[iked] differentiating policies by dstid

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

[iked] differentiating policies by dstid

Alexander Mischke
Hello,
I am currently setting up an Internet facing OpenBSD IPsec (IKEv2) gateway (with a public IP - no NAT).
The box is running OpenBSD 6.4.

This is supposed to be a roadwarrior setup with multiple Windows 10 Clients. Authentication is done via client certificates (= Machine Certificates issued by my CA - used ikectl for this).

I can connect fine using a single client, however using more than one client breaks the connection for clientA while clientB is able to connect. I've been testing this with two clients behind the SAME DSL modem, so to the server they both appear to be comeing from the same IP.

(SInce i am using NAT-T the server sees different ports on the remote side and thus correctly installs the flows with different SPIs)

==> I also used the registry setting to force usage of NAT-T since this seems to be a common bummer
(see https://support.microsoft.com/en-us/help/926179/how-to-configure-an-l2tp-ipsec-server-behind-a-nat-t-device-in-windows)
The virtual address range used by the clients is 10.75.0.0/16
I try to hand out static virtual IPs to the clients:

clientA = 10.75.2.25
clientB = 10.75.2.26

In my understanding "dstid" should help me selecting the right policy, but iked always uses the first policy, although the CN of the presented client certificate doesn't match.

So to me it _seems_ the policy is selected by the "local" and "remote" peer settings and the "dstid" has no part in this?
This is my config (substituted my public IP with "1.2.3.4")
####################################
set mobike

ikev2 'clientA' quick passive ipcomp esp
 from 172.22.1.0/24 to 10.75.0.0/16
 from 10.21.0.0/16 to 10.75.0.0/16
 from 192.168.0.0/16 to 10.75.0.0/16
 peer 0.0.0.0/0 local 1.2.3.4
 ikesa enc aes-256 group modp2048
 childsa enc aes-256-gcm group modp2048
 srcid 1.2.3.4 dstid "client1.example.com"
 ikelifetime 480m
 lifetime 60m
 config address 10.75.2.25
 config netmask 255.255.255.252
 config name-server 10.21.0.1
 config name-server 10.21.0.2
 config name-server 10.21.0.4
 config protected-subnet 0.0.0.0/0
 tag "$name-$id"
ikev2 'clientB' quick passive ipcomp esp
 from 172.22.1.0/24 to 10.75.0.0/16
 from 10.21.0.0/16 to 10.75.0.0/16
 from 192.168.0.0/16 to 10.75.0.0/16
 peer 0.0.0.0/0 local 1.2.3.4
 ikesa enc aes-256 group modp2048
 childsa enc aes-256-gcm group modp2048
 srcid 1.2.3.4 dstid "client2.example.com"
 ikelifetime 480m
 lifetime 60m
 config address 10.75.2.26
 config netmask 255.255.255.252
 config name-server 10.21.0.1
 config name-server 10.21.0.2
 config name-server 10.21.0.4
 config protected-subnet 0.0.0.0/0
 tag "$name-$id"
####################################
Best regards,

Alex
Reply | Threaded
Open this post in threaded view
|

Re: [iked] differentiating policies by dstid

Tobias Heider-2
Hi Alexander,

On Fri, Jul 12, 2019 at 02:03:08PM +0000, Alexander Mischke wrote:
> I can connect fine using a single client, however using more than one client breaks the connection for clientA while clientB is able to connect. I've been testing this with two clients behind the SAME DSL modem, so to the server they both appear to be comeing from the same IP.

As far as i can tell your server config does not contain any obvious errors
and I failed to reproduce what you're reporting with two iked clients.

Your servers iked log (e.G. by running iked with -dv) and the output of
`ipsecctl -s all` after the second client has connected would be helpful

Regards,
Tobias

Reply | Threaded
Open this post in threaded view
|

Re: [iked] differentiating policies by dstid

Alexander Mischke
In reply to this post by Alexander Mischke
Hello Tobias,
thank you very much for your reply.
Below is the output of ipsecctl -s all
and the verbose output of iked
#--------------------------------
When the first client connects:
(1.2.3.4 is the servers public IP, 5.6.7.8 is the public IP of the DSL modem)
FLOWS:
flow esp in from 10.75.0.0/16 to 10.21.0.0/16 peer 5.6.7.8 type use
flow esp in from 10.75.0.0/16 to 172.22.1.0/24 peer 5.6.7.8 type use
flow esp in from 10.75.0.0/16 to 192.168.0.0/16 peer 5.6.7.8 type use
flow esp out from 10.21.0.0/16 to 10.75.0.0/16 peer 5.6.7.8 type require
flow esp out from 172.22.1.0/24 to 10.75.0.0/16 peer 5.6.7.8 type require
flow esp out from 192.168.0.0/16 to 10.75.0.0/16 peer 5.6.7.8 type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0x5c684cc6 enc aes-256-gcm
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0x6e88e50f enc aes-256-gcm
Now, when the second client connects:
FLOWS:
flow esp in from 10.75.0.0/16 to 10.21.0.0/16 peer 5.6.7.8 type use
flow esp in from 10.75.0.0/16 to 172.22.1.0/24 peer 5.6.7.8 type use
flow esp in from 10.75.0.0/16 to 192.168.0.0/16 peer 5.6.7.8 type use
flow esp out from 10.21.0.0/16 to 10.75.0.0/16 peer 5.6.7.8 type require
flow esp out from 172.22.1.0/24 to 10.75.0.0/16 peer 5.6.7.8 type require
flow esp out from 192.168.0.0/16 to 10.75.0.0/16 peer 5.6.7.8 type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0x7e6472b8 enc aes-256-gcm
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0x8dd119e5 enc aes-256-gcm
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0xb4a852b3 enc aes-256-gcm
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0xb558afcc enc aes-256-gcm
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0xc6147a48 enc aes-256-gcm
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0xefc8b43d enc aes-256-gcm
Additionally I found out that the connection only works
when the public key of the client certificates lies under
/etc/iked/pubkeys/fqdn/<CN>

(Where <CN> is the common name in the client certificate)
#--------------------------------

The complete log (iked -dvv) of both events

#--------------------------------
Jul 15 11:06:43 server iked[77044]: set_policy_auth_method: using rsa for peer /etc/iked/pubkeys/fqdn/client1.example.com
Jul 15 11:06:43 server iked[77044]: set_policy: found pubkey for /etc/iked/pubkeys/fqdn/client1.example.com
Jul 15 11:06:43 server iked[77044]: set_policy: could not find pubkey for /etc/iked/pubkeys/fqdn/client2.example.com
Jul 15 11:06:43 server iked[77044]: set_policy_auth_method: using rfc7427 for peer /etc/iked/pubkeys/fqdn/client2.example.com
Jul 15 11:06:43 server iked[77044]: /etc/iked.conf: loaded 2 configuration rules
Jul 15 11:06:43 server iked[77044]: ca_privkey_serialize: type RSA_KEY length 1192
Jul 15 11:06:43 server iked[77044]: ca_pubkey_serialize: type RSA_KEY length 270
Jul 15 11:06:43 server iked[36135]: ca_privkey_to_method: type RSA_KEY method RSA_SIG
Jul 15 11:06:43 server iked[12701]: config_getpolicy: received policy
Jul 15 11:06:43 server iked[36135]: ca_getkey: received private key type RSA_KEY length 1192
Jul 15 11:06:43 server iked[36135]: ca_getkey: received public key type RSA_KEY length 270
Jul 15 11:06:43 server iked[36135]: ca_dispatch_parent: config reset
Jul 15 11:06:43 server iked[12701]: config_getpolicy: received policy
Jul 15 11:06:43 server iked[12701]: config_getpfkey: received pfkey fd 3
Jul 15 11:06:43 server iked[12701]: config_getcompile: compilation done
Jul 15 11:06:43 server iked[12701]: config_getsocket: received socket fd 4
Jul 15 11:06:43 server iked[12701]: config_getsocket: received socket fd 5
Jul 15 11:06:43 server iked[12701]: config_getsocket: received socket fd 6
Jul 15 11:06:43 server iked[12701]: config_getsocket: received socket fd 7
Jul 15 11:06:43 server iked[12701]: config_getmobike: mobike
Jul 15 11:06:43 server iked[36135]: ca_reload: loaded ca file ca.crt
Jul 15 11:06:43 server iked[36135]: ca_reload: loaded crl file ca.crl
Jul 15 11:06:43 server iked[36135]: ca_reload: /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=VPN CA 2019/emailAddress=[hidden email]
Jul 15 11:06:43 server iked[36135]: ca_reload: loaded 1 ca certificate
Jul 15 11:06:43 server iked[36135]: ca_reload: loaded cert file 1.2.3.4.crt
Jul 15 11:06:43 server iked[36135]: ca_validate_cert: /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=1.2.3.4/emailAddress=[hidden email] ok
Jul 15 11:06:43 server iked[36135]: ca_reload: local cert type X509_CERT
Jul 15 11:06:43 server iked[36135]: config_getocsp: ocsp_url none
Jul 15 11:06:43 server iked[12701]: ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
Jul 15 11:06:43 server iked[12701]: ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
Jul 15 11:06:45 server iked[12701]: ikev2_recv: IKE_SA_INIT request from initiator 5.6.7.8:500 to 1.2.3.4:500 policy 'clientA' id 0, 544 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_recv: ispi 0x34e559c5289dff7c rspi 0x0000000000000000
Jul 15 11:06:45 server iked[12701]: ikev2_policy2id: srcid IPV4/1.2.3.4 length 8
Jul 15 11:06:45 server iked[12701]: ikev2_pld_parse: header ispi 0x34e559c5289dff7c rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 544 response 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
Jul 15 11:06:45 server iked[12701]: ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
Jul 15 11:06:45 server iked[12701]: ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ke: dh group MODP_2048 reserved 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
Jul 15 11:06:45 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
Jul 15 11:06:45 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
Jul 15 11:06:45 server iked[12701]: ikev2_nat_detection: peer source 0x34e559c5289dff7c 0x0000000000000000 5.6.7.8:500
Jul 15 11:06:45 server iked[12701]: ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload NOTIFY nextpayload VENDOR critical 0x00 length 28
Jul 15 11:06:45 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
Jul 15 11:06:45 server iked[12701]: ikev2_nat_detection: peer destination 0x34e559c5289dff7c 0x0000000000000000 1.2.3.4:500
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 24
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 24
Jul 15 11:06:45 server iked[12701]: sa_state: INIT -> SA_INIT
Jul 15 11:06:45 server iked[12701]: ikev2_sa_negotiate: score 4
Jul 15 11:06:45 server iked[12701]: sa_stateok: SA_INIT flags 0x0000, require 0x0000
Jul 15 11:06:45 server iked[12701]: sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
Jul 15 11:06:45 server iked[12701]: ikev2_sa_keys: DHSECRET with 256 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_sa_keys: SKEYSEED with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_sa_keys: S with 96 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: T1 with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: T2 with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: T3 with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: T4 with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: T5 with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: T6 with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: T7 with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: Tn with 224 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_sa_keys: SK_d with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_sa_keys: SK_ai with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_sa_keys: SK_ar with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_sa_keys: SK_ei with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_sa_keys: SK_er with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_sa_keys: SK_pi with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_sa_keys: SK_pr with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_add_proposals: length 44
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 48 nextpayload KE
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 264 nextpayload NONCE
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 36 nextpayload NOTIFY
Jul 15 11:06:45 server iked[12701]: ikev2_nat_detection: local source 0x34e559c5289dff7c 0x72d3506f27e53f52 1.2.3.4:500
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 28 nextpayload NOTIFY
Jul 15 11:06:45 server iked[12701]: ikev2_nat_detection: local destination 0x34e559c5289dff7c 0x72d3506f27e53f52 5.6.7.8:500
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 28 nextpayload CERTREQ
Jul 15 11:06:45 server iked[12701]: ikev2_add_certreq: type X509_CERT length 21
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 25 nextpayload CERTREQ
Jul 15 11:06:45 server iked[12701]: ikev2_add_certreq: type RSA_KEY length 1
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 5 nextpayload NONE
Jul 15 11:06:45 server iked[12701]: ikev2_pld_parse: header ispi 0x34e559c5289dff7c rspi 0x72d3506f27e53f52 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 462 response 1
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
Jul 15 11:06:45 server iked[12701]: ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
Jul 15 11:06:45 server iked[12701]: ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ke: dh group MODP_2048 reserved 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
Jul 15 11:06:45 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
Jul 15 11:06:45 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload CERTREQ nextpayload CERTREQ critical 0x00 length 25
Jul 15 11:06:45 server iked[12701]: ikev2_pld_certreq: type X509_CERT length 20
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 5
Jul 15 11:06:45 server iked[12701]: ikev2_pld_certreq: type RSA_KEY length 0
Jul 15 11:06:45 server iked[12701]: ikev2_msg_send: IKE_SA_INIT response from 1.2.3.4:500 to 5.6.7.8:500 msgid 0, 462 bytes
Jul 15 11:06:45 server iked[12701]: config_free_proposals: free 0x159dea7c3200
Jul 15 11:06:45 server iked[12701]: ikev2_recv: IKE_AUTH request from initiator 5.6.7.8:4500 to 1.2.3.4:4500 policy 'clientA' id 1, 2624 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_recv: ispi 0x34e559c5289dff7c rspi 0x72d3506f27e53f52
Jul 15 11:06:45 server iked[12701]: ikev2_recv: updated SA to peer 5.6.7.8:4500 local 1.2.3.4:4500
Jul 15 11:06:45 server iked[12701]: ikev2_pld_parse: header ispi 0x34e559c5289dff7c rspi 0x72d3506f27e53f52 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 2624 response 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 2596
Jul 15 11:06:45 server iked[12701]: ikev2_msg_decrypt: IV length 16
Jul 15 11:06:45 server iked[12701]: ikev2_msg_decrypt: encrypted payload length 2560
Jul 15 11:06:45 server iked[12701]: ikev2_msg_decrypt: integrity checksum length 16
Jul 15 11:06:45 server iked[12701]: ikev2_msg_decrypt: integrity check succeeded
Jul 15 11:06:45 server iked[12701]: ikev2_msg_decrypt: decrypted payload length 2560/2560 padding 2
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 169
Jul 15 11:06:45 server iked[12701]: ikev2_pld_id: id ASN1_DN//C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=client1.example.com/emailAddress=[hidden email] length 165
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 length 1051
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cert: type X509_CERT length 1046
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 length 865
Jul 15 11:06:45 server iked[12701]: ikev2_pld_certreq: type X509_CERT length 860
Jul 15 11:06:45 server iked[12701]: ikev2_policy2id: srcid IPV4/1.2.3.4 length 8
Jul 15 11:06:45 server iked[12701]: sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0000 )
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload AUTH nextpayload NOTIFY critical 0x00 length 264
Jul 15 11:06:45 server iked[12701]: ikev2_pld_auth: method RSA_SIG length 256
Jul 15 11:06:45 server iked[12701]: sa_state: SA_INIT -> AUTH_REQUEST
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload NOTIFY nextpayload CP critical 0x00 length 8
Jul 15 11:06:45 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 36
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: type REQUEST length 28
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_SERVER 0x5ba0 length 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: INTERNAL_IP6_ADDRESS 0x0008 length 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: INTERNAL_IP6_DNS 0x000a length 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: INTERNAL_IP6_SERVER 0x5ba1 length 0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 36
Jul 15 11:06:45 server iked[12701]: ikev2_pld_sa: more 0 reserved 0 length 32 proposal #1 protoid ESP spisize 4 xforms 2 spi 0x8d09c5c0
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
Jul 15 11:06:45 server iked[12701]: ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 64
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: count 2 length 56
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 64
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: count 2 length 56
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Jul 15 11:06:45 server iked[12701]: sa_stateok: SA_INIT flags 0x0000, require 0x0000
Jul 15 11:06:45 server iked[12701]: policy_lookup: peerid '/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=client1.example.com/emailAddress=[hidden email]'
Jul 15 11:06:45 server iked[12701]: ikev2_msg_auth: responder auth data length 542
Jul 15 11:06:45 server iked[12701]: ca_setauth: auth length 542
Jul 15 11:06:45 server iked[12701]: ikev2_msg_auth: initiator auth data length 608
Jul 15 11:06:45 server iked[12701]: ikev2_msg_authverify: method RSA_SIG keylen 1046 type X509_CERT
Jul 15 11:06:45 server iked[12701]: ikev2_msg_authverify: authentication successful
Jul 15 11:06:45 server iked[12701]: sa_state: AUTH_REQUEST -> AUTH_SUCCESS
Jul 15 11:06:45 server iked[12701]: sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
Jul 15 11:06:45 server iked[12701]: ikev2_sa_negotiate: score 3
Jul 15 11:06:45 server iked[12701]: sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
Jul 15 11:06:45 server iked[12701]: sa_stateok: VALID flags 0x0030, require 0x003b cert,certvalid,auth,authvalid,sa
Jul 15 11:06:45 server iked[12701]: sa_state: cannot switch: AUTH_SUCCESS -> VALID
Jul 15 11:06:45 server iked[12701]: config_free_proposals: free 0x159d92bc5400
Jul 15 11:06:45 server iked[36135]: ca_getreq: found CA /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=VPN CA 2019/emailAddress=[hidden email]
Jul 15 11:06:45 server iked[36135]: ca_x509_subjectaltname: IPV4/1.2.3.4
Jul 15 11:06:45 server iked[36135]: ca_getreq: found local certificate /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=1.2.3.4/emailAddress=[hidden email]
Jul 15 11:06:45 server iked[36135]: ca_setauth: auth length 256
Jul 15 11:06:45 server iked[12701]: ikev2_getimsgdata: imsg 20 rspi 0x72d3506f27e53f52 ispi 0x34e559c5289dff7c initiator 0 sa valid type 4 data length 1004
Jul 15 11:06:45 server iked[12701]: ikev2_dispatch_cert: cert type X509_CERT length 1004, ok
Jul 15 11:06:45 server iked[12701]: sa_stateflags: 0x0034 -> 0x0035 cert,certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
Jul 15 11:06:45 server iked[12701]: sa_stateok: VALID flags 0x0031, require 0x003b cert,certvalid,auth,authvalid,sa
Jul 15 11:06:45 server iked[12701]: sa_state: cannot switch: AUTH_SUCCESS -> VALID
Jul 15 11:06:45 server iked[12701]: ikev2_getimsgdata: imsg 25 rspi 0x72d3506f27e53f52 ispi 0x34e559c5289dff7c initiator 0 sa valid type 1 data length 256
Jul 15 11:06:45 server iked[12701]: ikev2_dispatch_cert: AUTH type 1 len 256
