Post by Tobias HeiderPost by Leclerc, SebastienPost by Tobias HeiderIf that doesn't help you could share the output of 'ipsecctl -sa' to find
out if the IPsec SAs or flows are the problem.
(192.168.8.2 is the firewall interface that 192.168.1.109 is connecting to,
192.168.9.101 is what the vpn client is trying to communicate with)
# ipsecctl -sa
No flows
esp tunnel from 192.168.8.2 to 192.168.1.109 spi 0x0e7b0e8b auth hmac-sha1 enc aes-256
esp tunnel from 192.168.1.109 to 192.168.8.2 spi 0x6830eab4 auth hmac-sha1 enc aes-256
Ok, so this seems to be the cause. From your log snippet i can see that
there must have been SAs at some point because it shows an
"ikev2_childsa_enable" line.
Try running iked with -vv. Maybe the verbose log contains an error message
that helps us find out what's wrong.
The SAs seem to be only the first "from" clause (from 192.168.8.2 to 192.168.1.109), which are the VPN endpoints, not the second one, which covers the network behind the OpenBSD machine, and the IP assigned to the Windows machine in this same subnet (arp-proxied).
Here is the verbose log :
# iked -Tdvv
create_ike: using rsa for peer 192.168.1.109
ikev2 "windows" passive tunnel esp inet from 192.168.8.2 to 192.168.1.109 from 192.168.9.0/24 to 192.168.9.208 local 192.168.8.2 peer 192.168.1.109 ikesa enc aes-128-gcm enc aes-256-gcm prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group modp1024 ikesa enc aes-256 enc aes-192 enc aes-128 enc 3des prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group modp1024 childsa enc aes-128-gcm enc aes-256-gcm group none esn noesn childsa enc aes-256 enc aes-192 enc aes-128 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group none esn noesn srcid 192.168.8.2 lifetime 10800 bytes 536870912 rsa config address 192.168.9.208 config netmask 255.255.255.0 config name-server 192.168.1.222 config netbios-server 192.168.1.222
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1191
config_getpolicy: received policy
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getstatic: dpd_check_interval 60
config_getstatic: no enforcesingleikesa
config_getstatic: no fragmentation
config_getstatic: no mobike
config_getstatic: nattport 4500
config_getstatic: no stickyaddress
ca_reload: loaded ca file ca.crt
ca_reload: loaded crl file ca.crl
ca_reload: /C=CA/ST=State/L=City-Name/O=Ville de City-Name/OU=Department/CN=VPN CA/emailAddress=***@domain.local
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file 192.168.8.2.crt
ca_validate_cert: /C=CA/ST=State/L=City-Name/O=Ville de City-Name/OU=Department/CN=192.168.8.2/emailAddress=***@domain.local ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none tolerate 0 maxage -1
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
policy_lookup: setting policy 'windows'
spi=0xd5f403b2c665646e: recv IKE_SA_INIT req 0 peer 192.168.1.109:500 local 192.168.8.2:500, 528 bytes, policy 'windows'
ikev2_recv: ispi 0xd5f403b2c665646e rspi 0x0000000000000000
ikev2_policy2id: srcid IPV4/192.168.8.2 length 8
ikev2_pld_parse: header ispi 0xd5f403b2c665646e rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 528 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #2 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #3 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #4 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #5 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #6 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0xd5f403b2c665646e 0x0000000000000000 192.168.1.109:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0xd5f403b2c665646e 0x0000000000000000 192.168.8.2:500
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 41
proposals_negotiate: score 32
proposals_negotiate: score 29
proposals_negotiate: score 20
proposals_negotiate: score 33
proposals_negotiate: score 24
policy_lookup: setting policy 'windows'
spi=0xd5f403b2c665646e: sa_state: INIT -> SA_INIT
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 41
proposals_negotiate: score 32
proposals_negotiate: score 29
proposals_negotiate: score 20
proposals_negotiate: score 33
proposals_negotiate: score 24
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
spi=0xd5f403b2c665646e: ikev2_sa_keys: DHSECRET with 128 bytes
ikev2_sa_keys: SKEYSEED with 32 bytes
spi=0xd5f403b2c665646e: ikev2_sa_keys: S with 96 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 136 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload CERTREQ
