# OpenIKED



## abishai (Jan 23, 2017)

I've noticed that OpenIKED was ported to FreeBSD, so I wanted to try it to see if I can migrate from Strongswan.

I generated a sample CA and the necessary keys; however, both tests (OpenIKED <> OpenIKED and OpenIKED <> Strongswan) failed.

1. OpenIKED - OpenIKED. I couldn't even try to connect to the server!
The log I got:

```
ca_privkey_serialize: type RSA_KEY length 1193
ca_pubkey_serialize: type RSA_KEY length 270
pledge: pid 60429 promises: stdio cpath unix
ca_reload: loaded ca file vpn-ca.crt
pledge: pid 60430 promises: stdio inet recvfd
ca_reload: loaded crl file vpn-ca.crl
ca_reload: **************** root 
CA/emailAddress=********
ca_reload: loaded 1 ca certificate
/usr/local/etc/iked.conf: 1 policy; 0 users
ca_reload: loaded cert file a888888888.crt
udp_bind: failed to get UDP socket: Address family not supported by protocol family
udp_bind: failed to get UDP socket: Address family not supported by protocol family
pledge: pid 60421 promises: stdio rpath proc dns inet route sendfd exec
config_setapply: action=0
ikev2 "policy1" active esp inet from 192.168.0.0/16 to 0.0.0.0/0 local any peer ****** ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid ********
lifetime 10800 bytes 536870912 rsa
config_setapply: action=2
config_free_flows: free 0x802096280
config_free_proposals: free 0x802082050
config_free_proposals: free 0x8020820a0
config_getpfkey: received pfkey fd 3
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getapply: action=0
config_getpolicy: received policy
config_getapply: action=2
ca_validate_cert: ******************** ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_policy_load_flows: "policy1": loading flow 0x802096280
pfkey_flow: flow with policy id 0x0
ikev2_policy_load_flows: flow 0x802096280 loaded
ikev2_init_ike_sa: "policy1": initiating
ikev2_policy2id: srcid FQDN/sphinx.abinet.ru length 20
ikev2_add_proposals: length 116
ikev2_next_payload: length 120 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xe2a561e9d6ea90e5 0x0000000000000000 any
ikev2_init_ike_sa_peer: closing SA
sa_free: ispi 0xe2a561e9d6ea90e5 rspi 0x0000000000000000
ikev2_init_ike_sa: failed to initiate with peer 5.2.75.89
```
An absolutely uninformative error. On the server side there are no packets at all.
The config is:

```
ikev2 active esp \
   from 192.168.0.0/16 to 0.0.0.0/0 \
   peer ******** \
   srcid sphinx.abinet.ru
```

2. The second attempt was with Strongswan on the client side.
Results are better; at least Strongswan tries to do something.
Here are the logs from the server side:

```
abishai@vpn:~ % doas iked -d -vvv
ca_privkey_serialize: type RSA_KEY length 1190
ca_pubkey_serialize: type RSA_KEY length 270
ca_reload: loaded ca file vpn-ca.crt
pledge: pid 1156 promises: stdio cpath unix
ca_reload: loaded crl file vpn-ca.crl
pledge: pid 1157 promises: stdio inet recvfd
ca_reload: ******* root CA/emailAddress=********
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file vpn.*********.crt
ca_validate_cert: ****************** ok
ca_reload: local cert type X509_CERT
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
create_ike: unknown address family
/usr/local/etc/iked.conf: 1 policy; 0 users
pledge: pid 1154 promises: stdio rpath proc dns inet route sendfd exec
config_setapply: action=0
ikev2 "policy1" passive esp inet from 0.0.0.0/0 to 192.168.0.0/16 from 0.0.0.0/0 to 10.0.0.0/8 local ******** peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid vpn.******** lifetime 10800 bytes 536870912 rsa tag "IKED"
config_setapply: action=2
config_free_flows: free 0x80209e500
config_free_flows: free 0x80209e280
config_free_proposals: free 0x802081050
config_free_proposals: free 0x8020810a0
config_getocsp: ocsp_url none
config_getpfkey: received pfkey fd 3
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getapply: action=0
config_getpolicy: received policy
config_getapply: action=2
ikev2_recv: IKE_SA_INIT request from initiator 217.118.78.113:46528 to *******:500 policy 'policy1' id 0, 1156 bytes
ikev2_recv: ispi 0x2cd04a899ca4d3d5 rspi 0x0000000000000000
ikev2_policy2id: srcid FQDN/vpn.******** length 17
ikev2_pld_parse: header ispi 0x2cd04a899ca4d3d5 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 1156 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 612
ikev2_pld_sa: more than one proposal specified
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_3072
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 392
ikev2_pld_ke: dh group MODP_3072 reserved 0
98a76d4f 029b4ed7 2cd8f338 a7c96ce0 4674ab06 615f2d7d c93857d5 66895845
snip
33f9fe0c f86893d0 2933c70d 588b60b2 943dda80 c3e6937c 7cfe2e52 4ef67577
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
46256968 6331b31b bcc0933d f931ddd0 c602f780 3a0314ff 129334a7 04428165
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
0c93bc5f ceb21501 7d12ab12 cb01c484 3530392e
ikev2_nat_detection: peer source 0x2cd04a899ca4d3d5 0x0000000000000000 217.118.78.113:46528
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
6fa6bac0 c12fbf9f ac35c2d4 12b7eb9f 1c004d25
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
490df9d2 7e63e0cc 12309f2c fd4da863 c0360a10
ikev2_nat_detection: peer destination 0x2cd04a899ca4d3d5 0x0000000000000000 *******:500
490df9d2 7e63e0cc 12309f2c fd4da863 c0360a10
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type <UNKNOWN:16430>
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
00010002 00030004
ikev2_pld_notify: signature hash SHA1 (1)
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
sa_state: INIT -> SA_INIT
ikev2_match_proposals: xform 1 <-> 1 (7): ENCR AES_CBC (keylength 128 <-> 0) 128
ikev2_match_proposals: xform 1 <-> 1 (1): INTEGR HMAC_SHA2_256_128 (keylength 0 <-> 0)
ikev2_match_proposals: xform 1 <-> 1 (1): PRF HMAC_SHA2_256 (keylength 0 <-> 0)
ikev2_sa_negotiate: score 0
ikev2_sa_responder: no proposal chosen
ikev2_resp_recv: failed to get IKE SA keys
sa_state: SA_INIT -> CLOSED from 217.118.78.113 to ******** policy 'policy1'
config_free_proposals: free 0x8020810f0
```
Slightly better, though not very understandable. They didn't negotiate the auth-enc-prf-dh proto, but who is wrong?

```
ikev2_match_proposals: xform 1 <-> 1 (7): ENCR AES_CBC (keylength 128 <-> 0) 128
ikev2_match_proposals: xform 1 <-> 1 (1): INTEGR HMAC_SHA2_256_128 (keylength 0 <-> 0)
ikev2_match_proposals: xform 1 <-> 1 (1): PRF HMAC_SHA2_256 (keylength 0 <-> 0)
```
These proposals are from the remote side (strongswan); however, those 0 <-> 0 look tricky to me.

Anyone familiar with OpenIKED?


----------
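An added example, not part of the original post or of OpenIKED: a small Python check that reads the responder's debug log and lists which of the peer's logged transforms have no counterpart in the local `ikesa` lists printed on the policy line. The function names and the mapping from logged ids (such as `MODP_3072`) to policy-line spellings (such as `modp3072`) are assumptions made for this example, and only the transforms the log actually prints are compared.

```python
import re

# Lines copied from the responder log in the post above (masking as posted),
# trimmed to the policy line and the peer's logged proposal #1.
LOG = """\
ikev2 "policy1" passive esp inet from 0.0.0.0/0 to 192.168.0.0/16 from 0.0.0.0/0 to 10.0.0.0/8 local ******** peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 srcid vpn.******** lifetime 10800 bytes 536870912 rsa tag "IKED"
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_3072
"""

# Transform type in the debug log -> keyword in the printed policy line.
KEYWORD = {"ENCR": "enc", "PRF": "prf", "INTEGR": "auth", "DH": "group"}

def local_ikesa(log):
    """Return {keyword: set(names)} from the 'ikesa ... childsa' part of the policy."""
    part = re.search(r" ikesa (.*?) childsa ", log).group(1)
    return {k: set(v.split(",")) for k, v in
            re.findall(r"\b(enc|prf|auth|group) (\S+)", part)}

def peer_xforms(log):
    """Return [type, id, keylen] for each transform the peer sent, in order."""
    found = []
    for line in log.splitlines():
        m = re.match(r"ikev2_pld_xform: .* type (\w+) id (\w+)", line)
        if m:
            found.append([m.group(1), m.group(2), None])
            continue
        m = re.match(r"ikev2_pld_attr: attribute type KEY_LENGTH length (\d+)", line)
        if m and found:
            found[-1][2] = m.group(1)  # key length belongs to the previous transform
    return found

def conf_name(xtype, xid, keylen):
    """Assumed mapping from a logged transform id to its policy-line spelling."""
    if xtype == "ENCR" and xid == "AES_CBC":
        return f"aes-{keylen}"
    if xtype == "INTEGR":
        xid = re.sub(r"_(96|128|192|256)$", "", xid)  # drop truncation length
    if xtype == "DH":
        xid = xid.replace("_", "", 1)  # MODP_3072 -> MODP3072
    return xid.lower().replace("_", "-")

def unmatched(log):
    """Peer transforms that have no counterpart in the local ikesa lists."""
    local = local_ikesa(log)
    return [(t, conf_name(t, i, k)) for t, i, k in peer_xforms(log)
            if conf_name(t, i, k) not in local.get(KEYWORD.get(t), set())]

if __name__ == "__main__":
    print(unmatched(LOG))
```

On the lines from this post, the only transform left unmatched is the peer's DH group, which is consistent with the log printing `ikev2_match_proposals` lines for ENCR, INTEGR and PRF but none for DH.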

