DaemonForums > OpenBSD > OpenBSD Security

need troubleshooting tip for vpn connections

Old 26th October 2010
badguy
Fdisk Soldier
Join Date: Jul 2009
Location: MD, USA
Posts: 59

I need help troubleshooting a VPN connection. I get the following error messages and I want to know what to check for when these errors occur.

attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
message_negotiate_sa: no compatible proposal found
dropped message from 1.2.3.4 port 500 due to notification type NO_PROPOSAL_CHOSEN

I believe this has to do with mismatching parameters in the negotiation stage, but I am 100% sure I have the same parameters, as I have copied and pasted all the files I used and not edited them manually. Is there any other reason I would get this error? What can I do to correct it, or what should I check for?

transport_send_messages: giving up on exchange peer-1.2.3.4, no response from peer 1.2.3.4:500

I have no idea why this comes up.


Should I be able to ping the peer IPs from the VPN machine?
Should I be able to ping the peer IPs from the gateway machine?
Any troubleshooting tips will be appreciated.

Thanks
Old 26th October 2010
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

There was no need to start a new thread.

Troubleshooting tip #1: post your actual configuration files and network topologies rather than saying you understand them.

It appears to me you are using the examples from the widely published and republished "Zero to IPSec ... " where the examples shown use static IP addresses 1.2.3.4 and 5.6.7.8. If you don't have systems with these static addresses, your configuration will not work.

And as discussed in your original thread, you are not planning to use IPv4 addressing.

Use the real addresses of your gateways, or, provision as recommended in your other thread.
Old 26th October 2010
badguy
Fdisk Soldier
Join Date: Jul 2009
Location: MD, USA
Posts: 59

Sorry for the multi-post. I just felt this was a different topic, so I decided to create another post. This is actually a different project from the previous post, as I am using IP addresses in this one but will be using DNS names for the second project (previous thread). I do not want you to mix them up.

Let me know if I left out any important config.

ipsec.conf
Code:
#Traffic from A VPN
ike passive esp from 10.3.0.0/16 to 10.1.0.0/16 peer 1.8.64.7
#Traffic from A Network
ike passive esp from 10.2.0.0/16 to 10.1.0.0/16 peer 1.8.64.7

#Traffic to C
ike passive esp from 10.3.0.0/16 to 10.4.0.0/16 peer 1.8.15.3
#Traffic from A Network
ike passive esp from 10.2.0.0/16 to 10.4.0.0/16 peer 1.8.15.3

ike passive esp from 1.8.38.5 to 1.8.64.7
ike passive esp from 1.8.38.5 to 1.8.15.3

pf.conf
Code:
# Interface macros: the rules below reference $ext_if and $int_if, but the
# file as posted never defined them, so pf would refuse to load it.
# em1/em3 are assumed from the hostname.if files shown below.
ext_if = "em1"
int_if = "em3"

ext_ip = "1.8.38.5"
int_ip = "10.2.1.5"
peer_ip= "{1.8.64.7, 1.8.15.3}"

lan_net = "{ 10.2.0.0/16, 10.3.0.0/16}"
peer_net= "{10.1.0.0/16, 10.4.0.0/16}"

admin_ip= "10.0.0.0/8"

set skip on lo0

block log all

pass in on $ext_if proto udp from $peer_ip to $ext_ip port {500, 4500}
pass out on $ext_if proto udp from $ext_ip to $peer_ip port {500, 4500}

pass in on $ext_if proto esp from $peer_ip to $ext_ip
pass out on $ext_if proto esp from $ext_ip to $peer_ip

pass in on enc0 from $peer_ip to $ext_ip keep state (if-bound)
pass out on enc0 from $ext_ip to $peer_ip keep state (if-bound)

pass in on enc0 from $peer_net to $lan_net keep state (if-bound)
pass out on enc0 from $lan_net to $peer_net keep state (if-bound)

pass out on $int_if from $peer_net to $lan_net keep state (if-bound)
pass in on $int_if from $lan_net to $peer_net keep state (if-bound)

pass in on $int_if proto tcp from $admin_ip to $int_ip port ssh
pass out on $int_if proto tcp from $int_ip to $admin_ip port ssh

pass out on $int_if from $int_ip to $lan_net

hostname.em1
Code:
inet 1.8.38.5 255.255.254.0 NONE

hostname.em3
Code:
inet 10.2.1.5 255.255.0.0 NONE

hostname.enc0
Code:
up

Last edited by badguy; 27th October 2010 at 03:38 PM.
Old 27th October 2010
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

