07 19:20:21 UTC
Hello,

I am still almost in the same point.
If I want to reach my GW88_LAN I have to check the "use default gateway on remote network" box (Windows roadwarrior), but this option makes me reach the internet through GW88.

I want to use VPN GW88 to access 192.168.2.0/24 ONLY and roadwarrior's "local" gateway for the rest of the traffic - unchecked box "use default gateway on remote network".
If the box is unchecked I am not able to access 192.168.2.0/24.

What should I change in my confs to get it working in this manner?

GW88# grep "^[^#;]" /etc/pf.conf
set skip on {lo, enc}
match in all scrub (no-df random-id)
match out all scrub (no-df random-id)
match out on egress from lan:network to any nat-to egress
block log all
pass out quick on egress inet received-on enc0 nat-to (egress)
pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan


GW88# grep "^[^#;]" /etc/iked.conf
ikev2 "roadWarrior" passive esp \
from 0.0.0.0/0 to 10.0.1.0/24 \
from 192.168.2.0/24 to 10.0.1.0/24 \
local 4.5.6.88 peer any \
srcid 4.5.6.88 \
config address 10.0.1.0/24 \
config netmask 255.255.255.0 \
config name-server 8.8.8.8

On Fri, 30 Nov 2018 15:06:28 +0100
Post by Radek
Hello,
Thank all of you for your time and your help in this matter!
I think that the ISP of A.B.C.0/23 is filtering/blocking some certificates.
I have moved the VPN server and clients out of A.B.C.0/23. They can connect fine using the CA now. Clients from A.B.C.0/23 still can NOT connect to the VPN server.
Site-to-Site VPN is doing its job.
The road_warriors (Windows) can ping the GW88_LAN_machine (192.168.2.1) ONLY if "use default gateway on remote network" is set.
- reaching GW88_LAN_machines 192.168.2.254/24
- reaching GW119_LAN_machines 172.16.X.X via GW88 - if it is possible
- force road_warriors to use their own gateway for the rest of the traffic - unticked "use default gateway on remote network".
I was playing around with iked.conf and pf.conf but I did not find a way to make it work.
I would be grateful if anyone could help me with that.
GW88$ cat /etc/hostname.enc0
inet 10.0.1.254 255.255.255.0
GW88$ cat /etc/iked.conf
#
ikev2 "roadWarrior" passive esp \
from 192.168.2.0/24 to 10.0.1.0/24 \
local 4.5.6.88 peer any \
srcid 4.5.6.88 \
config address 10.0.1.0/24
#
#
remote_gw_GW119 = "1.2.3.119" # fw_GW119
remote_lan_GW119_1 = "172.16.1.0/24"
remote_lan_GW119_2 = "172.16.2.0/24"
local_gw_GW88_2 = "192.168.2.254"
local_lan_GW88_2 = "192.168.2.0/24"
ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
from $local_lan_GW88_2 to $remote_lan_GW119_1 peer $remote_gw_GW119 \
psk "pkspass"
ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
from $local_lan_GW88_2 to $remote_lan_GW119_2 peer $remote_gw_GW119 \
psk "pskpass"
GW88$ cat /etc/pf.conf
set skip on {lo, enc}
match in all scrub (no-df random-id)
match out all scrub (no-df random-id)
match out on egress from lan:network to any nat-to egress
block log all
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan
table <bruteforce> persist counters
pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh flags S/SA \
set prio (6, 7) keep state \
(max-src-conn 15, max-src-conn-rate 2/10, overload <bruteforce> flush global)
icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types
                    +------------+
                    |road_warrior|
          +---------+10.0.1.0/24 |
          |         +------------+
          |
        ikev2
          |
          |
          v
       4.5.6.88                                   1.2.3.119
      +---------+                                +----------+
      |         |                                |          |
      |  GW88   | <--+site-to-site VPN+------>   |  GW119   |
      +--+------+                                +-------+--+
         |                                               |
         +-----+192.168.1.254/24       172.16.1.254/24---+
         |                                               |
         +---+-+192.168.2.254/24       172.16.2.254/24---|
         |   |
         |   |  +------------+
         |   +--+192.168.2.1 |
         |      +------------+
         |
         |----+192.168.3.254/24
Thanks!
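The split-tunnel question in this message has two halves. The gateway only carries traffic that matches one of the flows of the policy, and the client's route table (the Windows "use default gateway on remote network" box) decides what the client sends into the tunnel at all. The following is an added example, not code from the thread or from OpenIKED: a parser for the small iked.conf subset used in the posted configurations (macros, backslash continuations, "ikev2 ... from A to B" flows, "config address") and a matcher that reports, for a road warrior address taken from the pool, which flow would carry a packet to a given destination. The embedded configuration is a constructed copy of the posted GW88 configs with a placeholder PSK; the client address 10.0.1.10 and the destinations are assumptions.

```python
"""Which road-warrior traffic would an iked.conf policy carry?

Added example for the misc@ thread, not code from the thread or from iked(8).
Handles only the configuration subset seen in the posted files.
"""
import ipaddress
import re
import shlex

# Words that can follow "ikev2" when the policy has no quoted name.
MODE_WORDS = {"active", "passive", "quick", "esp", "ah", "ipcomp", "tunnel", "transport", "from"}

# Constructed copy of the posted GW88 configs (road-warrior policy plus one
# site-to-site policy); the PSK is a placeholder, not the author's.
CONF = r'''
remote_gw_GW119 = "1.2.3.119"   # fw_GW119
remote_lan_GW119_1 = "172.16.1.0/24"
local_gw_GW88_2 = "192.168.2.254"
local_lan_GW88_2 = "192.168.2.0/24"

ikev2 "roadWarrior" passive esp \
    from 0.0.0.0/0 to 10.0.1.0/24 \
    from 192.168.2.0/24 to 10.0.1.0/24 \
    local 4.5.6.88 peer any \
    srcid 4.5.6.88 \
    config address 10.0.1.0/24 \
    config netmask 255.255.255.0 \
    config name-server 8.8.8.8

ikev2 active esp from $local_gw_GW88_2 to $remote_gw_GW119 \
    from $local_lan_GW88_2 to $remote_lan_GW119_1 peer $remote_gw_GW119 \
    psk "EXAMPLE-PSK"
'''


def net(tok):
    """'any' becomes 0.0.0.0/0; a bare host address becomes a /32."""
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)


def logical_lines(text):
    """Drop comments and join backslash-continued lines into one logical line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""


def parse_policies(text):
    """Return one dict {name, mode, flows, pool} per 'ikev2' line, macros expanded."""
    macros, policies = {}, []
    for line in logical_lines(text):
        m = re.match(r'^(\w+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        for k in sorted(macros, key=len, reverse=True):  # longest name first
            line = line.replace("$" + k, macros[k])
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "ikev2":
            continue
        name = None if toks[1] in MODE_WORDS else toks[1]
        pol = {"name": name, "mode": "passive" if "passive" in toks else "active",
               "flows": [], "pool": None}
        i = 0
        while i < len(toks):
            if toks[i] == "from" and i + 3 < len(toks) and toks[i + 2] == "to":
                pol["flows"].append((net(toks[i + 1]), net(toks[i + 3])))  # local -> remote
                i += 4
            elif toks[i] == "config" and i + 2 < len(toks) and toks[i + 1] == "address":
                pol["pool"] = net(toks[i + 2])
                i += 3
            else:
                i += 1
        policies.append(pol)
    return policies


def carrying_flows(policy, src, dst):
    """Flows of policy that carry a packet src -> dst.

    Flows are written local -> remote, but the SA pair they produce is
    bidirectional, so a flow A -> B also carries B -> A (the road warrior side).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [(str(a), str(b)) for a, b in policy["flows"]
            if (s in a and d in b) or (s in b and d in a)]


def drop_flows_with_local(policy, local):
    """Copy of policy without the flows whose local side is exactly `local`."""
    return {**policy, "flows": [(a, b) for a, b in policy["flows"] if a != net(local)]}


if __name__ == "__main__":
    pols = parse_policies(CONF)
    rw = next(p for p in pols if p["name"] == "roadWarrior")
    client = "10.0.1.10"  # assumed address from the config address pool
    for dst in ("192.168.2.1", "172.16.1.1", "203.0.113.5"):
        print(client, "->", dst, carrying_flows(rw, client, dst))
    lan_only = drop_flows_with_local(rw, "0.0.0.0/0")
    print("without the 0.0.0.0/0 flow:", carrying_flows(lan_only, client, "203.0.113.5"))
```

Run as posted, the 0.0.0.0/0 flow carries every destination, so a road warrior that routes its default gateway into the tunnel uses GW88 as its internet egress (the pf line that NATs traffic received on enc0 completes that path); dropping that flow leaves only 192.168.2.0/24. The other half is not visible to the gateway: with the box unchecked the Windows client installs only a class-based route for its assigned address, so a route for 192.168.2.0/24 still has to be added on the client, and the 172.16.x.x networks behind GW119 match no flow of the posted site-to-site policy for a 10.0.1.0/24 source.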
Radek
2018-11-05 18:54:19 UTC
Hello Kim,
Post by Kim Zeitler
Could you post your pf.conf?
My VPN_server's (A.B.C.77/23) pf.conf is:

(1)
$ cat /etc/pf.conf
set skip on {lo, enc}
match in all scrub (no-df random-id max-mss 1310)

match out on egress from lan:network to any nat-to egress
#match out on egress from enc0:network to any nat-to egress
block log all
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan
pass in on egress proto tcp from { 1.2.3.119 A.B.C.0/23 } to port ssh
icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types

I also tested my setup with this:
(2)
$ pfctl -s rules
pass all flags S/SA

and this:
(3)
$ pfctl -d
pfctl: pf not enabled

For (1), (2) and (3) VPN is working just fine with Win7_warrior and puffy_warrior if they are connecting from A.B.C.0/23 (it does not matter if the warrior has a public IP or is behind NAT). The rest of the world fails to connect to the VPN_server.
Post by Kim Zeitler
How do you connect to networks !A.B.C.0/23
Is your IPSec connection NATed?
By !A.B.C.0/23 I mean:
A.B.F.0/24 - tested both: public IP and behind router/NAT, warrior: Win7_warrior
1.2.3.119 - tested both: public IP and behind router/NAT, warrior: Win7_warrior and puffy_warrior
GSM network - only NATed connections, warrior: Win7_warrior

Some tcpdumps of attempts to connect to the VPN_server (pass all flags S/SA):

### Win7_warrior, behind NAT:
$ tcpdump -i vr0 -n host 1.2.3.119
tcpdump: listening on vr0, link-type EN10MB
18:32:12.794944 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 87afea67c2d6ce65->0000000000000000 msgid: 00000000 len: 528
18:32:13.002417 A.B.C.77.500 > 1.2.3.119.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 87afea67c2d6ce65->8da1daeaa81e51b2 msgid: 00000000 len: 329
^C
811 packets received by filter
0 packets dropped by kernel

### Win7_warrior, public IP
$ tcpdump -i vr0 -n host 1.2.3.119
tcpdump: listening on vr0, link-type EN10MB
18:51:25.446238 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 06d0dd81ba2f129d->0000000000000000 msgid: 00000000 len: 528
18:51:25.654428 A.B.C.77.500 > 1.2.3.119.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 06d0dd81ba2f129d->3e3cf1b1a7a5a3b8 msgid: 00000000 len: 329
^C
292 packets received by filter
0 packets dropped by kernel

### puffy_warrior (pfctl -d), behind NAT
$ tcpdump -i vr0 -n host 1.2.3.119
tcpdump: listening on vr0, link-type EN10MB
18:45:33.600661 A.B.C.77.22 > 1.2.3.119.49486: . ack 2747766535 win 273 (DF)
18:45:40.562967 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 64755be010cd32d2->0000000000000000 msgid: 00000000 len: 510
18:45:41.927874 A.B.C.77.500 > 1.2.3.119.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 64755be010cd32d2->2a0fe33c6b9afff8 msgid: 00000000 len: 471

Thanks!

On Mon, 5 Nov 2018 09:27:25 +0100
Post by Kim Zeitler
Hello Radek,
Post by Radek
Thank you for your response,
$ cat /etc/iked.conf
dns1 = "8.8.8.8"
dns2 = "8.8.4.4"
ikev2 "roadWarrior" ipcomp esp \
from 0.0.0.0/0 to 0.0.0.0/0 \
local A.B.C.77 peer any \
config address 10.0.1.0/24 \
config netmask 255.255.255.0 \
config name-server $dns1 \
config name-server $dns2 \
config access-server A.B.C.77 \
config protected-subnet 0.0.0.0/0 \
tag "$id"
It did not solve my problem. Clients from !A.B.C.0/23 still get 809 Error.
I know this set-up to be working, as it is currently running here in
production.
Post by Radek
I also tried another scenario: puffy_server <-> puffy_warrior
The same. My warrior also cannot connect if it is in !A.B.C.0/23, and the VPN works fine for clients from A.B.C.0/23.
Both machines are 6.3/i386.
Your set-up is still a bit 'unclear', I would rather say you have a
firewall/routing problem than an IPSec problem. Error 809 means no data
received.
Could you post your pf.conf?
How do you connect to networks !A.B.C.0/23
Is your IPSec connection NATed?
Cheers
Kim
--
radek
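Kim's remark that error 809 means no data received can be read off the captures in this message: both show an IKE_SA_INIT request answered by A.B.C.77 and nothing after it, which is what a reply that never reached the client, or a client IKE_AUTH (sent on UDP 4500 once NAT-T is negotiated) dropped on the way in, looks like from the server; the later netcat test, where nothing arrived on UDP 4500, points the same way. The following is an added example, not code from the thread: a script that groups the isakmp lines of a tcpdump capture by initiator SPI and reports how far each handshake got. The sample capture is constructed from the lines posted above plus an invented complete handshake from 192.0.2.10 with made-up SPIs; the line format follows the posted output, so another tcpdump version may need the regular expressions adjusted.

```python
"""Triage IKEv2 handshakes from tcpdump(8) output.

Added example for the misc@ thread, not code from the thread. Groups the
ISAKMP packets of a capture taken on the VPN server by initiator SPI and
states which half of the path to look at for each peer.
"""
import re
from collections import defaultdict

# Packet header line as printed in the posted captures, e.g.
# "18:32:12.794944 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT"
HDR = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+?)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+?)\.(?P<dport>\d+):"
    r".*isakmp v2\.0 exchange (?P<exch>\S+)"
)
# Continuation line tcpdump prints for each ISAKMP packet, e.g.
# "cookie: 87afea67c2d6ce65->0000000000000000 msgid: 00000000 len: 528"
COOKIE = re.compile(
    r"^\s*cookie:\s*(?P<ispi>[0-9a-fA-F]+)->(?P<rspi>[0-9a-fA-F]+)"
    r"\s+msgid:\s*(?P<msgid>[0-9a-fA-F]+)\s+len:\s*(?P<len>\d+)"
)

EXPLANATION = {
    "complete": "IKE_AUTH was answered: the IKE handshake finished on this host.",
    "auth_unanswered": "IKE_AUTH request arrived but got no reply: look at the responder "
                       "(iked -dv), e.g. a missing certificate or a failed EAP/PSK check.",
    "init_answered_no_auth": "IKE_SA_INIT was answered but no IKE_AUTH request ever "
                             "arrived: either the reply did not reach the peer or the "
                             "peer's next packet (UDP 4500 when NAT-T is negotiated) is "
                             "dropped before this host; check the path for UDP 500/4500.",
    "init_unanswered": "IKE_SA_INIT request unanswered: iked not listening on this "
                       "address or pf drops UDP 500 inbound.",
}

# Constructed sample: the two captures posted in this message (IKE_SA_INIT only,
# plus one unrelated ssh line) and an invented, complete handshake from 192.0.2.10.
SAMPLE = """\
18:32:12.794944 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 87afea67c2d6ce65->0000000000000000 msgid: 00000000 len: 528
18:32:13.002417 A.B.C.77.500 > 1.2.3.119.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 87afea67c2d6ce65->8da1daeaa81e51b2 msgid: 00000000 len: 329
18:45:33.600661 A.B.C.77.22 > 1.2.3.119.49486: . ack 2747766535 win 273 (DF)
18:51:25.446238 1.2.3.119.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 06d0dd81ba2f129d->0000000000000000 msgid: 00000000 len: 528
18:51:25.654428 A.B.C.77.500 > 1.2.3.119.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 06d0dd81ba2f129d->3e3cf1b1a7a5a3b8 msgid: 00000000 len: 329
19:00:01.000000 192.0.2.10.500 > A.B.C.77.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 0102030405060708->0000000000000000 msgid: 00000000 len: 528
19:00:01.100000 A.B.C.77.500 > 192.0.2.10.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 0102030405060708->1112131415161718 msgid: 00000000 len: 329
19:00:01.200000 192.0.2.10.4500 > A.B.C.77.4500: isakmp v2.0 exchange IKE_AUTH
cookie: 0102030405060708->1112131415161718 msgid: 00000001 len: 764
19:00:01.300000 A.B.C.77.4500 > 192.0.2.10.4500: isakmp v2.0 exchange IKE_AUTH
cookie: 0102030405060708->1112131415161718 msgid: 00000001 len: 312
"""


def parse_isakmp(lines):
    """Yield one dict per ISAKMP packet by pairing a header line with its cookie line."""
    pending = None
    for line in lines:
        h = HDR.match(line)
        if h:
            pending = h.groupdict()
            continue
        c = COOKIE.match(line)
        if c and pending:
            yield {**pending, **c.groupdict()}
            pending = None


def triage(lines, server):
    """Return {initiator SPI: {peer, ports, verdict, explanation}} for a capture on server."""
    stages = defaultdict(lambda: {"peer": None, "ports": set(), "seen": set()})
    for pkt in parse_isakmp(lines):
        if pkt["exch"] not in ("IKE_SA_INIT", "IKE_AUTH"):
            continue  # CREATE_CHILD_SA / INFORMATIONAL only happen after the handshake
        to_server = pkt["dst"] == server
        s = stages[pkt["ispi"]]
        s["peer"] = pkt["src"] if to_server else pkt["dst"]
        s["ports"].add(int(pkt["dport"] if to_server else pkt["sport"]))
        s["seen"].add((pkt["exch"], "req" if to_server else "resp"))
    result = {}
    for ispi, s in stages.items():
        if ("IKE_AUTH", "resp") in s["seen"]:
            verdict = "complete"
        elif ("IKE_AUTH", "req") in s["seen"]:
            verdict = "auth_unanswered"
        elif ("IKE_SA_INIT", "resp") in s["seen"]:
            verdict = "init_answered_no_auth"
        else:
            verdict = "init_unanswered"
        result[ispi] = {"peer": s["peer"], "ports": sorted(s["ports"]),
                        "verdict": verdict, "explanation": EXPLANATION[verdict]}
    return result


if __name__ == "__main__":
    for spi, info in triage(SAMPLE.splitlines(), "A.B.C.77").items():
        print(spi, info["peer"], info["ports"], info["verdict"])
        print("    " + info["explanation"])
```

The script classifies only what the server saw; an "init_answered_no_auth" verdict for a peer is the cue to take a second capture on the client side (or run the netcat listener test from this thread on UDP 4500) rather than to keep changing iked.conf.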