List:       openbsd-misc
Subject:    Re: how to debug iked failures?
From:       Ryan Slack <ryan () evine ! ca>
Date:       2014-09-27 2:48:40
Message-ID: CAAusF_EXNZwtqoTr82sj8fwzej=7jnNA7ffqeLDoNrrjGn-N-w () mail ! gmail ! com

The iked.conf, output/logs from iked running -v, and a description of
client setup would help.

Don't forget to include your PSK. >:-)

On Thu, Sep 25, 2014 at 1:09 AM, Artem Falcon <lomka@gero.in> wrote:

> Markus Wernig <listener@wernig.net>:
>
> > ...
> > But the client is unable to connect to the VPN GW, and I just can't find
> > out what's going wrong. Unfortunately there are two ways it is failing:
> >
> > 1) Client sends IKEv2 msg IKE_SA_INIT on Port 500, VPN GW replies with
> > IKE_SA_INIT and CertReq, *then client sends IKE_AUTH. But to this packet
> > the VPN GW never replies, and the client resends until it times out*. I
> > see in the client log that it is selecting and sending the john@doe.com
> > certificate. In the VPN GW logs I get:
> >
> > Aug  9 08:40:35 tunnel iked[18255]: ikev2_recv: IKE_SA_INIT from
> > initiator A.B.C.D:34276 to 10.x.y.z:500 policy 'johndoevpn' id 0, 1048 bytes
> > Aug  9 08:40:35 tunnel iked[18255]: ikev2_msg_send: IKE_SA_INIT from
> > 10.x.y.z:500 to A.B.C.D:34276, 457 bytes
> > Aug  9 08:40:35 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator
> > A.B.C.D:4500 to 10.x.y.z:4500 policy 'johndoevpn' id 1, 2320 bytes
> > Aug  9 08:40:39 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator
> > A.B.C.D:4500 to 10.x.y.z:4500 policy 'johndoevpn' id 1, 2320 bytes
> > Aug  9 08:40:46 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator
> > A.B.C.D:4500 to 10.x.y.z:4500 policy 'johndoevpn' id 1, 2320 bytes
> > Aug  9 08:40:59 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator
> > A.B.C.D:4500 to 10.x.y.z:4500 policy 'johndoevpn' id 1, 2320 bytes
> > ...
>
> Hi, folks!
>
> I have the same failing scenario when using BlackBerry 10 client.
> OpenIKED is from -current. Ikeauth mode is PSK (yeah, insecure).
>
> Any ideas what it may be and how to fix it?
> Thanks.
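
An added example, not part of the thread or of OpenIKED: one way to spot the symptom in the quoted log, where IKE_AUTH keeps arriving with the same message id and the gateway never sends an IKE_AUTH back. The sample lines are constructed with documentation addresses in the two line shapes quoted above; because the quoted `ikev2_msg_send` lines carry no message id, replies are matched by exchange type and peer IP (an assumption), which also tolerates the port change from 34276 to 4500.

```python
import re
from collections import defaultdict

# Patterns follow the two iked log line shapes quoted in the thread.
RECV = re.compile(r"ikev2_recv: (\w+) from initiator (\S+):(\d+) to (\S+):(\d+) "
                  r"policy '([^']*)' id (\d+), (\d+) bytes")
SEND = re.compile(r"ikev2_msg_send: (\w+) from (\S+):(\d+) to (\S+):(\d+), (\d+) bytes")

# Constructed sample input (documentation addresses), not from a real gateway.
SAMPLE = """\
Aug  9 08:40:35 tunnel iked[18255]: ikev2_recv: IKE_SA_INIT from initiator 192.0.2.10:34276 to 198.51.100.5:500 policy 'johndoevpn' id 0, 1048 bytes
Aug  9 08:40:35 tunnel iked[18255]: ikev2_msg_send: IKE_SA_INIT from 198.51.100.5:500 to 192.0.2.10:34276, 457 bytes
Aug  9 08:40:35 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator 192.0.2.10:4500 to 198.51.100.5:4500 policy 'johndoevpn' id 1, 2320 bytes
Aug  9 08:40:39 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator 192.0.2.10:4500 to 198.51.100.5:4500 policy 'johndoevpn' id 1, 2320 bytes
Aug  9 08:40:46 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator 192.0.2.10:4500 to 198.51.100.5:4500 policy 'johndoevpn' id 1, 2320 bytes
Aug  9 08:40:59 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator 192.0.2.10:4500 to 198.51.100.5:4500 policy 'johndoevpn' id 1, 2320 bytes
"""

def unanswered_requests(log_text, min_repeats=2):
    """Return requests received >= min_repeats times with no reply of that type."""
    recv = defaultdict(int)  # (exchange, peer_ip, msg_id) -> times received
    sent = set()             # (exchange, peer_ip) the gateway replied to
    for line in log_text.splitlines():
        m = RECV.search(line)
        if m:
            # Key on peer IP only: the source port changes once NAT-T moves to 4500.
            recv[(m.group(1), m.group(2), int(m.group(7)))] += 1
            continue
        m = SEND.search(line)
        if m:
            sent.add((m.group(1), m.group(4)))
    return [
        {"exchange": ex, "peer": peer, "msg_id": mid, "received": n}
        for (ex, peer, mid), n in recv.items()
        if n >= min_repeats and (ex, peer) not in sent
    ]

if __name__ == "__main__":
    for hit in unanswered_requests(SAMPLE):
        print("no reply sent:", hit)
```

A hit only shows that the gateway logged no reply at this verbosity; the reason it stayed silent has to come from more verbose iked output.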
