DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1   (View Single Post)  
Old 29th December 2008
kasse kasse is offline
Fdisk Soldier
 
Join Date: Jun 2008
Posts: 67
Thanked 0 Times in 0 Posts
Default Ipsec freebsd openbsd failure

Hello, I wanted to try and secure my wireless connection on my openbsd laptop via ipsec tunnel to my freebsd desktop. But I seem to get nowhere. So I tried to set up a more simple transport between the two to see if I could figure out what is wrong. But I still get the same errors. I have also tried between them as freebsd freebsd also no success. So here are the configs. I have disabled all the pf in this initial tests just to make sure that they are not the cause.

I want to try a ipsec transport from freebsd 192.168.0.100 to openbsd 192.168.0.103.

On freebsd I have compiled the kernel with ipsec and installed ipsec-tools.
Here is the racoon.conf
Code:
path include "/usr/local/etc/racoon";
path certificates "/usr/local/etc/racoon/certs";

padding 
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}

timer   
{
        counter         5;
        interval        20 sec;
        persend         1;
        phase1          30 sec;
        phase2          15 sec;
}

listen  
{
        isakmp          192.168.0.100 [500];
}

remote  192.168.0.102 [500]
{
        exchange_mode   main;
        doi             ipsec_doi;
        situation       identity_only;
        my_identifier   asn1dn;
        certificate_type        x509 "192.168.0.100.crt" "192.168.0.100.key";
        peers_certfile  x509 "192.168.0.103.crt";
        
        lifetime        time 8 hour;
        passive         off;
        proposal_check  obey;
        initial_contact on;
        generate_policy off;

                        proposal {
                                encryption_algorithm    blowfish;
                                hash_algorithm          sha1;
                                authentication_method   rsasig;        
                                lifetime time           30 sec;
                                dh_group                modp1024;
                        }
}

sainfo  (address 192.168.0.100 any address 192.168.0.103 any)    
{                               
        pfs_group       modp1024;
        lifetime        time    36000 sec;
        encryption_algorithm    blowfish;
        authentication_algorithm hmac_sha256;
        compression_algorithm   deflate;
}
here is the setkey.conf for freebsd

Code:
flush;
spdflush;
spdadd 192.168.0.100 192.168.0.103 any -P out ipsec esp/transport//use;
spdadd 192.168.0.103 192.168.0.100 any -P in ipsec esp/transport//use;
here is the ipsec.conf for openbsd

Code:
main auth hmac-sha1 enc blowfish group modp1024
quick auth hmac-sha2-256 enc blowfish group modp1024
ike esp transport from 192.168.0.103 to 192.168.0.100 peer 192.168.0.100 
ike esp transport from 192.168.0.100 to 192.168.0.103 peer 192.168.0.100
As in http://="http://www.bsdguides.org/gu...ity/ipsec_vpn"
I do
isakmpd -Kdv and then when I try ipsecctl -f /etc/ipsec.conf
I get
Code:
/etc/ipsec.conf: 1: syntax error
C set [Phase 1]:192.168.0.100=peer-192.168.0.100 force
C set [peer-192.168.0.100]:Phase=1 force
C set [peer-192.168.0.100]:Address=192.168.0.100 force
C set [peer-192.168.0.100]:Configuration=phase1-peer-192.168.0.100 force
C set [phase1-peer-192.168.0.100]:EXCHANGE_TYPE=ID_PROT force
C add [phase1-peer-192.168.0.100]:Transforms=AES-SHA-RSA_SIG force
C set [from-192.168.0.103-to-192.168.0.100]:Phase=2 force
C set [from-192.168.0.103-to-192.168.0.100]:ISAKMP-peer=peer-192.168.0.100 force
C set [from-192.168.0.103-to-192.168.0.100]:Configuration=phase2-from-192.168.0.103-to-192.168.0.100 force
C set [from-192.168.0.103-to-192.168.0.100]:Local-ID=from-192.168.0.103 force
C set [from-192.168.0.103-to-192.168.0.100]:Remote-ID=to-192.168.0.100 force
C set [phase2-from-192.168.0.103-to-192.168.0.100]:EXCHANGE_TYPE=QUICK_MODE force
C set [phase2-from-192.168.0.103-to-192.168.0.100]:Suites=QM-ESP-TRP-AES-SHA2-256-PFS-SUITE force
C set [from-192.168.0.103]:ID-type=IPV4_ADDR force
C set [from-192.168.0.103]:Address=192.168.0.103 force
C set [to-192.168.0.100]:ID-type=IPV4_ADDR force
C set [to-192.168.0.100]:Address=192.168.0.100 force
C add [Phase 2]:Connections=from-192.168.0.103-to-192.168.0.100
C set [Phase 1]:192.168.0.100=peer-192.168.0.100 force
C set [peer-192.168.0.100]:Phase=1 force
C set [peer-192.168.0.100]:Address=192.168.0.100 force
C set [peer-192.168.0.100]:Configuration=phase1-peer-192.168.0.100 force
C set [phase1-peer-192.168.0.100]:EXCHANGE_TYPE=ID_PROT force
C add [phase1-peer-192.168.0.100]:Transforms=AES-SHA-RSA_SIG force
C set [from-192.168.0.100-to-192.168.0.103]:Phase=2 force
C set [from-192.168.0.100-to-192.168.0.103]:ISAKMP-peer=peer-192.168.0.100 force
C set [from-192.168.0.100-to-192.168.0.103]:Configuration=phase2-from-192.168.0.100-to-192.168.0.103 force
C set [from-192.168.0.100-to-192.168.0.103]:Local-ID=from-192.168.0.100 force
C set [from-192.168.0.100-to-192.168.0.103]:Remote-ID=to-192.168.0.103 force
C set [phase2-from-192.168.0.100-to-192.168.0.103]:EXCHANGE_TYPE=QUICK_MODE force
C set [phase2-from-192.168.0.100-to-192.168.0.103]:Suites=QM-ESP-TRP-AES-SHA2-256-PFS-SUITE force
C set [from-192.168.0.100]:ID-type=IPV4_ADDR force
C set [from-192.168.0.100]:Address=192.168.0.100 force
C set [to-192.168.0.103]:ID-type=IPV4_ADDR force
C set [to-192.168.0.103]:Address=192.168.0.103 force
C add [Phase 2]:Connections=from-192.168.0.100-to-192.168.0.103
ipsecctl: Syntax error in config file: ipsec rules not loaded
I cannot understand really what the error is

On the freebsd I run setkey -f /usr/local/etc/racoon/setkey.conf and
/usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf but when I look for loaded spd
with setkey -DP I get none. Also I get this same failure when I try freebsd to freebsd

Last edited by kasse; 30th December 2008 at 11:14 AM. Reason: omitted to mention setkey on freebsd part and double / in setkey.conf freebsd
Reply With Quote
 

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Securing wifi networks with ipsec/ssh and openbsd Oko OpenBSD Security 4 16th April 2009 07:32 AM
openBSD IPSEC gateway w/WINDOWS XP roadwarrior s2scott OpenBSD Security 7 13th January 2009 11:01 AM
ipsec with client nat sicute OpenBSD General 0 30th October 2008 05:39 PM
IPsec on openbsd hitete OpenBSD Installation and Upgrading 1 12th July 2008 01:57 AM
Sendmail 8.14.2 undisclosed DNSBL lookup failure and NOQUEUE errors (FreeBSD 7.0) NathanPardoe FreeBSD General 9 21st May 2008 12:00 AM


All times are GMT. The time now is 09:17 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick