DaemonForums: OpenBSD > OpenBSD Security
#1 - sparky - 6th March 2012
IPSEC VPN to Cisco ISR - ISAKMP Phase-2 invalid ID

Hi,

This is my first posting here, and it actually seems quite a nice place for a mainly *BSD-based forum.


I have been working for the last couple of days trying to learn OpenBSD and create a router/gateway/firewall/VPN system..... from scratch, knowledge-wise at least, in order to build the ultimate Cisco router killer - as they're soooo underpowered (honest opinion, as I am a Cisco fan + qualified engineer).


Ok so after 3 days I got everything working <brag>


But to be serious now, I am having issues interfacing with my Cisco router using IPSEC over GRE.


Basically what I have done is first attempt OpenBSD<->OpenBSD using IPSEC which worked fine.... routing OSPF over gre0 interface - very nice linear and easy.


However, with Cisco I am getting this as error:

Code:
020025.953079 Default isakmpd: phase 1 done (as responder): initiator id 192.168.0.1, responder id 192.168.0.2, src: 192.168.0.2 dst: 192.168.0.1
020025.963221 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 0.0.0.0/0.0.0.0, responder id 0.0.0.0/0.0.0.0
020025.963708 Default dropped message from 192.168.0.1 port 500 due to notification type INVALID_ID_INFORMATION
020116.068136 Default transport_send_messages: giving up on exchange from-192.168.0.2-to-192.168.0.1, no response from peer 192.168.0.1:500

I ran "debug crypto isakmp" on the Cisco box; a portion of its output is shown below:


Code:
018494: Mar  6 02:02:59.515: ISAKMP:(0):purging SA., sa=8311A39C, delme=8311A39C
018495: Mar  6 02:02:59.515: ISAKMP:(0): SA request profile is (NULL)
018496: Mar  6 02:02:59.515: ISAKMP: Created a peer struct for 192.168.0.2, peer port 500
018497: Mar  6 02:02:59.515: ISAKMP: New peer created peer = 0x82864880 peer_handle = 0x80000574
018498: Mar  6 02:02:59.515: ISAKMP: Locking peer struct 0x82864880, refcount 1 for isakmp_initiator
018499: Mar  6 02:02:59.515: ISAKMP: local port 500, remote port 500
018500: Mar  6 02:02:59.515: ISAKMP: set new node 0 to QM_IDLE      
018501: Mar  6 02:02:59.515: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8236AA08
018502: Mar  6 02:02:59.515: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
018503: Mar  6 02:02:59.515: ISAKMP:(0):found peer pre-shared key matching 192.168.0.2
018504: Mar  6 02:02:59.515: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
018505: Mar  6 02:02:59.515: ISAKMP:(0): constructed NAT-T vendor-07 ID
018506: Mar  6 02:02:59.515: ISAKMP:(0): constructed NAT-T vendor-03 ID
018507: Mar  6 02:02:59.515: ISAKMP:(0): constructed NAT-T vendor-02 ID
018508: Mar  6 02:02:59.515: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Cisco857W(config)#
018509: Mar  6 02:02:59.515: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 

018510: Mar  6 02:02:59.519: ISAKMP:(0): beginning Main Mode exchange
018511: Mar  6 02:02:59.519: ISAKMP:(0): sending packet to 192.168.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
018512: Mar  6 02:02:59.519: ISAKMP:(0):Sending an IKE IPv4 Packet.
018513: Mar  6 02:02:59.839: ISAKMP (0:2620): received packet from 192.168.0.2 dport 500 sport 500 Global (I) MM_NO_STATE
Cisco857W(config)#
018514: Mar  6 02:03:08.851: ISAKMP (0:2620): received packet from 192.168.0.2 dport 500 sport 500 Global (I) MM_NO_STATE
018515: Mar  6 02:03:09.519: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
018516: Mar  6 02:03:09.519: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
018517: Mar  6 02:03:09.519: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
018518: Mar  6 02:03:09.519: ISAKMP:(0): sending packet to 192.168.0.2 my_port 500 peer_port 500 (I) MM_NO_STATE
018519: Mar  6 02:03:09.519: ISAKMP:(0):Sending an IKE IPv4 Packet.

Nothing useful is really shown in the above Cisco debug.


From the more useful OpenBSD logs and debug information and even initial stages of Cisco debug routine.. it seems that ISAKMP Phase-1 is completing without any issues.


I can't figure Phase-2 out though and have tried everything in order to change the ID given by the Cisco or change the way IPSEC on OpenBSD handles that information.


This is Cisco config for site-to-site VPN which works using Cisco<->Cisco without any problems or issues:

Crypto information:

Code:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key secret address 192.168.0.2
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set geo-sync-set-01 esp-3des esp-md5-hmac 
!
crypto ipsec profile geo-sync-profile-01
 set transform-set geo-sync-set-01 
!
!
crypto map geo-sync-01 10 ipsec-isakmp 
 set peer 192.168.0.2
 set transform-set geo-sync-set-01 
 match address 101

Tunnel0 interface:

Code:
interface Tunnel0
 bandwidth 1000000
 ip address 10.255.255.102 255.255.255.252
 ip accounting output-packets
 ip accounting access-violations
 ip rip send version 2
 ip rip receive version 2
 tunnel source BVI2
 tunnel destination 192.168.0.2
 tunnel mode ipsec ipv4
 tunnel flow egress-records
 tunnel protection ipsec profile geo-sync-profile-01

Bridge Virtual Interface:

Code:
interface BVI2
 description Bridge between Vlan2 and Dot11Radio0.2 for wireless network
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip rip send version 2
 ip rip receive version 2
 no ip virtual-reassembly
 no ip route-cache
 crypto map geo-sync-01

Access List 101:

Code:
access-list 101 permit udp any host 192.168.0.2 eq isakmp
access-list 101 permit esp any host 192.168.0.1
access-list 101 permit gre host 10.255.255.101 host 10.255.255.102
access-list 101 permit gre any host 192.168.0.1

This is what I have in /etc/ipsec.conf on OpenBSD:

Code:
ike esp from 192.168.0.2 to 192.168.0.1 peer 192.168.0.1 main auth hmac-md5 enc 3des group modp1536 quick auth hmac-md5 enc 3des srcid 192.168.0.2 dstid 192.168.0.1 psk "secret"

I wasn't quite sure if I needed to add another line defining the Tunnel interface in the ipsec.conf file as my BSD to BSD definition is as follows:


Code:
ike esp transport from 192.168.0.2 to 192.168.0.3

so I attempted with this line:


Code:
#ike esp transport from 10.255.255.101/30 to 10.255.255.102/30 peer 192.168.0.1

but then, as can be seen, commented it out due to the /etc/hostname.gre1 file containing:

Code:
10.255.255.101 10.255.255.102 netmask 255.255.255.252 link0 up
tunnel 192.168.0.2 192.168.0.1

As I'm still quite unfamiliar with OpenBSD and using Cisco IOS mentality a lot of the time I am pretty sure that I've either misunderstood/interpreted the documentation or don't know about some other way to initiate compatibility between both systems.


The reason for the IP addresses being local is basically that OpenBSD is set up on VirtualBox with a bridged interface to my notebook's NIC; as this is a test bed, WAN IP addresses are not really important at this stage!


Can anyone give me a hand??

I'd really appreciate any kind of advice or help, as I've been racking my brain trying to figure this thing out, constantly reading the man pages and trying to Google the errors but with no luck.... and additionally (don't know why) OpenBSD howto guides don't seem to work as well as FreeBSD, Linux or Solaris ones. Actually they don't work, period, as I've attempted to analyze other people's claims and configs too......

What happened to good old: dummies guide to LAMP


Anyway thanks for any responses in advance
#2 - sparky - 10th March 2012

After all this time and no "hello welcome" message let alone support

Nevermind..... <siiiiiigggghhhhh>

Here's the solution in case anyone needs it in the future:


Because Cisco ISR routers are primarily meant to be connected at the network WAN edge as a gateway or other edge device, it seems that the IOS product groups didn't decide to implement a way to manipulate or alter the ISAKMP Phase-2 header or initiator ID field within the crypto packets.

So using a quick crash-course in Engineering Psych 101; using the P2 header of "ANY to ANY" seemed more efficient and less troublesome.


This means for interoperability that other manufacturers need to have the same ISAKMP implementation mentality or a way to be able to manipulate or adjust the P2 header in order to be able to sync-up with the ISR range.


Since OpenBSD isn't a product but instead a very powerful operating system this feature should definitely be implemented!!


By using the /etc/ipsec.conf configuration parameter string of:

Code:
ike esp from 0.0.0.0/0 to 0.0.0.0/0 peer 192.168.0.1 main auth hmac-md5 enc 3des group modp1536 \
quick auth hmac-md5 enc 3des psk "secret"

Coupled with the Cisco Crypto Map stated above in my initial post, the P2 headers are a 100% match.

Just for justification purposes; the P2 headers are defined by the "from" and "to" statements.


Once that has been issued the connection then establishes without any further ado!


Please see the attached images for confirmation

Last edited by ocicat; 10th March 2012 at 04:59 PM. Reason: corrected formatting
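As an added example (not code from the thread or from OpenBSD's isakmpd), the following Python script reproduces the comparison behind the INVALID_ID_INFORMATION error above: it pulls the phase-2 selectors the peer proposed out of the isakmpd log line quoted in the first post and the from/to flow out of an ipsec.conf ike rule, and reports whether they agree. It assumes, as the thread states, that the responder needs an exact match between its from/to pair and the initiator's proposed pair; the log line and both rules are copied from the thread, while the function names are my own.

```python
import ipaddress
import re

# Constructed inputs, copied from the thread: the isakmpd log line and the two ipsec.conf rules.
ISAKMPD_LINE = ("020025.963221 Default responder_recv_HASH_SA_NONCE: peer proposed invalid "
                "phase 2 IDs: initiator id 0.0.0.0/0.0.0.0, responder id 0.0.0.0/0.0.0.0")
RULE_ORIGINAL = ('ike esp from 192.168.0.2 to 192.168.0.1 peer 192.168.0.1 main auth hmac-md5 '
                 'enc 3des group modp1536 quick auth hmac-md5 enc 3des psk "secret"')
RULE_FIXED = ('ike esp from 0.0.0.0/0 to 0.0.0.0/0 peer 192.168.0.1 main auth hmac-md5 '
              'enc 3des group modp1536 quick auth hmac-md5 enc 3des psk "secret"')

ID_RE = re.compile(r"initiator id ([^\s,]+), responder id ([^\s,]+)")
FLOW_RE = re.compile(r"\bfrom\s+(\S+)\s+to\s+(\S+)")


def to_network(text):
    """Normalise a host, net/prefix, or net/dotted-mask (isakmpd's log form) to an IPv4Network."""
    return ipaddress.ip_network(text, strict=False)


def peer_phase2_ids(line):
    """Extract the (initiator, responder) selectors the peer proposed from an isakmpd log line."""
    m = ID_RE.search(line)
    if not m:
        raise ValueError("line carries no phase 2 IDs")
    return to_network(m.group(1)), to_network(m.group(2))


def local_phase2_ids(rule):
    """Selectors isakmpd expects as responder: the initiator's ID is our 'to', ours is our 'from'."""
    m = FLOW_RE.search(rule)
    if not m:
        raise ValueError("rule has no from/to flow")
    src, dst = to_network(m.group(1)), to_network(m.group(2))
    return dst, src


def phase2_ids_match(rule, line):
    """True when the configured flow is exactly the pair the peer proposed (the thread's requirement)."""
    return local_phase2_ids(rule) == peer_phase2_ids(line)


def explain(rule, line):
    """Operator-readable verdict for chasing INVALID_ID_INFORMATION."""
    want, got = local_phase2_ids(rule), peer_phase2_ids(line)
    status = "match" if want == got else "MISMATCH"
    return f"{status}: configured initiator/responder {want[0]} / {want[1]}, peer proposed {got[0]} / {got[1]}"


if __name__ == "__main__":
    print(explain(RULE_ORIGINAL, ISAKMPD_LINE))
    print(explain(RULE_FIXED, ISAKMPD_LINE))
```

The wildcard rule that removes the mismatch also widens the flow from one host pair to any/any, so the verdict is worth reading alongside what traffic the tunnel is actually meant to carry.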
#3 - denta - 10th March 2012

Quote (Originally Posted by sparky):
After all this time and no "hello welcome" message let alone support
Hello!

Nice that you got it working. I think the reason for the lack of replies might be that not that many people here have experience with setting up IPsec between OpenBSD and "other" devices. :/
#4 - sparky - 10th March 2012

Quote:
Nice that you got it working. I think the reason for the lack of replies might be that not that many people here have experience with setting up IPsec between OpenBSD and "other" devices. :/
Yeah..... I know how that goes!

If you're an engineer qualified for company X, then you're always an engineer of company X and there's no changing it. I tend to be a bit eclectic in the sense that I learn what I like and/or what I feel is interesting.

But hopefully this posting may help someone further on down the line........

Now off to go build a PPPoE server and client to simulate an ISP's PoP server. ....oh, did I mention that I have been using OpenBSD properly for around 1 week???? haha


P.s. since the tac of this forum don't let me edit my posts would it be kindly possible for a moderator or so to change this malformed line:

Quote:
code
ike esp from 0.0.0.0/0 to 0.0.0.0/0 peer 192.168.0.1 main auth hmac-md5 enc 3des group modp1536 \
quick auth hmac-md5 enc 3des psk "secret"
/quote
to [/code] tag instead of [/quote] so that the proper "code" box appears???


Thanks!
#5 - ocicat (Administrator) - 10th March 2012

Quote (Originally Posted by sparky):
since the tac of this forum don't let me edit my posts would it be kindly possible for a moderator or so to change this malformed line:
Done, & welcome!

New members to this site are restricted from some features as a security measure against spammers. These restrictions are lifted once members get above a predetermined number of posts. We apologize to new members for the inconvenience, but it is only temporary as credibility is established.
#6 - sparky - 10th March 2012

Many thanks!

Quote:
New members to this site are restricted from some features as a security measure against spammers. These restrictions are lifted once members get above a predetermined number of posts. We apologize to new members for the inconvenience, but it is only temporary as credibility is established.
I did my homework on this, that's why I asked politely and wasn't offended

Uh I'm so excited now to build this router of mine, basically the hardware I picked can actually route at 10Gbps.... well just under as it seems to be a limitation with x64 architecture but it's nice to see OpenBSD can easily kick Cisco's ASCII

Oh and how cool is it when people ask: "what router have you got?" to just reply with: "I designed and built it myself"

Though am still 3 years away from 1Gbps residential internet and metro ethernet too expensive