no flows with my iked vpn

no flows with my iked vpn

shadrock uhuru
Hi everyone,
I have set up iked on my firewall and laptop as a roadwarrior setup
following https://www.openbsd.org/faq/faq17.html.
I've tested from within the local network
but no flows are started.
Could someone have a look at the following files to see where I have
erred.


# my iked config method
http://paste.openstack.org/show/789464/

imhoptep iked logs (responder)
http://paste.openstack.org/show/789465/

pegasus iked logs (initiator)
http://paste.openstack.org/show/789466/

Thanks, shadrock

Re: no flows with my iked vpn

Robert Paschedag

sent from my mobile device

On 12 February 2020 at 15:07:46, Shadrock Uhuru <[hidden email]> wrote:

> Hi everyone,
> I have set up iked on my firewall and laptop as a roadwarrior setup
> following https://www.openbsd.org/faq/faq17.html.
> I've tested from within the local network
> but no flows are started.
> Could someone have a look at the following files to see where I have
> erred.

Looks like your client cert (pegasus) is missing a subjectAltName.

Robert

>
>
> # my iked config method
> http://paste.openstack.org/show/789464/
>
> imhoptep iked logs (responder)
> http://paste.openstack.org/show/789465/
>
> pegasus iked logs (initiator)
> http://paste.openstack.org/show/789466/
>
> thanks shadrock


Re: no flows with my iked vpn

shadrock uhuru
On 13.02.2020 08:43, Robert Paschedag wrote:

>
>sent from my mobile device
>
>On 12 February 2020 at 15:07:46, Shadrock Uhuru <[hidden email]> wrote:
>
>>Hi everyone,
>>I have set up iked on my firewall and laptop as a roadwarrior setup
>>following https://www.openbsd.org/faq/faq17.html.
>>I've tested from within the local network
>>but no flows are started.
>>Could someone have a look at the following files to see where I have
>>erred.
>
>Looks like your client cert (pegasus) is missing a subjectAltName.
>
>Robert
>
>>
>>
>># my iked config method
>>http://paste.openstack.org/show/789464/
>>
>>imhoptep iked logs (responder)
>>http://paste.openstack.org/show/789465/
>>
>>pegasus iked logs (initiator)
>>http://paste.openstack.org/show/789466/
>>
>>thanks shadrock
>
>
As https://www.openbsd.org/faq/faq17.html does not mention anything
about subjectAltName,
I've researched across the net and found the following information:

IKEv2 VPN server certificate must contain either the server's IP address
or its FQDN as the subjectAltName.
Roadwarriors usually have dynamic IP addresses assigned
by the ISP they are currently attached to.
In order to simplify the routing from
my-net (tissisat.co.uk) back to the roadwarrior (pegasus)
it would be desirable if the roadwarrior
had an inner IP address chosen from a pre-assigned pool.

If this is the way to deal with subjectAltName,
what are the steps to achieve this?

shadrock
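
The certificate step the FAQ leaves implicit, as an added example that is not part of this thread or of the OpenBSD project: an openssl(1) script that issues a CA, a gateway certificate and a roadwarrior certificate, each carrying a subjectAltName, and reads the SAN back before the files go under /etc/iked/. iked matches the identity a peer sends (FQDN, IP address or e-mail address) against the subjectAltName of the certificate that peer presents, so a certificate carrying only a Subject DN is refused. The host names under tissisat.co.uk, the CA name "vpn", the key sizes and the deliberately broken third certificate are assumptions. On OpenBSD, ikectl(8) (for example "ikectl ca vpn certificate pegasus.tissisat.co.uk create") derives the subjectAltName from the host name you give it; the script does the same with plain openssl so it can be run on any machine with openssl(1) installed.

```shell
#!/bin/sh
# Added example, not from the thread: issue IKEv2 certificates that carry a
# subjectAltName and verify the SAN before iked ever sees them.
# Assumptions: host names under tissisat.co.uk, CA name "vpn", RSA 2048 keys.
set -eu

# make_ca DIR: self-signed CA key and certificate in DIR
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=vpn CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# make_cert DIR NAME SAN: key, CSR and CA-signed certificate for NAME.
# SAN is an openssl subjectAltName value such as DNS:host or IP:192.0.2.1;
# an empty SAN reproduces the broken case from the thread (Subject DN only).
make_cert() {
    dir=$1 name=$2 san=$3
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    # "openssl x509 -req" takes extensions only from -extfile, never from the
    # CSR, so the SAN has to be written into the extension file here.
    echo "extendedKeyUsage=serverAuth,clientAuth" > "$dir/$name.ext"
    if [ -n "$san" ]; then
        echo "subjectAltName=$san" >> "$dir/$name.ext"
    fi
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# cert_san FILE: print the subjectAltName line of a certificate, or nothing.
# Uses -text rather than -ext so it works with LibreSSL and older OpenSSL.
cert_san() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# cert_has_san FILE ID: succeed only if ID appears in the certificate's SAN,
# which is the condition iked applies to the peer's identity.
cert_has_san() {
    san=$(cert_san "$1")
    case "$san" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

main() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "skipping: openssl(1) not found" >&2
        return 0
    fi
    dir=$(mktemp -d)
    make_ca "$dir"
    make_cert "$dir" imhoptep "DNS:imhoptep.tissisat.co.uk"
    make_cert "$dir" pegasus  "DNS:pegasus.tissisat.co.uk"
    make_cert "$dir" broken   ""
    for h in imhoptep pegasus broken; do
        if cert_has_san "$dir/$h.crt" "$h.tissisat.co.uk"; then
            echo "$h: subjectAltName ok: $(cert_san "$dir/$h.crt")"
        else
            echo "$h: no matching subjectAltName; iked will reject this certificate"
        fi
    done
    echo "certificates written to $dir"
}

main
```

Install the results as the FAQ describes (the CA certificate under /etc/iked/ca/, each host's certificate under /etc/iked/certs/ and its key as /etc/iked/private/local.key) and use the SAN value as srcid on the host that owns the certificate and as dstid on the other side. If srcid is left out, iked defaults it to the hostname, which then has to match the SAN exactly.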

Re: no flows with my iked vpn

Antonino Sidoti
Hi,

I think you need to look at the PF configuration on your setup. My configuration is as follows:

(Not my full pf.conf)

# Macro assumed here, since the post shows only a fragment: IKE uses UDP 500
# and NAT-T uses UDP 4500.
iked_ports = "{ 500 4500 }"

# Allow iked
pass in quick log on egress proto esp from any to egress label "IKED-ESP"
pass in quick log on egress proto udp from any to egress port $iked_ports label "IKED-IN"

# Block all
block log all

# Pass traffic on interface enc0
# "tagged IKED" only matches packets iked has tagged; the policy in
# iked.conf must carry tag "IKED", otherwise nothing passes here.
pass log on enc0 tagged IKED label "IKED-ENC-TAG"

# Pass out all
pass out

Check the logged PF traffic using tcpdump: "doas tcpdump -n -e -ttt -i pflog0"


> On 13 Feb 2020, at 10:07 pm, Shadrock Uhuru <[hidden email]> wrote:
>
> On 13.02.2020 08:43, Robert Paschedag wrote:
>>
>> sent from my mobile device
>>
>> On 12 February 2020 at 15:07:46, Shadrock Uhuru <[hidden email]> wrote:
>>
>>> Hi everyone,
>>> I have set up iked on my firewall and laptop as a roadwarrior setup
>>> following https://www.openbsd.org/faq/faq17.html.
>>> I've tested from within the local network
>>> but no flows are started.
>>> Could someone have a look at the following files to see where I have
>>> erred.
>>
>> Looks like your client cert (pegasus) is missing a subjectAltName.
>>
>> Robert
>>
>>>
>>>
>>> # my iked config method
>>> http://paste.openstack.org/show/789464/
>>>
>>> imhoptep iked logs (responder)
>>> http://paste.openstack.org/show/789465/
>>>
>>> pegasus iked logs (initiator)
>>> http://paste.openstack.org/show/789466/
>>>
>>> thanks shadrock
>>
>>
>
> As https://www.openbsd.org/faq/faq17.html does not mention anything
> about subjectAltName, I've researched across the net and found the following information:
>
> IKEv2 VPN server certificate must contain either the server's IP address
> or its FQDN as the subjectAltName.
> Roadwarriors usually have dynamic IP addresses assigned by the ISP they are currently attached to. In order to simplify the routing from my-net (tissisat.co.uk) back to the roadwarrior (pegasus) it would be desirable if the roadwarrior had an inner IP address chosen from a pre-assigned pool.
>
> If this is the way to deal with subjectAltName,
> what are the steps to achieve this?
>
> shadrock
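
An iked.conf that fits the pf rules in this reply, as an added example that is not from the thread or from the OpenBSD project. The "pass log on enc0 tagged IKED" rule only matches packets that iked has tagged, which requires tag "IKED" in the iked policy; without it that rule matches nothing and the decrypted traffic falls through to "block log all". The gateway stanza also hands the roadwarrior an address from a pool, which is the pre-assigned inner address asked about earlier. The LAN prefix, the pool, the host names and the identities (which must equal the certificates' subjectAltName) are assumptions.

```conf
# /etc/iked.conf on the gateway (responder); constructed example.
# Assumed: LAN 192.168.1.0/24 behind the gateway, client pool 10.1.1.0/24,
# identities equal to the certificates' subjectAltName.
ikev2 "roadwarriors" passive esp \
        from 192.168.1.0/24 to 10.1.1.0/24 \
        local any peer any \
        srcid imhoptep.tissisat.co.uk \
        config address 10.1.1.0/24 \
        config netmask 255.255.255.0 \
        tag "IKED"

# /etc/iked.conf on the roadwarrior (initiator); constructed example.
# "from dynamic" and "request address any" take the pool address the
# gateway hands out, so the gateway side always knows where pegasus is.
ikev2 "home" active esp \
        from dynamic to 192.168.1.0/24 \
        peer imhoptep.tissisat.co.uk \
        srcid pegasus.tissisat.co.uk \
        dstid imhoptep.tissisat.co.uk \
        request address any \
        tag "IKED"
```

After "rcctl restart iked" on both sides, "ipsecctl -sa" lists the SAs and flows once the exchange succeeds; running "iked -dv" in the foreground on the responder prints why a peer's certificate was rejected if it was not.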