# OpenBSD: cat /etc/iked.conf
ikev2 "opensbd <-> opnsense" active esp \
        from 10.1.1.2/30 to 10.1.1.1/30 \
        from 10.1.1.2/30 to 192.168.1.2 \
        from 192.168.1.1 to 10.1.1.1/30 \
        peer 192.168.1.2 \
        psk "password"
# OPNsense configuration
PHASE 1
-------
General information
  Connection method: default
  Key Exchange version: V2
  Internet Protocol: IPv4
  Interface: LAN
  Remote gateway: 192.168.1.2
Phase 1 proposal (Authentication)
  Authentication method: Mutual PSK
  My identifier: IP address 192.168.1.1
  Peer identifier: IP address 192.168.1.2
  Pre-Shared Key: password
Phase 1 proposal (Algorithms)
  Encryption algorithm: AES 128
  Hash algorithm: 14 (2048 bits)
  Lifetime: 28800
Advanced Options
  NAT Traversal: disable
  MOBIKE: disable

PHASE 2
-------
General information
  Mode: Tunnel IPv4
  Local Network
    Type: Address
    Address: 10.1.1.1/32
  Remote Network
    Type: Address
    Address: 10.1.1.2/32
Phase 2 proposal (SA/Key Exchange)
  Protocol: ESP
  Hash algorithms: SHA256
  PFS key group: 14 (2048 bits)
  Lifetime: 3600
# iked -dvvv -f /etc/iked.conf
set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/192.168.1.1
ikev2 "opensbd <-> opnsense" active tunnel esp inet from 10.1.1.2/30 to 192.168.1.1 from 10.1.1.2/30 to 1.1.1.1/30 from 192.168.1.2 to 10.1.1.2/30 local any peer 192.168.1.1 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 esn,noesn lifetime 10800 bytes 536870912 psk 0x746573747465737474657374
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1770
ca_pubkey_serialize: type RSA_KEY length 398
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1770
config_getpolicy: received policy
ca_getkey: received public key type RSA_KEY length 398
ca_dispatch_parent: config reset
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getmobike: mobike
config_getfragmentation: no fragmentation
config_getnattport: nattport 4500
ca_reload: local cert type RSA_KEY
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
ikev2_init_ike_sa: initiating "opensbd <-> opnsense"
ikev2_policy2id: srcid FQDN/openbsd length 18
ikev2_add_proposals: length 156
ikev2_next_payload: length 160 nextpayload KE
ikev2_next_payload: length 40 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xbeb20699912acab9 0x0000000000000000 0.0.0.0:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xbeb20699912acab9 0x0000000000000000 192.168.1.1:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0xbeb20699912acab9 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 334 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 160
ikev2_pld_sa: more 0 reserved 0 length 156 proposal #1 protoid IKE spisize 0 xforms 17 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 40
ikev2_pld_ke: dh group CURVE25519 reserved 0
f5f980c7 915f8e81 e23f3371 e0f6bf01 43bdf744 ead993c6 e5a20599 0bfe2b70
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
786dfb68 e21a4037 f9871a5a e4464481 8635889f fdd0d20b 5ec026cb 447c1ef2
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
73eb3105 a443c698 e87db77c aaa2cdf1 967dc6b7
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
cba4b3e9 3ea081a6 cddf1126 a2ee3db5 a47d1db4
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
00020003 0004
spi=0xbeb20699912acab9: send IKE_SA_INIT req 0 peer 192.168.1.1:500 local 0.0.0.0:500, 334 bytes
spi=0xbeb20699912acab9: sa_state: INIT -> SA_INIT
spi=0xbeb20699912acab9: recv IKE_SA_INIT res 0 peer 192.168.1.1:500 local 192.168.1.2:500, 38 bytes, policy 'opensbd <-> opnsense'
ikev2_recv: ispi 0xbeb20699912acab9 rspi 0x0000000000000000
ikev2_recv: updated SA to peer 192.168.1.1:500 local 192.168.1.2:500
ikev2_pld_parse: header ispi 0xbeb20699912acab9 rspi 0x0000000000000000 nextpayload NOTIFY version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 38 response 1
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 10
ikev2_pld_notify: protoid NONE spisize 0 type INVALID_KE_PAYLOAD
000e
ikev2_handle_notifies: responder selected DH group 14
spi=0xbeb20699912acab9: sa_state: SA_INIT -> CLOSED from 192.168.1.1:500 to 192.168.1.2:500 policy 'opensbd <-> opnsense'
ikev2_recv: closing SA
spi=0xbeb20699912acab9: sa_free: reinitiating with new DH group
ikev2_init_ike_sa: initiating "opensbd <-> opnsense"
ikev2_policy2id: srcid FQDN/openbsd length 18
ikev2_add_proposals: length 156
ikev2_next_payload: length 160 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xd6cb201c319ec2db 0x0000000000000000 0.0.0.0:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xd6cb201c319ec2db 0x0000000000000000 192.168.1.1:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0xd6cb201c319ec2db rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 558 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 160
ikev2_pld_sa: more 0 reserved 0 length 156 proposal #1 protoid IKE spisize 0 xforms 17 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
b4883255 1872588d 3ac96b29 a6e2ae31 6d589662 53e141b0 1c4dea36 f4ca26a7
e6225459 920a271d f0fc72d1 4dbdc2b3 9cf98930 743af0d0 ad469f03 facdd67c
47d18bf4 a27354c1 50a0903c cd362594 a2d2eb69 60f4995e 0ed2fe86 c0649c7c
cf315edc 18c41a97 aa9bd2d6 11b3a703 f22cd7ff 09e11abe 03fc133f 974e2687
07fa573c 2169927b fdd734c6 08705389 aeafaef1 0bfb6c83 b717def2 ef59c6ad
029b2fac ee11788d d8bf69f1 7b0ec7ec 8b6d5e2e abfa11bd 0c96875c f31c7dac
803c1374 8d20a378 c7837cf3 daf2a42a aae92616 4d0d74f1 d12b7b66 5925e322
112b2f9b b135a989 a5081ec6 0eff2f70 06c0dd47 1392c942 5b2a1cd9 b95fda28
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
936934be 6466ba6e c40ed978 65141239 f6b59c54 78d2ca81 b29e61c5 c989d4b2
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
6346b2b4 421d61e6 99b04d1d ed4636fd 1ee8ef56
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
c7be7640 612e8577 777e90c8 c2497711 fbc17351
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
00020003 0004
spi=0xd6cb201c319ec2db: send IKE_SA_INIT req 0 peer 192.168.1.1:500 local 0.0.0.0:500, 558 bytes
spi=0xd6cb201c319ec2db: sa_state: INIT -> SA_INIT
spi=0xd6cb201c319ec2db: recv IKE_SA_INIT res 0 peer 192.168.1.1:500 local 192.168.1.2:500, 464 bytes, policy 'opensbd <-> opnsense'
ikev2_recv: ispi 0xd6cb201c319ec2db rspi 0xb21f151b48c8a8b0
ikev2_recv: updated SA to peer 192.168.1.1:500 local 192.168.1.2:500
ikev2_pld_parse: header ispi 0xd6cb201c319ec2db rspi 0xb21f151b48c8a8b0 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 464 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
431cbf47 529c20fd e5cf3911 d1afe4ff acfe40a4 1976c376 f97ab776 dc32102b
6eeb1082 171fa24d 97ff62eb 238b0728 29da5ab9 221e1bea da5cde05 27b1d251
d875b59b 2d43e574 371eb3cf e6b0b0c2 f1ba36ce 6ece3565 dc9b3c66 513ecdcd
d2e3f3b7 da5a7ef8 4aff4791 56f4c0f4 42315166 23e4bbbd 6e6319b2 31e7127f
8e782143 693aab0b f762b363 81b6d78b 295a06c2 2ed16a53 2b4f5121 3d3fbbbe
5fedf78d b12477bc a4d1a000 e0373e32 a8dd097f 8048d0ef 4201c29a 213830d4
aee5fe6b 25ef750a 0c0f6989 b4e5a2b3 d584b960 39286c11 76ada1be 34d5da57
15c1f452 50853c8c cc80243e b5eb971e a755393d fada3477 9fa1dc1f 6696c991
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
1ad4d2fe 3c948aac e43340ab 60af88e9 f1946aa8 4b326cbe ef83f46d 38eef2b0
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
d309b24f 37588c0d 904a2375 afb78de9 fefaeba9
ikev2_nat_detection: peer source 0xd6cb201c319ec2db 0xb21f151b48c8a8b0 192.168.1.1:500
d309b24f 37588c0d 904a2375 afb78de9 fefaeba9
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
baec5558 9152776e 40f161a5 64f30f09 563472fe
ikev2_nat_detection: peer destination 0xd6cb201c319ec2db 0xb21f151b48c8a8b0 192.168.1.2:500
baec5558 9152776e 40f161a5 64f30f09 563472fe
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
00020003 00040005
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
ikev2_pld_notify: signature hash <UNKNOWN:5> (5)
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type CHILDLESS_IKEV2_SUPPORTED
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type MULTIPLE_AUTH_SUPPORTED
proposals_match: xform 1 <-> 1 (7): ENCR AES_CBC (keylength 128 <-> 0) 128
proposals_match: xform 1 <-> 1 (1): INTEGR HMAC_SHA2_256_128 (keylength 0 <-> 0)
proposals_match: xform 1 <-> 1 (1): PRF HMAC_SHA2_256 (keylength 0 <-> 0)
proposals_match: xform 1 <-> 1 (13): DH MODP_2048 (keylength 0 <-> 0)
proposals_negotiate: score 22
proposals_negotiate: score 7: ENCR AES_CBC 128
proposals_negotiate: score 1: PRF HMAC_SHA2_256
proposals_negotiate: score 1: INTEGR HMAC_SHA2_256_128
proposals_negotiate: score 13: DH MODP_2048
sa_stateok: SA_INIT flags 0x0000, require 0x0008 auth
spi=0xd6cb201c319ec2db: ikev2_sa_keys: DHSECRET with 256 bytes
7e2d4983 2a66063e b329e47e 50ec0b8c 18fc5575 b7403cee 5ea49e99 ad4472bd
a1ed92f0 87aaa7d2 718582ff fccee9a2 a82580dd dd197d11 da34fe1f 6061c50f
e906e4ad 21336008 f7d94d9d b267a214 7777b1ed fe830723 7a53bd71 aec560df
b195572f 4590e5d5 afb57d57 87225380 f5592066 c4a553c0 d27a5229 7eb90172
36f59705 b0ed284f 1f16ba26 ff81c509 d48f8d0b 43596a0a 6d5271b2 a0ceee53
fc391361 84e6a991 1a32150e df392abc a8dd8986 7a6ff16d 134cb795 f4acbffb
1750be6e e6ece6f0 ba1f699b 22f93d1d b49fd56a 4e378c49 f97c3891 cc7cb52d
79abf3f8 c3933c0c 14af4b31 618ce3b1 3226b99f 742ec048 5f82d8a3 fe89cd57
ikev2_sa_keys: SKEYSEED with 32 bytes
868deab3 d70fa612 1e9ba672 fd2a284e 861f4650 498b43e4 a27142cb 768cbf72
spi=0xd6cb201c319ec2db: ikev2_sa_keys: S with 80 bytes
936934be 6466ba6e c40ed978 65141239 f6b59c54 78d2ca81 b29e61c5 c989d4b2
1ad4d2fe 3c948aac e43340ab 60af88e9 f1946aa8 4b326cbe ef83f46d 38eef2b0
d6cb201c 319ec2db b21f151b 48c8a8b0
ikev2_prfplus: T1 with 32 bytes
fc31adcc c427cb46 3514a960 27325b2c 360a1c12 c56e89d0 69c08276 10328918
ikev2_prfplus: T2 with 32 bytes
acf603cb a01ee03c 6500717c 51b11ff4 2b53432f 87077f0e 75943984 3eb2daed
ikev2_prfplus: T3 with 32 bytes
d9434308 f4e379f8 6f72d4f1 7352ffe9 69fce5bf 674e13e0 c8362846 4184be37
ikev2_prfplus: T4 with 32 bytes
90816cf7 d99fe5e2 00052cba 1e7e3ba0 89bbc595 4861a77f 77f6c714 4e6ebca6
ikev2_prfplus: T5 with 32 bytes
99036cf1 4b059a8f 98b7b3d1 0a9c632a 7a7263bf fd439fdb fa8fb7c7 6051f8fb
ikev2_prfplus: T6 with 32 bytes
e0549914 6f0f8c4a 883caff1 a4a09630 450cb2ee 4005c974 33cb6b29 41dfbf9d
ikev2_prfplus: Tn with 192 bytes
fc31adcc c427cb46 3514a960 27325b2c 360a1c12 c56e89d0 69c08276 10328918
acf603cb a01ee03c 6500717c 51b11ff4 2b53432f 87077f0e 75943984 3eb2daed
d9434308 f4e379f8 6f72d4f1 7352ffe9 69fce5bf 674e13e0 c8362846 4184be37
90816cf7 d99fe5e2 00052cba 1e7e3ba0 89bbc595 4861a77f 77f6c714 4e6ebca6
99036cf1 4b059a8f 98b7b3d1 0a9c632a 7a7263bf fd439fdb fa8fb7c7 6051f8fb
e0549914 6f0f8c4a 883caff1 a4a09630 450cb2ee 4005c974 33cb6b29 41dfbf9d
ikev2_sa_keys: SK_d with 32 bytes
fc31adcc c427cb46 3514a960 27325b2c 360a1c12 c56e89d0 69c08276 10328918
ikev2_sa_keys: SK_ai with 32 bytes
acf603cb a01ee03c 6500717c 51b11ff4 2b53432f 87077f0e 75943984 3eb2daed
ikev2_sa_keys: SK_ar with 32 bytes
d9434308 f4e379f8 6f72d4f1 7352ffe9 69fce5bf 674e13e0 c8362846 4184be37
ikev2_sa_keys: SK_ei with 16 bytes
90816cf7 d99fe5e2 00052cba 1e7e3ba0
ikev2_sa_keys: SK_er with 16 bytes
89bbc595 4861a77f 77f6c714 4e6ebca6
ikev2_sa_keys: SK_pi with 32 bytes
99036cf1 4b059a8f 98b7b3d1 0a9c632a 7a7263bf fd439fdb fa8fb7c7 6051f8fb
ikev2_sa_keys: SK_pr with 32 bytes
e0549914 6f0f8c4a 883caff1 a4a09630 450cb2ee 4005c974 33cb6b29 41dfbf9d
ikev2_msg_auth: initiator auth data length 622
d6cb201c 319ec2db 00000000 00000000 21202208 00000000 0000022e 220000a0
0000009c 01010011 0300000c 0100000c 800e0100 0300000c 0100000c 800e00c0
0300000c 0100000c 800e0080 03000008 01000003 03000008 02000005 03000008
02000002 03000008 0300000c 03000008 03000002 03000008 0400001f 03000008
04000015 03000008 04000014 03000008 04000013 03000008 04000010 03000008
0400000f 03000008 0400000e 03000008 04000005 00000008 04000002 28000108
000e0000 b4883255 1872588d 3ac96b29 a6e2ae31 6d589662 53e141b0 1c4dea36
f4ca26a7 e6225459 920a271d f0fc72d1 4dbdc2b3 9cf98930 743af0d0 ad469f03
facdd67c 47d18bf4 a27354c1 50a0903c cd362594 a2d2eb69 60f4995e 0ed2fe86
c0649c7c cf315edc 18c41a97 aa9bd2d6 11b3a703 f22cd7ff 09e11abe 03fc133f
974e2687 07fa573c 2169927b fdd734c6 08705389 aeafaef1 0bfb6c83 b717def2
ef59c6ad 029b2fac ee11788d d8bf69f1 7b0ec7ec 8b6d5e2e abfa11bd 0c96875c
f31c7dac 803c1374 8d20a378 c7837cf3 daf2a42a aae92616 4d0d74f1 d12b7b66
5925e322 112b2f9b b135a989 a5081ec6 0eff2f70 06c0dd47 1392c942 5b2a1cd9
b95fda28 29000024 936934be 6466ba6e c40ed978 65141239 f6b59c54 78d2ca81
b29e61c5 c989d4b2 2900001c 00004004 6346b2b4 421d61e6 99b04d1d ed4636fd
1ee8ef56 2900001c 00004005 c7be7640 612e8577 777e90c8 c2497711 fbc17351
0000000e 0000402f 00020003 00041ad4 d2fe3c94 8aace433 40ab60af 88e9f194
6aa84b32 6cbeef83 f46d38ee f2b01ea3 d5161a36 27be8319 2f45ea04 f2aead7c
04836a08 48b886ca 5e453502 7427
sa_stateok: SA_INIT flags 0x0008, require 0x0008 auth
ikev2_next_payload: length 22 nextpayload AUTH
ikev2_next_payload: length 40 nextpayload SA
pfkey_sa_getspi: spi 0xc00ed1e8
pfkey_sa_init: new spi 0xc00ed1e8
ikev2_add_proposals: length 80
ikev2_next_payload: length 84 nextpayload TSi
ikev2_next_payload: length 40 nextpayload TSr
ikev2_next_payload: length 56 nextpayload NONE
ikev2_msg_encrypt: decrypted length 242
27000016 02000000 46572d4d 474d2d31 30362d30 39392100 00280200 000060f0
51b6f594 97d61b41 2dd095ae cfe65d1c 6bd6b087 655bfb5b e3b007cc 8cad2c00
00540000 00500103 0407c00e d1e80300 000c0100 000c800e 01000300 000c0100
000c800e 00c00300 000c0100 000c800e 00800300 00080300 000c0300 00080300
00020300 00080500 00010000 00080500 00002d00 00280200 00000700 00100000
ffff0a0a 0ac80a0a 0acb0700 00100000 ffffc0a8 6463c0a8 64630000 00380300
00000700 00100000 ffffc0a8 6452c0a8 64520700 00100000 ffff0a0a 0ac80a0a
0acb0700 00100000 ffff0a0a 0ac80a0a 0acb
ikev2_msg_encrypt: padded length 256
27000016 02000000 46572d4d 474d2d31 30362d30 39392100 00280200 000060f0
51b6f594 97d61b41 2dd095ae cfe65d1c 6bd6b087 655bfb5b e3b007cc 8cad2c00
00540000 00500103 0407c00e d1e80300 000c0100 000c800e 01000300 000c0100
000c800e 00c00300 000c0100 000c800e 00800300 00080300 000c0300 00080300
00020300 00080500 00010000 00080500 00002d00 00280200 00000700 00100000
ffff0a0a 0ac80a0a 0acb0700 00100000 ffffc0a8 6463c0a8 64630000 00380300
00000700 00100000 ffffc0a8 6452c0a8 64520700 00100000 ffff0a0a 0ac80a0a
0acb0700 00100000 ffff0a0a 0ac80a0a 0acb57e4 029c025e 8e57a343 ed16d70d
ikev2_msg_encrypt: length 243, padding 13, output length 288
c2743f8b 72df05a2 351d9d23 026c9431 b6b6042c d56a382f 059276e5 148c1608
88ca8ccf e046a8d6 4a12896c be7171ee 8c7b8cb5 da678eda 8a99b873 3ae6c11e
921b07a7 70212b48 acf7da4e 42723d05 bb2225a5 b3eea918 fea8e772 dc0e1aa1
723aa248 2ddecaec 51d0d9cc 870b07ee 0cec92de 438f5456 b1f4711b 356c5df9
54cf92df ba8f52ed edab04b4 17319240 d4e4ed34 1bd40a90 6622071c 19a8e681
ab0712fa 54d011f6 0ee719d4 e7e4d0cb 49d439fa aa2bf485 d39eb49a 88c55285
ee658188 cf46080d 54358f57 84449bdf 3d536ead 570cffc8 f62b42da abc62ac6
e130c63b 4c671b8a 5a539916 77f98887 7065adcb 593b28e6 bf9e08af 2bbd3dcb
7d4eaa26 0a10bd01 ed8c7c1d 63377c8c 00000000 00000000 00000000 00000000
ikev2_next_payload: length 292 nextpayload IDi
ikev2_msg_integr: message length 320
d6cb201c 319ec2db b21f151b 48c8a8b0 2e202308 00000001 00000140 23000124
c2743f8b 72df05a2 351d9d23 026c9431 b6b6042c d56a382f 059276e5 148c1608
88ca8ccf e046a8d6 4a12896c be7171ee 8c7b8cb5 da678eda 8a99b873 3ae6c11e
921b07a7 70212b48 acf7da4e 42723d05 bb2225a5 b3eea918 fea8e772 dc0e1aa1
723aa248 2ddecaec 51d0d9cc 870b07ee 0cec92de 438f5456 b1f4711b 356c5df9
54cf92df ba8f52ed edab04b4 17319240 d4e4ed34 1bd40a90 6622071c 19a8e681
ab0712fa 54d011f6 0ee719d4 e7e4d0cb 49d439fa aa2bf485 d39eb49a 88c55285
ee658188 cf46080d 54358f57 84449bdf 3d536ead 570cffc8 f62b42da abc62ac6
e130c63b 4c671b8a 5a539916 77f98887 7065adcb 593b28e6 bf9e08af 2bbd3dcb
7d4eaa26 0a10bd01 ed8c7c1d 63377c8c 00000000 00000000 00000000 00000000
ikev2_msg_integr: integrity checksum length 16
faa3da56 ec16387c 5bb78bc4 1fbe2d8b 9e31055b dfeedcac 5e63c16d e11ccb90
ikev2_pld_parse: header ispi 0xd6cb201c319ec2db rspi 0xb21f151b48c8a8b0 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 320 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 292
ikev2_msg_decrypt: IV length 16
c2743f8b 72df05a2 351d9d23 026c9431
ikev2_msg_decrypt: encrypted payload length 256
b6b6042c d56a382f 059276e5 148c1608 88ca8ccf e046a8d6 4a12896c be7171ee
8c7b8cb5 da678eda 8a99b873 3ae6c11e 921b07a7 70212b48 acf7da4e 42723d05
bb2225a5 b3eea918 fea8e772 dc0e1aa1 723aa248 2ddecaec 51d0d9cc 870b07ee
0cec92de 438f5456 b1f4711b 356c5df9 54cf92df ba8f52ed edab04b4 17319240
d4e4ed34 1bd40a90 6622071c 19a8e681 ab0712fa 54d011f6 0ee719d4 e7e4d0cb
49d439fa aa2bf485 d39eb49a 88c55285 ee658188 cf46080d 54358f57 84449bdf
3d536ead 570cffc8 f62b42da abc62ac6 e130c63b 4c671b8a 5a539916 77f98887
7065adcb 593b28e6 bf9e08af 2bbd3dcb 7d4eaa26 0a10bd01 ed8c7c1d 63377c8c
ikev2_msg_decrypt: integrity checksum length 16
faa3da56 ec16387c 5bb78bc4 1fbe2d8b
ikev2_msg_decrypt: integrity check succeeded
faa3da56 ec16387c 5bb78bc4 1fbe2d8b
ikev2_msg_decrypt: decrypted payload length 256/256 padding 13
27000016 02000000 46572d4d 474d2d31 30362d30 39392100 00280200 000060f0
51b6f594 97d61b41 2dd095ae cfe65d1c 6bd6b087 655bfb5b e3b007cc 8cad2c00
00540000 00500103 0407c00e d1e80300 000c0100 000c800e 01000300 000c0100
000c800e 00c00300 000c0100 000c800e 00800300 00080300 000c0300 00080300
00020300 00080500 00010000 00080500 00002d00 00280200 00000700 00100000
ffff0a0a 0ac80a0a 0acb0700 00100000 ffffc0a8 6463c0a8 64630000 00380300
00000700 00100000 ffffc0a8 6452c0a8 64520700 00100000 ffff0a0a 0ac80a0a
0acb0700 00100000 ffff0a0a 0ac80a0a 0acb57e4 029c025e 8e57a343 ed16d70d
ikev2_pld_payloads: decrypted payload IDi nextpayload AUTH critical 0x00 length 22
ikev2_pld_id: id FQDN/openbsd length 18
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
60f051b6 f59497d6 1b412dd0 95aecfe6 5d1c6bd6 b087655b fb5be3b0 07cc8cad
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 84
ikev2_pld_sa: more 0 reserved 0 length 80 proposal #1 protoid ESP spisize 4 xforms 7 spi 0xc00ed1e8
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 40
ikev2_pld_ts: count 2 length 32
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.10.10.200 end 10.10.10.203
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.1.2 end 192.168.1.2
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 56
ikev2_pld_ts: count 3 length 48
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.1.1 end 192.168.1.1
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.10.10.200 end 10.10.10.203
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.10.10.200 end 10.10.10.203
spi=0xd6cb201c319ec2db: send IKE_AUTH req 1 peer 192.168.1.1:500 local 192.168.1.2:500, 320 bytes
config_free_proposals: free 0xa109e493c80
spi=0xd6cb201c319ec2db: recv IKE_AUTH res 1 peer 192.168.1.1:500 local 192.168.1.2:500, 80 bytes, policy 'opensbd <-> opnsense'
ikev2_recv: ispi 0xd6cb201c319ec2db rspi 0xb21f151b48c8a8b0
ikev2_recv: updated SA to peer 192.168.1.1:500 local 192.168.1.2:500
ikev2_pld_parse: header ispi 0xd6cb201c319ec2db rspi 0xb21f151b48c8a8b0 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 80 response 1
ikev2_pld_payloads: payload SK nextpayload NOTIFY critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
260e41f6 b2b3ccf2 a88153b7 68028f8c
ikev2_msg_decrypt: encrypted payload length 16
8cbef0d1 8f9e70d2 0e183cef 74cd511c
ikev2_msg_decrypt: integrity checksum length 16
6eac2bc8 77478891 3a25ae66 9322718f
ikev2_msg_decrypt: integrity check succeeded
6eac2bc8 77478891 3a25ae66 9322718f
ikev2_msg_decrypt: decrypted payload length 16/16 padding 7
00000008 00000018 c3a50650 7c73fb07
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type AUTHENTICATION_FAILED
ikev2_handle_notifies: AUTHENTICATION_FAILED, closing SA
spi=0xd6cb201c319ec2db: sa_state: SA_INIT -> CLOSED from 192.168.1.1:500 to 192.168.1.2:500 policy 'opensbd <-> opnsense'
ikev2_recv: closing SA
spi=0xd6cb201c319ec2db: sa_free: authentication failed notification from peer
config_free_proposals: free 0xa10e366ff80
2020-10-01T10:10:43 charon[41922]: 14[JOB] <2> deleting half open IKE_SA with 192.168.1.2 after timeout
2020-10-01T10:10:12 charon[41922]: 14[NET] <2> sending packet: from 192.168.1.1[500] to 192.168.1.2[500] (336 bytes)
2020-10-01T10:10:12 charon[41922]: 14[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
2020-10-01T10:10:12 charon[41922]: 14[IKE] <2> remote host is behind NAT
2020-10-01T10:10:12 charon[41922]: 14[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2020-10-01T10:10:12 charon[41922]: 14[IKE] <2> 192.168.1.2 is initiating an IKE_SA
2020-10-01T10:10:12 charon[41922]: 14[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
2020-10-01T10:10:12 charon[41922]: 14[NET] <2> received packet: from 192.168.1.2[500] to 192.168.1.1[500] (430 bytes)
2020-10-01T10:10:10 charon[41922]: 13[NET] <1> sending packet: from 192.168.1.1[500] to 192.168.1.2[500] (38 bytes)
2020-10-01T10:10:10 charon[41922]: 13[ENC] <1> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
2020-10-01T10:10:10 charon[41922]: 13[IKE] <1> DH group CURVE_25519 unacceptable, requesting MODP_2048
2020-10-01T10:10:10 charon[41922]: 13[IKE] <1> remote host is behind NAT
2020-10-01T10:10:10 charon[41922]: 13[CFG] <1> selected proposal: IKE:AES_CBC_1256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2020-10-01T10:10:10 charon[41922]: 13[IKE] <1> 192.168.1.2 is initiating an IKE_SA
2020-10-01T10:10:10 charon[41922]: 13[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
2020-10-01T10:10:10 charon[41922]: 13[NET] <1> received packet: from 192.168.1.2[500] to 192.168.1.1[500] (334 bytes)
2020-10-02T08:11:43 charon[41922]: 15[NET] <10> sending packet: from 192.168.1.1[500] to 192.168.1.2[500] (80 bytes)
2020-10-02T08:11:43 charon[41922]: 15[ENC] <10> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2020-10-02T08:11:43 charon[41922]: 15[CFG] <10> no matching peer config found
2020-10-02T08:11:43 charon[41922]: 15[CFG] <10> looking for peer configs matching 192.168.1.1[%any]...192.168.1.2[OpenBSD]
2020-10-02T08:11:43 charon[41922]: 15[ENC] <10> parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]
2020-10-02T08:11:43 charon[41922]: 15[NET] <10> received packet: from 192.168.1.2[500] to 192.168.1.1[500] (272 bytes)
2020-10-02T08:11:43 charon[41922]: 15[NET] <10> sending packet: from 192.168.1.1[500] to 192.168.1.2[500] (240 bytes)
2020-10-02T08:11:43 charon[41922]: 15[ENC] <10> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
2020-10-02T08:11:43 charon[41922]: 15[IKE] <10> remote host is behind NAT
2020-10-02T08:11:43 charon[41922]: 15[CFG] <10> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
2020-10-02T08:11:43 charon[41922]: 15[IKE] <10> 192.168.1.2 is initiating an IKE_SA
2020-10-02T08:11:43 charon[41922]: 15[ENC] <10> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
2020-10-02T08:11:43 charon[41922]: 15[NET] <10> received packet: from 192.168.1.2[500] to 192.168.1.1[500] (222 bytes)
# OpenBSD: cat /etc/iked.conf
ikev2 "opensbd <-> opnsense" active esp \
        from 10.1.1.2/30 to 10.1.1.1/30 \
        from 10.1.1.2/30 to 192.168.1.2 \
        from 192.168.1.1 to 10.1.1.1/30 \
        peer 192.168.1.2 \
        ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group curve25519 \
        childsa auth hmac-sha2-256 enc aes-256 group curve25519 \
        psk "password"
I tried to change it, but then unfortunately the OpenBSD side no longer parses my config. Where do I have to change it on the OPNsense?
Could it be that I have a problem with NAT?
Quote:
charon[41922]: 09[IKE] <24> remote host is behind NAT
+-----------------+             (network)              +----------------+
|     OpenBSD     | ---------------------------------- |    OPNsense    |
+-----------------+  \                            /    +----------------+
   :                  \                          /                     :
   :              eth0 (LAN)                hn0 (LAN)                  :
   :             192.168.1.2               192.168.1.1                 :
   :                                                                   :
   :             1.1.1.2/30                10.1.1.1/30                 :
   :             (vether2)         (virtual interface on hn0)          :
   :...................................................................:
                        VPN tunnel (iked -- ipsec)
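The "remote host is behind NAT" line can be checked against the iked -dvvv output above. The block below is an added example, not code from this thread or from iked/strongSwan: it recomputes the NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notify values per RFC 7296 section 2.23 (SHA-1 over SPIi | SPIr | IP address | port) from the SPIs and hashes printed in the second IKE_SA_INIT exchange (ispi 0xd6cb201c319ec2db). The log shows iked hashing its source as 0.0.0.0:500 ("local source ... 0.0.0.0:500", because the policy has "local any"), while charon recomputes the same notify over the address the packet actually arrived from, 192.168.1.2:500; the two differ, so charon concludes NAT even though no NAT is in the path.

```python
"""Recompute the NAT_DETECTION_*_IP notifies seen in the iked -dvvv output above.

RFC 7296, section 2.23: the notify data is SHA-1(SPIi | SPIr | IP address | port),
SPIs in the order they appear in the IKE header, address and port in network
byte order.  All SPIs and hash values below are copied from the second
IKE_SA_INIT exchange in the log (ispi 0xd6cb201c319ec2db); nothing is invented.
"""
import hashlib
import ipaddress
import struct

SPI_I = bytes.fromhex("d6cb201c319ec2db")
SPI_R_UNKNOWN = bytes(8)                        # request: responder SPI is still zero
SPI_R = bytes.fromhex("b21f151b48c8a8b0")       # assigned by charon in the response

# Notify data as printed by iked (spaces between 32-bit words removed).
IKED_SOURCE = "6346b2b4421d61e699b04d1ded4636fd1ee8ef56"         # sent by iked, hashed over 0.0.0.0:500
IKED_DESTINATION = "c7be7640612e8577777e90c8c2497711fbc17351"    # sent by iked, hashed over 192.168.1.1:500
CHARON_SOURCE = "d309b24f37588c0d904a2375afb78de9fefaeba9"       # sent by charon, over 192.168.1.1:500
CHARON_DESTINATION = "baec55589152776e40f161a564f30f09563472fe"  # sent by charon, over 192.168.1.2:500


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> str:
    """SHA-1(SPIi | SPIr | IP | port) as carried in a NAT_DETECTION_*_IP notify."""
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).hexdigest()


def check_log_values() -> dict:
    """Recompute each logged hash from the address each side used.

    Every value reproduces except the initiator source hash recomputed over
    192.168.1.2: iked hashed 0.0.0.0 (policy "local any"), charon hashes the
    address it received the packet from, hence "remote host is behind NAT".
    """
    return {
        "iked_source_over_0.0.0.0":
            nat_detection_hash(SPI_I, SPI_R_UNKNOWN, "0.0.0.0", 500) == IKED_SOURCE,
        "iked_source_over_192.168.1.2":
            nat_detection_hash(SPI_I, SPI_R_UNKNOWN, "192.168.1.2", 500) == IKED_SOURCE,
        "iked_destination":
            nat_detection_hash(SPI_I, SPI_R_UNKNOWN, "192.168.1.1", 500) == IKED_DESTINATION,
        "charon_source":
            nat_detection_hash(SPI_I, SPI_R, "192.168.1.1", 500) == CHARON_SOURCE,
        "charon_destination":
            nat_detection_hash(SPI_I, SPI_R, "192.168.1.2", 500) == CHARON_DESTINATION,
    }


def charon_sees_nat() -> bool:
    """charon's test: initiator is 'behind NAT' if its source hash does not
    match a hash over the source address the packet really came from."""
    return nat_detection_hash(SPI_I, SPI_R_UNKNOWN, "192.168.1.2", 500) != IKED_SOURCE


if __name__ == "__main__":
    for name, ok in check_log_values().items():
        print(f"{name:30s} {'matches log' if ok else 'MISMATCH'}")
    print("charon would log 'remote host is behind NAT':", charon_sees_nat())
```

Run it with python3. The NAT misdetection does not by itself break the handshake (charon still answered IKE_SA_INIT and parsed IKE_AUTH); pinning the source address in the iked policy with `local 192.168.1.2` should make iked hash its real address instead of 0.0.0.0 (an assumption drawn from the log, not something the thread confirms). The AUTHENTICATION_FAILED comes later and for a different reason, visible in the charon log: `looking for peer configs matching 192.168.1.1[%any]...192.168.1.2[OpenBSD]` followed by `no matching peer config found`. iked sends an FQDN identity (`ikev2_policy2id: srcid FQDN/...`), whereas the OPNsense Phase 1 expects `Peer identifier: IP address 192.168.1.2`, so charon never finds the PSK entry for that identity pair. Either set the OPNsense peer identifier to the FQDN iked sends, or add `srcid 192.168.1.2` to the iked policy so that IDi matches what OPNsense is configured for.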
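The key derivation that the iked debug output prints step by step (DHSECRET, SKEYSEED, T1..T6, SK_*) can be reproduced from the nonces, SPIs and DH secret in the log. The block below is an added example, not code from the thread or from iked/strongSwan; it implements RFC 7296 section 2.14 with the negotiated PRF_HMAC_SHA2_256 and compares the result with the values iked printed. That charon decrypted and parsed the IKE_AUTH request (`[ IDi AUTH SA TSi TSr ]`) already shows both sides agreed on the same keys; recomputing them confirms the failure is an identity/policy problem rather than a key-agreement one. It also shows why a -dvvv log is sensitive material: with these values anyone holding a capture can decrypt that SA's IKE_AUTH messages.

```python
"""Re-derive the IKE SA key material that iked -dvvv prints (SKEYSEED, prf+, SK_*).

RFC 7296, section 2.14, with PRF_HMAC_SHA2_256 (example code, not iked's):
    SKEYSEED = prf(Ni | Nr, g^ir)
    {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr}
        = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)
    prf+(K, S) = T1 | T2 | ...   T1 = prf(K, S | 0x01),  Tn = prf(K, Tn-1 | S | n)
Key lengths for AES_CBC 128 / HMAC_SHA2_256_128 / PRF_HMAC_SHA2_256:
SK_d 32, SK_ai/SK_ar 32, SK_ei/SK_er 16, SK_pi/SK_pr 32 = 192 bytes of prf+ output.
Every hex constant below is copied from the log above.
"""
import hashlib
import hmac


def h(text: str) -> bytes:
    """Parse hex as iked prints it (32-bit words separated by spaces/newlines)."""
    return bytes.fromhex("".join(text.split()))


NI = h("936934be 6466ba6e c40ed978 65141239 f6b59c54 78d2ca81 b29e61c5 c989d4b2")
NR = h("1ad4d2fe 3c948aac e43340ab 60af88e9 f1946aa8 4b326cbe ef83f46d 38eef2b0")
SPI_I = h("d6cb201c 319ec2db")
SPI_R = h("b21f151b 48c8a8b0")
DHSECRET = h("""
7e2d4983 2a66063e b329e47e 50ec0b8c 18fc5575 b7403cee 5ea49e99 ad4472bd
a1ed92f0 87aaa7d2 718582ff fccee9a2 a82580dd dd197d11 da34fe1f 6061c50f
e906e4ad 21336008 f7d94d9d b267a214 7777b1ed fe830723 7a53bd71 aec560df
b195572f 4590e5d5 afb57d57 87225380 f5592066 c4a553c0 d27a5229 7eb90172
36f59705 b0ed284f 1f16ba26 ff81c509 d48f8d0b 43596a0a 6d5271b2 a0ceee53
fc391361 84e6a991 1a32150e df392abc a8dd8986 7a6ff16d 134cb795 f4acbffb
1750be6e e6ece6f0 ba1f699b 22f93d1d b49fd56a 4e378c49 f97c3891 cc7cb52d
79abf3f8 c3933c0c 14af4b31 618ce3b1 3226b99f 742ec048 5f82d8a3 fe89cd57
""")

# What iked printed for this SA; used to check the derivation.
LOGGED = {
    "SKEYSEED": h("868deab3 d70fa612 1e9ba672 fd2a284e 861f4650 498b43e4 a27142cb 768cbf72"),
    "SK_d":  h("fc31adcc c427cb46 3514a960 27325b2c 360a1c12 c56e89d0 69c08276 10328918"),
    "SK_ai": h("acf603cb a01ee03c 6500717c 51b11ff4 2b53432f 87077f0e 75943984 3eb2daed"),
    "SK_ar": h("d9434308 f4e379f8 6f72d4f1 7352ffe9 69fce5bf 674e13e0 c8362846 4184be37"),
    "SK_ei": h("90816cf7 d99fe5e2 00052cba 1e7e3ba0"),
    "SK_er": h("89bbc595 4861a77f 77f6c714 4e6ebca6"),
    "SK_pi": h("99036cf1 4b059a8f 98b7b3d1 0a9c632a 7a7263bf fd439fdb fa8fb7c7 6051f8fb"),
    "SK_pr": h("e0549914 6f0f8c4a 883caff1 a4a09630 450cb2ee 4005c974 33cb6b29 41dfbf9d"),
}


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))     # T1 = prf(K, S|1), Tn = prf(K, Tn-1|S|n)
        out += t
        n += 1
    return out[:length]


def derive_ike_keys(ni, nr, spi_i, spi_r, g_ir, enc_len=16, integ_len=32, prf_len=32) -> dict:
    """Return SKEYSEED and the seven SK_* keys, sliced from prf+ in RFC order."""
    skeyseed = prf(ni + nr, g_ir)
    sizes = [("SK_d", prf_len), ("SK_ai", integ_len), ("SK_ar", integ_len),
             ("SK_ei", enc_len), ("SK_er", enc_len), ("SK_pi", prf_len), ("SK_pr", prf_len)]
    keymat = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(n for _, n in sizes))
    keys, off = {"SKEYSEED": skeyseed}, 0
    for name, n in sizes:
        keys[name] = keymat[off:off + n]
        off += n
    return keys


def compare_with_log() -> dict:
    """True for each key that matches the value iked printed."""
    derived = derive_ike_keys(NI, NR, SPI_I, SPI_R, DHSECRET)
    return {name: derived[name] == LOGGED[name] for name in LOGGED}


if __name__ == "__main__":
    for name, ok in compare_with_log().items():
        print(f"{name:9s} {'ok' if ok else 'MISMATCH'}")
```

Run it with python3; every line should print ok. The ESP keys are not in this log, but they are derived the same way (KEYMAT = prf+(SK_d, Ni | Nr) per RFC 7296 section 2.17), which is why SK_d in particular should never end up in a forum post.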