Re: Iked <-> Strongswan

Hi,

this doesn't look like an IKE problem if the handshake succeeds.
Try comparing the kernel SAs and flows (ipsecctl -sa on OpenBSD).
I think strongswan for some errors deletes child SAs right after
the handshake, maybe the charon log contains more information.

- Tobias

On Wed, Jul 29, 2020 at 11:17:22PM +0200, Stephan Mending wrote:
> Hi *,
>
> I've been trying to a longer time now to setup a connection between a strongswan server and an openbsd client. Which as
> turns out isn't as straightforward as I thought. Doesn't matter how I setup the strongswan config I'm running into the
> same problem.
>
> The connection is successfully established. When pinging the endpoint behinde the strongswan router I see icmp packets
> entering enc0. When listening for packets exiting the tunnel on the strongswan side it seems like there aren't any. And
> I don't see a trace of what could have happend to these packets. Neither in the firewall logs nor in the IPS logfiles.
> It's driving me nuts.
>
> I've put you in CC tobias@ because I know you're successfully running such a setup.
>
> My configs:
>
> $ cat /etc/iked.conf
> set fragmentation
> ikev2 'randomID' active esp \
> from 0.0.0.0/0 to 10.0.3.100/32 \
> local <local-public-addr> peer <public-ip-of-strongswan-router> \
> ikesa auth hmac-sha2-512 enc aes-256 prf hmac-sha2-512 group curve25519 \
> childsa enc aes-256-gcm prf hmac-sha2-512 group curve25519 \
> srcid <id-of-local-endpoint> dstid <id-of-strongswan> \
> ikelifetime 7200 lifetime 3600
>
> $ cat ipsec.conf
> conn randomID
> left=%defaultroute
> leftsubnet=10.0.3.100/32
> leftfirewall=yes
> lefthostaccess=yes
> right=185.165.169.190
> leftcert=/var/storage/certs/hostcert.pem
> rightcert=/var/storage/certs/<iked-endpoint>.pem
> leftid="<id-of-strongswan>"
> rightid="<id-of-iked>""
> type=tunnel
> ike=chacha20poly1305-sha2_512-curve25519,chacha20poly1305-sha2_512-curve448,chacha20poly1305-sha2_512-modp4096,chacha20poly1305-sha2_512-modp3072,chacha20poly1305-sha2_512-modp2048,chacha20poly1305-sha2_256-curve25519,chacha20poly1305-sha2_256-curve448,chacha20poly1305-sha2_256-modp4096,chacha20poly1305-sha2_256-modp3072,chacha20poly1305-sha2_256-modp2048,aes256gcm128-sha2_512-curve25519,aes256gcm128-sha2_512-curve448,aes256gcm128-sha2_512-modp4096,aes256gcm128-sha2_512-modp3072,aes256gcm128-sha2_512-modp2048,aes256gcm128-sha2_256-curve25519,aes256gcm128-sha2_256-curve448,aes256gcm128-sha2_256-modp4096,aes256gcm128-sha2_256-modp3072,aes256gcm128-sha2_256-modp2048,aes256gcm96-sha2_512-curve25519,aes256gcm96-sha2_512-curve448,aes256gcm96-sha2_512-modp4096,aes256gcm96-sha2_512-modp3072,aes256gcm96-sha2_512-modp2048,aes256gcm96-sha2_256-curve25519,aes256gcm96-sha2_256-curve448,aes256gcm96-sha2_256-modp4096,aes256gcm96-sha2_256-modp3072,aes256gcm96-sha2_256-modp2048,aes256gcm64-sha2_512-curve25519,aes256gcm64-sha2_512-curve448,aes256gcm64-sha2_512-modp4096,aes256gcm64-sha2_512-modp3072,aes256gcm64-sha2_512-modp2048,aes256gcm64-sha2_256-curve25519,aes256gcm64-sha2_256-curve448,aes256gcm64-sha2_256-modp4096,aes256gcm64-sha2_256-modp3072,aes256gcm64-sha2_256-modp2048,aes256-sha2_512-curve25519,aes256-sha2_512-curve448,aes256-sha2_512-modp4096,aes256-sha2_512-modp3072,aes256-sha2_512-modp2048,aes256-sha2_256-curve25519,aes256-sha2_256-curve448,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes192gcm128-sha2_512-curve25519,aes192gcm128-sha2_512-curve448,aes192gcm128-sha2_512-modp4096,aes192gcm128-sha2_512-modp3072,aes192gcm128-sha2_512-modp2048,aes192gcm128-sha2_256-curve25519,aes192gcm128-sha2_256-curve448,aes192gcm128-sha2_256-modp4096,aes192gcm128-sha2_256-modp3072,aes192gcm128-sha2_256-modp2048,aes192gcm96-sha2_512-curve25519,aes192gcm96-sha2_512-curve448,aes192gcm96-sha2_512-modp4096,aes192gcm96-sha2_512-modp3072,aes192gcm96-sha2_512-modp2048,aes192gcm96-sha2_256-curve25519,aes192gcm96-sha2_256-curve448,aes192gcm96-sha2_256-modp4096,aes192gcm96-sha2_256-modp3072,aes192gcm96-sha2_256-modp2048,aes192gcm64-sha2_512-curve25519,aes192gcm64-sha2_512-curve448,aes192gcm64-sha2_512-modp4096,aes192gcm64-sha2_512-modp3072,aes192gcm64-sha2_512-modp2048,aes192gcm64-sha2_256-curve25519,aes192gcm64-sha2_256-curve448,aes192gcm64-sha2_256-modp4096,aes192gcm64-sha2_256-modp3072,aes192gcm64-sha2_256-modp2048,aes192-sha2_512-curve25519,aes192-sha2_512-curve448,aes192-sha2_512-modp4096,aes192-sha2_512-modp3072,aes192-sha2_512-modp2048,aes192-sha2_256-curve25519,aes192-sha2_256-curve448,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes128gcm128-sha2_512-curve25519,aes128gcm128-sha2_512-curve448,aes128gcm128-sha2_512-modp4096,aes128gcm128-sha2_512-modp3072,aes128gcm128-sha2_512-modp2048,aes128gcm128-sha2_256-curve25519,aes128gcm128-sha2_256-curve448,aes128gcm128-sha2_256-modp4096,aes128gcm128-sha2_256-modp3072,aes128gcm128-sha2_256-modp2048,aes128gcm96-sha2_512-curve25519,aes128gcm96-sha2_512-curve448,aes128gcm96-sha2_512-modp4096,aes128gcm96-sha2_512-modp3072,aes128gcm96-sha2_512-modp2048,aes128gcm96-sha2_256-curve25519,aes128gcm96-sha2_256-curve448,aes128gcm96-sha2_256-modp4096,aes128gcm96-sha2_256-modp3072,aes128gcm96-sha2_256-modp2048,aes128gcm64-sha2_512-curve25519,aes128gcm64-sha2_512-curve448,aes128gcm64-sha2_512-modp4096,aes128gcm64-sha2_512-modp3072,aes128gcm64-sha2_512-modp2048,aes128gcm64-sha2_256-curve25519,aes128gcm64-sha2_256-curve448,aes128gcm64-sha2_256-modp4096,aes128gcm64-sha2_256-modp3072,aes128gcm64-sha2_256-modp2048,aes128-sha2_512-curve25519,aes128-sha2_512-curve448,aes128-sha2_512-modp4096,aes128-sha2_512-modp3072,aes128-sha2_512-modp2048,aes128-sha2_256-curve25519,aes128-sha2_256-curve448,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048!
> esp=chacha20poly1305-sha2_512-curve25519,chacha20poly1305-sha2_512-curve448,chacha20poly1305-sha2_512-modp4096,chacha20poly1305-sha2_512-modp3072,chacha20poly1305-sha2_512-modp2048,chacha20poly1305-sha2_256-curve25519,chacha20poly1305-sha2_256-curve448,chacha20poly1305-sha2_256-modp4096,chacha20poly1305-sha2_256-modp3072,chacha20poly1305-sha2_256-modp2048,aes256gcm128-curve25519,aes256gcm128-curve448,aes256gcm128-modp4096,aes256gcm128-modp3072,aes256gcm128-modp2048,aes256gcm96-curve25519,aes256gcm96-curve448,aes256gcm96-modp4096,aes256gcm96-modp3072,aes256gcm96-modp2048,aes256gcm64-curve25519,aes256gcm64-curve448,aes256gcm64-modp4096,aes256gcm64-modp3072,aes256gcm64-modp2048,aes256-sha2_512-curve25519,aes256-sha2_512-curve448,aes256-sha2_512-modp4096,aes256-sha2_512-modp3072,aes256-sha2_512-modp2048,aes256-sha2_256-curve25519,aes256-sha2_256-curve448,aes256-sha2_256-modp4096,aes256-sha2_256-modp3072,aes256-sha2_256-modp2048,aes192gcm128-curve25519,aes192gcm128-curve448,aes192gcm128-modp4096,aes192gcm128-modp3072,aes192gcm128-modp2048,aes192gcm96-curve25519,aes192gcm96-curve448,aes192gcm96-modp4096,aes192gcm96-modp3072,aes192gcm96-modp2048,aes192gcm64-curve25519,aes192gcm64-curve448,aes192gcm64-modp4096,aes192gcm64-modp3072,aes192gcm64-modp2048,aes192-sha2_512-curve25519,aes192-sha2_512-curve448,aes192-sha2_512-modp4096,aes192-sha2_512-modp3072,aes192-sha2_512-modp2048,aes192-sha2_256-curve25519,aes192-sha2_256-curve448,aes192-sha2_256-modp4096,aes192-sha2_256-modp3072,aes192-sha2_256-modp2048,aes128gcm128-curve25519,aes128gcm128-curve448,aes128gcm128-modp4096,aes128gcm128-modp3072,aes128gcm128-modp2048,aes128gcm96-curve25519,aes128gcm96-curve448,aes128gcm96-modp4096,aes128gcm96-modp3072,aes128gcm96-modp2048,aes128gcm64-curve25519,aes128gcm64-curve448,aes128gcm64-modp4096,aes128gcm64-modp3072,aes128gcm64-modp2048,aes128-sha2_512-curve25519,aes128-sha2_512-curve448,aes128-sha2_512-modp4096,aes128-sha2_512-modp3072,aes128-sha2_512-modp2048,aes128-sha2_256-curve25519,aes128-sha2_256-curve448,aes128-sha2_256-modp4096,aes128-sha2_256-modp3072,aes128-sha2_256-modp2048!
> keyexchange=ikev2
> ikelifetime=3h
> keylife=1h
> dpdaction=clear
> dpddelay=30
> dpdtimeout=120
> authby=rsasig
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> auto=add
> rightsourceip=
> fragmentation=yes
>
> I'd appreciate it SO MUCH if you could help me in any way.
>
> Best regards,
> Stephan