You're showing only one side's ipsec.conf? I'm already confused by what I've seen, which appears to have cross configured and duplicated subnets.
Old 27th October 2010
badguy
Fdisk Soldier
Join Date: Jul 2009
Location: MD, USA
Posts: 59

VPN 2 - OpenBSD 4.6

hostname.em0
Code:
inet 10.4.1.1 255.255.0.0 NONE

hostname.em1
Code:
inet 1.8.15.3 255.255.255.0 NONE

hostname.enc0
Code:
up

ipsec.conf
Code:
ike esp from 10.4.0.0/16 to 10.1.0.0/16 peer 1.8.64.7
ike esp from 10.4.0.0/16 to 10.2.0.0/16 peer 1.8.38.5
ike esp from 10.4.0.0/16 to 10.3.0.0/16 peer 1.8.38.5

ike esp from 1.8.15.3 to 1.8.38.5
ike esp from 1.8.15.3 to 1.8.64.7

pf.conf
Code:
int_if = em0
ext_if = em2

int_ip = 10.4.1.1
ext_ip = 1.8.15.3
peer_ip = "{1.8.64.7, 1.8.38.5}"

lan_net = "10.4.0.0/16"
peer_net = "{10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16}"

set skip on lo0

match in scrub (no-df)

nat on $ext_if from $lan_net to any -> $ext_ip

block in log all

pass in quick on $int_if from $lan_net to any

pass out on $ext_if proto icmp from $ext_ip to any

pass in inet proto tcp from any to $int_if port ssh

pass out on $ext_if proto udp from any to any port 53 keep state

pass in on $ext_if proto udp from $peer_ip to $ext_ip port {500, 4500}
pass out on $ext_if proto udp from $ext_ip to $peer_ip port {500, 4500}

pass in on $ext_if proto esp from $peer_ip to $ext_ip
pass out on $ext_if proto esp from $ext_ip to $peer_ip

pass in on enc0 from $peer_ip to $ext_ip keep state (if-bound)
pass out on enc0 from $ext_ip to $peer_ip keep state (if-bound)

pass in on enc0 from $peer_net to $lan_net keep state (if-bound)
pass out on enc0 from $lan_net to $peer_net keep state (if-bound)

pass out on $int_if from $peer_net to $lan_net keep state (if-bound)
pass in on $int_if from $lan_net to $peer_net keep state (if-bound)

pass out on $int_if from $int_ip to $lan_net

antispoof log for $ext_if
antispoof log for $int_if



VPN 3 - OpenBSD

hostname.em0
Code:
inet 10.1.1.254 255.255.0.0 NONE

hostname.em1
Code:
inet 1.8.64.7 255.255.0.0 NONE

hostname.enc0
Code:
up

ipsec.conf
Code:
ike esp from 10.1.0.0/16 to 10.2.0.0/16 peer 1.8.38.5

ike esp from 10.1.0.0/16 to 10.3.0.0/16 peer 1.8.38.5

ike passive esp from 10.1.0.0/16 to 10.4.0.0/16 peer 1.8.15.3

ike esp from 1.8.64.7 to 1.8.38.5
ike passive esp from 1.8.64.7 to 1.8.15.3

pf.conf
Code:
ext_if = "em1"
int_if = "em0"

ext_ip = "1.8.64.7"
int_ip = "10.1.1.254"
peer_ip= "{ 1.8.38.5, 1.8.15.3 }"

lan_net = "10.1.0.0/16"
peer_net= "{ 10.2.0.0/16, 10.3.0.0/16, 10.4.0.0/16 }"

admin_ip= "10.0.0.0/8"

set skip on lo0

block log all

pass in on $ext_if proto udp from $peer_ip to $ext_ip port {500, 4500}
pass out on $ext_if proto udp from $ext_ip to $peer_ip port {500, 4500}

pass in on $ext_if proto esp from $peer_ip to $ext_ip
pass out on $ext_if proto esp from $ext_ip to $peer_ip

pass in on enc0 from $peer_ip to $ext_ip keep state (if-bound)
pass out on enc0 from $ext_ip to $peer_ip keep state (if-bound)

pass in on enc0 from $peer_net to $lan_net keep state (if-bound)
pass out on enc0 from $lan_net to $peer_net keep state (if-bound)

pass out on $int_if from $peer_net to $lan_net keep state (if-bound)
pass in on $int_if from $lan_net to $peer_net keep state (if-bound)

pass in on $int_if proto tcp from $admin_ip to $int_ip port ssh
pass out on $int_if proto tcp from $int_ip to $admin_ip port ssh

pass in on $ext_if proto tcp from any to $ext_ip port ssh
pass out on $ext_if proto tcp from $ext_ip to any port ssh
pass out on $int_if from $int_ip to $lan_net
Old 27th October 2010
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

