
I am having issues setting up highly secure but still high-performance IKEv2 tunnels between multiple data centers on OpenBSD nodes, using very strict security features and allowing only a very narrow window of cryptographic algorithms, as seen in my config file below.

For debugging purposes, I have set up two nodes as follows:

# cat /etc/iked.conf
local_gw="[LocalGatewayIPv4]"
local_subnet="10.1.11.0/18"

remote_gw="[RemoteGatewayIPv4]"
remote_subnet="10.1.11.64/18"

set fragmentation
set enforcesingleikesa
set nomobike

# config address is 10.1.11.66 on this node and 10.1.11.65 on the other node
ikev2 'IKEv2 VPN' ipcomp esp \
  from $local_subnet to $remote_subnet \
  from $remote_subnet to $local_subnet \
  local egress peer $remote_gw \
  ikesa \
    auth hmac-sha2-512 \
    enc aes-256 \
    prf hmac-sha2-512 \
    group curve25519 \
  psk "{a-debugging-only-psk-key-of-128-character-wide-alphanumeric-hash-with-decent-number-of-punctuations-and-symbols}" \
  config protected-subnet 0.0.0.0/0 \
  config address 10.1.11.66 \
  config netmask 255.255.255.192 \
  tag "IKEv2"

I have also set the /etc/hostname.enc0 accordingly:

inet 10.1.11.65 255.255.255.192 10.1.11.127 description "IKEv2 VPN Site #1 Subnet"
up

On the other node:

inet 10.1.11.66 255.255.255.192 10.1.11.127 description "IKEv2 VPN Site #2 Subnet"
up

And /etc/sysctl.conf as follows:

# cat /etc/sysctl.conf
#########################################################
# General NAT                                           #
#########################################################

# Packet forwarding
net.inet.ip.forwarding=1


#########################################################
# VPN                                                   #
#########################################################

# Enable AH and ESP protocols for IKEv2
net.inet.ah.enable=1
net.inet.esp.enable=1

# Enable packet compression
net.inet.ipcomp.enable=1

The issue

As per the iked.conf manual (if I have understood it correctly), OpenIKED should activate the ones specified in the config file under the ikesa option and disable the default ones:

"Possible values for auth, enc, prf, group, and the default proposals are described below in CRYPTO TRANSFORMS. If omitted, iked(8) will use the default proposals for the IKEv2 protocol."

But when I invoke iked -dv for debugging purposes, I receive the following output:

# iked -dv
ikev2 "IKEv2 VPN" passive ipcomp tunnel esp inet from 10.1.11.0/18 to 10.1.11.64/18 local 10.1.11.0/18 peer 10.1.11.64/18
  ikesa enc aes-128-gcm,aes-256-gcm prf hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024
  ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 auth hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group curve25519,ecp521,ecp384,ecp256,modp4096,modp3072,modp2048,modp1536,modp1024
  childsa enc aes-128-gcm,aes-256-gcm esn,noesn
  childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 esn,noesn
  lifetime 10800 bytes 536870912 signature

In other words, it does not remove the default ones from use. I have also set "set enforcesingleikesa", but as far as I can tell it is being completely ignored.

Why is this happening?

If you could help me: may my gratitude chase you forever.
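For reference, here is an editor-added site-to-site iked.conf that pins every proposal explicitly. It is not the poster's configuration and not OpenBSD's own sample file. It assumes placeholder gateway addresses 192.0.2.1 and 198.51.100.1, /26 subnets matching the enc0 netmasks shown above, and a placeholder PSK. Two points it shows that the configuration above does not: the ikesa line only governs the IKE SA, so the Child SA (ESP) keeps its own default proposals unless a childsa line is given as well; and with an AEAD cipher such as aes-256-gcm no auth transform is listed, because the cipher provides integrity itself.

```conf
# Added example, not the poster's file. Addresses, subnet sizes and the
# PSK are placeholders; replace them for a real deployment.
local_gw="192.0.2.1"            # assumption: this node's public address
remote_gw="198.51.100.1"        # assumption: the peer's public address
local_subnet="10.1.11.0/26"     # assumption: /26, matching the enc0 netmask
remote_subnet="10.1.11.64/26"

set fragmentation               # IKEv2 fragmentation for large AUTH payloads
set enforcesingleikesa          # keep one IKE SA per peer; drop duplicates
set nomobike                    # fixed gateways, no MOBIKE needed

# One policy per peer. The ikesa proposal is the only one offered for the
# IKE SA; the childsa proposal is the only one offered for the ESP SA.
# With an AEAD cipher there is no auth transform on either line.
# "group" on the childsa line enables PFS for each Child SA rekey.
ikev2 "dc-to-dc" active esp \
    from $local_subnet to $remote_subnet \
    local $local_gw peer $remote_gw \
    ikesa enc aes-256-gcm prf hmac-sha2-512 group curve25519 \
    childsa enc aes-256-gcm group curve25519 \
    psk "replace-with-a-long-random-secret" \
    tag "IKEv2"
```

The peer needs the mirror image of this policy (its own local and peer addresses and subnets swapped) with exactly the same ikesa and childsa lines, since the responder can only pick a proposal the initiator offered; a mismatch ends the IKE_SA_INIT exchange with NO_PROPOSAL_CHOSEN. Syntax-check the file with iked -n -f /etc/iked.conf before restarting the daemon, then inspect the effective proposals with iked -dv as above.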