ikev2_add_certreq: type RSA_KEY length 1
ikev2_next_payload: length 5 nextpayload NONE
ikev2_pld_parse: header ispi 0xd5f403b2c665646e rspi 0x1c65b0250699bcd2 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 278 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #4 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
ikev2_pld_ke: dh group MODP_1024 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload CERTREQ critical 0x00 length 36
ikev2_pld_payloads: payload CERTREQ nextpayload CERTREQ critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 5
ikev2_pld_certreq: type RSA_KEY length 0
spi=0xd5f403b2c665646e: send IKE_SA_INIT res 0 peer 192.168.1.109:500 local 192.168.8.2:500, 278 bytes
config_free_proposals: free 0x212b5bf4c80
config_free_proposals: free 0x212b5bd0700
config_free_proposals: free 0x212b5c0bb00
config_free_proposals: free 0x212b5bf3f80
config_free_proposals: free 0x212b5bf3d00
config_free_proposals: free 0x212b5bd0380
spi=0xd5f403b2c665646e: recv IKE_AUTH req 1 peer 192.168.1.109:500 local 192.168.8.2:500, 7440 bytes, policy 'windows'
ikev2_recv: ispi 0xd5f403b2c665646e rspi 0x1c65b0250699bcd2
ikev2_recv: updated SA to peer 192.168.1.109:500 local 192.168.8.2:500
ikev2_pld_parse: header ispi 0xd5f403b2c665646e rspi 0x1c65b0250699bcd2 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 7440 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 7412
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 7376
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 7376/7376 padding 10
ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 199
ikev2_pld_id: id ASN1_DN//C=CA/ST=State/L=City-Name/O=Ville de City-Name/OU=Department/CN=192.168.1.109/emailAddress=***@domain.local length 195
ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 length 1097
ikev2_pld_cert: type X509_CERT length 1092
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 length 5645
ikev2_pld_certreq: type X509_CERT length 5640
ikev2_pld_payloads: decrypted payload AUTH nextpayload NOTIFY critical 0x00 length 264
ikev2_pld_auth: method RSA_SIG length 256
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload CP critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 24
ikev2_pld_cp: type REQUEST length 16
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0
ikev2_pld_cp: INTERNAL_IP4_SERVER 0x5ba0 length 0
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 80
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x1436a680
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_sa: more 0 reserved 0 length 36 proposal #2 protoid ESP spisize 4 xforms 3 spi 0x1436a680
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_tss: count 1 length 16
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_tss: count 1 length 16
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
sa_stateok: SA_INIT flags 0x0000, require 0x0000
spi=0xd5f403b2c665646e: sa_state: SA_INIT -> AUTH_REQUEST
policy_lookup: peerid '/C=CA/ST=State/L=City-Name/O=Ville de City-Name/OU=Department/CN=192.168.1.109/emailAddress=***@domain.local'
proposals_negotiate: score 0
proposals_negotiate: score 20
policy_lookup: setting policy 'windows'
ikev2_policy2id: srcid IPV4/192.168.8.2 length 8
sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
ikev2_msg_auth: responder auth data length 358
ca_setauth: auth length 358
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 13
proposals_negotiate: score 0
sa_stateflags: 0x0024 -> 0x0024 certreq,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
config_free_proposals: free 0x212b5c0b680
config_free_proposals: free 0x212b5c0b700
ca_getreq: found CA /C=CA/ST=State/L=City-Name/O=Ville de City-Name/OU=Department/CN=VPN CA/emailAddress=***@domain.local
ca_getreq: found local certificate /C=CA/ST=State/L=City-Name/O=Ville de City-Name/OU=Department/CN=192.168.8.2/emailAddress=***@domain.local
ca_setauth: auth length 256
ikev2_getimsgdata: imsg 23 rspi 0x1c65b0250699bcd2 ispi 0xd5f403b2c665646e initiator 0 sa valid type 4 data length 1090
ikev2_dispatch_cert: cert type X509_CERT length 1090, ok
sa_stateflags: 0x0024 -> 0x0025 cert,certreq,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
ikev2_getimsgdata: imsg 34 rspi 0x1c65b0250699bcd2 ispi 0xd5f403b2c665646e initiator 0 sa valid type 1 data length 256
ikev2_dispatch_cert: AUTH type 1 len 256
