reyk / openiked Goto Github PK

Hi there,

I got this strange error on a clean OpenBSD 6.3 GENERIC#490 i386 (iked,v 1.6 2018/01/11)

/etc/iked.conf

ikev2 test \
        esp     from 0.0.0.0/0 to 0.0.0.0/0 peer 172.16.0.1 \
        ikesa enc aes-128-gcm group ecp256 \
        srcid jack \
        dstid 172.16.0.1

/sbin/iked -dvv

/etc/iked.conf: 3: aes-128-gcm not a valid transform
ca exiting, pid 374
control exiting, pid 19575
ikev2 exiting, pid 6367
Segmentation fault (core dumped)

any suggestions?

There is some parts of the config format that isn't documented, but is used in the examples. More specifically there is a config directive that seams to allow set DHCP/DNS/IP options, and I guess it's related to MODE_CFG.

It would be nice if it was properly documented, as well as additional examples.

user "test" "password123" 

ikev2 "win7" esp \ 
    from 0.0.0.0/0 to 172.16.2.0/24 \ 
    peer 10.0.0.0/8 local 192.168.56.0/24 \ 
    eap "mschap-v2" \ 
    config address 172.16.2.1 \ # This isn't documented
    tag "$name-$id"

OpenIKED treats the least significant bit of the reserved field of the generic payload header as the critical bit - this is incorrect according to the RFCs and according to a number of other implementations. Fix would involved defining the critical bit as 0x80 or 0x1 << 7.

I had the ikesa and childsa at a different position, and the configuration file failed to parse. It was not obvious this was due to the order of the "sections".

This fails:

ikev2 test esp
from 10.0.1.0/24 to 10.0.2.0/24
local 1.2.3.4 peer 5.6.7.8
srcid foo dstid bar
ikesa enc aes-256 auth hmac-sha2-256 group esp256
childsa enc aes-128-gcm
psk test
tag FOO

but this works:

ikev2 test esp
from 10.0.1.0/24 to 10.0.2.0/24
local 1.2.3.4 peer 5.6.7.8
ikesa enc aes-256 auth hmac-sha2-256 group esp256
childsa enc aes-128-gcm
srcid foo dstid bar
psk test
tag FOO