DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 25th May 2012
polken polken is offline
Port Guard
 
Join Date: May 2012
Posts: 12
Default IPSec VPN configuration?

sparky im new to all of this thinks to i have just put a configuration over Ipser VPN server the clients its a cisco im wondering if u can help me out with configuration im lost becose the cisco connect and the ip phone works ok but the phone its on net 192.168. and there is another ip device with another ip 172.1. but i can not reach the 172 ips over the cisco side so im not sure if there can only pass one network over on vpn tunnel

FLOWS IN
ip device
172.1.... ??-----> |------172.1.0.x
ip device ===>CISCO====>OBSD--+------192.1.0.x
192.168.. OK---->
NET
10.0.0... OK---->

FLOWS OUT
ping 172.1.100.7
no reply
ip device
172.1<<--XXX FAIL |------172.1.0.x
ip device ===>CISCO====>OBSD--+------192.1.0.x
192.168.. ?<----
NET
10.0.0... ?<----

ipsec.conf
ike passive esp from any to {192.168.0.0/16, 10.0.0.0/16, 172.1.0.0/16} peer any \
main auth hmac-sha1 enc aes-128 group modp1024 \
quick auth hmac-sha1 enc aes-128 psk 1234ABCDEEF

ike passive from {192.168.0.0/16, 10.0.0.0/16, 172.1.0.0/16} to any \
main auth hmac-sha1 enc aes-128 group modp1024 \
quick auth hmac-sha1 enc aes-128 psk 1234ABCDEEF

sorry to ask but i have asked misc before and they just kick my ass
Reply With Quote
  #2   (View Single Post)  
Old 25th May 2012
sparky's Avatar
sparky sparky is offline
Fdisk Soldier
 
Join Date: Mar 2012
Posts: 73
Default

Quote:
sorry to ask but i have asked misc before and they just kick my ass
No need to be sorry at all! I totally understand


Ok judging by the information you provided it seems like some kind of routing issue....

Have you configured "Static" or "Dynamic" routing between the systems?


I personally recommend configuring OSPF between them!

Additionally are you using standard ipsec or GRE??


GRE is a better solution in my opinion however, is much more difficult to setup.

Have a look at the link I posted at the beginning of this thread as that will describe the methodology that I used.

I do also think that the psk <passphrase> should be put in "" another words:

Code:
psk "pass1234"

In order to debug, I would first run a traceroute between machines and see where things are going wrong.

Additionally look at the routing tables of each system:

Cisco:
Code:
sh ip route
OBSD:
Code:
netstat -r

Start with that then let me know how you got on!
Reply With Quote
  #3   (View Single Post)  
Old 25th May 2012
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Discussion has been split from its parent thread.

polken, we respectfully ask members to not change subjects within threads; this is explicitly stated in the forum rules. Since a majority of our members use this site for searching through archived threads, keeping threads on a single subject helps others find information. It also helps with preserving clarity.

The goal in technical discussions is to be clear. With anything else, readers simply move on to the next thread.

Finally, I find your diagram confusing. vBulletin doesn't alway honor the spacing placed into messages, so I can only assume this is the reason for the lack of clarity. You can either re-edit your message to compensate for the loss of spacing (which I grant can be time-consuming...), or you can upload a diagram hosted elsewhere. As it is now, what you are trying to accomplish is not totally clear.
Reply With Quote
  #4   (View Single Post)  
Old 25th May 2012
polken polken is offline
Port Guard
 
Join Date: May 2012
Posts: 12
Default

how sorry i touch the wrong button sorry sorry not happen again
Reply With Quote
  #5   (View Single Post)  
Old 25th May 2012
polken polken is offline
Port Guard
 
Join Date: May 2012
Posts: 12
Default

sparky am not at the cisco side i have not set up the gre ar any other just ipsec what im wondering it is if i need the gre to route packets between the networks

CISCO LAN SIDE
172.1.0.0/16
ip device 172.1.100.12
192.168.0.0/16
ip phone 192.168.30.23
10.0.0.0/16

the ip phone connects correct to the voice GW over the vpn tunnel but in the Openbsd LAN side they ping to 172.1.100.12 and no answer
Reply With Quote
  #6   (View Single Post)  
Old 26th May 2012
sparky's Avatar
sparky sparky is offline
Fdisk Soldier
 
Join Date: Mar 2012
Posts: 73
Default

In order to perform routing you will need to use GRE....


The company I work recently discovered that when the IP phones at our remote branch offices kept going down; either the branches would get internet or their phones would work but it more hit-and-miss then anything else.


Provided that the Cisco gets the PSK key setting up is easy. I've done it home using OpenBSD 5 as mentioned in VBOX however, 5.1 was being a bit strange??


I am willing to share notes as the config is fairly straight forward.


The Cisco side is quite easy too as is just standard IPSEC with an additionally Tunnel interface.
Reply With Quote
  #7   (View Single Post)  
Old 27th May 2012
polken polken is offline
Port Guard
 
Join Date: May 2012
Posts: 12
Default

ok now i have a good point to start with GRE now the other it seems that u have just answer becose IPSEC+GRE with CISCO client it should work, now help me with your notes thanks and best regards!
Reply With Quote
  #8   (View Single Post)  
Old 28th May 2012
polken polken is offline
Port Guard
 
Join Date: May 2012
Posts: 12
Default

sparky how can we share the notes that u told me on the other post?
Reply With Quote
  #9   (View Single Post)  
Old 29th May 2012
polken polken is offline
Port Guard
 
Join Date: May 2012
Posts: 12
Default

sparky there is something that i can figure out it is the client vpn endpoints are running DInamic Public IP address so how can i set up GRE tunnels?
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
IPsec/pf setup denta OpenBSD Security 1 25th May 2012 09:08 PM
isakmp to ipsec badguy OpenBSD Security 3 17th November 2010 10:52 PM
Need Help Please About IPsec wong_baru FreeBSD Security 2 21st June 2010 08:00 AM
ipsec with client nat sicute OpenBSD General 0 30th October 2008 05:39 PM
IPsec on openbsd hitete OpenBSD Installation and Upgrading 1 12th July 2008 01:57 AM


All times are GMT. The time now is 08:13 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick