DaemonForums > OpenBSD > OpenBSD Security
#1   8th April 2015   DanBSD (New User, Join Date: Apr 2015, Posts: 9)
Ipsecctl does not show ruleset

Hi

I do not understand what happens when I load the ruleset from ipsec.conf. I run:

Code:
ipsecctl -s all
and no ruleset is loaded, without any error from ipsec.conf. In sysctl.conf I have enabled esp, IP forwarding and ipcomp.

isakmpd is run from rc.conf with the flag "-k".

My ipsec.conf ruleset is very basic, for LAN testing. I do not think I need to show it.

Thanks.
#2   8th April 2015   jggimi (More noise than signal, USA, Join Date: May 2008, Posts: 7,983)

Hello, and welcome.

The output of # ipsecctl -s all shows SAs and Flows that have already been successfully established between systems. This requires successful key exchanges.

After starting isakmpd with the -K option, the ipsec.conf ruleset must be loaded by ipsecctl with the -f option.

It can take a few seconds for both sides to establish SAs and Flows, even if everything is correctly configured. If there is any problem establishing SAs and Flows, the result will be an empty set.

Debugging key exchanges to discover what is happening requires restarting isakmpd with both the -K and the -v option.

From isakmpd(8):
Code:
     -v      Enables verbose logging.  Normally, isakmpd is silent and outputs
             only messages when a warning or an error occurs.  With verbose
             logging isakmpd reports successful completion of phase 1 (Main
             and Aggressive) and phase 2 (Quick) exchanges (Information and
             Transaction exchanges do not generate any additional status
             information).
#3   8th April 2015   DanBSD (New User)

Hello jggimi, and thanks for the welcome.

I solved the problem: the from and to were not correctly specified, and with tcpdump I have seen the traffic, and it is encrypted.

Rule:

Code:
ike passive from "localnet" to "localnet" peer "localIP" psk "thekey"
The other system is in active mode. And it works.

Regards.
#4   11th April 2015   DanBSD (New User)

Sorry for two posts in a row.

The test on the local LAN works, but over the WAN it does not work. The rules:

PC1: 192.168.1.0/24

Code:
ike passive esp from 192.168.1.0/24 to 192.168.2.0/24 peer "WAN address of PC2" psk "key"
PC1 is my system.

PC2: 192.168.2.0/24

Code:
ike active esp from 192.168.2.0/24 to 192.168.1.0/24 peer "WAN address of PC1" psk "key"
OK, SAs and flows have been established successfully, for example:

PC1:

Code:
FLOWS:
flow esp in from 192.168.2.0/24 to 192.168.1.0/24 peer "WAN address PC2" srcid 192.168.1.130/32 dstid 192.168.2.102/32 type use
flow esp out from 192.168.1.0/24 to 192.168.2.0/24 peer "WAN address PC2" srcid 192.168.1.130/32 dstid 192.168.2.102/32 type use

SAD:
esp tunnel from 192.168.1.130 to "WAN address PC2" spi 0x01010101 auth hmac-sha2-256 enc aes
esp tunnel from "WAN address PC2" to 192.168.1.130 spi 0x02020202 auth hmac-sha2-256 enc aes
PC1 is 192.168.1.130. When I look at the packets with tcpdump, no SPI is found; the packets are plain text.

Where is the problem? Does it display the original SPI?

Thanks again, and sorry for my English.
#5   11th April 2015   jggimi (More noise than signal)

With this typical VPN requirement:
Code:
[private net A] - [gateway A] - {internet} - [gateway B] - [private net B]
the ipsec.conf(5) man page recommends two lines in each ipsec.conf file.
Code:
ike esp from <gateway A> to <gateway B>
ike esp from <private net A> to <private net B> peer <gateway B>
Code:
ike esp from <gateway B> to <gateway A>
ike esp from <private net B> to <private net A> peer <gateway A>
If I understand your configuration and its results,* you established flows between networks. You also need flows between the gateways. In Symantec's Zero to IPSec in 4 Minutes article, it looks like they have these two lines also, but in my browser they appear as if they were in a single line, which would be incorrect.

----

* It has been several years since I last used ipsec.conf, so I don't have an active working configuration to compare to yours.

Last edited by jggimi; 11th April 2015 at 12:07 PM. Reason: added second ipsec.conf example
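An added example, my own code and not from the thread or from OpenBSD, that turns the advice in #2 and #5 into a check: it reads the output of ipsecctl -s all and distinguishes an empty set (the key exchange never completed) from a set that has the network-to-network flows but no gateway-to-gateway flow, and it counts completed IKE phases in the log lines that isakmpd -v produces. The samples are constructed: 203.0.113.2 stands in for the WAN address of PC2, and the exact wording ipsecctl uses for an empty set, the form of a host flow, and the isakmpd log messages are assumptions rather than copied output.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD: read the output
# of "ipsecctl -s all" and tell apart the two states discussed above:
#   EMPTY     no SAs and no flows, the key exchange never completed
#             (check "isakmpd -K -v" output and that "ipsecctl -f" was run)
#   NOGWFLOW  network-to-network flows exist, but the gateway-to-gateway
#             flow from the ipsec.conf(5) example is missing
#   OK        flows and SAs present, including the gateway flow
# Assumptions: ipsecctl prints a host flow as "from A to B" (optionally
# with /32) and an empty set as "No flows" / "No entries"; 203.0.113.2 is
# a documentation address standing in for the WAN address of PC2.

ipsec_check() {
    lgw=$1
    rgw=$2
    out=$(cat)
    nflows=$(printf '%s\n' "$out" | awk '/^flow /     { n++ } END { print n + 0 }')
    nsas=$(printf '%s\n' "$out"   | awk '/^(esp|ah) / { n++ } END { print n + 0 }')
    if [ "$nflows" -eq 0 ] && [ "$nsas" -eq 0 ]; then
        echo "EMPTY no SAs or flows; key exchange did not complete"
        return 1
    fi
    if ! printf '%s\n' "$out" |
         grep -Eq "^flow esp out from ${lgw}(/32)? to ${rgw}(/32)? "; then
        echo "NOGWFLOW $nflows flow(s), $nsas SA(s), but no flow from $lgw to $rgw"
        return 2
    fi
    echo "OK $nflows flow(s), $nsas SA(s), gateway flow present"
}

# Count completed IKE phases in syslog lines written by "isakmpd -v".
# Assumed message texts: "phase 1 done" and "phase 2 done".
isakmpd_phases() {
    awk '/isakmpd.*phase 1 done/ { p1++ }
         /isakmpd.*phase 2 done/ { p2++ }
         END { printf "P1=%d P2=%d\n", p1 + 0, p2 + 0 }'
}

# Constructed sample: nothing established yet.
SAMPLE_EMPTY='FLOWS:
No flows

SAD:
No entries'

# Constructed sample mirroring what DanBSD posted for PC1 (192.168.1.130).
SAMPLE_NETS_ONLY='FLOWS:
flow esp in from 192.168.2.0/24 to 192.168.1.0/24 peer 203.0.113.2 srcid 192.168.1.130/32 dstid 192.168.2.102/32 type use
flow esp out from 192.168.1.0/24 to 192.168.2.0/24 peer 203.0.113.2 srcid 192.168.1.130/32 dstid 192.168.2.102/32 type use

SAD:
esp tunnel from 192.168.1.130 to 203.0.113.2 spi 0x01010101 auth hmac-sha2-256 enc aes
esp tunnel from 203.0.113.2 to 192.168.1.130 spi 0x02020202 auth hmac-sha2-256 enc aes'

# Constructed sample after adding "ike esp from <gateway A> to <gateway B>" on both sides.
SAMPLE_FULL='FLOWS:
flow esp in from 203.0.113.2 to 192.168.1.130 peer 203.0.113.2 srcid 192.168.1.130/32 dstid 192.168.2.102/32 type use
flow esp out from 192.168.1.130 to 203.0.113.2 peer 203.0.113.2 srcid 192.168.1.130/32 dstid 192.168.2.102/32 type use
flow esp in from 192.168.2.0/24 to 192.168.1.0/24 peer 203.0.113.2 srcid 192.168.1.130/32 dstid 192.168.2.102/32 type use
flow esp out from 192.168.1.0/24 to 192.168.2.0/24 peer 203.0.113.2 srcid 192.168.1.130/32 dstid 192.168.2.102/32 type use

SAD:
esp tunnel from 192.168.1.130 to 203.0.113.2 spi 0x01010101 auth hmac-sha2-256 enc aes
esp tunnel from 203.0.113.2 to 192.168.1.130 spi 0x02020202 auth hmac-sha2-256 enc aes'

# Constructed syslog lines from a successful "isakmpd -K -v" run.
SAMPLE_LOG='Apr 11 12:00:01 pc1 isakmpd[12345]: isakmpd: phase 1 done: initiator id 192.168.1.130, responder id 203.0.113.2, src: 192.168.1.130 dst: 203.0.113.2
Apr 11 12:00:02 pc1 isakmpd[12345]: isakmpd: phase 2 done: src: 192.168.1.130 dst: 203.0.113.2'

# Stand-alone run: one verdict line per sample, then the phase counts.
for s in "$SAMPLE_EMPTY" "$SAMPLE_NETS_ONLY" "$SAMPLE_FULL"; do
    printf '%s\n' "$s" | ipsec_check 192.168.1.130 203.0.113.2 || :
done
printf '%s\n' "$SAMPLE_LOG" | isakmpd_phases
```

On a live gateway the input would be `ipsecctl -s all | ipsec_check <this gateway> <peer gateway>` and `grep isakmpd /var/log/daemon | isakmpd_phases`; the first word of the verdict line is meant for scripts, the rest for a human.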
#6   11th April 2015   DanBSD (New User)

Hello

Another question: on PC2 I have not activated NAT in the router for the private address on ports {4500 500}. Could that be a problem?

Yes, my browser also shows a single line.

Thanks again jggimi.
#7   11th April 2015   jggimi (More noise than signal)

UDP port 500 is used for key exchanges, and if port 500 was blocked you would not have any SAs or Flows established.

UDP port 4500 is for NAT Traversal, which I have never used.

I understand that NAT Traversal is used when NAT is deployed between gateways. If Gateway A and B are connecting directly without NAT between them -- both are inside the same private network or both have "real" public facing, routable IP addresses -- then NAT Traversal is not used. But my understanding may not be accurate or may not be correct.
#8   13th April 2015   DanBSD (New User)

Hi again.

Flows and SAD are established; now the problem is that the connections are blocked. My pf is disabled.

tcpdump on enc0 shows the packets encrypted with their corresponding SPI, the outgoing packets; incoming packets are blocked. Only outgoing packets appear on enc0.

Is it the router firewall?

NAT I had to turn on for PC1, the passive side.

Regards, and thanks for your time.
#9   14th April 2015   jggimi (More noise than signal)

Quote (originally posted by DanBSD):
Hi again.

Flows and SAD are established; now the problem is that the connections are blocked. My pf is disabled.
On OpenBSD, NAT is performed by PF. If PF is disabled, OpenBSD will not perform Network Address Translation. If you need NAT to communicate, PF must be enabled.

I do not know enough about your configuration to answer your remaining questions. And, even if I had that information, I might not be able to assist. I am not currently using IPSec, and I have not used isakmpd(8) and ipsec.conf(5) in several years.

You might consider posting to the misc@ mailing list, it is a much larger community.
17th April 2015   DanBSD (New User)

OK, thanks.

The connection stays in SYN_SENT (TCP); the ICMP protocol works, sending and receiving.

I do not understand why I cannot initiate a TCP connection.

Thanks.
17th April 2015   jggimi (More noise than signal)

I don't have enough information about your environment to tell you why your ICMP traffic is working and TCP fails.

The enc(4) device can be used with tcpdump(8) to help diagnose IPSec operation. Traffic can be monitored both before and after encapsulation. An example is shown in the enc(4) man page.
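An added example, my own code and not from the thread or from OpenBSD, of the enc(4) plus tcpdump(8) diagnosis jggimi points at above: it summarises a capture taken on the physical interface (IKE on UDP 500, NAT-T on UDP 4500, raw ESP) together with one taken on enc0, where the same packets are visible in the clear before encapsulation and after decryption, and maps the counts onto the three symptoms this thread went through: ESP leaves and nothing comes back, ESP comes back but nothing is decrypted onto enc0, and ICMP answered while TCP gets no reply. The sample lines are constructed, not captured; only the field positions the awk script keys on are assumed to match real tcpdump output, and 203.0.113.2 again stands in for the WAN address of PC2.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD: summarise two
# tcpdump(8) captures, one on the physical interface (IKE on UDP 500,
# NAT-T on UDP 4500, raw ESP) and one on enc(4), where the same packets
# are visible in the clear before encapsulation and after decryption,
# and turn the counts into the symptoms discussed in this thread.
# Assumptions (samples below are constructed, not captured): line shapes
# "esp SRC > DST spi 0x..", "SRC.500 > DST.500: isakmp ..",
# "SRC.4500 > DST.4500: udpencap: esp .." on the wire and, on enc0,
# "(flags): SPI 0x..: SRC > DST: icmp: .." or "SRC.PORT > DST.PORT: S ..".
# Usage: ipsec_capture_summary LOCAL_GW LOCAL_NET_PREFIX < capture.txt

ipsec_capture_summary() {
    awk -v lgw="$1" -v lnet="$2" '
        # enc(4) line: plaintext packet tagged with the SPI that carries it
        /^[0-9:.]+ \([a-z,]*\): SPI 0x/ {
            src = $5
            nd = gsub(/\./, ".", src)             # 4 dots means host.port
            if (nd == 4) sub(/\.[0-9]+$/, "", src)
            proto = "other"
            if ($8 == "icmp:") proto = "icmp"
            else if ($8 == "udp") proto = "udp"
            else if (nd == 4) proto = "tcp"       # assumed: host.port, no proto word
            dir = (index(src, lnet) == 1) ? "OUT" : "IN"
            plain[dir]++
            pp[proto "_" dir]++
            next
        }
        # wire line carrying ESP, either raw or inside UDP 4500 (NAT-T)
        match($0, /esp [0-9.]+ > [0-9.]+ spi 0x/) {
            split(substr($0, RSTART, RLENGTH), f, " ")   # f[2] = outer source
            esp[(f[2] == lgw) ? "OUT" : "IN"]++
            if ($0 ~ /\.4500 > /) natt++
            next
        }
        /isakmp/ { ike++ }
        END {
            printf "IKE=%d NATT=%d ESP_OUT=%d ESP_IN=%d PLAIN_OUT=%d PLAIN_IN=%d",
                   ike + 0, natt + 0, esp["OUT"] + 0, esp["IN"] + 0,
                   plain["OUT"] + 0, plain["IN"] + 0
            n = split("icmp tcp udp", pl, " ")
            for (i = 1; i <= n; i++)
                printf " %s_OUT=%d %s_IN=%d", toupper(pl[i]), pp[pl[i] "_OUT"] + 0,
                       toupper(pl[i]), pp[pl[i] "_IN"] + 0
            printf "\n"
        }'
}

# Pick one KEY=VALUE field out of a summary line.
field() { printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p"; }

ipsec_capture_diagnose() {
    s=$(ipsec_capture_summary "$1" "$2")
    if [ "$(field ESP_OUT "$s")" -gt 0 ] && [ "$(field ESP_IN "$s")" -eq 0 ]; then
        echo "NOREPLY ESP leaves this host but none comes back from the peer: $s"
        return 1
    elif [ "$(field ESP_IN "$s")" -gt 0 ] && [ "$(field PLAIN_IN "$s")" -eq 0 ]; then
        echo "NODECRYPT ESP arrives but no decrypted packet appears on enc0: $s"
        return 2
    elif [ "$(field TCP_OUT "$s")" -gt 0 ] && [ "$(field TCP_IN "$s")" -eq 0 ] \
         && [ "$(field ICMP_IN "$s")" -gt 0 ]; then
        echo "TCPNOREPLY ICMP is answered but TCP never gets a reply: $s"
        return 3
    fi
    echo "OK traffic seen both ways on the wire and on enc0: $s"
}

# Constructed: PC1 (192.168.1.130) talks to the peer WAN address 203.0.113.2;
# ping is answered, a TCP SYN to 192.168.2.102:22 is not (the SYN_SENT case).
SAMPLE_TCP_STUCK='12:00:00.000100 192.168.1.130.500 > 203.0.113.2.500: isakmp v1.0 exchange ID_PROT
12:00:00.000900 203.0.113.2.500 > 192.168.1.130.500: isakmp v1.0 exchange ID_PROT
12:00:01.000000 (authentic,confidential): SPI 0x01010101: 192.168.1.130 > 192.168.2.102: icmp: echo request
12:00:01.000100 esp 192.168.1.130 > 203.0.113.2 spi 0x01010101 seq 1 len 116
12:00:01.010000 esp 203.0.113.2 > 192.168.1.130 spi 0x02020202 seq 1 len 116
12:00:01.010100 (authentic,confidential): SPI 0x02020202: 192.168.2.102 > 192.168.1.130: icmp: echo reply
12:00:02.000000 (authentic,confidential): SPI 0x01010101: 192.168.1.130.40123 > 192.168.2.102.22: S 1:1(0) win 16384
12:00:02.000100 esp 192.168.1.130 > 203.0.113.2 spi 0x01010101 seq 2 len 96'

# Constructed: PC1 sits behind a NAT router, ESP goes out inside UDP 4500
# and nothing ever comes back (the "output packets only" case above).
SAMPLE_NOREPLY='12:00:00.000100 192.168.1.130.500 > 203.0.113.2.500: isakmp v1.0 exchange ID_PROT
12:00:00.000900 203.0.113.2.500 > 192.168.1.130.500: isakmp v1.0 exchange ID_PROT
12:00:01.000000 (authentic,confidential): SPI 0x01010101: 192.168.1.130 > 192.168.2.102: icmp: echo request
12:00:01.000100 192.168.1.130.4500 > 203.0.113.2.4500: udpencap: esp 192.168.1.130 > 203.0.113.2 spi 0x01010101 seq 1 len 116'

# Stand-alone run: one verdict line per sample.
for s in "$SAMPLE_TCP_STUCK" "$SAMPLE_NOREPLY"; do
    printf '%s\n' "$s" | ipsec_capture_diagnose 192.168.1.130 192.168.1. || :
done
```

To feed it real data, run both captures with -n and -tt (or otherwise identical timestamp formats) and concatenate them, for example `tcpdump -ni egress 'udp port 500 or udp port 4500 or esp'` alongside `tcpdump -ni enc0`; the script only tells you which leg of the path is silent, not why, which is where the router, PF and the peer's logs come in.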
4th May 2015   DanBSD (New User)

OK, and I will show the log when I have it.

Sorry for the delay in answering.

Regards.

