Old 29th December 2008
kasse kasse is offline
Fdisk Soldier
 
Join Date: Jun 2008
Posts: 67
Default Ipsec freebsd openbsd failure

Hello, I wanted to try to secure the wireless connection on my openbsd laptop via an ipsec tunnel to my freebsd desktop, but I seem to get nowhere. So I tried to set up a simpler transport between the two to see if I could figure out what is wrong, but I still get the same errors. I have also tried freebsd to freebsd, also with no success. So here are the configs. I have disabled all of pf in these initial tests just to make sure it is not the cause.

I want to try an ipsec transport from freebsd 192.168.0.100 to openbsd 192.168.0.103.

On freebsd I have compiled the kernel with ipsec and installed ipsec-tools.
Here is the racoon.conf
Code:
path include "/usr/local/etc/racoon";
path certificates "/usr/local/etc/racoon/certs";

padding 
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}

timer   
{
        counter         5;
        interval        20 sec;
        persend         1;
        phase1          30 sec;
        phase2          15 sec;
}

listen  
{
        isakmp          192.168.0.100 [500];
}

remote  192.168.0.102 [500]
{
        exchange_mode   main;
        doi             ipsec_doi;
        situation       identity_only;
        my_identifier   asn1dn;
        certificate_type        x509 "192.168.0.100.crt" "192.168.0.100.key";
        peers_certfile  x509 "192.168.0.103.crt";
        
        lifetime        time 8 hour;
        passive         off;
        proposal_check  obey;
        initial_contact on;
        generate_policy off;

                        proposal {
                                encryption_algorithm    blowfish;
                                hash_algorithm          sha1;
                                authentication_method   rsasig;        
                                lifetime time           30 sec;
                                dh_group                modp1024;
                        }
}

sainfo  (address 192.168.0.100 any address 192.168.0.103 any)    
{                               
        pfs_group       modp1024;
        lifetime        time    36000 sec;
        encryption_algorithm    blowfish;
        authentication_algorithm hmac_sha256;
        compression_algorithm   deflate;
}
Here is the setkey.conf for freebsd

Code:
flush;
spdflush;
spdadd 192.168.0.100 192.168.0.103 any -P out ipsec esp/transport//use;
spdadd 192.168.0.103 192.168.0.100 any -P in ipsec esp/transport//use;
Here is the ipsec.conf for openbsd

Code:
main auth hmac-sha1 enc blowfish group modp1024
quick auth hmac-sha2-256 enc blowfish group modp1024
ike esp transport from 192.168.0.103 to 192.168.0.100 peer 192.168.0.100 
ike esp transport from 192.168.0.100 to 192.168.0.103 peer 192.168.0.100
As in http://www.bsdguides.org/gu...ity/ipsec_vpn
I run isakmpd -Kdv and then, when I try ipsecctl -f /etc/ipsec.conf,
I get
Code:
/etc/ipsec.conf: 1: syntax error
C set [Phase 1]:192.168.0.100=peer-192.168.0.100 force
C set [peer-192.168.0.100]:Phase=1 force
C set [peer-192.168.0.100]:Address=192.168.0.100 force
C set [peer-192.168.0.100]:Configuration=phase1-peer-192.168.0.100 force
C set [phase1-peer-192.168.0.100]:EXCHANGE_TYPE=ID_PROT force
C add [phase1-peer-192.168.0.100]:Transforms=AES-SHA-RSA_SIG force
C set [from-192.168.0.103-to-192.168.0.100]:Phase=2 force
C set [from-192.168.0.103-to-192.168.0.100]:ISAKMP-peer=peer-192.168.0.100 force
C set [from-192.168.0.103-to-192.168.0.100]:Configuration=phase2-from-192.168.0.103-to-192.168.0.100 force
C set [from-192.168.0.103-to-192.168.0.100]:Local-ID=from-192.168.0.103 force
C set [from-192.168.0.103-to-192.168.0.100]:Remote-ID=to-192.168.0.100 force
C set [phase2-from-192.168.0.103-to-192.168.0.100]:EXCHANGE_TYPE=QUICK_MODE force
C set [phase2-from-192.168.0.103-to-192.168.0.100]:Suites=QM-ESP-TRP-AES-SHA2-256-PFS-SUITE force
C set [from-192.168.0.103]:ID-type=IPV4_ADDR force
C set [from-192.168.0.103]:Address=192.168.0.103 force
C set [to-192.168.0.100]:ID-type=IPV4_ADDR force
C set [to-192.168.0.100]:Address=192.168.0.100 force
C add [Phase 2]:Connections=from-192.168.0.103-to-192.168.0.100
C set [Phase 1]:192.168.0.100=peer-192.168.0.100 force
C set [peer-192.168.0.100]:Phase=1 force
C set [peer-192.168.0.100]:Address=192.168.0.100 force
C set [peer-192.168.0.100]:Configuration=phase1-peer-192.168.0.100 force
C set [phase1-peer-192.168.0.100]:EXCHANGE_TYPE=ID_PROT force
C add [phase1-peer-192.168.0.100]:Transforms=AES-SHA-RSA_SIG force
C set [from-192.168.0.100-to-192.168.0.103]:Phase=2 force
C set [from-192.168.0.100-to-192.168.0.103]:ISAKMP-peer=peer-192.168.0.100 force
C set [from-192.168.0.100-to-192.168.0.103]:Configuration=phase2-from-192.168.0.100-to-192.168.0.103 force
C set [from-192.168.0.100-to-192.168.0.103]:Local-ID=from-192.168.0.100 force
C set [from-192.168.0.100-to-192.168.0.103]:Remote-ID=to-192.168.0.103 force
C set [phase2-from-192.168.0.100-to-192.168.0.103]:EXCHANGE_TYPE=QUICK_MODE force
C set [phase2-from-192.168.0.100-to-192.168.0.103]:Suites=QM-ESP-TRP-AES-SHA2-256-PFS-SUITE force
C set [from-192.168.0.100]:ID-type=IPV4_ADDR force
C set [from-192.168.0.100]:Address=192.168.0.100 force
C set [to-192.168.0.103]:ID-type=IPV4_ADDR force
C set [to-192.168.0.103]:Address=192.168.0.103 force
C add [Phase 2]:Connections=from-192.168.0.100-to-192.168.0.103
ipsecctl: Syntax error in config file: ipsec rules not loaded
I really cannot understand what the error is.

On the freebsd side I run setkey -f /usr/local/etc/racoon/setkey.conf and
/usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf, but when I look for the loaded SPD
with setkey -DP I get none. I also get this same failure when I try freebsd to freebsd.

Last edited by kasse; 30th December 2008 at 11:14 AM. Reason: omitted to mention setkey on freebsd part and double / in setkey.conf freebsd
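In the ipsec.conf(5) grammar, main and quick are trailing clauses of an ike rule rather than rules of their own, which is what the "1: syntax error" above reports; separately, the posted racoon.conf declares remote 192.168.0.102 while its sainfo and the setkey spdadd lines refer to 192.168.0.103. The Python lint below is an added example, not part of the original post: it flags both problems and shows the ike lines with the clauses folded in (the config excerpts are constructed from the post).

```python
import re

# Constructed excerpts of the three configs from the post, trimmed to the lines these checks read.
IPSEC_CONF = """\
main auth hmac-sha1 enc blowfish group modp1024
quick auth hmac-sha2-256 enc blowfish group modp1024
ike esp transport from 192.168.0.103 to 192.168.0.100 peer 192.168.0.100
ike esp transport from 192.168.0.100 to 192.168.0.103 peer 192.168.0.100
"""
RACOON_CONF = """\
listen { isakmp 192.168.0.100 [500]; }
remote  192.168.0.102 [500] { exchange_mode main; }
sainfo  (address 192.168.0.100 any address 192.168.0.103 any) { pfs_group modp1024; }
"""
SETKEY_CONF = """\
spdadd 192.168.0.100 192.168.0.103 any -P out ipsec esp/transport//use;
spdadd 192.168.0.103 192.168.0.100 any -P in ipsec esp/transport//use;
"""

# Keywords that may open a rule in ipsec.conf(5); "main" and "quick" only qualify an ike rule.
RULE_KEYWORDS = {"ike", "flow", "esp", "ah", "ipcomp", "tcpmd5", "include"}
IPV4 = r"\d+(?:\.\d+){3}"


def lint_ipsec_conf(text):
    """Return (line_no, message) for every line whose first word cannot open a rule."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"\w+\s*=", s):  # blank, comment or macro
            continue
        first = s.split()[0]
        if first not in RULE_KEYWORDS:
            hint = " (main/quick go at the end of an ike rule)" if first in ("main", "quick") else ""
            problems.append((no, f"'{first}' cannot start a rule{hint}"))
    return problems


def merge_transforms(text):
    """Append stray leading main/quick clauses to each ike rule so every line is one rule."""
    clauses, rules = [], []
    for s in (l.strip() for l in text.splitlines() if l.strip()):
        (clauses if s.split()[0] in ("main", "quick") else rules).append(s)
    return "\n".join(f"{r} {' '.join(clauses)}".rstrip() if r.startswith("ike ") else r for r in rules) + "\n"


def racoon_peer_check(racoon_text, setkey_text):
    """Cross-check racoon 'remote' blocks against the peers named by sainfo and setkey spdadd."""
    local = set(re.findall(r"isakmp\s+(" + IPV4 + ")", racoon_text))
    remotes = set(re.findall(r"^\s*remote\s+(" + IPV4 + ")", racoon_text, re.M))
    mentioned = set(re.findall(r"address\s+(" + IPV4 + ")", racoon_text))
    for src, dst in re.findall(r"^\s*spdadd\s+(\S+)\s+(\S+)", setkey_text, re.M):
        mentioned.update((src, dst))
    peers = mentioned - local  # every non-local address the policies talk to needs a remote block
    return {"unmatched_peers": sorted(peers - remotes), "unused_remotes": sorted(remotes - peers)}
```

Running the three functions on the excerpts reports lines 1 and 2 of ipsec.conf, prints the two ike rules with the main/quick clauses appended, and reports 192.168.0.103 as a peer with no remote block and 192.168.0.102 as a remote block nothing refers to.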