DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Installation and Upgrading

OpenBSD Installation and Upgrading Installing and upgrading OpenBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 28th March 2012
kbeaucha kbeaucha is offline
Port Guard
 
Join Date: May 2008
Posts: 36
Default ipsec/isakmpd tunnels dropping after upgrade

We recently upgraded to 5.0 on our main firewall. This upgrade had been postponed for a long time, mainly due to the changes that made newer versions of ipsec incompatible with older versions.

Our main firewall is the passive end of a series of tunnels that terminate in five other locations, and we have multiple tunnels to connect different subnets at each end in many cases.

When we finally took the plunge and upgraded the main firewall, we knew we were going to have to upgrade the remote ends at the same time. In fact, the newer remote end units were configured over a year ago: they are at 4.8

We built the 5.0 system on a new PC, and replaced our old Soekris 4801s with PC Engine Alixs running 4.8 as mentioned.

When we brought the new firewall online, we had some issues with some redirection rules we had, but we didn't touch the rules for the tunnels and all the tunnels came up the first time. Then, over the next few days, we started noticing that the tunnels would drop for a while, then reconnect.

I looked at the ipsec.conf files on both ends and at the man pages and decided that they needed to be cleaned up. For each point-to-point set, they've been reduced to:

ike esp from $local_gw to $remote_gw_a
ike esp from $local_net1 to $remote_net1 peer $remote_gw_a
ike esp from $local_net2 to $remote_net2 peer $remote_gw_a

The main firewall's config also has the "passive" keyword for all the tunnels. The tunnels are initiated from the remote ends.

Even after I did that we are seeing drop outs. The local end's daemon log is full of "isakmpd quick mode as responder" logs.

We're trying to get the people looking after the network infrastructure at the site where we're seeing the most dropouts to check the integrity of their connections, but since this started with our upgrade to 5.0 locally and 4.8 remotely, I suspect the new stuff we've put in.

What can I do to troubleshoot these intermittant dropouts?

thx
kmb
Reply With Quote
  #2   (View Single Post)  
Old 28th March 2012
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

The IPSec change (around 4.7 or so) was a change to HMAC-SHA2 algorithms used for authentication between nodes. As long as your nodes are using a different authentication, you avoid the authentication compatibility issue.

IIRC, the "quick auth" uses HMAC-SHA2 by default, and that is the only default that needs to be altered to allow nodes before and after the change to interoperate.

Since you were in this interoperability mode, but are no longer, did you return to the default HMAC-SHA2-256 default for quick mode authentication in both directions?

---

I don't know much about IPSec under the covers. I'm just a user, and I upgraded my nodes simultaneously and never needed to switch authentication technologies. But since your log is filled with errors associated with quick authentications, I would look to quick auth misconfigurations between nodes.
Reply With Quote
  #3   (View Single Post)  
Old 28th March 2012
kbeaucha kbeaucha is offline
Port Guard
 
Join Date: May 2008
Posts: 36
Default

In all cases we've used the default authentication method.

My understanding was that this was originally HMAC-SHA2 and is now HMAC-SHA2-256.

If that is correct, that means that delaying the upgrade wasn't necessary; we could have just changes the authentication mode.

kmb
Reply With Quote
  #4   (View Single Post)  
Old 28th March 2012
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

I'd thought SHA2 was inclusive of SHA256 and SHA512. But I could be wrong ... and often am.

There are few IPSec users here; I'm going to quote Ocicat. He often provides excellent advice:
Quote:
The number of people who regularly answer OpenBSD questions on this site can be counted on one hand....If you feel you can thoroughly articulate the problem, & can provide all relevant information, you might consider posting on misc@.
Reply With Quote
  #5   (View Single Post)  
Old 28th March 2012
denta denta is offline
Shell Scout
 
Join Date: Nov 2009
Location: Sweden
Posts: 95
Default

There was a bug causing problems like this around last summer. Seeing the versions you are running, you just might be affected by it. It was discussed briefly here

http://www.daemonforums.org/showthread.php?t=6299
Reply With Quote
  #6   (View Single Post)  
Old 28th March 2012
daemonfowl daemonfowl is offline
bsdstudent
 
Join Date: Jan 2012
Location: DaemonLand
Posts: 834
Default

Quote:
.If you feel you can thoroughly articulate the problem, & can provide all relevant information, you might consider posting on misc@.
I'm looking forward to learning this ..
Reply With Quote
  #7   (View Single Post)  
Old 4th April 2012
kbeaucha kbeaucha is offline
Port Guard
 
Join Date: May 2008
Posts: 36
Default

Based on denta's comment and link to the bug report, I've upgraded all five remote sites to 5.0 with no other changes. We'll see what happens over the next week or so.

kmb
Reply With Quote
  #8   (View Single Post)  
Old 8th May 2012
kbeaucha kbeaucha is offline
Port Guard
 
Join Date: May 2008
Posts: 36
Default

It's been several weeks now, and my users aren't flagging me on any loss of connectivity to the remote sites. I still see lots of "quick mode" negotiation entries in the log files and I'm not sure if that is normal or not, but the links are staying up.

Thanks for all your help.

kmb
Reply With Quote
  #9   (View Single Post)  
Old 8th May 2012
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

From "How IPSec Works" part 4:
Quote:
IKE phase 2 has one mode, called quick mode. Quick mode occurs after IKE has established the secure tunnel in phase 1. It negotiates a shared IPSec policy, derives shared secret keying material used for the IPSec security algorithms, and establishes IPSec SAs. Quick mode exchanges nonces that provide replay protection. The nonces are used to generate new shared secret key material and prevent replay attacks from generating bogus SAs.

Quick mode is also used to renegotiate a new IPSec SA when the IPSec SA lifetime expires. Base quick mode is used to refresh the keying material used to create the shared secret key based on the keying material derived from the Diffie-Hellman exchange in phase 1.
Reply With Quote
Old 8th May 2012
kbeaucha kbeaucha is offline
Port Guard
 
Join Date: May 2008
Posts: 36
Default

So, normal.

There are a few other error messages - some "invalid cookie" and "no route to host" but I believe I saw instances of those before that last round of upgrades.

Thanks.
kmb
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
IPsec/pf setup denta OpenBSD Security 1 25th May 2012 09:08 PM
isakmp to ipsec badguy OpenBSD Security 3 17th November 2010 10:52 PM
Need Help Please About IPsec wong_baru FreeBSD Security 2 21st June 2010 08:00 AM
Routing between site-to-site tunnels docrice OpenBSD General 5 26th September 2008 09:21 AM
Dropping an install on a fujitsu b142 Azeitonense OpenBSD Installation and Upgrading 6 2nd May 2008 08:23 PM


All times are GMT. The time now is 07:06 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick