DaemonForums  

#1
Old 30th November 2016
chigurh
Port Guard
 
Join Date: Jul 2014
Posts: 38
L2TP/IPSEC configuration error

Hi,

I tried configuring an IPSEC road-warrior tunnel between OpenBSD & Android, but for some reason it cannot establish a connection.

Configuration files listed below -

1. /etc/ipsec.conf
Code:
# cat /etc/ipsec.conf
ext_if="re0"
key="XXXXXXXXXXXXXXX"
ike passive esp transport proto udp from $ext_if to any port 1701 main auth "hmac-sha1" enc "aes" group modp2048 quick auth "hmac-sha1" enc "aes" psk $key
2. /etc/npppd/npppd.conf
Code:
authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"
}

tunnel L2TP protocol l2tp {
        listen on 0.0.0.0
        listen on ::
}

ipcp IPCP {
        pool-address 10.0.0.2-10.0.0.254
        dns-servers 8.8.8.8
}

interface tun0  address 10.0.0.1 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to tun0
3. pf rules
Code:
block drop in quick on egress proto tcp from <sshguard> to any port = 22 label "ssh bruteforce"
match out on egress inet from ! (egress:network) to any nat-to (egress:0) round-robin
block return all
pass quick proto esp all
pass quick proto ah all
pass in inet proto udp from any to 172.31.38.214 port = 500
pass in inet proto udp from any to 172.31.38.214 port = 4500
pass all flags S/SA
block return in on ! lo0 proto tcp from any to any port 6000:6010
4. /etc/sysctl.conf
Code:
net.inet.ip.forwarding=1
net.inet.esp.enable=1  
net.inet.ah.enable=1
net.inet.ipcomp.enable=1
5. netstat output (if useful)
Code:
# netstat -f inet -an | grep udp
.
.  
udp          0      0  10.0.0.1.4500          *.*                   
udp          0      0  *.514                  *.*                   
udp          0      0  *.4500                 *.*                   
udp          0      0  *.500                  *.*                   
udp          0      0  10.0.0.1.500           *.*                   
udp          0      0  172.31.38.214.4500     *.*                   
udp          0      0  172.31.38.214.500      *.*                   
udp          0      0  127.0.0.1.4500         *.*                   
udp          0      0  127.0.0.1.500          *.*                   
udp          0      0  *.1701                 *.*
6. /var/log/daemon.log output after connection attempt -
Code:
Nov 29 12:02:50 ireland2 npppd[30421]: Starting npppd pid=30421 version=5.0.0
Nov 29 12:02:50 ireland2 npppd[30421]: pptpd GRE protocol not allowed
Nov 29 12:02:50 ireland2 npppd[30421]: Load configuration from='/etc/npppd/npppd.conf' successfully.
Nov 29 12:02:50 ireland2 npppd[30421]: tun0 Started ip4addr=10.0.0.1
Nov 29 12:02:50 ireland2 npppd[30421]: ipcp=IPCP pool dyn_pool=[10.0.0.2/31,10.0.0.4/30,10.0.0.8/29,10.0.0.16/28,10.0.0.32/27,10.0.0.64/26,10.0.0.128/26,10.0.0.192/27,10.0.0.224/28,10.0.0.240/29,10.0.0.248/30,10.0.0.252/31,10.0.0.254/32] pool=[10.0.0.2/31,10.0.0.4/30,10.0.0.8/29,10.0.0.16/28,10.0.0.32/27,10.0.0.64/26,10.0.0.128/26,10.0.0.192/27,10.0.0.224/28,10.0.0.240/29,10.0.0.248/30,10.0.0.252/31,10.0.0.254/32]
Nov 29 12:02:50 ireland2 npppd[30421]: Added 13 routes for new pool addresses
Nov 29 12:02:50 ireland2 npppd[30421]: Loading pool config successfully.
Nov 29 12:02:50 ireland2 npppd[30421]: l2tpd Listening 0.0.0.0:1701/udp (L2TP LNS) [L2TP]
Nov 29 12:02:50 ireland2 npppd[30421]: l2tpd Listening [::]:1701/udp (L2TP LNS) [L2TP]
Nov 29 12:03:01 ireland2 isakmpd[45551]: isakmpd: starting
Nov 29 12:05:02 ireland2 isakmpd[46343]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Nov 29 12:05:02 ireland2 last message repeated 5 times
Nov 29 12:05:02 ireland2 isakmpd[46343]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Nov 29 12:05:02 ireland2 last message repeated 2 times
Nov 29 12:05:02 ireland2 isakmpd[46343]: message_negotiate_sa: no compatible proposal found
Nov 29 12:05:02 ireland2 isakmpd[46343]: dropped message from 176.XXX.XX.XXX port 60878 due to notification type NO_PROPOSAL_CHOSEN
Nov 29 12:05:32 ireland2 npppd[30421]: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=176.XXX.XX.XXX:56419/udp tunnel_id=1/46652 protocol=1.0 winsize=1 hostname=anonymous vendor=(no vendorname) firm=0000
Nov 29 12:05:32 ireland2 npppd[30421]: l2tpd ctrl=1 SendSCCRP
Nov 29 12:05:32 ireland2 npppd[30421]: l2tpd Received from=176.XXX.XX.XXX:56419: bad control message: tunnelId=0 is not found.  mestype=StopCCN
Nov 29 12:05:44 ireland2 npppd[30421]: l2tpd ctrl=1 timeout waiting ack for ctrl packets.
Nov 29 12:05:44 ireland2 npppd[30421]: l2tpd ctrl=1 logtype=Finished
I am able to run OpenVPN without any hassle but just wondering why ipsec isn't working. I can use ipsec on FreeBSD with racoon for same client and it connects.
#2
Old 30th November 2016
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977

Disclaimer: I don't run L2TP/IPSec, so this may be unintentionally misleading.

There are several more modern "howto" documents floating around the Internet since the first 2012 article on L2TP/IPSec was published at the OpenBSD Journal. This one recommends enc "3des" for your ipsec.conf, and therefore there may be something to it, as isakmpd(8) complains that it was expecting 3DES_CBC in your log.
#3
Old 1st December 2016
chigurh
Port Guard
 
Join Date: Jul 2014
Posts: 38

Quote:
Originally Posted by jggimi
Disclaimer: I don't run L2TP/IPSec, so this may be unintentionally misleading.

There are several more modern "howto" documents floating around the Internet since the first 2012 article on L2TP/IPSec was published at the OpenBSD Journal. This one recommends enc "3des" for your ipsec.conf, and therefore there may be something to it, as isakmpd(8) complains that it was expecting 3DES_CBC in your log.
Made the changes in ipsec.conf but it isn't connecting yet -
Code:
# tail -f /var/log/daemon      
Dec  1 04:13:06 ireland2 npppd[52928]: Starting npppd pid=52928 version=5.0.0
Dec  1 04:13:06 ireland2 npppd[52928]: pptpd GRE protocol not allowed
Dec  1 04:13:06 ireland2 npppd[52928]: Load configuration from='/etc/npppd/npppd.conf' successfully.
Dec  1 04:13:07 ireland2 npppd[52928]: tun0 Started ip4addr=10.0.0.1
Dec  1 04:13:07 ireland2 npppd[52928]: ipcp=IPCP pool dyn_pool=[10.0.0.2/31,10.0.0.4/30,10.0.0.8/29,10.0.0.16/28,10.0.0.32/27,10.0.0.64/26,10.0.0.128/26,10.0.0.192/27,10.0.0.224/28,10.0.0.240/29,10.0.0.248/30,10.0.0.252/31,10.0.0.254/32] pool=[10.0.0.2/31,10.0.0.4/30,10.0.0.8/29,10.0.0.16/28,10.0.0.32/27,10.0.0.64/26,10.0.0.128/26,10.0.0.192/27,10.0.0.224/28,10.0.0.240/29,10.0.0.248/30,10.0.0.252/31,10.0.0.254/32]
Dec  1 04:13:07 ireland2 npppd[52928]: Added 13 routes for new pool addresses
Dec  1 04:13:07 ireland2 npppd[52928]: Loading pool config successfully.
Dec  1 04:13:07 ireland2 npppd[52928]: l2tpd Listening 0.0.0.0:1701/udp (L2TP LNS) [L2TP]
Dec  1 04:13:07 ireland2 npppd[52928]: l2tpd Listening [::]:1701/udp (L2TP LNS) [L2TP]
Dec  1 04:13:17 ireland2 isakmpd[50851]: isakmpd: starting
Dec  1 04:13:45 ireland2 isakmpd[8721]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 04:13:45 ireland2 last message repeated 5 times
Dec  1 04:13:45 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Dec  1 04:13:45 ireland2 isakmpd[8721]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1024, expected MODP_2048
Dec  1 04:13:45 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Dec  1 04:13:45 ireland2 isakmpd[8721]: message_negotiate_sa: no compatible proposal found
Dec  1 04:13:45 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 743 due to notification type NO_PROPOSAL_CHOSEN
Dec  1 04:14:17 ireland2 npppd[52928]: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=xxx.xxx.xxx.xx:7416/udp tunnel_id=1/35377 protocol=1.0 winsize=1 hostname=anonymous vendor=(no vendorname) firm=0000
Dec  1 04:14:17 ireland2 npppd[52928]: l2tpd ctrl=1 SendSCCRP
Dec  1 04:14:17 ireland2 npppd[52928]: l2tpd Received from=xxx.xxx.xxx.xx:7416: bad control message: tunnelId=0 is not found.  mestype=StopCCN
Dec  1 04:14:29 ireland2 npppd[52928]: l2tpd ctrl=1 timeout waiting ack for ctrl packets.
Dec  1 04:14:29 ireland2 npppd[52928]: l2tpd ctrl=1 logtype=Finished
I got OpenVPN tunnel running but just want to see why ipsec tunnel is dysfunctional on OpenBSD. You can suggest some more and I will give it a try.
#4
Old 1st December 2016
chigurh
Port Guard
 
Join Date: Jul 2014
Posts: 38

Some progress after minor changes in ipsec.conf but still can't connect -
Code:
ext_if="re0"
key="XXXXXXX"

ike passive esp transport proto udp from $ext_if to any port 1701 main auth "hmac-md5" enc "3des" group modp1024 quick auth "hmac-md5" enc "3des" psk $key
I am getting -
Code:
Dec  1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 05:07:54 ireland2 last message repeated 17 times
Dec  1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Dec  1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1024, expected MODP_2048
Dec  1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected MD5
Dec  1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1024, expected MODP_2048
Dec  1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got SHA, expected SHA2_256
Dec  1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got SHA, expected MD5
Dec  1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Dec  1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA2_256
Dec  1 05:07:57 ireland2 isakmpd[8721]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.228.247.127, responder id 54.229.xxx.xx
Dec  1 05:07:57 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 8055 due to notification type INVALID_ID_INFORMATION
Dec  1 05:08:00 ireland2 isakmpd[8721]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.228.247.127, responder id 54.229.xxx.xx
Dec  1 05:08:00 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 8055 due to notification type INVALID_ID_INFORMATION
Dec  1 05:08:04 ireland2 isakmpd[8721]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.228.247.127, responder id 54.229.xxx.xx
Dec  1 05:08:04 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 8055 due to notification type INVALID_ID_INFORMATION
Dec  1 05:08:06 ireland2 isakmpd[8721]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.228.247.127, responder id 54.229.xxx.xx
Dec  1 05:08:06 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 8055 due to notification type INVALID_ID_INFORMATION
Dec  1 05:08:09 ireland2 isakmpd[8721]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.228.247.127, responder id 54.229.xxx.xx
Dec  1 05:08:09 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 8055 due to notification type INVALID_ID_INFORMATION
Dec  1 05:08:13 ireland2 isakmpd[8721]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.228.247.127, responder id 54.229.xxx.xx
Dec  1 05:08:13 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 8055 due to notification type INVALID_ID_INFORMATION
Dec  1 05:08:18 ireland2 isakmpd[8721]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.228.247.127, responder id 54.229.xxx.xx
Dec  1 05:08:18 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 8055 due to notification type INVALID_ID_INFORMATION
Dec  1 05:08:19 ireland2 isakmpd[8721]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.228.247.127, responder id 54.229.xxx.xx
Dec  1 05:08:19 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 8055 due to notification type INVALID_ID_INFORMATION
Dec  1 05:08:20 ireland2 isakmpd[8721]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.228.247.127, responder id 54.229.xxx.xx
Dec  1 05:08:20 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 8055 due to notification type INVALID_ID_INFORMATION
Dec  1 05:08:24 ireland2 isakmpd[8721]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.228.247.127, responder id 54.229.xxx.xx
Dec  1 05:08:24 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 8055 due to notification type INVALID_ID_INFORMATION
Dec  1 05:08:27 ireland2 npppd[52928]: l2tpd ctrl=4 logtype=Started RecvSCCRQ from=xxx.xxx.xxx.xx:8061/udp tunnel_id=4/61333 protocol=1.0 winsize=1 hostname=anonymous vendor=(no vendorname) firm=0000
Dec  1 05:08:27 ireland2 npppd[52928]: l2tpd ctrl=4 SendSCCRP
Dec  1 05:08:27 ireland2 npppd[52928]: l2tpd Received from=xxx.xxx.xxx.xx:8061: bad control message: tunnelId=0 is not found.  mestype=StopCCN
Dec  1 05:08:39 ireland2 npppd[52928]: l2tpd ctrl=4 timeout waiting ack for ctrl packets.
Dec  1 05:08:39 ireland2 npppd[52928]: l2tpd ctrl=4 logtype=Finished
Not sure what this INVALID_ID_INFORMATION is all about, or whether there is some error other than that.
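The rejection lines in posts #1, #3, #4 and #7 are easier to read once they are grouped. What follows is an added example, not code from this thread or from OpenBSD: a small Python triage script that takes isakmpd output (syslog lines from /var/log/daemon.log or the foreground output of isakmpd -vd, which carry the same message text), collects every "attribute_unacceptable: ATTR: got X, expected Y" message (X is the value in the peer's proposal, Y the value in the local transform it was compared against), folds in syslog's "last message repeated N times", notes when quick mode was reached (which only happens after phase 1 succeeded) and records the IDs from "peer proposed invalid phase 2 IDs". The two sample inputs are constructed from the log excerpts in posts #4 and #7, with the addresses left redacted as they are in the thread.

```python
"""Triage isakmpd(8) negotiation failures from its log output.
Added example for this thread, not code from the thread or from OpenBSD."""
import re
from collections import Counter, defaultdict

# "got X" is the value in the peer's proposal, "expected Y" the value in the
# local transform it was compared against. Same text in syslog and "isakmpd -vd".
ATTR_RE = re.compile(r"attribute_unacceptable: (\w+): got (\w+), expected (\w+)")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")
P2ID_RE = re.compile(r"invalid phase 2 IDs: initiator id (\S+), responder id (\S+)")
DROP_RE = re.compile(r"dropped message from \S+ port \d+ due to notification type (\w+)")
QUICK_MODE_MARK = "responder_recv_HASH_SA_NONCE"  # only runs once phase 1 is up

# Constructed samples copied from the excerpts in posts #4 and #7 above,
# addresses left redacted as they are in the thread.
SAMPLE_POST4 = """\
Dec  1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 05:07:54 ireland2 last message repeated 17 times
Dec  1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Dec  1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1024, expected MODP_2048
Dec  1 05:07:54 ireland2 isakmpd[8721]: attribute_unacceptable: HASH_ALGORITHM: got SHA, expected SHA2_256
Dec  1 05:07:57 ireland2 isakmpd[8721]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.228.247.127, responder id 54.229.xxx.xx
Dec  1 05:07:57 ireland2 isakmpd[8721]: dropped message from xxx.xxx.xxx.xx port 8055 due to notification type INVALID_ID_INFORMATION
"""
SAMPLE_POST7 = """\
121230.595132 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
121230.595735 Default attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
121230.595994 Default message_negotiate_sa: no compatible proposal found
121230.596057 Default dropped message from xxx.xx.xx.xxx port 301 due to notification type NO_PROPOSAL_CHOSEN
"""


def summarise(lines):
    """Group the rejections by attribute and note how far the exchange got."""
    offered = defaultdict(set)    # attr -> values seen in rejected peer proposals
    accepted = defaultdict(set)   # attr -> values present in the local transforms
    rejections = Counter()        # (attr, got, expected) -> occurrences incl. repeats
    phase2_ids = set()            # (initiator id, responder id) pairs quick mode refused
    notifications = Counter()     # notification type sent back -> count
    phase1_completed = False
    last_rejection = None         # key a following "repeated N times" belongs to
    for line in lines:
        m = ATTR_RE.search(line)
        if m:
            attr, got, expected = m.groups()
            offered[attr].add(got)
            accepted[attr].add(expected)
            last_rejection = (attr, got, expected)
            rejections[last_rejection] += 1
            continue
        m = REPEAT_RE.search(line)
        if m and last_rejection is not None:
            rejections[last_rejection] += int(m.group(1))
            continue
        last_rejection = None     # syslog only folds directly consecutive duplicates
        if QUICK_MODE_MARK in line:
            phase1_completed = True
        m = P2ID_RE.search(line)
        if m:
            phase2_ids.add(m.groups())
        m = DROP_RE.search(line)
        if m:
            notifications[m.group(1)] += 1
    return {"offered": dict(offered), "accepted": dict(accepted),
            "rejections": rejections, "phase2_ids": phase2_ids,
            "notifications": notifications, "phase1_completed": phase1_completed}


def explain(summary):
    """Turn a summary into the findings a person would otherwise dig out by eye."""
    findings = []
    reached_quick_mode = summary["phase1_completed"]
    for attr in sorted(summary["accepted"]):
        got, want = summary["offered"][attr], summary["accepted"][attr]
        if got & want:
            findings.append(f"{attr}: values overlap ({', '.join(sorted(got & want))}), "
                            "not the blocker on its own")
        elif reached_quick_mode:
            findings.append(f"{attr}: rejected proposals offered {sorted(got)} against "
                            f"{sorted(want)}, but another proposal matched")
        else:
            findings.append(f"{attr}: no overlap, peer offered {sorted(got)}, local policy "
                            f"accepts only {sorted(want)}: phase 1 cannot complete")
    if reached_quick_mode:
        findings.append("quick mode reached, so phase 1 succeeded; a matching proposal "
                        "is never logged, only the rejected ones are")
    for init_id, resp_id in sorted(summary["phase2_ids"]):
        findings.append(f"quick mode refused IDs initiator={init_id} responder={resp_id}; "
                        "check the responder id against the local address of the flow")
    for ntype, count in sorted(summary["notifications"].items()):
        findings.append(f"sent {ntype} {count} time(s)")
    return findings


if __name__ == "__main__":
    for name, text in (("post #4", SAMPLE_POST4), ("post #7", SAMPLE_POST7)):
        print(f"== {name} ==")
        for finding in explain(summarise(text.splitlines())):
            print(" -", finding)
```

On the post #4 sample the script reports that quick mode was reached, so one of the phone's phase 1 proposals did match despite the 18 AES_CBC-versus-3DES_CBC rejections (isakmpd logs only the proposals it rejects), and that the quick-mode IDs were initiator 10.228.247.127 and responder 54.229.xxx.xx. The responder address the phone names is not 172.31.38.214, the address the netstat and pf output in post #1 show on the host, so it is worth comparing with the address the flow in ipsec.conf is anchored on through $ext_if. On the post #7 sample it reports that no proposal can match because the local policy accepts only 3DES_CBC and RSA_SIG; expecting RSA_SIG while ipsec.conf says psk is the pattern of an isakmpd running with no rules loaded (its compiled-in phase 1 default transform is 3DES-SHA-RSA_SIG), and rules from ipsec.conf only reach isakmpd through ipsecctl -f /etc/ipsec.conf, which has to be run again after isakmpd is started by hand from a shell.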
#5
Old 1st December 2016
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977

If you run isakmpd from a shell with -vd, it will log both successful and unsuccessful authentication phases. That might provide some more information. Or not. It's a very complex application, with very complex error and warning messages.

But from the errors logged and shown in the thread I suspect your Android phone wants to use one or more ciphers and hashes that are not currently acceptable for the purpose to isakmpd.
#6
Old 1st December 2016
chigurh
Port Guard
 
Join Date: Jul 2014
Posts: 38

Quote:
Originally Posted by jggimi
If you run isakmpd from a shell with -vd, it will log both successful and unsuccessful authentication phases. That might provide some more information. Or not. It's a very complex application, with very complex error and warning messages.
Good morning to you. I will check it now and report. Jay Garnett from the blog link posted by you asked for some detail with modifications. I am updating those details at the moment and will post on comment section of his blog.

Quote:
But from the errors logged and shown in the thread I suspect your Android phone wants to use one or more ciphers and hashes that are not currently acceptable for the purpose to isakmpd.
Yes, I guess that may be the issue. I am able to use IPSEC with racoon configured on FreeBSD, IPSEC+Libreswan configured on CentOS & Debian with this Motorola device.
#7
Old 1st December 2016
chigurh
Port Guard
 
Join Date: Jul 2014
Posts: 38

Quote:
Originally Posted by jggimi
If you run isakmpd from a shell with -vd, it will log both successful and unsuccessful authentication phases. That might provide some more information. Or not. It's a very complex application, with very complex error and warning messages.
There is a new error now -
Code:
root@ireland2:~ # isakmpd -Kvd
121149.650921 Default isakmpd: starting [priv]
121230.595132 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
121230.595297 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
121230.595403 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
121230.595486 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
121230.595569 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
121230.595652 Default attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
121230.595735 Default attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
121230.595845 Default attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
121230.595928 Default attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
121230.595994 Default message_negotiate_sa: no compatible proposal found
121230.596057 Default dropped message from xxx.xx.xx.xxx port 301 due to notification type NO_PROPOSAL_CHOSEN
#8
Old 1st December 2016
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977

I don't see anything particularly new, your prior logs posted show the same AES_CBC and PRE_SHARED complaints.
#9
Old 1st December 2016
chigurh
Port Guard
 
Join Date: Jul 2014
Posts: 38

Quote:
Originally Posted by jggimi
I don't see anything particularly new, your prior logs posted show the same AES_CBC and PRE_SHARED complaints.
Yup, trying different things here, will update the thread.
Tags
android client, ipsec, road-warrior, vpn