DaemonForums

#1
Old 17th November 2010
badguy

isakmp to ipsec

I am trying to convert from isakmpd.conf/isakmpd.policy to ipsec.conf and I am using preshared keys.
Here are the configs. I want to use ipsec.conf as I can't seem to get it to work with isakmpd.conf. Can I get a little assistance with this? The whole idea is to allow remote clients (spokes) to use the Greenbow VPN client to connect to an OpenBSD box that is at the office (hub). Thanks.

Right now I get this error -->
Nov 16 15:12:29 vpnKim isakmpd[8569]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Nov 16 15:12:29 vpnKim isakmpd[8569]: message_negotiate_sa: no compatible proposal found
Nov 16 15:12:29 vpnKim isakmpd[8569]: dropped message from 9.2.9.2 port 51717 due to notification type NO_PROPOSAL_CHOSEN

# cat /etc/isakmpd/isakmpd.conf
[General]
Retransmits= 3

[Phase 1]
default = thegreenbowP1

[Phase 2]
Passives-connections= thegreenbowP2

[thegreenbowP1]
Phase= 1
Transport= udp
Address= 0.0.0.0 # change this
Configuration= Default-main-mode
Authentication= seriously?

[thegreenbowP2]
Phase= 2
ISAKMP-peer= thegreenbowP1
Configuration= Default-quick-mode
Local-ID= network_corporate
Remote-ID= client_thegreenbow

[network_corporate]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 255.0.0.0

[client_thegreenbow]
ID-type= IPV4_ADDR
Address= 10.3.100.1

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-GRP2

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE

# cat /etc/isakmpd/isakmpd.policy
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Example of configuration between TheGreenBow VPN client and OpenBSD
Authorizer: "POLICY"
Licensees: "passphrase: seriously?"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg == "aes" &&
esp_auth_alg == "hmac-sha" -> "true";


GREENBOW CONF
[General]
Shared-SADB = Defined
Retransmits = 2
Exchange-max-time = 15
Default-phase-1-lifetime = 3600,360:28800
Bitblocking = 0
Xauth-interval = 60
DPD-interval = 30
DPD_retrans = 5
DPD_wait = 15

[Default-phase-2-lifetime]
LIFE_TYPE = SECONDS
LIFE_DURATION = 3600,300:28800

# ==================== PHASES 1 ====================

[Phase 1]
8.8.8.6 = tgbtest-P1

[tgbtest-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = 3DES-SHA-GRP2

[tgbtest-P1]
Phase = 1
Address = 8.8.8.6
Transport = udp
Configuration = tgbtest-main-mode
Authentication = "seriously?"

# ==================== PHASES 2 ====================

[Phase 2]
Manual-connections = tgbtest-tgbtest-P2

[tgbtest-tgbtest-P2]
Phase = 2
ISAKMP-peer = tgbtest-P1
Local-ID = tgbtest-local-addr
Remote-ID = tgbtest-remote-addr
Configuration = tgbtest-quick-mode
AutoStart = 0
USBStart = 0

# ==================== Ipsec ID ====================

[tgbtest-local-addr]
ID-type = IPV4_ADDR
Address = 10.3.1.2

[tgbtest-remote-addr]
ID-type = IPV4_ADDR_SUBNET
Network = 10.0.0.0
Netmask = 255.0.0.0

# ==================== TRANSFORMS ====================

[tgbtest-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = tgbtest-quick-mode-suite

[tgbtest-quick-mode-suite]
Protocols = TGBQM-ESP-AES128-SHA-PFSGRP2-TUN

[TGBQM-ESP-AES128-SHA-PFSGRP2-TUN]
PROTOCOL_ID = IPSEC_ESP
Transforms = TGBQM-ESP-AES128-SHA-PFSGRP2-TUN-XF

[TGBQM-ESP-AES128-SHA-PFSGRP2-TUN-XF]
TRANSFORM_ID = AES
KEY_LENGTH = 128,128:256
AUTHENTICATION_ALGORITHM = HMAC_SHA
GROUP_DESCRIPTION = MODP_1024
ENCAPSULATION_MODE = TUNNEL
Life = Default-phase-2-lifetime

# ==================== CERTIFICATES ====================
#2
Old 17th November 2010
jggimi

This is your 3rd thread on IPSec in OpenBSD in as many weeks. In none of the previous cases have you reported any success, though in one of them you were already using ipsec.conf.

I can't help you with the Greenbow client, having neither used nor provisioned it. I cannot help with isakmpd.conf or isakmpd.policy configurations, having used neither.

I have set up "road warrior" configurations in the past, but am not using any currently, so have no working examples to share. From memory, it can be nothing more complicated than something like:
Code:
ike passive esp from any to <nic> psk <string>
What have you tried, and what was the outcome?

For further help with isakmpd configuration files, or your constantly evolving use of IPSec on OpenBSD, I recommend the misc@ mailing list.
#3
Old 17th November 2010
badguy

I figured out the previous one. For some reason I had to make ike active on both sides before I was able to peer both LANs. Not sure why that solved it, but you probably know better.

Yet to try out the fqdn connection but should do that this weekend so no update on that yet.

Yes, I kind of like the "constantly evolving use of IPSec on OpenBSD" ...... it's fun, isn't it, and I am learning a lot from it. And thanks to you I don't get stuck for too long (whenever I do).

I think this line is all I needed. (Hopefully)
Code:
ike passive esp from any to <nic> psk <string>
The "any" keyword is what I actually needed to confirm.
#4
Old 17th November 2010
badguy

OK, so I ran into another problem.

Seems like the any to any is not helping out. I read this thread and basically I am experiencing the same problem.

The solution from the Greenbow site does not make much sense to me.

I get an error on the BSD box saying
responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.3.1.2, responder id 10.0.0.0/255.0.0.0

and on the VPN client it says I get wrong remote IDs; the errors are shown in the pic.

Basically I want anyone with the right credentials to be able to connect, thus the any. Not sure what the remote ID means.

Greenbow says:
Remote ID is the identity the VPN Client is expecting to receive during Phase 1 from the VPN gateway. This identity can be:
· an IP address (type = IP address), for example: 80.2.3.4
· a domain name (type = DNS), e.g. gateway.mydomain.com
· an email address (type = Email), e.g. admin@mydomain.com
· a string (type = KEY ID), e.g. 123456
· a certificate issuer (type = DER ASN1 DN) (see Certificates configuration)
If this identity is not set, the VPN gateway's IP address is used.

Any thoughts as to the issue? Thanks.
Attached image: vpn.jpg
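A complete hub-side /etc/ipsec.conf for the road-warrior setup this thread is about, added here as an example that is not from any of the posters. It takes the gateway address 8.8.8.6 and the corporate network 10.0.0.0/8 from the Greenbow config posted above, uses a placeholder for the preshared key, and mirrors the client's transforms (3DES-SHA-GRP2 for phase 1, AES-128/SHA-1 with PFS group 2 for phase 2). The two points the errors in this thread hinge on are called out in the comments: `psk` (without it, ipsec.conf defaults to RSA signature authentication, which is exactly what "got PRE_SHARED, expected RSA_SIG" reports) and `from <lan> to any` with `peer any`, which, as I understand isakmpd's ID matching for passive connections, lets a client propose its own host address (the 10.3.1.2 in the phase 2 ID error) as the initiator ID while the responder ID is the office network rather than the gateway's own address.

```conf
# Added example, not a configuration from the thread.
# 8.8.8.6 and 10.0.0.0/8 come from the posted Greenbow config; the PSK is a placeholder.
hub_ip = "8.8.8.6"
lan    = "10.0.0.0/8"

# passive   : the hub waits for the road warrior to initiate.
# peer any  : accept IKE from any source address (only meaningful with passive).
# to any    : the remote side of the flow is not pinned to one host or network,
#             so the client's proposed phase 2 ID (a single address such as
#             10.3.1.2) is accepted; "from $lan" makes the responder ID 10.0.0.0/8,
#             matching what the client proposes as its remote network.
# psk       : selects preshared-key authentication; leaving it out means RSA
#             signatures, hence "AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG".
# main/quick: phase 1 and phase 2 transforms matching the client side
#             (3DES-SHA-GRP2 and AES128-SHA-PFSGRP2; modp1024 is DH group 2).
ike passive esp from $lan to any \
        local $hub_ip peer any \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc aes-128 group modp1024 \
        psk "REPLACE_WITH_A_LONG_RANDOM_SECRET"
```

Check the syntax with `ipsecctl -nf /etc/ipsec.conf` before loading it with `ipsecctl -f /etc/ipsec.conf`, then watch `isakmpd` (run with `-d -v` or `-D A=` debug levels) while the client connects; the phase 2 ID line in the log should now show initiator 10.3.1.2 and responder 10.0.0.0/255.0.0.0 without the "invalid phase 2 IDs" complaint. One design consequence worth keeping in mind: with `peer any` and a single `psk`, every road warrior shares the same secret and the hub cannot tell them apart by authentication alone, so the key should be long and random, and rotating it means touching every client at once.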