14th October 2015
igy01
iked, NAT-T and keep alive

I am testing iked on OpenBSD phobos 5.7 GENERIC#738 i386; I think there is a keep-alive problem when using NAT-T.
Configs are as follows:

Phobos LAN vr3 = 172.30.10.1/24
Phobos WAN vr0 = 13.13.14.2

Mars vr2 = 13.13.14.1
match out on vr3 inet from 13.13.14.0/24 to any nat-to 13.13.15.1
Mars vr3 = 13.13.15.1

Deimos WAN vr0 = 13.13.15.2
Deimos LAN vr3 = 172.30.20.1/24

Routing & ping without IPsec are OK, there is no pf on Phobos & Deimos, detailed configs are:


Quote:
phobos /etc>cat iked.conf
# $OpenBSD: iked.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
set active
ikev2 "proba1" active esp \
from 172.30.10.0/24 to 172.30.20.0/24 \
local 13.13.14.2 peer 13.13.15.2 \
psk "abcd1234"
phobos /etc>

deimos /etc>cat iked.conf
# $OpenBSD: iked.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
set passive
ikev2 "proba1" passive esp \
from 172.30.20.0/24 to 172.30.10.0/24 \
local 13.13.15.2 peer any \
psk "abcd1234"
deimos /etc>

mars /etc>cat pf_mars.conf
# $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $

set timeout { udp.first 300, udp.single 150, udp.multiple 900 }

if_admin ="vr0"
if_winxp ="vr1"
if_phobos="vr2"
if_deimos="vr3"

ip_phobos="13.13.14.1"
ip_deimos="13.13.15.1"

set reassemble yes
set block-policy return
set loginterface egress

set skip on lo
set skip on $if_admin
set skip on $if_winxp

#
# pass on phobos side (inside)
#
pass on $if_phobos all

#
# nat from phobos to deimos (outside)
#
block in log on $if_deimos all
block out log on $if_deimos all

match out on $if_deimos from 13.13.14.0/24 to any nat-to $ip_deimos
pass out on $if_deimos from any to any keep state

pass in on $if_deimos proto udp from any to any port { isakmp, ipsec-nat-t }
pass in on $if_deimos proto esp

pass on $if_deimos proto tcp from any to any port 22
pass on $ip_deimos inet proto icmp

mars /etc>

mars /etc>pfctl -sr
pass on vr2 all flags S/SA
block return in log on vr3 all
block return out log on vr3 all
match out on vr3 inet from 13.13.14.0/24 to any nat-to 13.13.15.1
pass in on vr3 proto udp from any to any port = 500
pass in on vr3 proto udp from any to any port = 4500
pass in on vr3 proto esp all
pass out on vr3 all flags S/SA
pass on vr3 proto tcp from any to any port = 22 flags S/SA
pass on 13.13.15.1 inet proto icmp all
mars /etc>
I started iked daemons on Phobos & Deimos, and the SAD is almost immediately here:

Quote:
phobos /etc>iked
phobos /etc>
phobos /etc>
phobos /etc>ipsecctl -sa
FLOWS:
flow esp in from 172.30.20.0/24 to 172.30.10.0/24 peer 13.13.15.2 srcid FQDN/phobos dstid FQDN/deimos type use
flow esp out from 172.30.10.0/24 to 172.30.20.0/24 peer 13.13.15.2 srcid FQDN/phobos dstid FQDN/deimos type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 13.13.14.2 to 13.13.15.2 spi 0x368db98f auth hmac-sha2-256 enc aes-256
esp tunnel from 13.13.15.2 to 13.13.14.2 spi 0x9756665c auth hmac-sha2-256 enc aes-256
phobos /etc>
We can see IKE on mars:

Quote:
mars /etc>tcpdump -ni vr3 not port ssh
tcpdump: listening on vr3, link-type EN10MB
22:04:37.795565 13.13.15.1.56019 > 13.13.15.2.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 2763677be11c7acb->0000000000000000 msgid: 00000000 len: 520
22:04:39.245045 13.13.15.2.500 > 13.13.15.1.56019: isakmp v2.0 exchange IKE_SA_INIT
cookie: 2763677be11c7acb->226fdff2dbff07a7 msgid: 00000000 len: 432
22:04:39.972229 13.13.15.1.52215 > 13.13.15.2.4500:udpencap: isakmp v2.0 exchange IKE_AUTH
cookie: 2763677be11c7acb->226fdff2dbff07a7 msgid: 00000001 len: 256
22:04:39.976740 13.13.15.2.4500 > 13.13.15.1.52215:udpencap: isakmp v2.0 exchange IKE_AUTH
cookie: 2763677be11c7acb->226fdff2dbff07a7 msgid: 00000001 len: 224

Ping from LAN1 to LAN2 is OK, the opposite direction is also OK.

Quote:
phobos /etc>ping -I 172.30.10.1 172.30.20.1
PING 172.30.20.1 (172.30.20.1): 56 data bytes
64 bytes from 172.30.20.1: icmp_seq=0 ttl=255 time=1.675 ms
64 bytes from 172.30.20.1: icmp_seq=1 ttl=255 time=1.245 ms
................
64 bytes from 172.30.20.1: icmp_seq=9 ttl=255 time=1.373 ms
64 bytes from 172.30.20.1: icmp_seq=10 ttl=255 time=1.202 ms
--- 172.30.20.1 ping statistics ---
11 packets transmitted, 11 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.189/1.272/1.675/0.139 ms
phobos /etc>

mars /etc>tcpdump -ni vr3 not port ssh
22:05:31.784391 13.13.15.1.52215 > 13.13.15.2.4500:udpencap: esp 13.13.15.1 > 13.13.15.2 spi 0x368db98f seq 2 len 136
22:05:31.785038 13.13.15.2.4500 > 13.13.15.1.52215:udpencap: esp 13.13.15.2 > 13.13.15.1 spi 0x9756665c seq 2 len 136
22:05:32.791487 13.13.15.1.52215 > 13.13.15.2.4500:udpencap: esp 13.13.15.1 > 13.13.15.2 spi 0x368db98f seq 3 len 136
................etc
pf states on mars are:

Quote:
mars /etc>pfctl -ss
all tcp 13.13.14.1:45590 -> 13.13.14.2:22 ESTABLISHED:ESTABLISHED
all tcp 13.13.15.1:36759 -> 13.13.15.2:22 ESTABLISHED:ESTABLISHED
all udp 13.13.15.2:4500 <- 13.13.14.2:4500 MULTIPLE:MULTIPLE
all udp 13.13.15.1:52215 (13.13.14.2:4500) -> 13.13.15.2:4500 MULTIPLE:MULTIPLE
all udp 13.13.15.2:500 <- 13.13.14.2:500 SINGLE:MULTIPLE
all udp 13.13.15.1:56019 (13.13.14.2:500) -> 13.13.15.2:500 MULTIPLE:SINGLE
mars /etc>
UDP states in pf will not last very long, only 15 minutes:

Quote:
mars /etc>pfctl -ss -vv
.....
all udp 13.13.15.2:4500 <- 13.13.14.2:4500 MULTIPLE:MULTIPLE
age 00:22:07, expires in 00:14:56, 285:31 pkts, 46604:4916 bytes, rule 0

so, after 15 minutes...

mars /etc>pfctl -ss -vv
all tcp 13.13.14.1:45590 -> 13.13.14.2:22 ESTABLISHED:ESTABLISHED
[3412585257 + 17376] wscale 3 [1442684952 + 16336] wscale 3
age 00:51:11, expires in 23:35:20, 562:532 pkts, 40377:54841 bytes, rule 0
id: 561da44900000097 creatorid: 511e69a1
all tcp 13.13.15.1:36759 -> 13.13.15.2:22 ESTABLISHED:ESTABLISHED
[2703832638 + 17376] wscale 3 [2214895039 + 16152] wscale 3
age 00:50:28, expires in 23:36:56, 316:305 pkts, 23909:31881 bytes, rule 8
id: 561da44900000098 creatorid: 511e69a1
mars /etc>
and ping is no more working:

Quote:
phobos /etc>ping -I 172.30.10.1 172.30.20.1
PING 172.30.20.1 (172.30.20.1): 56 data bytes
--- 172.30.20.1 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
phobos /etc>
tcpdump on mars NAT:

Quote:
mars /etc>tcpdump -ni vr3 not port ssh
tcpdump: listening on vr3, link-type EN10MB
22:35:06.368671 13.13.15.1.50017 > 13.13.15.2.4500:udpencap: esp 13.13.15.1 > 13.13.15.2 spi 0x368db98f seq 27 len 136
22:35:06.369267 13.13.15.2.4500 > 13.13.15.1.52215:udpencap: esp 13.13.15.2 > 13.13.15.1 spi 0x9756665c seq 30 len 136
22:35:06.369367 13.13.15.1 > 13.13.15.2: icmp: 13.13.15.1 udp port 52215 unreachable
22:35:07.371077 13.13.15.1.50017 > 13.13.15.2.4500:udpencap: esp 13.13.15.1 > 13.13.15.2 spi 0x368db98f seq 28 len 136
22:35:07.371546 13.13.15.2.4500 > 13.13.15.1.52215:udpencap: esp 13.13.15.2 > 13.13.15.1 spi 0x9756665c seq 31 len 136
22:35:07.371643 13.13.15.1 > 13.13.15.2: icmp: 13.13.15.1 udp port 52215 unreachable
.....
But the IPsec flow and SAD are still there:

Quote:
phobos /etc>ipsecctl -sa
FLOWS:
flow esp in from 172.30.20.0/24 to 172.30.10.0/24 peer 13.13.15.2 srcid FQDN/phobos dstid FQDN/deimos type use
flow esp out from 172.30.10.0/24 to 172.30.20.0/24 peer 13.13.15.2 srcid FQDN/phobos dstid FQDN/deimos type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 13.13.14.2 to 13.13.15.2 spi 0x368db98f auth hmac-sha2-256 enc aes-256
esp tunnel from 13.13.15.2 to 13.13.14.2 spi 0x9756665c auth hmac-sha2-256 enc aes-256
phobos /etc>
So, what is the solution? I think iked needs some kind of "keep alive", but I can't find it in the iked.conf configuration. Or do I need to send a ping from crontab every few minutes? Some other idea?

Igy
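An added diagnostic, not part of the original post: it parses tcpdump lines of the kind captured on the NAT box (mars, vr3) and flags the symptom visible after the pf UDP state expired, namely the outbound NAT-T flow re-mapped to a new source port (50017) while the peer still replies to the old one (52215), producing ICMP port unreachable. The function name, the regexes and the sample lines (constructed from the output quoted above) are mine.

```python
import re
from collections import Counter

# Constructed samples modelled on the tcpdump output quoted in the post.
HEALTHY = """\
22:05:31.784391 13.13.15.1.52215 > 13.13.15.2.4500:udpencap: esp 13.13.15.1 > 13.13.15.2 spi 0x368db98f seq 2 len 136
22:05:31.785038 13.13.15.2.4500 > 13.13.15.1.52215:udpencap: esp 13.13.15.2 > 13.13.15.1 spi 0x9756665c seq 2 len 136
"""
BROKEN = """\
22:35:06.368671 13.13.15.1.50017 > 13.13.15.2.4500:udpencap: esp 13.13.15.1 > 13.13.15.2 spi 0x368db98f seq 27 len 136
22:35:06.369267 13.13.15.2.4500 > 13.13.15.1.52215:udpencap: esp 13.13.15.2 > 13.13.15.1 spi 0x9756665c seq 30 len 136
22:35:06.369367 13.13.15.1 > 13.13.15.2: icmp: 13.13.15.1 udp port 52215 unreachable
"""

# "<ts> <src>.<sport> > <dst>.<dport>:udpencap: ..." (OpenBSD tcpdump format)
UDP_RE = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):udpencap:")
ICMP_RE = re.compile(r"icmp: (\d+\.\d+\.\d+\.\d+) udp port (\d+) unreachable")


def check_nat_t(capture, nat_outside, peer, nat_t_port=4500):
    """Compare the NAT source port used towards the peer's UDP 4500 with the
    port the peer sends back to.  They must agree; a port the peer replies to
    that the NAT no longer sends from means the UDP state (NAT mapping) has
    expired and a new one was created, so the peer's ESP-in-UDP is now
    undeliverable.  Hypothetical helper, not an iked or pf tool."""
    out_ports, in_ports, unreach = set(), set(), Counter()
    for line in capture.splitlines():
        m = UDP_RE.match(line)
        if m:
            src, sport, dst, dport = m.groups()
            if src == nat_outside and dst == peer and int(dport) == nat_t_port:
                out_ports.add(int(sport))       # NAT -> peer, translated source port
            elif src == peer and dst == nat_outside and int(sport) == nat_t_port:
                in_ports.add(int(dport))        # peer -> NAT, port the peer remembers
            continue
        m = ICMP_RE.search(line)
        if m and m.group(1) == nat_outside:
            unreach[int(m.group(2))] += 1       # NAT rejecting the stale port
    stale = in_ports - out_ports
    return {
        "outbound_nat_ports": sorted(out_ports),
        "peer_reply_ports": sorted(in_ports),
        "stale_reply_ports": sorted(stale),
        "port_unreachable": dict(unreach),
        "mapping_lost": bool(stale) or bool(unreach),
    }


if __name__ == "__main__":
    print(check_nat_t(HEALTHY, "13.13.15.1", "13.13.15.2"))
    print(check_nat_t(BROKEN, "13.13.15.1", "13.13.15.2"))
```

Feed it `tcpdump -nli vr3 udp port 4500 or icmp` output from the NAT box; a non-empty `stale_reply_ports` is the signature of the expired mapping, independent of whether the SAD on the endpoints still looks healthy.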