sa_stateflags: 0x0025 -> 0x002d cert,certreq,auth,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
ca_validate_pubkey: unsupported public key type ASN1_DN
ca_validate_cert: /C=CA/ST=State/L=City-Name/O=Ville de City-Name/OU=Department/CN=192.168.1.109/emailAddress=***@domain.local ok
ikev2_getimsgdata: imsg 24 rspi 0x1c65b0250699bcd2 ispi 0xd5f403b2c665646e initiator 0 sa valid type 4 data length 1092
ikev2_msg_auth: initiator auth data length 592
ikev2_msg_authverify: method RSA_SIG keylen 1092 type X509_CERT
ikev2_msg_authverify: authentication successful
spi=0xd5f403b2c665646e: sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x002d -> 0x003d cert,certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
spi=0xd5f403b2c665646e: sa_state: AUTH_SUCCESS -> VALID
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
ikev2_sa_tag: (0)
ikev2_childsa_negotiate: proposal 1
ikev2_childsa_negotiate: key material length 104
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_getspi: spi 0x6cab2e28
pfkey_sa_init: new spi 0x6cab2e28
ikev2_next_payload: length 12 nextpayload CERT
ikev2_next_payload: length 1095 nextpayload AUTH
ikev2_next_payload: length 264 nextpayload CP
ikev2_next_payload: length 40 nextpayload SA
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload TSi
ikev2_next_payload: length 40 nextpayload TSr
ikev2_next_payload: length 40 nextpayload NONE
ikev2_next_payload: length 1572 nextpayload IDr
ikev2_msg_encrypt: decrypted length 1535
ikev2_msg_encrypt: padded length 1536
ikev2_msg_encrypt: length 1536, padding 0, output length 1568
ikev2_msg_integr: message length 1600
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xd5f403b2c665646e rspi 0x1c65b0250699bcd2 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 1600 response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 1572
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 1536
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 1536/1536 padding 0
ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00 length 12
ikev2_pld_id: id IPV4/192.168.8.2 length 8
ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00 length 1095
ikev2_pld_cert: type X509_CERT length 1090
ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00 length 264
ikev2_pld_auth: method RSA_SIG length 256
ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 40
ikev2_pld_cp: type REPLY length 32
ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4
ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 4
ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 4
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x6cab2e28
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 40
ikev2_pld_tss: count 2 length 32
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.1.109 end 192.168.1.109
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.9.208 end 192.168.9.208
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 40
ikev2_pld_tss: count 2 length 32
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.8.2 end 192.168.8.2
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.9.0 end 192.168.9.255
spi=0xd5f403b2c665646e: send IKE_AUTH res 1 peer 192.168.1.109:500 local 192.168.8.2:500, 1600 bytes
pfkey_sa_add: update spi 0x6cab2e28
ikev2_childsa_enable: loaded CHILD SA spi 0x6cab2e28
pfkey_sa_add: add spi 0x1436a680
ikev2_childsa_enable: loaded CHILD SA spi 0x1436a680
ikev2_childsa_enable: remember SA peer 192.168.1.109:500
spi=0xd5f403b2c665646e: ikev2_childsa_enable: loaded SPIs: 0x6cab2e28, 0x1436a680 (enc aes-256 auth hmac-sha1)
spi=0xd5f403b2c665646e: sa_state: VALID -> ESTABLISHED from 192.168.1.109:500 to 192.168.8.2:500 policy 'windows'
spi=0xd5f403b2c665646e: established peer 192.168.1.109:500[ASN1_DN//C=CA/ST=State/L=City-Name/O=Ville de City-Name/OU=Department/CN=192.168.1.109/emailAddress=***@domain.local] local 192.168.8.2:500[IPV4/192.168.8.2] policy 'windows' as responder (enc aes-256 auth hmac-sha2-256 group modp1024 prf hmac-sha2-256)
pfkey_sa_lookup: last_used 1622470299
ikev2_ike_sa_alive: incoming CHILD SA spi 0x6cab2e28 last used 43 second(s) ago
spi=0xd5f403b2c665646e: recv INFORMATIONAL req 2 peer 192.168.1.109:500 local 192.168.8.2:500, 80 bytes, policy 'windows'
ikev2_recv: ispi 0xd5f403b2c665646e rspi 0x1c65b0250699bcd2
ikev2_recv: updated SA to peer 192.168.1.109:500 local 192.168.8.2:500
