DaemonForums > OpenBSD > OpenBSD Security

#1  30th March 2018  toprank
L2TP IPSEC VPN connectivity

I'm able to connect to the VPN with the following setup, but am unable to reach the Internet through the VPN.

/etc/rc.conf.local

Code:
isakmpd_flags="-K"
ipsec=YES
npppd_flags=""

/etc/ipsec.conf

Code:
ike passive esp tunnel \
        from sub.domain.tld to any \
        main group "modp1024" \
        quick group "modp1024" \
        psk "key"

/etc/npppd/npppd-users

Code:
$user:\
        :password=$passwd:

/etc/pf.conf

Code:
pubIF = "vio0"
vpnIF = "pppx"
vpnNET = "10.0.0.0/24"
pass in on $pubIF proto esp
pass in on $pubIF proto udp to port { isakmp, ipsec-nat-t }
pass on enc0 keep state (if-bound)
pass on $vpnIF from $vpnNET
pass on $vpnIF to $vpnNET
match out on $pubIF from $vpnNET nat-to ($pubIF) set prio (3,4)

Starting daemons:

Code:
# /etc/rc.d/isakmpd start
isakmpd(ok)
root@vpx:~# ipsecctl -f /etc/ipsec.conf
root@vpx:~# sysctl net.pipex.enable=1
net.pipex.enable: 0 -> 1
root@vpx:~# sysctl net.pipex.enable
net.pipex.enable=1
root@vpx:~# /etc/rc.d/npppd start
npppd(ok)

I then configure the Mac client and connect to the VPN.

ifconfig shows the client is connected.

Code:
root@vpx:~# ifconfig 
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 4 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
vio0: flags=208843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6> mtu 1500
        lladdr mac
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect
        status: active
        inet pubIP netmask 0xfffffe00 broadcast gateway
        inet6 ip6ip%vio0 prefixlen 64 scopeid 0x1

<snip(inet6)>

vio1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr mac
        index 2 priority 0 llprio 3
        media: Ethernet autoselect
        status: no carrier
enc0: flags=0<>
        index 3 priority 0 llprio 3
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33172
        index 5 priority 0 llprio 3
        groups: pflog
pppx0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1360
        description: $user
        index 6 priority 0 llprio 3
        groups: pppx
        inet 10.0.0.1 --> 10.0.0.73 netmask 0xffffffff

tcpdump shows nothing on the pflog interface despite a successful connection and attempts to browse from the client side:

Code:
root@vpx:~# tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
^C
0 packets received by filter
0 packets dropped by kernel

ipsec key exchanges:

Code:
root@vpx:~# ipsecctl -m
sadb_delflow: satype esp vers 2 len 16 seq 6 pid 47859
        src_mask: 255.255.255.255 port 65535
        dst_mask: 255.255.255.255 port 65535
        protocol: proto 17 flags 0
        flow_type: type require direction out
        src_flow: VPN port 1701
        dst_flow: client port 56642
sadb_delflow: satype esp vers 2 len 16 seq 6 pid 47859
        src_mask: 255.255.255.255 port 65535
        dst_mask: 255.255.255.255 port 65535
        protocol: proto 17 flags 0
        flow_type: type require direction out
        src_flow: VPN port 1701
        dst_flow: client port 56642
sadb_delete: satype esp vers 2 len 10 seq 7 pid 47859
        sa: spi 0x... auth none enc none
                state larval replay 0 flags 0<>
        address_src: VPN
        address_dst: client
sadb_delete: satype esp vers 2 len 10 seq 7 pid 47859
        sa: spi 0x... auth none enc none
                state larval replay 0 flags 0<>
        address_src: VPN
        address_dst: client
sadb_delflow: satype esp vers 2 len 16 seq 8 pid 47859
        src_mask: 255.255.255.255 port 65535
        dst_mask: 255.255.255.255 port 65535
        protocol: proto 17 flags 0
        flow_type: type use direction in
        src_flow: client port 56642
        dst_flow: VPN port 1701
sadb_delflow: satype esp vers 2 len 16 seq 8 pid 47859
        src_mask: 255.255.255.255 port 65535
        dst_mask: 255.255.255.255 port 65535
        protocol: proto 17 flags 0
        flow_type: type use direction in
        src_flow: client port 56642
        dst_flow: VPN port 1701
sadb_delete: satype esp vers 2 len 10 seq 9 pid 47859
        sa: spi 0x... auth none enc none
                state larval replay 0 flags 0<>
        address_src: client
        address_dst: VPN
sadb_delete: satype esp vers 2 len 10 seq 9 pid 47859
        sa: spi 0x... auth none enc none
                state larval replay 0 flags 0<>
        address_src: client
        address_dst: VPN
sadb_getspi: satype esp vers 2 len 10 seq 10 pid 47859
        address_src: client
        address_dst: VPN
        spirange: min 0x00000100 max 0xffffffff
sadb_getspi: satype esp vers 2 len 10 seq 10 pid 47859
        sa: spi 0x... auth none enc none
                state mature replay 0 flags 0<>
        address_src: client
        address_dst: VPN
sadb_add: satype esp vers 2 len 51 seq 11 pid 47859
        sa: spi 0x... auth hmac-sha1 enc aes
                state mature replay 16 flags 0x200<udpencap>
        lifetime_hard: alloc 0 bytes 0 add 3600 first 0
        lifetime_soft: alloc 0 bytes 0 add 3240 first 0
        address_src: VPN
        address_dst: client
        key_auth: bits 160: hash
        key_encrypt: bits 256: hash
        identity_src: type prefix id 0: vpn/32
        identity_dst: type prefix id 0: 10.0.0.37/32
        src_mask: 255.255.255.255 port 65535
        dst_mask: 255.255.255.255 port 65535
        protocol: proto 17 flags 0
        flow_type: type unknown direction out
        src_flow: VPN port 1701
        dst_flow: client port 64265
        udpencap: udpencap port 4500
sadb_add: satype esp vers 2 len 42 seq 11 pid 47859
        sa: spi 0x... auth hmac-sha1 enc aes
                state mature replay 16 flags 0x200<udpencap>
        lifetime_hard: alloc 0 bytes 0 add 3600 first 0
        lifetime_soft: alloc 0 bytes 0 add 3240 first 0
        address_src: VPN
        address_dst: client
        identity_src: type prefix id 0: VPN/32
        identity_dst: type prefix id 0: 10.0.0.37/32
        src_mask: 255.255.255.255 port 65535
        dst_mask: 255.255.255.255 port 65535
        protocol: proto 17 flags 0
        flow_type: type unknown direction out
        src_flow: VPN port 1701
        dst_flow: client port 64265
        udpencap: udpencap port 4500
sadb_update: satype esp vers 2 len 51 seq 12 pid 47859
        sa: spi 0x... auth hmac-sha1 enc aes
                state mature replay 16 flags 0x200<udpencap>
        lifetime_hard: alloc 0 bytes 0 add 3600 first 0
        lifetime_soft: alloc 0 bytes 0 add 3240 first 0
        address_src: client
        address_dst: VPN
        key_auth: bits 160: hash
        key_encrypt: bits 256: hash
        identity_src: type prefix id 0: 10.0.0.37/32
        identity_dst: type prefix id 0: VPN/32
        src_mask: 255.255.255.255 port 65535
        dst_mask: 255.255.255.255 port 65535
        protocol: proto 17 flags 0
        flow_type: type unknown direction in
        src_flow: client port 64265
        dst_flow: VPN port 1701
        udpencap: udpencap port 4500
sadb_update: satype esp vers 2 len 42 seq 12 pid 47859
        sa: spi 0x... auth hmac-sha1 enc aes
                state mature replay 16 flags 0x200<udpencap>
        lifetime_hard: alloc 0 bytes 0 add 3600 first 0
        lifetime_soft: alloc 0 bytes 0 add 3240 first 0
        address_src: client
        address_dst: VPN
        identity_src: type prefix id 0: 10.0.0.37/32
        identity_dst: type prefix id 0: VPN/32
        src_mask: 255.255.255.255 port 65535
        dst_mask: 255.255.255.255 port 65535
        protocol: proto 17 flags 0
        flow_type: type unknown direction in
        src_flow: client port 64265
        dst_flow: VPN port 1701
        udpencap: udpencap port 4500
sadb_addflow: satype esp vers 2 len 28 seq 13 pid 47859
        address_dst: client
        identity_src: type prefix id 0: VPN/32
        identity_dst: type prefix id 0: 10.0.0.37/32
        src_mask: 255.255.255.255 port 65535
        dst_mask: 255.255.255.255 port 65535
        protocol: proto 17 flags 0
        flow_type: type require direction out
        src_flow: VPN port 1701
        dst_flow: client port 64265
sadb_addflow: satype esp vers 2 len 28 seq 13 pid 47859
        address_dst: client
        identity_src: type prefix id 0: VPN/32
        identity_dst: type prefix id 0: 10.0.0.37/32
        src_mask: 255.255.255.255 port 65535
        dst_mask: 255.255.255.255 port 65535
        protocol: proto 17 flags 0
        flow_type: type require direction out
        src_flow: VPN port 1701
        dst_flow: client port 64265
sadb_addflow: satype esp vers 2 len 28 seq 14 pid 47859
        address_dst: client
        identity_src: type prefix id 0: VPN/32
        identity_dst: type prefix id 0: 10.0.0.37/32
        src_mask: 255.255.255.255 port 65535
        dst_mask: 255.255.255.255 port 65535
        protocol: proto 17 flags 0
        flow_type: type use direction in
        src_flow: client port 64265
        dst_flow: VPN port 1701
sadb_addflow: satype esp vers 2 len 28 seq 14 pid 47859
        address_dst: client
        identity_src: type prefix id 0: VPN/32
        identity_dst: type prefix id 0: 10.0.0.37/32
        src_mask: 255.255.255.255 port 65535
        dst_mask: 255.255.255.255 port 65535
        protocol: proto 17 flags 0
        flow_type: type use direction in
        src_flow: client port 64265
        dst_flow: VPN port 1701
^C

ipsec active rules and entries:

Code:
root@vpx:~# ipsecctl -s all
FLOWS:
flow esp in proto udp from client port 61418 to VPN port l2tp peer client srcid VPN/32 dstid 10.0.0.37/32 type use
flow esp out proto udp from VPN port l2tp to client port 61418 peer client srcid VPN/32 dstid 10.0.0.37/32 type require

SAD:
esp transport from VPN to client spi 0x... auth hmac-sha1 enc aes-256
esp transport from client to VPN spi 0x... auth hmac-sha1 enc aes-256

pf rules:

Code:
root@vpx:~# pfctl -s rules
block drop log quick from <vilain_bruteforce> to any
block return all
pass all flags S/SA
block return in on ! lo0 proto tcp from any to any port 6000:6010
pass in on vio0 proto udp from any to any port = 500
pass in on vio0 proto udp from any to any port = 4500
pass in on vio0 proto esp all
pass on enc0 all flags S/SA keep state (if-bound)
pass on pppx inet from 10.0.0.0/24 to any flags S/SA
pass on pppx inet from any to 10.0.0.0/24 flags S/SA
match out on vio0 inet from 10.0.0.0/24 to any set ( prio(3, 4) ) nat-to (vio0) round-robin
root@vpx:~#

#2  30th March 2018  jggimi

Is IP forwarding enabled?
#3  30th March 2018  toprank

I don't know how I overlooked that! Thanks, jggimi. It is now, lol.
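The two replies above reduce the problem to one missing kernel setting: pf can pass the L2TP client's packets on pppx0, but with net.inet.ip.forwarding left at 0 the kernel discards transit packets instead of routing them out vio0, and since no rule in the posted ruleset carries `log`, nothing ever reaches pflog0. The script below is an added example, not code from the thread, that checks the three host-side prerequisites the first post's own diagnostics cover: the forwarding and pipex sysctls, an inbound L2TP flow in the SPD (`ipsecctl -s flow`), and an outbound nat-to rule for the client network (`pfctl -s rules`). The check functions read command output on stdin, so the sample outputs embedded in the script (constructed, modelled on the thread's output with RFC 5737 addresses) exercise them offline; `live` mode runs the real commands and is only meaningful as root on the OpenBSD gateway. The `report`, `demo` and `run_live` names are mine.

```shell
#!/bin/sh
# Prerequisite check for an OpenBSD L2TP/IPsec gateway (isakmpd + npppd).
# Added example for this thread, not code from the original posts.
# Each check reads command output on stdin so it can be exercised offline
# with the constructed samples below; run_live feeds it real output.

# Names any sysctl that must be 1 for the gateway to route client
# traffic but is 0 or missing. Input lines look like "name=value",
# which is what `sysctl net.inet.ip.forwarding net.pipex.enable` prints.
check_sysctls() {
    awk -F= '
        BEGIN { want["net.inet.ip.forwarding"] = 1; want["net.pipex.enable"] = 1 }
        ($1 in want) { seen[$1] = $2 + 0 }
        END { for (k in want) if (!(k in seen) || seen[k] != 1) print k }
    ' | sort
}

# Succeeds when `ipsecctl -s flow` output contains an inbound ESP flow
# for UDP to the l2tp port, i.e. phase 2 completed for an L2TP client.
check_l2tp_flow() {
    grep -q '^flow esp in proto udp .* port l2tp '
}

# Succeeds when `pfctl -s rules` output contains an outbound nat-to rule
# for the VPN client network given as $1 (CIDR; dots match loosely).
check_nat_rule() {
    grep -q "^match out on .* from $1 to any .*nat-to"
}

# Runs all three checks ($1 sysctl text, $2 flow text, $3 pf rules text,
# $4 VPN network), prints what is missing and returns 1 if anything is.
report() {
    rc=0
    missing=$(printf '%s\n' "$1" | check_sysctls)
    if [ -n "$missing" ]; then
        printf 'sysctl not set to 1: %s\n' "$missing"; rc=1
    fi
    printf '%s\n' "$2" | check_l2tp_flow || { echo 'no inbound L2TP flow in SPD'; rc=1; }
    printf '%s\n' "$3" | check_nat_rule "$4" || { echo "no nat-to rule for $4"; rc=1; }
    return $rc
}

# Constructed samples modelled on the thread's output: forwarding is off
# in SYSCTL_BROKEN, which is exactly the state the first post was in.
SYSCTL_BROKEN='net.inet.ip.forwarding=0
net.pipex.enable=1'
SYSCTL_FIXED='net.inet.ip.forwarding=1
net.pipex.enable=1'
FLOWS='flow esp in proto udp from 192.0.2.10 port 61418 to 198.51.100.1 port l2tp peer 192.0.2.10 srcid 198.51.100.1/32 dstid 10.0.0.37/32 type use
flow esp out proto udp from 198.51.100.1 port l2tp to 192.0.2.10 port 61418 peer 192.0.2.10 srcid 198.51.100.1/32 dstid 10.0.0.37/32 type require'
PFRULES='pass all flags S/SA
pass on enc0 all flags S/SA keep state (if-bound)
match out on vio0 inet from 10.0.0.0/24 to any set ( prio(3, 4) ) nat-to (vio0) round-robin'

# Live mode: only meaningful on the OpenBSD gateway itself, as root.
run_live() {
    report "$(sysctl net.inet.ip.forwarding net.pipex.enable)" \
           "$(ipsecctl -s flow)" "$(pfctl -s rules)" "${1:-10.0.0.0/24}"
}

# Offline demo: the broken state must fail and the fixed state must pass.
demo() {
    report "$SYSCTL_BROKEN" "$FLOWS" "$PFRULES" 10.0.0.0/24 && return 1
    report "$SYSCTL_FIXED"  "$FLOWS" "$PFRULES" 10.0.0.0/24
}

if [ "${1:-}" = live ]; then run_live "$2"; else demo; fi
```

Run it as `sh l2tp_prereqs.sh` for the offline demo or `sh l2tp_prereqs.sh live 10.0.0.0/24` on the gateway. Two caveats a practitioner would add: `sysctl net.pipex.enable=1` typed at the shell, as in the first post, does not survive a reboot, so put `net.inet.ip.forwarding=1` and `net.pipex.enable=1` in /etc/sysctl.conf; and the posted ipsec.conf negotiates modp1024, i.e. 1024-bit Diffie-Hellman, which should be replaced by a larger group wherever the client supports one.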