Wednesday, January 31, 2018

Re: iked: how to request a virtual IP when running as a road warrior

Hello

On 01/30/18 22:00, Peter Müller wrote:
> Hello *,
>
> I am trying to set up an IPsec connection between OpenBSD 6.2
> and an IPFire firewall, while the OpenBSD is a road warrior.
> There, I use "iked", while the firewall is running "strongswan".
>
> After struggling with some cryptography issues (curve25519 and
> brainpool512 did not work, neither did aes-gcm), the IKE
> connection is now established, but the firewall requires a
> request for a virtual IP:
>
> [log snippet from "iked" @ OpenBSD:]
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 12
> ikev2_pld_notify: protoid NONE spisize 0 type AUTH_LIFETIME
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type FAILED_CP_REQUIRED
>
> [log snippet from "strongswan" @ IPFire:]
> 21:45:26 charon: 07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(FAIL_CP_REQ) ]
> 21:45:26 charon: 07[IKE] failed to establish CHILD_SA, keeping IKE_SA
> 21:45:26 charon: 07[IKE] configuration payload negotiation failed, no CHILD_SA built
> 21:45:26 charon: 07[IKE] expected a virtual IP request, sending FAILED_CP_REQUIRED
>
> Until now, I tried inserting the following directives to my
> /etc/iked.conf - without luck, they didn't seem to change anything:
>
> (1) config address 10.XXX.XXX.XXX
>
> (2) config address 10.XXX.XXX.XXX/24
>
> (3) config address 10.XXX.XXX.XXX\
> config address 10.XXX.XXX.XXX/24
>
> How do I configure "iked" to request a virtual IP?
>
> Any help is highly appreciated, since I am flying blind here.
>
> Thanks and best regards,
> Peter Müller
>

Last time I looked, OpenIKED was not yet able to request a config
payload, only reply to one. Looking at the source code of iked confirms
this.

/src/sbin/iked/ikev2.c
========================
ssize_t
ikev2_add_cp(struct iked *env, struct iked_sa *sa, struct ibuf *buf)
{
	...
	switch (sa->sa_cp) {
	case IKEV2_CP_REQUEST:
		cp->cp_type = IKEV2_CP_REPLY;
		break;
	case IKEV2_CP_REPLY:
	case IKEV2_CP_SET:
	case IKEV2_CP_ACK:
		/* Not yet supported */          <===!!!
		return (-1);
	}
	...

Cheers Kim
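To make concrete what the two sides disagree about, here is an added example (not code from the thread, OpenIKED or strongSwan) that encodes and decodes an IKEv2 Configuration Payload as laid out in RFC 7296 section 3.15. It builds the CFG_REQUEST a road warrior would send (an empty INTERNAL_IP4_ADDRESS attribute meaning "assign me any address"), and a minimal responder that, like the gateway in the strongswan log, refuses to build anything unless it sees such a request. The pool address, DNS address and the names `build_cp`, `parse_cp`, `road_warrior_request` and `responder_handle` are constructed for the example; the payload type number, CFG types and attribute numbers are the ones assigned in RFC 7296.

```python
import struct
import ipaddress

# IKEv2 payload type number for the Configuration Payload (RFC 7296 s.3.2)
PAYLOAD_CP = 47
NEXT_PAYLOAD_NONE = 0

# CFG types (RFC 7296 s.3.15); they correspond to the IKEV2_CP_* cases in the iked excerpt
CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4

# Configuration attribute types (RFC 7296 s.3.15.1)
INTERNAL_IP4_ADDRESS = 1
INTERNAL_IP4_NETMASK = 2
INTERNAL_IP4_DNS = 3


def build_cp(cfg_type, attrs, next_payload=NEXT_PAYLOAD_NONE):
    """Encode a Configuration Payload; attrs is a list of (attribute type, value bytes)."""
    body = b""
    for attr_type, value in attrs:
        if attr_type & 0x8000:
            raise ValueError("attribute type must fit in 15 bits (R bit is reserved)")
        if len(value) > 0xFFFF:
            raise ValueError("attribute value too long")
        body += struct.pack("!HH", attr_type, len(value)) + value
    # generic payload header (4 bytes) + CFG type and 3 reserved bytes (4 bytes) + attributes
    length = 4 + 4 + len(body)
    header = struct.pack("!BBH", next_payload, 0, length)
    return header + struct.pack("!B3x", cfg_type) + body


def parse_cp(data):
    """Decode a Configuration Payload, checking every length before trusting it."""
    if len(data) < 8:
        raise ValueError("truncated CP header")
    next_payload, _flags, length = struct.unpack("!BBH", data[:4])
    if length < 8 or length > len(data):
        raise ValueError("bad payload length")
    cfg_type = data[4]
    attrs = []
    off = 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        attr_type, alen = struct.unpack("!HH", data[off:off + 4])
        attr_type &= 0x7FFF          # strip the reserved R bit
        off += 4
        if off + alen > length:
            raise ValueError("attribute length exceeds payload")
        attrs.append((attr_type, data[off:off + alen]))
        off += alen
    return {"next_payload": next_payload, "cfg_type": cfg_type, "attrs": attrs}


def road_warrior_request():
    """CFG_REQUEST an initiator sends to ask for a virtual IP and a DNS server.

    Zero-length attributes mean "any value"; this is what iked cannot yet emit."""
    return build_cp(CFG_REQUEST, [(INTERNAL_IP4_ADDRESS, b""), (INTERNAL_IP4_DNS, b"")])


def responder_handle(cp_bytes, pool_address, dns):
    """Gateway side: answer a CFG_REQUEST with a CFG_REPLY, or refuse (None)
    when no request arrived, which is what FAILED_CP_REQUIRED in the log signals."""
    if cp_bytes is None:
        return None
    cp = parse_cp(cp_bytes)
    if cp["cfg_type"] != CFG_REQUEST:
        return None
    reply = []
    for attr_type, _value in cp["attrs"]:
        if attr_type == INTERNAL_IP4_ADDRESS:
            reply.append((attr_type, ipaddress.IPv4Address(pool_address).packed))
        elif attr_type == INTERNAL_IP4_DNS:
            reply.append((attr_type, ipaddress.IPv4Address(dns).packed))
    return build_cp(CFG_REPLY, reply)


def assigned_address(reply_bytes):
    """Initiator side: pull the virtual IP out of a CFG_REPLY, or None if absent."""
    for attr_type, value in parse_cp(reply_bytes)["attrs"]:
        if attr_type == INTERNAL_IP4_ADDRESS and len(value) == 4:
            return str(ipaddress.IPv4Address(value))
    return None


if __name__ == "__main__":
    # constructed addresses, not from the thread
    req = road_warrior_request()
    rep = responder_handle(req, "10.0.0.5", "10.0.0.1")
    print("request :", req.hex())
    print("reply   :", rep.hex())
    print("assigned:", assigned_address(rep))
    print("no request ->", responder_handle(None, "10.0.0.5", "10.0.0.1"))
```

The `switch` in the iked excerpt is the mirror image of `responder_handle`: iked answers a CFG_REQUEST with a CFG_REPLY but has no branch that originates a CFG_REQUEST, so against a gateway that insists on one the CHILD_SA is never built, which is exactly the log sequence quoted above.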