ikev2_pld_parse: header ispi 0xd5f403b2c665646e rspi 0x1c65b0250699bcd2 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x08 msgid 2 length 80 response 0
ikev2_pld_payloads: payload SK nextpayload DELETE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 3
ikev2_pld_payloads: decrypted payload DELETE nextpayload NONE critical 0x00 length 12
ikev2_pld_delete: proto ESP spisize 4 nspi 1
ikev2_handle_delete: spi 0x1436a680
spi=0xd5f403b2c665646e: ikev2_childsa_delete: deleted CHILD SA spi 0x6cab2e28
spi=0xd5f403b2c665646e: ikev2_childsa_delete: deleted CHILD SA spi 0x1436a680
spi=0xd5f403b2c665646e: deleted 1 SPI: 0x1436a680
ikev2_next_payload: length 12 nextpayload NONE
ikev2_next_payload: length 52 nextpayload DELETE
ikev2_msg_encrypt: decrypted length 12
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 13, padding 3, output length 48
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xd5f403b2c665646e rspi 0x1c65b0250699bcd2 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x20 msgid 2 length 80 response 1
ikev2_pld_payloads: payload SK nextpayload DELETE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 3
ikev2_pld_payloads: decrypted payload DELETE nextpayload NONE critical 0x00 length 12
ikev2_pld_delete: proto ESP spisize 4 nspi 1
spi=0xd5f403b2c665646e: send INFORMATIONAL res 2 peer 192.168.1.109:500 local 192.168.8.2:500, 80 bytes
spi=0xd5f403b2c665646e: recv INFORMATIONAL req 2 peer 192.168.1.109:500 local 192.168.8.2:500, 80 bytes, policy 'windows'
ikev2_recv: ispi 0xd5f403b2c665646e rspi 0x1c65b0250699bcd2
spi=0xd5f403b2c665646e: retransmit INFORMATIONAL res 2 local 192.168.8.2:500 peer 192.168.1.109:500
spi=0xd5f403b2c665646e: recv INFORMATIONAL req 3 peer 192.168.1.109:500 local 192.168.8.2:500, 80 bytes, policy 'windows'
ikev2_recv: ispi 0xd5f403b2c665646e rspi 0x1c65b0250699bcd2
ikev2_recv: updated SA to peer 192.168.1.109:500 local 192.168.8.2:500
ikev2_pld_parse: header ispi 0xd5f403b2c665646e rspi 0x1c65b0250699bcd2 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x08 msgid 3 length 80 response 0
ikev2_pld_payloads: payload SK nextpayload DELETE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 7
ikev2_pld_payloads: decrypted payload DELETE nextpayload NONE critical 0x00 length 8
ikev2_pld_delete: proto IKE spisize 0 nspi 0
spi=0xd5f403b2c665646e: ikev2_ikesa_recv_delete: received delete
spi=0xd5f403b2c665646e: sa_state: ESTABLISHED -> CLOSED from 192.168.1.109:500 to 192.168.8.2:500 policy 'windows'
ikev2_next_payload: length 52 nextpayload NONE
ikev2_msg_encrypt: decrypted length 0
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 1, padding 15, output length 48
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xd5f403b2c665646e rspi 0x1c65b0250699bcd2 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x20 msgid 3 length 80 response 1
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
spi=0xd5f403b2c665646e: send INFORMATIONAL res 3 peer 192.168.1.109:500 local 192.168.8.2:500, 80 bytes
ikev2_recv: closing SA
spi=0xd5f403b2c665646e: sa_free: received delete
config_free_proposals: free 0x212b5bd0c00
config_free_proposals: free 0x212b5bf4300
^Cparent_sig_handler: stopping iked
config_getreset: flushing policies
ca_dispatch_parent: config reset
config_free_proposals: free 0x212b5bd0f80
config_free_proposals: free 0x212b5c0b080
config_free_proposals: free 0x212b5bf3f00
config_free_proposals: free 0x212b5bf4b80
config_free_flows: free 0x212b5c06000
config_free_flows: free 0x212b5c04000
config_getreset: flushing SAs
config_getreset: flushing users
ca_reload: loaded ca file ca.crt
ikev2 exiting, pid 39542
control exiting, pid 10641
ca_reload: loaded crl file ca.crl
ca_reload: /C=CA/ST=State/L=City-Name/O=Ville de City-Name/OU=Department/CN=VPN CA/emailAddress=***@domain.local
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file 192.168.8.2.crt
ca_validate_cert: /C=CA/ST=State/L=City-Name/O=Ville de City-Name/OU=Department/CN=192.168.8.2/emailAddress=***@domain.local ok
ca_reload: local cert type X509_CERT
ca exiting, pid 41593
parent terminating
While the VPN was connected on the Windows machine :
$ doas ipsecctl -sa
FLOWS:
No flows
SAD:
esp tunnel from 192.168.8.2 to 192.168.1.109 spi 0x1436a680 auth hmac-sha1 enc aes-256
esp tunnel from 192.168.1.109 to 192.168.8.2 spi 0x6cab2e28 auth hmac-sha1 enc aes-256
And after it was disconnected :
tp-fw-epu-01$ doas ipsecctl -sa
FLOWS:
No flows
SAD:
No entries