Jul 15 11:06:45 server iked[12701]: sa_stateflags: 0x0035 -> 0x003d cert,certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
Jul 15 11:06:45 server iked[12701]: sa_stateok: VALID flags 0x0039, require 0x003b cert,certvalid,auth,authvalid,sa
Jul 15 11:06:45 server iked[12701]: sa_state: cannot switch: AUTH_SUCCESS -> VALID
Jul 15 11:06:45 server iked[36135]: ca_validate_pubkey: unsupported public key type ASN1_DN
Jul 15 11:06:45 server iked[36135]: ca_validate_cert: /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=client1.example.com/emailAddress=[hidden email] ok
Jul 15 11:06:45 server iked[12701]: ikev2_dispatch_cert: peer certificate is valid
Jul 15 11:06:45 server iked[12701]: sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
Jul 15 11:06:45 server iked[12701]: sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
Jul 15 11:06:45 server iked[12701]: sa_state: AUTH_SUCCESS -> VALID
Jul 15 11:06:45 server iked[12701]: sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
Jul 15 11:06:45 server iked[12701]: sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
Jul 15 11:06:45 server iked[12701]: ikev2_sa_tag: clientA-CN=client1.example.com (34)
Jul 15 11:06:45 server iked[12701]: ikev2_childsa_negotiate: proposal 1
Jul 15 11:06:45 server iked[12701]: ikev2_childsa_negotiate: key material length 72
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: T1 with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: T2 with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: T3 with 32 bytes
Jul 15 11:06:45 server iked[12701]: ikev2_prfplus: Tn with 96 bytes
Jul 15 11:06:45 server iked[12701]: pfkey_sa_getspi: spi 0x7efacb39
Jul 15 11:06:45 server iked[12701]: pfkey_sa_init: new spi 0x7efacb39
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 12 nextpayload CERT
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 1009 nextpayload AUTH
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 264 nextpayload CP
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 60 nextpayload NOTIFY
Jul 15 11:06:45 server iked[12701]: ikev2_add_mobike: done
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 8 nextpayload SA
Jul 15 11:06:45 server iked[12701]: ikev2_add_proposals: length 32
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 36 nextpayload TSi
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 56 nextpayload TSr
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 56 nextpayload NONE
Jul 15 11:06:45 server iked[12701]: ikev2_msg_encrypt: decrypted length 1501
Jul 15 11:06:45 server iked[12701]: ikev2_msg_encrypt: padded length 1504
Jul 15 11:06:45 server iked[12701]: ikev2_msg_encrypt: length 1502, padding 2, output length 1536
Jul 15 11:06:45 server iked[12701]: ikev2_next_payload: length 1540 nextpayload IDr
Jul 15 11:06:45 server iked[12701]: ikev2_msg_integr: message length 1568
Jul 15 11:06:45 server iked[12701]: ikev2_msg_integr: integrity checksum length 16
Jul 15 11:06:45 server iked[12701]: ikev2_pld_parse: header ispi 0x34e559c5289dff7c rspi 0x72d3506f27e53f52 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 1568 response 1
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 1540
Jul 15 11:06:45 server iked[12701]: ikev2_msg_decrypt: IV length 16
Jul 15 11:06:45 server iked[12701]: ikev2_msg_decrypt: encrypted payload length 1504
Jul 15 11:06:45 server iked[12701]: ikev2_msg_decrypt: integrity checksum length 16
Jul 15 11:06:45 server iked[12701]: ikev2_msg_decrypt: integrity check succeeded
Jul 15 11:06:45 server iked[12701]: ikev2_msg_decrypt: decrypted payload length 1504/1504 padding 2
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00 length 12
Jul 15 11:06:45 server iked[12701]: ikev2_pld_id: id IPV4/1.2.3.4 length 8
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00 length 1009
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cert: type X509_CERT length 1004
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00 length 264
Jul 15 11:06:45 server iked[12701]: ikev2_pld_auth: method RSA_SIG length 256
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical 0x00 length 60
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: type REPLY length 52
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 4
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
Jul 15 11:06:45 server last message repeated 2 times
Jul 15 11:06:45 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_SUBNET 0x000d length 8
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00 length 8
Jul 15 11:06:45 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 36
Jul 15 11:06:45 server iked[12701]: ikev2_pld_sa: more 0 reserved 0 length 32 proposal #1 protoid ESP spisize 4 xforms 2 spi 0x7efacb39
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
Jul 15 11:06:45 server iked[12701]: ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
Jul 15 11:06:45 server iked[12701]: ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 56
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: count 3 length 48
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: start 10.75.0.0 end 10.75.255.255
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: start 10.75.0.0 end 10.75.255.255
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: start 10.75.0.0 end 10.75.255.255
Jul 15 11:06:45 server iked[12701]: ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 56
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: count 3 length 48
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: start 10.21.0.0 end 10.21.255.255
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: start 192.168.0.0 end 192.168.255.255
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:45 server iked[12701]: ikev2_pld_ts: start 172.22.1.0 end 172.22.1.255
Jul 15 11:06:45 server iked[12701]: ikev2_msg_send: IKE_AUTH response from 1.2.3.4:4500 to 5.6.7.8:4500 msgid 1, 1568 bytes, NAT-T
Jul 15 11:06:45 server iked[12701]: pfkey_sa_add: update spi 0x7efacb39
Jul 15 11:06:45 server iked[12701]: pfkey_sa: udpencap port 4500
Jul 15 11:06:45 server iked[12701]: ikev2_childsa_enable: loaded CHILD SA spi 0x7efacb39
Jul 15 11:06:45 server iked[12701]: pfkey_sa_add: add spi 0x8d09c5c0
Jul 15 11:06:45 server iked[12701]: pfkey_sa: udpencap port 4500
Jul 15 11:06:45 server iked[12701]: ikev2_childsa_enable: loaded CHILD SA spi 0x8d09c5c0
Jul 15 11:06:45 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159d73b64400
Jul 15 11:06:45 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159da9a0d800
Jul 15 11:06:45 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159e392c1800
Jul 15 11:06:45 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159e392c1c00
Jul 15 11:06:45 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159da9a0c000
Jul 15 11:06:45 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159d683de400
Jul 15 11:06:45 server iked[12701]: ikev2_childsa_enable: remember SA peer 5.6.7.8:4500
Jul 15 11:06:45 server iked[12701]: sa_state: VALID -> ESTABLISHED from 5.6.7.8:4500 to 1.2.3.4:4500 policy 'clientA'
Jul 15 11:06:49 server iked[12701]: ikev2_recv: IKE_SA_INIT request from initiator 5.6.7.8:60 to 1.2.3.4:500 policy 'clientA' id 0, 544 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_recv: ispi 0x8a6401ca230f832f rspi 0x0000000000000000
Jul 15 11:06:49 server iked[12701]: ikev2_policy2id: srcid IPV4/1.2.3.4 length 8
Jul 15 11:06:49 server iked[12701]: ikev2_pld_parse: header ispi 0x8a6401ca230f832f rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 544 response 0
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
Jul 15 11:06:49 server iked[12701]: ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
Jul 15 11:06:49 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
Jul 15 11:06:49 server iked[12701]: ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
Jul 15 11:06:49 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
Jul 15 11:06:49 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
Jul 15 11:06:49 server iked[12701]: ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
Jul 15 11:06:49 server iked[12701]: ikev2_pld_ke: dh group MODP_2048 reserved 0
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 52
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
Jul 15 11:06:49 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
Jul 15 11:06:49 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
Jul 15 11:06:49 server iked[12701]: ikev2_nat_detection: peer source 0x8a6401ca230f832f 0x0000000000000000 5.6.7.8:60
Jul 15 11:06:49 server iked[12701]: ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload NOTIFY nextpayload VENDOR critical 0x00 length 28
Jul 15 11:06:49 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
Jul 15 11:06:49 server iked[12701]: ikev2_nat_detection: peer destination 0x8a6401ca230f832f 0x0000000000000000 1.2.3.4:500
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 24
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload VENDOR nextpayload VENDOR critical 0x00 length 20
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload VENDOR nextpayload NONE critical 0x00 length 24
Jul 15 11:06:49 server iked[12701]: sa_state: INIT -> SA_INIT
Jul 15 11:06:49 server iked[12701]: ikev2_sa_negotiate: score 4
Jul 15 11:06:49 server iked[12701]: sa_stateok: SA_INIT flags 0x0000, require 0x0000
Jul 15 11:06:49 server iked[12701]: sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
Jul 15 11:06:49 server iked[12701]: ikev2_sa_keys: DHSECRET with 256 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_sa_keys: SKEYSEED with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_sa_keys: S with 96 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_prfplus: T1 with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_prfplus: T2 with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_prfplus: T3 with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_prfplus: T4 with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_prfplus: T5 with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_prfplus: T6 with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_prfplus: T7 with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_prfplus: Tn with 224 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_sa_keys: SK_d with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_sa_keys: SK_ai with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_sa_keys: SK_ar with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_sa_keys: SK_ei with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_sa_keys: SK_er with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_sa_keys: SK_pi with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_sa_keys: SK_pr with 32 bytes
Jul 15 11:06:49 server iked[12701]: ikev2_add_proposals: length 44
Jul 15 11:06:49 server iked[12701]: ikev2_next_payload: length 48 nextpayload KE
Jul 15 11:06:49 server iked[12701]: ikev2_next_payload: length 264 nextpayload NONCE
Jul 15 11:06:49 server iked[12701]: ikev2_next_payload: length 36 nextpayload NOTIFY
Jul 15 11:06:49 server iked[12701]: ikev2_nat_detection: local source 0x8a6401ca230f832f 0xfb7ec7c3268b8596 1.2.3.4:500
Jul 15 11:06:49 server iked[12701]: ikev2_next_payload: length 28 nextpayload NOTIFY
Jul 15 11:06:49 server iked[12701]: ikev2_nat_detection: local destination 0x8a6401ca230f832f 0xfb7ec7c3268b8596 5.6.7.8:60
Jul 15 11:06:49 server iked[12701]: ikev2_next_payload: length 28 nextpayload CERTREQ
Jul 15 11:06:49 server iked[12701]: ikev2_add_certreq: type X509_CERT length 21
Jul 15 11:06:49 server iked[12701]: ikev2_next_payload: length 25 nextpayload CERTREQ
Jul 15 11:06:49 server iked[12701]: ikev2_add_certreq: type RSA_KEY length 1
Jul 15 11:06:49 server iked[12701]: ikev2_next_payload: length 5 nextpayload NONE
Jul 15 11:06:49 server iked[12701]: ikev2_pld_parse: header ispi 0x8a6401ca230f832f rspi 0xfb7ec7c3268b8596 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 462 response 1
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
Jul 15 11:06:49 server iked[12701]: ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
Jul 15 11:06:49 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
Jul 15 11:06:49 server iked[12701]: ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
Jul 15 11:06:49 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
Jul 15 11:06:49 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
Jul 15 11:06:49 server iked[12701]: ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
Jul 15 11:06:49 server iked[12701]: ikev2_pld_ke: dh group MODP_2048 reserved 0
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
Jul 15 11:06:49 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
Jul 15 11:06:49 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload CERTREQ nextpayload CERTREQ critical 0x00 length 25
Jul 15 11:06:49 server iked[12701]: ikev2_pld_certreq: type X509_CERT length 20
Jul 15 11:06:49 server iked[12701]: ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 5
Jul 15 11:06:49 server iked[12701]: ikev2_pld_certreq: type RSA_KEY length 0
Jul 15 11:06:49 server iked[12701]: ikev2_msg_send: IKE_SA_INIT response from 1.2.3.4:500 to 5.6.7.8:60 msgid 0, 462 bytes
Jul 15 11:06:49 server iked[12701]: config_free_proposals: free 0x159dea7c3280
Jul 15 11:06:50 server iked[12701]: ikev2_recv: IKE_AUTH request from initiator 5.6.7.8:1083 to 1.2.3.4:4500 policy 'clientA' id 1, 2464 bytes
Jul 15 11:06:50 server iked[12701]: ikev2_recv: ispi 0x8a6401ca230f832f rspi 0xfb7ec7c3268b8596
Jul 15 11:06:50 server iked[12701]: ikev2_recv: updated SA to peer 5.6.7.8:1083 local 1.2.3.4:4500
Jul 15 11:06:50 server iked[12701]: ikev2_pld_parse: header ispi 0x8a6401ca230f832f rspi 0xfb7ec7c3268b8596 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 2464 response 0
Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 2436
Jul 15 11:06:50 server iked[12701]: ikev2_msg_decrypt: IV length 16
Jul 15 11:06:50 server iked[12701]: ikev2_msg_decrypt: encrypted payload length 2400
Jul 15 11:06:50 server iked[12701]: ikev2_msg_decrypt: integrity checksum length 16
Jul 15 11:06:50 server iked[12701]: ikev2_msg_decrypt: integrity check succeeded
Jul 15 11:06:50 server iked[12701]: ikev2_msg_decrypt: decrypted payload length 2400/2400 padding 2
Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 169
Jul 15 11:06:50 server iked[12701]: ikev2_pld_id: id ASN1_DN//C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=client2.example.com/emailAddress=[hidden email] length 165
Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 length 1051
Jul 15 11:06:50 server iked[12701]: ikev2_pld_cert: type X509_CERT length 1046
Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 length 705
Jul 15 11:06:50 server iked[12701]: ikev2_pld_certreq: type X509_CERT length 700
Jul 15 11:06:50 server iked[12701]: ikev2_policy2id: srcid IPV4/1.2.3.4 length 8
Jul 15 11:06:50 server iked[12701]: sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0000 )
Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload AUTH nextpayload NOTIFY critical 0x00 length 264
Jul 15 11:06:50 server iked[12701]: ikev2_pld_auth: method RSA_SIG length 256
Jul 15 11:06:50 server iked[12701]: sa_state: SA_INIT -> AUTH_REQUEST
Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload NOTIFY nextpayload CP critical 0x00 length 8
Jul 15 11:06:50 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload CP nextpayload SA critical 0x00 length 36
Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: type REQUEST length 28
Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_NBNS 0x0004 length 0
Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_SERVER 0x5ba0 length 0
Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: INTERNAL_IP6_ADDRESS 0x0008 length 0
Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: INTERNAL_IP6_DNS 0x000a length 0
Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: INTERNAL_IP6_SERVER 0x5ba1 length 0
Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 36
Jul 15 11:06:50 server iked[12701]: ikev2_pld_sa: more 0 reserved 0 length 32 proposal #1 protoid ESP spisize 4 xforms 2 spi 0x844224ca
Jul 15 11:06:50 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
Jul 15 11:06:50 server iked[12701]: ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
Jul 15 11:06:50 server iked[12701]: ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 64
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: count 2 length 56
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 64
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: count 2 length 56
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: type IPV6_ADDR_RANGE protoid 0 length 40 startport 0 endport 65535
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: start :: end ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Jul 15 11:06:50 server iked[12701]: sa_stateok: SA_INIT flags 0x0000, require 0x0000
Jul 15 11:06:50 server iked[12701]: policy_lookup: peerid '/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=client2.example.com/emailAddress=[hidden email]'
Jul 15 11:06:50 server iked[12701]: ikev2_msg_auth: responder auth data length 542
Jul 15 11:06:50 server iked[12701]: ca_setauth: auth length 542
Jul 15 11:06:50 server iked[12701]: ikev2_msg_auth: initiator auth data length 608
Jul 15 11:06:50 server iked[12701]: ikev2_msg_authverify: method RSA_SIG keylen 1046 type X509_CERT
Jul 15 11:06:50 server iked[12701]: ikev2_msg_authverify: authentication successful
Jul 15 11:06:50 server iked[12701]: sa_state: AUTH_REQUEST -> AUTH_SUCCESS
Jul 15 11:06:50 server iked[12701]: sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
Jul 15 11:06:50 server iked[12701]: ikev2_sa_negotiate: score 3
Jul 15 11:06:50 server iked[12701]: sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
Jul 15 11:06:50 server iked[12701]: sa_stateok: VALID flags 0x0030, require 0x003b cert,certvalid,auth,authvalid,sa
Jul 15 11:06:50 server iked[12701]: sa_state: cannot switch: AUTH_SUCCESS -> VALID
Jul 15 11:06:50 server iked[12701]: config_free_proposals: free 0x159dea7c3880
Jul 15 11:06:50 server iked[36135]: ca_getreq: found CA /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=VPN CA 2019/emailAddress=[hidden email]
Jul 15 11:06:50 server iked[36135]: ca_x509_subjectaltname: IPV4/1.2.3.4
Jul 15 11:06:50 server iked[36135]: ca_getreq: found local certificate /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=1.2.3.4/emailAddress=[hidden email]
Jul 15 11:06:50 server iked[36135]: ca_setauth: auth length 256
Jul 15 11:06:50 server iked[12701]: ikev2_getimsgdata: imsg 20 rspi 0xfb7ec7c3268b8596 ispi 0x8a6401ca230f832f initiator 0 sa valid type 4 data length 1004
Jul 15 11:06:50 server iked[12701]: ikev2_dispatch_cert: cert type X509_CERT length 1004, ok
Jul 15 11:06:50 server iked[12701]: sa_stateflags: 0x0034 -> 0x0035 cert,certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
Jul 15 11:06:50 server iked[12701]: sa_stateok: VALID flags 0x0031, require 0x003b cert,certvalid,auth,authvalid,sa
Jul 15 11:06:50 server iked[12701]: sa_state: cannot switch: AUTH_SUCCESS -> VALID
Jul 15 11:06:50 server iked[12701]: ikev2_getimsgdata: imsg 25 rspi 0xfb7ec7c3268b8596 ispi 0x8a6401ca230f832f initiator 0 sa valid type 1 data length 256
Jul 15 11:06:50 server iked[36135]: ca_validate_pubkey: unsupported public key type ASN1_DN
Jul 15 11:06:50 server iked[12701]: ikev2_dispatch_cert: AUTH type 1 len 256
Jul 15 11:06:50 server iked[12701]: sa_stateflags: 0x0035 -> 0x003d cert,certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
Jul 15 11:06:50 server iked[12701]: sa_stateok: VALID flags 0x0039, require 0x003b cert,certvalid,auth,authvalid,sa
Jul 15 11:06:50 server iked[12701]: sa_state: cannot switch: AUTH_SUCCESS -> VALID
Jul 15 11:06:50 server iked[36135]: ca_validate_cert: /C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=client2.example.com/emailAddress=[hidden email] ok
Jul 15 11:06:50 server iked[12701]: ikev2_dispatch_cert: peer certificate is valid
Jul 15 11:06:50 server iked[12701]: sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
Jul 15 11:06:50 server iked[12701]: sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
Jul 15 11:06:50 server iked[12701]: sa_state: AUTH_SUCCESS -> VALID
Jul 15 11:06:50 server iked[12701]: sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
Jul 15 11:06:50 server iked[12701]: sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
Jul 15 11:06:50 server iked[12701]: ikev2_sa_tag: clientA-CN=client2.example.com (34)
Jul 15 11:06:50 server iked[12701]: ikev2_childsa_negotiate: proposal 1
Jul 15 11:06:50 server iked[12701]: ikev2_childsa_negotiate: key material length 72
Jul 15 11:06:50 server iked[12701]: ikev2_prfplus: T1 with 32 bytes
Jul 15 11:06:50 server iked[12701]: ikev2_prfplus: T2 with 32 bytes
Jul 15 11:06:50 server iked[12701]: ikev2_prfplus: T3 with 32 bytes
Jul 15 11:06:50 server iked[12701]: ikev2_prfplus: Tn with 96 bytes
Jul 15 11:06:50 server iked[12701]: pfkey_sa_getspi: spi 0xf999bff1
Jul 15 11:06:50 server iked[12701]: pfkey_sa_init: new spi 0xf999bff1
Jul 15 11:06:50 server iked[12701]: ikev2_next_payload: length 12 nextpayload CERT
Jul 15 11:06:50 server iked[12701]: ikev2_next_payload: length 1009 nextpayload AUTH
Jul 15 11:06:50 server iked[12701]: ikev2_next_payload: length 264 nextpayload CP
Jul 15 11:06:50 server iked[12701]: ikev2_next_payload: length 60 nextpayload NOTIFY
Jul 15 11:06:50 server iked[12701]: ikev2_add_mobike: done
Jul 15 11:06:50 server iked[12701]: ikev2_next_payload: length 8 nextpayload SA
Jul 15 11:06:50 server iked[12701]: ikev2_add_proposals: length 32
Jul 15 11:06:50 server iked[12701]: ikev2_next_payload: length 36 nextpayload TSi
Jul 15 11:06:50 server iked[12701]: ikev2_next_payload: length 56 nextpayload TSr
Jul 15 11:06:50 server iked[12701]: ikev2_next_payload: length 56 nextpayload NONE
Jul 15 11:06:50 server iked[12701]: ikev2_msg_encrypt: decrypted length 1501
Jul 15 11:06:50 server iked[12701]: ikev2_msg_encrypt: padded length 1504
Jul 15 11:06:50 server iked[12701]: ikev2_msg_encrypt: length 1502, padding 2, output length 1536
Jul 15 11:06:50 server iked[12701]: ikev2_next_payload: length 1540 nextpayload IDr
Jul 15 11:06:50 server iked[12701]: ikev2_msg_integr: message length 1568
Jul 15 11:06:50 server iked[12701]: ikev2_msg_integr: integrity checksum length 16
Jul 15 11:06:50 server iked[12701]: ikev2_pld_parse: header ispi 0x8a6401ca230f832f rspi 0xfb7ec7c3268b8596 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 1568 response 1
Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 1540
Jul 15 11:06:50 server iked[12701]: ikev2_msg_decrypt: IV length 16
Jul 15 11:06:50 server iked[12701]: ikev2_msg_decrypt: encrypted payload length 1504
Jul 15 11:06:50 server iked[12701]: ikev2_msg_decrypt: integrity checksum length 16
Jul 15 11:06:50 server iked[12701]: ikev2_msg_decrypt: integrity check succeeded
Jul 15 11:06:50 server iked[12701]: ikev2_msg_decrypt: decrypted payload length 1504/1504 padding 2
Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00 length 12
Jul 15 11:06:50 server iked[12701]: ikev2_pld_id: id IPV4/1.2.3.4 length 8
Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00 length 1009
Jul 15 11:06:50 server iked[12701]: ikev2_pld_cert: type X509_CERT length 1004
Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00 length 264
Jul 15 11:06:50 server iked[12701]: ikev2_pld_auth: method RSA_SIG length 256
Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical 0x00 length 60
Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: type REPLY length 52
Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 4
Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_NETMASK 0x0002 length 4
Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 4
Jul 15 11:06:50 server last message repeated 2 times
Jul 15 11:06:50 server iked[12701]: ikev2_pld_cp: INTERNAL_IP4_SUBNET 0x000d length 8
Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00 length 8
Jul 15 11:06:50 server iked[12701]: ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 36
Jul 15 11:06:50 server iked[12701]: ikev2_pld_sa: more 0 reserved 0 length 32 proposal #1 protoid ESP spisize 4 xforms 2 spi 0xf999bff1
Jul 15 11:06:50 server iked[12701]: ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
Jul 15 11:06:50 server iked[12701]: ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
Jul 15 11:06:50 server iked[12701]: ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 56
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: count 3 length 48
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: start 10.75.0.0 end 10.75.255.255
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: start 10.75.0.0 end 10.75.255.255
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: start 10.75.0.0 end 10.75.255.255
Jul 15 11:06:50 server iked[12701]: ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 56
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: count 3 length 48
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: start 10.21.0.0 end 10.21.255.255
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: start 192.168.0.0 end 192.168.255.255
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
Jul 15 11:06:50 server iked[12701]: ikev2_pld_ts: start 172.22.1.0 end 172.22.1.255
Jul 15 11:06:50 server iked[12701]: ikev2_msg_send: IKE_AUTH response from 1.2.3.4:4500 to 5.6.7.8:1083 msgid 1, 1568 bytes, NAT-T
Jul 15 11:06:50 server iked[12701]: pfkey_sa_add: update spi 0xf999bff1
Jul 15 11:06:50 server iked[12701]: pfkey_sa: udpencap port 1083
Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: loaded CHILD SA spi 0xf999bff1
Jul 15 11:06:50 server iked[12701]: pfkey_sa_add: add spi 0x844224ca
Jul 15 11:06:50 server iked[12701]: pfkey_sa: udpencap port 1083
Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: loaded CHILD SA spi 0x844224ca
Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: replaced old flow 0x159d73b64400 with 0x159e392c1400
Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159e392c1400
Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: replaced old flow 0x159da9a0d800 with 0x159e00d70c00
Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159e00d70c00
Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: replaced old flow 0x159e392c1800 with 0x159e00d70800
Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159e00d70800
Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: replaced old flow 0x159e392c1c00 with 0x159e35526400
Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159e35526400
Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: replaced old flow 0x159da9a0c000 with 0x159e00d70000
Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159e00d70000
Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: replaced old flow 0x159d683de400 with 0x159e35526c00
Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: loaded flow 0x159e35526c00
Jul 15 11:06:50 server iked[12701]: ikev2_childsa_enable: remember SA peer 5.6.7.8:1083
Jul 15 11:06:50 server iked[12701]: sa_state: VALID -> ESTABLISHED from 5.6.7.8:1083 to 1.2.3.4:4500 policy 'clientA'
Reply | Threaded
Open this post in threaded view
|

Re: [iked] differentiating policies by dstid

Tobias Heider-2
Hi Alexander,

the log tells us that both times the handshake ends in the successful
establishment of an IKE SA. Like you reported both match the policy 'clientA'
instead of A and B:

> Jul 15 11:06:45 server iked[12701]: sa_state: VALID -> ESTABLISHED from 5.6.7.8:4500 to 1.2.3.4:4500 policy 'clientA'
> Jul 15 11:06:50 server iked[12701]: sa_state: VALID -> ESTABLISHED from 5.6.7.8:1083 to 1.2.3.4:4500 policy 'clientA'

The reason seems to be this:
> Jul 15 11:06:45 server iked[12701]: ikev2_pld_id: id ASN1_DN//C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=client1.example.com/emailAddress=[hidden email] length 165
> Jul 15 11:06:50 server iked[12701]: ikev2_pld_id: id ASN1_DN//C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=client2.example.com/emailAddress=[hidden email] length 165
The iked server tries to match these IDs with the strings in the dstid
configuration field, in your case: "client1.example.com" and
"client1.example.com", which fails for obvious reasons.

You could try the following:
Set the dstid values to the full ASN1_DN strings:
/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=client1.example.com/emailAddress=[hidden email]
/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=client2.example.com/emailAddress=[hidden email]

If this does not work (I'm not sure the format of the identity payloads is
compatible) try setting the srcid explicitly to client1.example.com and
client2.example.com with type FQDN in the client configurations (and leave the
server dstid as it was before).

Regards,
Tobias

Reply | Threaded
Open this post in threaded view
|

Re: [iked] differentiating policies by dstid

Alexander Mischke
In reply to this post by Alexander Mischke
Hello Tobias,
thanks a lot, that solved the question for me (at least on the server :) ).

Using ASN1 ids iked detects the matching policy. However, it then uses RFC7427 for auth (SIG), but the Windows 10 clients use RSA_SIG. This causes a mismatch and the connection can't be established. (Yet, Windows 10 is lacking support for aforementioned RFC).

So, I have to find another way, but thank you very much.

Best regards,

Alex