DaemonForums  

OpenBSD Security Functionally paranoid!
#1
6th August 2012
xeniades (New User, Join Date: Aug 2012, Posts: 5)
Negotiation of IPsec SA

hi everyone!
nice to see that there is a forum related to openbsd!...

i have only a basic question about the VPN/IPsec implementation in openbsd 4.x - especially for ISAKMP exchanges in phase 2. it seems that this is different from other OSes or vendors.
>> does openbsd accept in phase 2 a remote subnet which is not configured as a reachable subnet through the vpn? <<
That means subnets A and B should be reached via vpn. A and B are configured on both sides. The client (ex. netscreen) also sends a subnet C to the responder (openbsd), and openbsd agreed to subnet C in phase 2 even though subnet C is not configured in openbsd as a vpn remote subnet.
Or is this just a problem of the configuration of openbsd, isakmpd.conf...?
thanks a lot for your answer.
the vpn is established by main mode and preshared key.

#2
6th August 2012
ocicat (Administrator, Join Date: Apr 2008, Posts: 3,318)

Quote:
Originally Posted by xeniades
i have only a basic question about the VPN/IPsec implementation in openbsd 4.x - especially for ISAKMP exchanges in phase 2.
Welcome!

Recognize that the OpenBSD project only supports the two latest releases at any given time. Per Section 5.1 of the project's official FAQ:
Quote:
You will also note that in the above example, the 4.8-stable branch came to an end with 5.0-release, and the 4.9-stable branch came to an end with 5.1-release -- old releases are typically supported up to two releases back. It takes resources and time to support older versions, while we might like to provide ongoing support for old releases, we would rather focus on new features.
Is there a reason you mention 4.x? What precludes upgrading to or installing OpenBSD 5.1 (the latest public release)?
#3
6th August 2012
xeniades (New User, Join Date: Aug 2012, Posts: 5)

i agree, but this question is more general.
unfortunately i have to use the "openbsd box" as it is. i will do my best to get the latest version if i should decide to use openbsd as vpn gateway and firewall.
if this is a known problem, someone might know which version should be used to fix this.

thanks for support.
#4
6th August 2012
jggimi (More noise than signal, Join Date: May 2008, Location: USA, Posts: 7,975)

OpenBSD does not use MAJOR.minor release numbering. Instead, the number just increases by 0.1 every six months. 5.0 was half a year after 4.9, as 3.0 was half a year after 2.9.

Which specific release you are running may sometimes be important, even when it is a legacy system such as yours. There have been regular changes to IPSec capabilities over time. And sometimes incompatibilities occur, such as when there were two hash algorithm bug fixes at OpenBSD 4.7 for HMAC-SHA2.

----

There are few IPSec users here. I'm one, but I do not use isakmpd.conf; instead, I use ipsecctl(8) and ipsec.conf(5).
Quote:
does openbsd accept in phase 2 a remote-subnet, which is not configured as a reachable subnet through vpn ?
I'm not sure I understand the question. Is it possible that this OpenBSD Journal article describes what you're looking for?

If not, and if you don't get any useful responses, you might consider posting your question to the misc@ mailing list.
If you decide to post to misc@, I'm sure you will be asked to post your specific release, the specifics of the configuration problem you are trying to solve, as well as both your isakmpd.conf and any captured Phase 2 negotiation logs -- these last two may be safely posted after redacting private information, such as publicly facing IP addresses.
------

Edited to add:

The capabilities described in the Journal article were added to -current in January of 2009, and were included in 4.5-release in April of that year:
Quote:
Add support in isakmpd(8) and ipsecctl(8) to install SAs with a different source network than we have negotiated with a peer

Last edited by jggimi; 6th August 2012 at 09:39 PM. Reason: addendum
#5
7th August 2012
xeniades (New User, Join Date: Aug 2012, Posts: 5)

hi!
ok, the release is 5.0.
after some investigation, i think that i found the problem and the solution.
to be sure that only specific local and remote subnets are able to connect with vpn/ipsec in openbsd, you have to use isakmpd.policy. this file contains the allowed subnets, for example:

> remote_filter_addr_upper == "010.001.000.255" &&
> remote_filter_addr_lower == "010.001.000.000" &&
> local_filter_addr_upper == "010.018.000.255" &&
> local_filter_addr_lower == "010.018.000.000" &&

this file must be parsed by openbsd with keynote. but it is additional effort to create this .policy file and you have to install keynote (?)...

by default, isakmpd.policy contains only the pre-shared key and no filters.

what is the advantage of using ipsecctl(8) and ipsec.conf(5) instead of isakmpd.conf / isakmpd.policy ?
#6
7th August 2012
jggimi (More noise than signal, Join Date: May 2008, Location: USA, Posts: 7,975)

I'm glad you found the answer.
Quote:
Originally Posted by xeniades
what is the advantage of using ipsecctl(8) and ipsec.conf(5) instead of isakmpd.conf / isakmpd.policy ?
Simplicity and ease of use. It was so easy, a third party article was published called "Zero to IPSec in 4 Minutes."

http://www.symantec.com/connect/arti...psec-4-minutes
#7
7th August 2012
denta (Shell Scout, Join Date: Nov 2009, Location: Sweden, Posts: 95)

Quote:
Originally Posted by xeniades
to be sure that only specific local and remote subnets are able to connect with vpn/ipsec in openbsd
Why not just use pf to filter the traffic on enc(4)? It could be a simple 1-liner that gets the job done, with no need for the complexity you described above.

Last edited by denta; 7th August 2012 at 03:12 PM.
#8
7th August 2012
xeniades (New User, Join Date: Aug 2012, Posts: 5)

yes, this is a workaround.
but this does not prevent a packet from being sent from one peer to the other through the vpn. and my "vpn-engine" is also unnecessarily burdened.
i don't know how many vpn tunnels can be established until the vpn-service crashes...
#9
7th August 2012
denta (Shell Scout, Join Date: Nov 2009, Location: Sweden, Posts: 95)

How is that a workaround? Sorry, I clearly don't understand your problem still, after all these posts.

edit: Also, I have no idea what the network topology is, or where the OpenBSD units are, and what needs to connect to what.

Last edited by denta; 7th August 2012 at 03:58 PM.
7th August 2012
xeniades (New User, Join Date: Aug 2012, Posts: 5)

denta, the question is more general. it does not depend on the topology.

but if you have a simple site-to-site vpn, peer A is the openbsd-box, peer B is any other vpn-gateway (call it Gw-B). now Gw-B initiates the vpn and a tunnel is established between the two peers. with this tunnel you can send packets - for example - between the two directly connected internal networks. this is the reason for the vpn tunnel.

now the admin of Gw-B configures additional ipsec-SAs and does not inform the admin of the openbsd-box. so the openbsd-box will not be changed. the result is that the openbsd-box accepts these additional ipsec-SAs and packets can be sent from Gw-B to the openbsd-box.
if the openbsd-box has a configured route for these packets, they will reach the target. this makes the admin of the openbsd-box nervous, because it is not his intention to receive such (unknown) traffic.

this scenario will happen if you do not use the isakmpd.ipsec. if you use this file, you can filter the ipsec-SAs from Gw-B and the openbsd-box denies the requests from Gw-B. That means:

- no tunnel can be established for the "unknown" ipsec-SAs from peer B,
- therefore no need for pf. and the best is that
- only valid ipsec-SAs are terminated on the openbsd-box
- no added burden for isakmpd.

but you have to install keynote on your openbsd-box to get this to work and you should know how to use isakmpd.ipsec. it seems a little bit complicated....
but this is the reason that your solution is just a workaround. your kind of configuration does not solve the real problem. but i am sure - it will work.

i have not tested this, it is just a theoretical investigation, but i think this will point to the right way - if not, please let me know. i am still learning in openbsd.

the smarter way to get more and easier ipsec security is to use the configuration files mentioned by jggimi. i think this is more restrictive than isakmpd.conf.
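The check that post #5's isakmpd.policy clause performs on a Phase 2 proposal, applied to the "additional SAs from Gw-B" scenario above, as an added example that is not from this thread or from isakmpd itself. It assumes isakmpd hands KeyNote the selector bounds as zero-padded dotted quads compared as strings (the form the thread's clause uses), and it generalizes the thread's exact `==` match to a lower/upper window; all subnets are constructed for the example.

```python
from ipaddress import ip_network
from typing import Dict, Tuple

def pad_quad(addr: str) -> str:
    """Zero-padded dotted quad, the form isakmpd hands to KeyNote (e.g. 010.001.000.255)."""
    return ".".join(f"{int(octet):03d}" for octet in addr.split("."))

def quad_range(cidr: str) -> Tuple[str, str]:
    """Lower/upper padded addresses of a subnet, as the *_filter_addr_* attributes carry them."""
    net = ip_network(cidr, strict=False)
    return pad_quad(str(net.network_address)), pad_quad(str(net.broadcast_address))

# Constructed policy window matching the thread: local 10.18.0.0/24 <-> remote 10.1.0.0/24.
# The thread's clause uses "==" (exact match); this window form with <= also accepts
# narrower selectors that lie inside the same ranges.
POLICY: Dict[str, str] = {
    "remote_filter_addr_lower": "010.001.000.000",
    "remote_filter_addr_upper": "010.001.000.255",
    "local_filter_addr_lower": "010.018.000.000",
    "local_filter_addr_upper": "010.018.000.255",
}

def proposal_allowed(local_cidr: str, remote_cidr: str, policy: Dict[str, str] = POLICY) -> bool:
    """Decide a Phase 2 selector pair the way the policy clause does: plain string
    comparisons, which are only correct because every octet is zero-padded."""
    l_lo, l_hi = quad_range(local_cidr)
    r_lo, r_hi = quad_range(remote_cidr)
    return (policy["local_filter_addr_lower"] <= l_lo <= l_hi <= policy["local_filter_addr_upper"]
            and policy["remote_filter_addr_lower"] <= r_lo <= r_hi <= policy["remote_filter_addr_upper"])

def unpadded_compare_is_wrong() -> bool:
    """Why the padding matters: without it, "10.1.0.3" sorts after "10.1.0.255" as text."""
    return "10.1.0.3" > "10.1.0.255"   # True, although 3 < 255 numerically

if __name__ == "__main__":
    # Subnet pair both admins configured: accepted.
    print(proposal_allowed("10.18.0.0/24", "10.1.0.0/24"))   # True
    # "Subnet C" added unilaterally on Gw-B: rejected, so no SA is installed for it.
    print(proposal_allowed("10.18.0.0/24", "10.2.0.0/24"))   # False
    # Remote selector wider than the agreed /24: also rejected.
    print(proposal_allowed("10.18.0.0/24", "10.1.0.0/16"))   # False
    print(unpadded_compare_is_wrong())                       # True
```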
7th August 2012
jggimi (More noise than signal, Join Date: May 2008, Location: USA, Posts: 7,975)

I don't know about "more" security. You can do things with isakmpd.conf and isakmpd.policy that are not possible with ipsec.conf. By definition, ipsec.conf is simpler and easier.

Can it do what you want? I don't know, because I'm not clear on your use case.

You might test to see if it's a good fit. From what you've posted, it appears you only want to permit clearly defined SAs and flows. From my experience with ipsec.conf, all SAs and flows must be predefined in the configuration file.