DaemonForums  

Thread: ipsec, x509 and more than one interface

#1  igy01, 29th August 2012

I have one OpenBSD box with two network cards; the cards are connected to different networks:
xl0 IP=10.10.10.1/24
rl0 IP=192.168.1.1/24

Now I want to configure multiple isakmpd/IPsec connections. Some IPsec connections are to hosts in the first network, some to hosts in the second network, i.e. I need protected traffic between:
10.10.10.1 <==> 10.10.10.2
10.10.10.1 <==> 10.10.10.3
192.168.1.1 <==> 192.168.1.2
192.168.1.1 <==> 192.168.1.3

Everything is clear and simple, except how to configure the x509 certificates. For me, there are two scenarios:

first scenario:
1. create only one local.key
2. create two crts: 10.10.10.1.crt and 192.168.1.1.crt in /etc/isakmpd/certs/
3. in /etc/ipsec.conf configure two different kind of lines:
ike esp from ... to ... local 10.10.10.1 peer 10.10.10.2 main auth ....
ike esp from ... to ... local 192.168.1.1 peer 192.168.1.2 main auth ....

second scenario:
1. create one local.key
2. create only one crt: 10.10.10.1.crt (or only 192.168.1.1.crt)
3. in /etc/ipsec.conf configure:
ike esp from ... to ... local 10.10.10.1 peer 10.10.10.2 main auth ....
ike esp from ... to ... local 10.10.10.1 peer 192.168.1.2 main auth ....

So, in the second scenario, IPsec is "finished" on the OpenBSD box,
but not on the interface connected to network 192.168.1.0

Which scenario is appropriate, and why? Any other ideas?
#2  jggimi, 29th August 2012

I don't use X.509 certificates, I just use RSA public/private key pairs established with each FQDN. So I cannot answer certificate deployment questions. But ... I do not understand how your second scenario would possibly have correct SAs and Flows, as this would never establish them with 192.168.1.1.

Have you tested either scenario?
#3  igy01, 29th August 2012

Quote:
Originally Posted by jggimi
But ... I do not understand how your second scenario would possibly have correct SAs and Flows, as this would never establish them with 192.168.1.1.

Have you tested either scenario?
Yes, I have tested both, and both scenarios work (at least in the lab).
The second scenario is strange to me also. That is the reason for my question.

In this scenario (the second), with tcpdump on interface rl0=192.168.1.1 I get ESP packets with source addr=10.10.10.1 and dest addr=192.168.1.2. So, on 192.168.1.1 there are packets passing out with a source addr different from 192.168.1.1??? Is it ok?

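The two scenarios laid out in post #1 and the tcpdump observation in post #3 can be checked mechanically before touching a lab box. The script below is an added example, not code from the thread or from OpenBSD: it parses the `ike esp` rules of an ipsec.conf, resolves each `peer` to the directly connected interface the packets would leave through, and reports (a) rules whose `local` address has no certificate carrying that IP in its subjectAltName (isakmpd selects the certificate by matching the IKE identity, which is the `local` address unless `srcid` is set, against the certificate's subjectAltName), and (b) rules whose `local` address is not the address of the egress interface, which is exactly what scenario two produces on rl0. The interface table, the two ipsec.conf texts and the certificate inventory are constructed to match the thread; the inventory is a dict of filename to subjectAltName IPs rather than parsed certificate files, and the `hmac-sha1`/`aes` transforms stand in for the poster's `....`.

```python
"""Lint ipsec.conf 'ike esp' rules against interface addresses and the
certificates isakmpd would find in /etc/isakmpd/certs/.

Added example for the thread, not OpenBSD code.  Assumptions:
  * the IKE identity of a rule is its 'local' address (no srcid), so a
    certificate whose subjectAltName carries that IP must exist;
  * certificates are given as a constructed {filename: [SAN IPs]} dict,
    not parsed from real .crt files.
"""
import ipaddress
import re

# Constructed: the poster's two interfaces.
INTERFACES = {"xl0": "10.10.10.1/24", "rl0": "192.168.1.1/24"}

# Constructed: scenario one keeps two certs over the single local.key ...
CERTS_TWO = {"10.10.10.1.crt": ["10.10.10.1"], "192.168.1.1.crt": ["192.168.1.1"]}
# ... scenario two keeps only one.
CERTS_ONE = {"10.10.10.1.crt": ["10.10.10.1"]}

SCENARIO_ONE = """\
# constructed: one rule per peer, local = this box's address on the peer's network
ike esp from 10.10.10.1 to 10.10.10.2 local 10.10.10.1 peer 10.10.10.2 main auth hmac-sha1 enc aes
ike esp from 10.10.10.1 to 10.10.10.3 local 10.10.10.1 peer 10.10.10.3 main auth hmac-sha1 enc aes
ike esp from 192.168.1.1 to 192.168.1.2 local 192.168.1.1 peer 192.168.1.2 main auth hmac-sha1 enc aes
ike esp from 192.168.1.1 to 192.168.1.3 local 192.168.1.1 peer 192.168.1.3 main auth hmac-sha1 enc aes
"""

SCENARIO_TWO = """\
# constructed: every rule uses 10.10.10.1 as local, even towards the rl0 peers
ike esp from 10.10.10.1 to 10.10.10.2 local 10.10.10.1 peer 10.10.10.2 main auth hmac-sha1 enc aes
ike esp from 10.10.10.1 to 10.10.10.3 local 10.10.10.1 peer 10.10.10.3 main auth hmac-sha1 enc aes
ike esp from 10.10.10.1 to 192.168.1.2 local 10.10.10.1 peer 192.168.1.2 main auth hmac-sha1 enc aes
ike esp from 10.10.10.1 to 192.168.1.3 local 10.10.10.1 peer 192.168.1.3 main auth hmac-sha1 enc aes
"""

# 'local' is optional in ipsec.conf; only the fields this lint needs are captured.
RULE_RE = re.compile(
    r"^ike\s+esp\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+local\s+(?P<local>\S+))?\s+peer\s+(?P<peer>\S+)"
)


def parse_ike_rules(text):
    """Return one dict (src, dst, local, peer) per 'ike esp' rule; comments skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules


def egress_interface(peer, interfaces):
    """Longest-prefix match of the peer against the directly connected networks.
    Returns (ifname, ifaddr), or None when no interface covers the peer."""
    addr = ipaddress.ip_address(peer)
    best = None
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        if addr in iface.network and (best is None or iface.network.prefixlen > best[2]):
            best = (name, str(iface.ip), iface.network.prefixlen)
    return None if best is None else best[:2]


def lint(rules, interfaces, certs):
    """Findings as (code, rule_index, detail) tuples, in rule order."""
    findings = []
    for i, r in enumerate(rules):
        hop = egress_interface(r["peer"], interfaces)
        if hop is None:
            findings.append(("no-route-to-peer", i, r["peer"]))
            continue
        ifname, ifaddr = hop
        local = r["local"] or ifaddr  # assumption: omitted local = egress address
        if not any(local in sans for sans in certs.values()):
            findings.append(("no-cert-for-local", i, local))
        if local != ifaddr:
            # Outer ESP source will differ from the egress interface address,
            # the situation seen with tcpdump on rl0 in scenario two.
            findings.append(("src-not-egress-addr", i, f"local {local} leaves {ifname} ({ifaddr})"))
    return findings


if __name__ == "__main__":
    for label, text, certs in (("scenario one", SCENARIO_ONE, CERTS_TWO),
                               ("scenario two", SCENARIO_TWO, CERTS_ONE)):
        print(label, lint(parse_ike_rules(text), INTERFACES, certs) or "clean")
```

A clean scenario one needs a certificate for each `local` identity over the single `local.key`, i.e. both `10.10.10.1.crt` and `192.168.1.1.crt` or one certificate whose subjectAltName lists both IPs. Scenario two passes the certificate check with a single cert but is flagged on the two rl0 rules; whether the 192.168.1.0/24 peers accept ESP from 10.10.10.1 arriving via 192.168.1.1 depends on their return route to 10.10.10.1 and on any anti-spoofing filtering in their path, which this lint cannot see.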
#4  jggimi, 29th August 2012

Quote:
Is it ok?
I don't know. This is a good question to ask on the misc@ mailing list.
#5  denta, 30th August 2012

Are you sure you want/need x.509 certs?
#6  igy01, 30th August 2012

Quote:
Originally Posted by denta
Are you sure you want/need x.509 certs?
Yes, I know everything works fine with passphrases or priv/pub keys. But, right now, I prefer to use x509 certificates.

My question is not here only because IPsec "must instantly work" for me. It is also a conundrum, a mental challenge. :-)