DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 6th December 2016
roggy roggy is offline
Port Guard
 
Join Date: Nov 2013
Posts: 41
Default Help with IPSEC

I have an active ipsec tunel between the company I work for and a client.
I added rules for the esp, ipencap protocol in the enc0 interface and also isakmp.
I found it strange, but the client uses the network 200.185.190.0/24 and needs to access the hosts on this network through the tunnel.
How do I make my network access hosts on the network 200.185.190.0/24 if I can not add route using the enc0 interface?
Thanks!!
Reply With Quote
  #2   (View Single Post)  
Old 6th December 2016
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

It is unclear what the networks look like. It is unclear if the client subnet you are asking about is completely separate from your gateway connections, such as:
Code:
[Your company gateway at IP address a.a.a.a] - { the Internet} 

[Your client gateway at IP address b.b.b.b] - {the Internet}

[The 200.185.190/24 subnet somewhere in Brazil] - {the Internet}
If that is accurate, then you would need a gateway device on that client subnet.

But, perhaps the client subnet includes the gateway?
Code:
[Your company gateway at IP address a.a.a.a] - { the Internet} 

[Your client gateway at 200.186.190.x] - {the Internet}
If so, you need only ensure the subnet is included in the ipsec.conf(5) configuration. An example of two subnets tunnelled between two gateways was used in Symantec's article Zero to IPSec in 4 Minutes.
Reply With Quote
  #3   (View Single Post)  
Old 7th December 2016
roggy roggy is offline
Port Guard
 
Join Date: Nov 2013
Posts: 41
Default

jggimi,

I am using the configuration as this site http://www.openbsdsupport.org/vpn-ipsec.html and my tunnel is up.
What's the difference between using it or a configuration in the ipsec.conf file?
I'm confused...
Reply With Quote
  #4   (View Single Post)  
Old 7th December 2016
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

The "how to" you are following does not use ipsec.conf(5) and ipsecctl(8), which were designed to replace the complexities of isakmpd.conf(5) and isakmpd.policy(5) with simple configurations.

OpenBSD's ipsec.conf configuration provides a much simpler configuration and management interface to the ISAKMP/Oakly Security Policy Database. It was so simple, Symantec published an article stating that it only took them 4 minutes to configure and establish an IPSEC VPN between two gateways and their underlying networks.

The ipsec.conf(5) simplification has been available in OpenBSD since 3.8, released in 2005. I cannot explain why your third party "how to" author declined to deploy it for that 2009-era "how to" you used. There does not appear to be any unique provisioning in the "how to" that cannot be managed with ipsec.conf(5).

Since 2005, the only reason to use isakmpd.conf/isakmpd.policy files is to deploy a configuration that cannot be provisioned with ipsec.conf directly.
Reply With Quote
  #5   (View Single Post)  
Old 7th December 2016
roggy roggy is offline
Port Guard
 
Join Date: Nov 2013
Posts: 41
Default

jggimi,

As I had found this howto using the isakmpd.conf I went for it. But there's no problem. I'm already configuring ipsec.conf
The client gave me the following pre-shared key

Quote:
<deleted>
When I load ipsec.conf with the ipsecctl -f /etc/ipsec.conf command, it shows the following error:

Quote:
root@gw:~# ipsecctl -n -f /etc/ipsec.conf
/etc/ipsec.conf: 34: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded
I searched a lot about and found nothing. I was trying to remove some characters and the command loaded the file.
Is there a limitation on characters when using the password?

Last edited by ocicat; 8th December 2016 at 09:05 AM. Reason: Removed published private key.
Reply With Quote
  #6   (View Single Post)  
Old 8th December 2016
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

It appears you have published your client's private key on the Internet. Inform your customer you have inadvertently done so and instruct your client to change this key immediately.

Strings containing special characters should be escaped. The most common way to do this is inside two double-quote characters (") such as ... psk "my string"

Please note: best practice is to use pre-shared keys for testing, but not in production. For production, best practice is to use either public key authentication or certificates.

Last edited by jggimi; 8th December 2016 at 12:25 AM. Reason: clarity, typos
Reply With Quote
  #7   (View Single Post)  
Old 8th December 2016
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,318
Default

Quote:
Originally Posted by jggimi View Post
It appears you have published your client's private key on the Internet. Inform your customer you have inadvertently done so and instruct your client to change this key immediately.
christianoliberato, I have deleted reference to your client's private key, but as jggimi has already stated, you should consider it to be compromised. It should be regenerated.

Last edited by ocicat; 8th December 2016 at 09:04 AM. Reason: Clarity
Reply With Quote
  #8   (View Single Post)  
Old 11th December 2016
roggy roggy is offline
Port Guard
 
Join Date: Nov 2013
Posts: 41
Default

jggimi / ocicat

The key I posted was not valid. We use it only for testing.
The scenario is as follows:

Tunnel Parameters
Company: 200.200.10.10
Client: 200.200.20.20
Authentication algorithm: MD5
Encryption: 3DES
Pre-shared key: 1q2w3e (not true)

Host / network settings
Client: 200.200.30.0/24
Company: 10.20.30.252/30

The configuration I'm doing in ipsec.conf is:
Ike esp from 200.200.10.10 to 200.200.20.20 \
Main auth hmac-md5 enc 3des \
Quick auth hmac-md5 enc 3des \
Psk 1q2w3e

This IP 10.20.30.252/30 is not mine and I understood that in my firewall will be created an interface with it after connecting
And to reach 200.200.30.0/24 you will need to create a static route using the IP 10.20.30.252/30 as gateway.
I questioned the client if this network was correct 200.200.30.0/24 and said that it is right.
I have never set up ipsec and would like to know if this is the case.
Reply With Quote
  #9   (View Single Post)  
Old 11th December 2016
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

For clarity, I will recreate your ipsec.conf configuration file wrapped in [code] and [/code] tags.
Code:
ike esp from 200.200.10.10 to 200.200.20.20 \
main auth hmac-md5 enc 3des \
quick auth hmac-md5 enc 3des \
psk 1q2w3e
You are only establishing an IPSec Security Association ("SA") between the two gateways, and at their local subnet addresses, not at their addresses on the Internet. Perhaps you misunderstood the examples in the Zero to IPSec in 4 minutes article I linked to in post #2 above. Let me restate their example configuration. The two gateway devices each support a local subnet. One gateway routes traffic for 10.1.1.0/24, the other gateway routes traffic for 10.2.2.0/24:
Code:
{10.1.1.0/24} - [IPSec gateway] - 1.2.3.4 {internet} 

{internet} - 5.6.7.8 [IPSec gateway] - {10.2.2.0/24}
And here is an example ipsec.conf configuration from that article.
Code:
ike esp from 10.1.1.0/24 to 10.2.2.0/24 peer 5.6.7.8
ike esp from 1.2.3.4 to 10.2.2.0/24 peer 5.6.7.8 
ike esp from 1.2.3.4 to 5.6.7.8
  1. The first line establishes an SA between the two subnets, and uses the peer parameter to define the remote gateway.
  2. The second line establishes an SA between the local gateway and the remote subnet, also using the peer parameter to define the remote gateway.
  3. The third line establishes an SA between the two gateways.

Last edited by jggimi; 11th December 2016 at 05:05 PM. Reason: typos, clarity
Reply With Quote
Old 20th April 2017
roggy roggy is offline
Port Guard
 
Join Date: Nov 2013
Posts: 41
Default

Hi jggimi,

I did not continue this post because this access would no longer be necessary. But now I need to close the tunnel with another client. The data sent by it (I changed the IP and password) are:
Quote:
Phase1:
IKE V1
Remote gateway: 200.200.200.10
Method of negotiation: MAIN
Encryption: AES-256
Hash: SHA256
DH: 2
Life time: 86400
NAT-T: disabled
DPD (Dead peer detection): disabled
PASSWORD: abc123

Phase2:
Remote network: 192.168.31.0/24
Encryption: AES 128
Hash: SHA1
PFS: 2
Life time: 3600
In none of the examples is the Phase1 and Phase2 data mentioned.
How would this configuration be?
Thanks!!

Last edited by roggy; 24th April 2017 at 06:41 PM.
Reply With Quote
Old 20th April 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Phase 1 and Phase 2 are defined in ipsec.conf(5) with mode and quick automatic keying parameters. I would refer to the ipsec.conf(5) man page for specifics.
Reply With Quote
Old 24th April 2017
roggy roggy is offline
Port Guard
 
Join Date: Nov 2013
Posts: 41
Default

jggimi,

I made the settings like this

Quote:
ike esp from 100.100.100.10 to 200.200.200.10 \
main auth hmac-sha2-256 enc aes-256 lifetime 86400 \
quick auth hmac-sha1 enc aes-128 lifetime 3600 \
psk abc123.,2333

ike esp from 192.168.10.0/24 to 192.168.31.0/24 peer 200.200.200.10
ike esp from 100.100.100.10 to 192.168.31.0/24 peer 200.200.200.10
ike esp from 100.100.100.10 to 200.200.200.10
When I try to load the settings with ipsecctl -f /etc/ipsec.conf it shows the following error

Quote:
root@server~# ipsecctl -f /etc/ipsec.conf
/etc/ipsec.conf: 33: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded
Is there a character limitation to set in the password?
Reply With Quote
Old 24th April 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Your error is in line number 33, which you did not show. I do not know if there are any string length maximum, but I do know that if your string has special characters, it will need to be escaped with quotes.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Some help with IPSEC / VPN Daffy OpenBSD Security 1 9th November 2013 12:45 PM
IPSec VPN configuration? polken OpenBSD Security 8 29th May 2012 08:48 PM
IPsec/pf setup denta OpenBSD Security 1 25th May 2012 09:08 PM
isakmp to ipsec badguy OpenBSD Security 3 17th November 2010 10:52 PM
Need Help Please About IPsec wong_baru FreeBSD Security 2 21st June 2010 08:00 AM


All times are GMT. The time now is 05:36 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick