DaemonForums > OpenBSD > OpenBSD Security

#1 - 21st July 2009 - milo974
mobile client to ipsec gateway

Hello,

I'm trying to set up an IPsec tunnel using OpenBSD and the client software "Shrew VPN Client" (Windows XP); at first I am trying it on my local network (not over the Internet). I've also read the man pages of ipsec.conf, isakmpd and ipsecctl.

Here is what I've done:
On the OpenBSD (4.5) gateway (vpn.my.domain), IP 192.168.0.111:
**rc.conf.local :
ipsec=YES
isakmpd="-K"
**ipsec.conf :
ike dynamic from any to any \
main auth hmac-sha1 enc aes group modp1024
quick auth hmac-sha1 enc aes psk 123456A
**pf is disabled

On the client side:
Windows XP SP3
Shrew VPN Client version 2.1.4
What I have done:
**Remote host: 192.168.0.111 port 500
Auto config: ike config pull
** Local Host: use a virtual adapter
10.0.0.1/24
** Client
NAT disabled
**Name resolution
all is disabled
**Auth
Local host: auto ip address
Remote: auto ip address
Credential: mutual PSK and enter the preshared key (123456A).
**Phase 1
Exchange type: main
**Phase 2
Exchange type: esp-aes
**Policy
Obtain automatically...

When I try to connect I get the following message:
"config loaded for site '192.168.0.111'
configuring client settings ...
attached to key daemon ...
peer configured
isakmp proposal configured
esp proposal configured
client configured
pre-shared key configured
bringing up tunnel ...
invalid message from gateway
tunnel disabled
detached from key daemon ."

I can't open the IPsec tunnel, can you help me please?

#2 - 21st July 2009 - jggimi

Look for isakmpd negotiation errors in /var/log/daemon.
#3 - 21st July 2009 - milo974
view daemon log
Here is the daemon log file:
isakmpd[29133]: udp_create: no address configured for "peer default"
isakmpd[29133]: exchange transport "udp" for peer default could not be created

I'm looking for isakmpd.conf, I don't have it...
Can you help me with this please?
Thanks a lot!
#4 - 21st July 2009 - jggimi

Quote:
I'm looking for isakmpd.conf, I don't have it...
You are using ipsecctl, and will not use an isakmpd.conf file. You are using the "-K" option with isakmpd; your configuration is in ipsec.conf instead. You should read the man pages when you are confused.
Quote:
-K When this option is given, isakmpd does not read the policy configuration file and no keynote(4) policy check is accomplished. This option can be used when policies for flows and SA establishment are arranged by other programs like ipsecctl(8) or bgpd(8).
The error you are seeing:
Code:
isakmpd[29133]: udp_create: no address configured for "peer default"
is related to your ipsec.conf. Let's review it. If what you posted, above, is its exact contents:
Code:
ike dynamic from any to any \
 main auth hmac-sha1 enc aes group modp1024
 quick auth hmac-sha1 enc aes psk 123456A
It is missing a continuation "\" on the second line, preventing the third line from being used, and should have produced an error message when ipsecctl(8) attempted to configure it. It is using dynamic keying, which is inappropriate for gateways. It is using "peer default", which appears to be a problem, also.

Let me guess... you found this configuration in a "howto" somewhere on the Internet?
#5 - 21st July 2009 - milo974
ipsec.conf (good)

Hello,

I've not forgotten the "\".
I don't see why it doesn't work, I need your help...
#6 - 21st July 2009 - jggimi

I have never used Shrew, and cannot assist you with that side of your configuration.
----
Correct your ipsec.conf settings:
  1. dynamic is an incorrect IKE mode. I recommend passive mode. Quoting the ipsec.conf(5) man page, red highlights mine:
    Quote:
    When passive is specified, isakmpd(8) will not immediately start negotiation of this tunnel, but wait for an incoming request from the remote peer. When active or dynamic is specified, negotiation will be started at once. The dynamic mode will additionally enable Dead Peer Detection (DPD) and use the local hostname as the identity of the local peer, if not specified by the srcid parameter. dynamic mode should be used for hosts with dynamic IP addresses like road warriors or dialup hosts.
  2. The addresses in the ike configuration describe IP packets which get placed under ESP or AH protocols. You have described "any to any" but you do not define peers; peers are the tunnel end points.
  3. One of your tunnel end points (peers) is 192.168.0.111. The other is the address of your workstation. The man page says:
    Quote:
    The peer parameter specifies the address or FQDN of the remote end-point. For host-to-host connections where dst is identical to remote, this option is generally not needed as it will be set to dst automatically. If it is not specified or if the keyword any is given, the default peer is used.
    Yours is not a host-to-host connection, it is, instead, any-to-any. Your error message stated
    Quote:
    no address configured for "peer default"
    Try adding a peer parameter to your ike statement.
#7 - 21st July 2009 - milo974
passive ike

In my case, "passive ike" is not a good thing, because in the end I want to use it at home (I have a dynamic IP).
Can you help me?
Thanks
#8 - 21st July 2009 - jggimi

Have you tried any peer settings, Milo? What else have you tried?

We can't see your console from here. From your posts, it looks like you're not doing any testing, just waiting for someone to tell you what to type in.

Try this ipsec.conf. Use passive, until you get this working, since you are testing this inside your local network. Note that this configuration does not use any-to-any:
Code:
ike passive from any to 192.168.0.111 peer any \
 main auth hmac-sha1 enc aes group modp1024 \
 quick auth hmac-sha1 enc aes psk 123456A

ike passive from 192.168.0.111 to any  \
  main auth hmac-sha1 enc aes group modp1024 \
  quick auth hmac-sha1 enc aes psk 123456A
Try this ipsec.conf. Reset the environment, by stopping isakmpd. After editing ipsec.conf, run isakmpd from the console, so you can see the output. For example:
# pkill isak
# vi /etc/ipsec.conf (edit as above)
# isakmpd -Kvd &
# ipsecctl -f /etc/ipsec.conf
Any error or success messages will appear on your console.
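As an added example (not code from the thread, and not part of OpenBSD), here is a small POSIX sh/awk pre-flight check for an ipsec.conf that catches the three problems raised in posts #4, #6 and #8 before isakmpd ever sees the file: a rule line that lost its trailing "\" (so the next line becomes an orphaned "main ..." or "quick ..." rule that ipsecctl cannot parse), a rule that initiates (active or dynamic) without a concrete peer address (which is exactly what produces "no address configured for peer default"), and dynamic mode on the gateway side, where passive is wanted. It joins continuation lines the way ipsec.conf(5) reads them, then inspects each ike rule. The two sample files are constructed inline from the thread: the original poster's version from post #1 with the "\" missing, and the working version from post #8. The function names, the temporary file path, and the choice to treat a rule with no mode keyword as an initiator are this example's own assumptions.

```sh
#!/bin/sh
# Added example: pre-flight checks for ipsec.conf(5) rules, covering the
# three problems discussed in this thread. Not part of OpenBSD; function
# names and sample files are this example's own.

# Print one rule per line, joining backslash-continued lines the way
# ipsec.conf(5) is parsed, dropping comments and blank lines, and
# squeezing whitespace. $1 is the path of the file to read.
ipsec_conf_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            cont = sub(/\\[ \t]*$/, "", line)   # trailing "\" => rule continues
            buf = buf " " line
            if (cont) next
            gsub(/[ \t]+/, " ", buf); sub(/^ /, "", buf)
            print buf
            buf = ""
        }
        END {
            if (buf != "") { gsub(/[ \t]+/, " ", buf); sub(/^ /, "", buf); print buf }
        }
    ' "$1"
}

# Print one finding per line for the rules in file $1 (nothing when clean):
#  - a line starting with a phase-1/phase-2 keyword is a continuation that
#    lost the trailing "\" on the line before it;
#  - a rule that initiates (anything but passive) needs a real peer address,
#    otherwise isakmpd logs "no address configured for peer default";
#  - "dynamic" mode belongs on the roadwarrior, not on the gateway.
ipsec_conf_lint() {
    ipsec_conf_rules "$1" | awk '
        $1 == "main" || $1 == "quick" || $1 == "auth" || $1 == "enc" {
            print "orphaned continuation (missing trailing \\ on the previous line): " $0
            next
        }
        $1 != "ike" { next }
        {
            peer = ""; mode = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "peer") peer = $(i + 1)
                else if ($i == "passive" || $i == "active" || $i == "dynamic") mode = $i
            }
            # Only passive waits for the remote side; a missing mode keyword is
            # treated as initiating here (an assumption of this example).
            if (mode != "passive" && (peer == "" || peer == "any"))
                print "initiating rule without a peer address, isakmpd will report \"no address configured for peer default\": " $0
            if (mode == "dynamic")
                print "dynamic mode is for the client with a changing address, use passive on the gateway: " $0
        }
    '
}

# Constructed sample 1: the original poster's file as shown in post #1,
# with the continuation "\" missing after the "main ..." line.
write_broken_conf() {
    cat > "$1" <<'EOF'
ike dynamic from any to any \
main auth hmac-sha1 enc aes group modp1024
quick auth hmac-sha1 enc aes psk 123456A
EOF
}

# Constructed sample 2: the configuration from post #8 that worked.
write_fixed_conf() {
    cat > "$1" <<'EOF'
ike passive from any to 192.168.0.111 peer any \
 main auth hmac-sha1 enc aes group modp1024 \
 quick auth hmac-sha1 enc aes psk 123456A

ike passive from 192.168.0.111 to any  \
  main auth hmac-sha1 enc aes group modp1024 \
  quick auth hmac-sha1 enc aes psk 123456A
EOF
}

# Demo: lint both samples. Sample 1 yields the three errors discussed in
# the thread; sample 2 yields nothing.
tmp="${TMPDIR:-/tmp}/ipsec-lint.$$"
for sample in write_broken_conf write_fixed_conf; do
    "$sample" "$tmp"
    echo "== $sample"
    ipsec_conf_lint "$tmp"
done
rm -f "$tmp"
```

On the gateway itself the authoritative syntax check is ipsecctl's parse-only mode, `ipsecctl -n -f /etc/ipsec.conf`, run before loading the rules; the script above only front-loads the semantic questions the thread turned on. Two caveats before taking this over the Internet: `123456A` is a test-only pre-shared key and should be replaced by a long random one (for example from `openssl rand -base64 32`) since with `peer any` every host that knows the key may bring up a tunnel, and pf should be re-enabled so that only udp/500 (and udp/4500 for NAT traversal) reach isakmpd from the outside.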
#9 - 22nd July 2009 - milo974
it works fine!

Hello,

Thanks a lot!
I've done what you advised me:
Put this in my ipsec.conf
ike passive from any to 192.168.0.111 peer any \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes psk 123456A
ike passive from 192.168.0.111 to any \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes psk 123456A

I've tested the IPsec tunnel with the GreenBow VPN Client, it works fine!
So thank you very much, I will try this over the Internet.

Tags: ipsec, security, vpn