I am having issues setting up highly secure but still high-performance IKEv2 tunnels between multiple data centers on OpenBSD nodes, using very strict security features and allowing only a very narrow window of cryptographic algorithms, as seen in my config file below.
For debugging purposes, I have set up two nodes as follows:
# cat /etc/iked.conf
local_gw="[LocalGatewayIPv4]"
local_subnet="10.1.11.0/18"
remote_gw="[RemoteGatewayIPv4]"
remote_subnet="10.1.11.64/18"
set fragmentation
set enforcesingleikesa
set nomobike
ikev2 'IKEv2 VPN' ipcomp esp \
from $local_subnet to $remote_subnet \
from $remote_subnet to $local_subnet \
local egress peer $remote_gw \
ikesa \
auth hmac-sha2-512 \
enc aes-256 \
prf hmac-sha2-512 \
group curve25519 \
psk "{a-debugging-only-psk-key-of-128-character-wide-alphanumeric-hash-with-decent-number-of-punctuations-and-symbols}" \
config protected-subnet 0.0.0.0/0 \
# config address is 10.1.11.65 on the other node
config address 10.1.11.66 \
config netmask 255.255.255.192 \
tag "IKEv2"
I have also set /etc/hostname.enc0 accordingly:
inet 10.1.11.65 255.255.255.192 10.1.11.127 description "IKEv2 VPN Site #1 Subnet"
up
On the other node:
inet 10.1.11.66 255.255.255.192 10.1.11.127 description "IKEv2 VPN Site #2 Subnet"
up
And /etc/sysctl.conf is as follows:
# cat /etc/sysctl.conf
#########################################################
# General NAT #
#########################################################
# Packet forwarding
net.inet.ip.forwarding=1
#########################################################
# VPN #
#########################################################
# Enable AH and ESP protocols for IKEv2
net.inet.ah.enable=1
net.inet.esp.enable=1
# Enable packet compression
net.inet.ipcomp.enable=1
The issue
According to the iked.conf manual (if I have understood it correctly), OpenIKED should activate the ones specified in the config file under the ikesa option and disable the default ones:
Possible values for auth, enc, prf, group, and the default proposals are described below in CRYPTO TRANSFORMS. If omitted, iked(8) will use the default proposals for the IKEv2 protocol.
But when I invoke iked -dv for debugging purposes, I receive the following output:
# iked -dv
ikev2 "IKEv2 VPN" passive ipcomp tunnel esp inet from 10.1.11.0/18 to 10.1.11.64/18 local 10.1.11.0/18 peer 10.1.11.64/18 ikesa enc aes-128-gcm,aes-256-gcm prf hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 auth hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 childsa enc aes-128-gcm,aes-256-gcm esn,noesn childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 esn,noesn lifetime 10800 bytes 536870912 signature
In other words, it does not remove the default ones from use. I have also added set enforcesingleikesa, but as far as I can tell it is being completely ignored.
Why is this happening?
If you could help me: may my gratitude chase you forever.
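As an added example (not part of the question and not OpenIKED code), here is a small checker that parses the policy line iked -dv prints and reports every transform that falls outside the narrow allow-list the iked.conf above intends. The sample policy line is the question's output re-joined onto one line; the allow-list and the function names are my own.

```python
import re

# Constructed sample: the policy line from `iked -dv` in the question, re-joined (the terminal wrapped it).
SAMPLE_POLICY = (
    'ikev2 "IKEv2 VPN" passive ipcomp tunnel esp inet from 10.1.11.0/18 to 10.1.11.64/18 '
    'local 10.1.11.0/18 peer 10.1.11.64/18 '
    'ikesa enc aes-128-gcm,aes-256-gcm prf hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 '
    'group curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 '
    'ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 '
    'auth hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 '
    'group curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024 '
    'childsa enc aes-128-gcm,aes-256-gcm esn,noesn '
    'childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 esn,noesn '
    'lifetime 10800 bytes 536870912 signature'
)

# The IKE SA transforms the iked.conf in the question intends to allow (assumption: nothing else).
ALLOWED_IKESA = {"auth": {"hmac-sha2-512"}, "enc": {"aes-256"},
                 "prf": {"hmac-sha2-512"}, "group": {"curve25519"}}

TRANSFORM_KEYS = ("enc", "prf", "auth", "group")

def parse_proposals(policy_line, sa="ikesa"):
    """Return one {transform: set(algorithms)} dict per `<sa>` proposal block in the policy line."""
    proposals, tokens, i = [], policy_line.split(), 0
    while i < len(tokens):
        if tokens[i] != sa:
            i += 1
            continue
        block, i = {}, i + 1
        # A proposal block is a run of "<key> <alg,alg,...>" pairs; anything else (esn, lifetime, next sa) ends it.
        while i + 1 < len(tokens) and tokens[i] in TRANSFORM_KEYS:
            block[tokens[i]] = set(tokens[i + 1].split(","))
            i += 2
        proposals.append(block)
    return proposals

def disallowed_transforms(policy_line, allowed, sa="ikesa"):
    """Map transform -> sorted algorithms that appear in any proposal but are not in the allow-list."""
    found = {}
    for block in parse_proposals(policy_line, sa):
        for key, algs in block.items():
            extra = algs - allowed.get(key, set())
            if extra:
                found.setdefault(key, set()).update(extra)
    return {key: sorted(algs) for key, algs in found.items()}

if __name__ == "__main__":
    for key, algs in disallowed_transforms(SAMPLE_POLICY, ALLOWED_IKESA).items():
        print(f"ikesa {key}: not in allow-list -> {', '.join(algs)}")
```

Pipe the real output in with the line re-joined (for example `iked -dv 2>&1 | tr -d '\n'`) and an empty result means the loaded policy only offers the intended transforms.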