I started to draw a picture of your complex environment, before asking my next questions. But then I noted that you have a 4.6 box in this mix. 4.6 and 4.7 are using partially incompatible versions of IPSec. From the 4.7 Upgrade Guide:
Quote:
IPsec HMAC-SHA2 incompatibility:
Two bugs in IPsec/HMAC-SHA2 were fixed, resulting in an incompatibility with the HMAC-SHA-256/384/512 hash algorithms with previous versions of OpenBSD and other IPsec implementations sharing the bugs. In particular the default authentication algorithm HMAC-SHA-256 is affected. Upgrade both sides together, or switch to another authentication algorithm during the transition.
This could be part of your problem (if not all of it).

What you have shown here, if I understand what you've posted, is a 3-way VPN, attempting to tie three networks together.

Have you tried interconnecting just the gateways as IPSec peers, without the RFC1918 subnets? Establishing SAs and Flows between just the OpenBSD routers? If not, do that first. That will at least prove the peers can establish interconnects. Start small, then make incremental additions until you've reached your desired configuration.

Your ipsec.conf files all show a 10.3/16 subnet, but it doesn't appear to exist. Did you miss a configuration file, or are you planning some sort of BiNAT?

Last edited by jggimi; 18th September 2012 at 12:01 AM.
Old 27th October 2010
badguy
Fdisk Soldier
Join Date: Jul 2009
Location: MD, USA
Posts: 59

The diagram is on point, and yes, it is a 3-way VPN.

It’s a 4.5 and 4.6 mix. The unnamed box is 4.5, VPN 2 is 4.6 and VPN 3 is 4.5.

Ignore the 10.3 subnet. That’s just some design flaw that will be removed from the configs.

Right now 3 and 2 are peering fine with each other. I am trying to get the unnamed box to peer with both 3 and 2 (unsuccessful so far).

Quote:
Have you tried interconnecting just the gateways as IPSec peers, without the RFC1918 subnets? Establishing SAs and Flows between just the OpenBSD routers? If not, do that first.

Are you saying I should modify ipsec.conf for the unnamed box and leave only
Code:
ike passive esp from 1.8.38.5 to 1.8.64.7
ike passive esp from 1.8.38.5 to 1.8.15.3

I don't want to mess with the other 2 now because they are fine and have been up for ages. I know the problem is from the unnamed box I am trying to add.
Old 27th October 2010
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

I'm suggesting adding your new (unnamed) box in to the VPN network, and ONLY adding the peer-to-peer configurations. Select one to be passive.

e.g.: On the unnamed box:
Code:
ike esp from 1.8.38.x to 1.8.15.x
ike esp from 1.8.15.x to 1.8.38.x
and on VPN 2:
Code:
ike passive esp from 1.8.15.x to 1.8.38.x
ike passive esp from 1.8.38.x to 1.8.15.x
Nothing fancier. See if you can get SA and Flow established just like that. Worry about your 10.x.x.x networks later.
Old 27th October 2010
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

Here's a real world example of peer-to-peer VPN only. Actual use is for a WiFi connection:
Code:
ike passive esp from 192.168.1.1 to 192.168.2.51 \
   srcid jggimi.jggimi.homeip.net dstid netbook.jggimi.homeip.net \
   tag ipsec
This is sufficient to set up bi-directional SAs and Flows. Works with -current's (and 4.8's) ACPI sleep mode on the netbook, too.
Old 28th October 2010
badguy
Fdisk Soldier
Join Date: Jul 2009
Location: MD, USA
Posts: 59

So I used only the peer-to-peer configs and ran ipsecctl -sa and was able to get SADs and flows; however, when I try to ping an IP behind that subnet over the VPN I get a "TTL expired in transit". Doing a trace shows a loop half way, thus the TTL expired.
Old 28th October 2010
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

Sounds like a routing issue -- can you ping those devices without the VPN in place?
Old 28th October 2010
badguy
Fdisk Soldier
Join Date: Jul 2009
Location: MD, USA
Posts: 59

The device I am trying to ping is one of the RFC1918 devices (on the 10.1/16).
I cannot ping the peer IP (1.8.64.x). Should I be able to ping the IP I am trying to peer with before I peer with it?
Old 28th October 2010
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

One would think it would be helpful. It is possible that PF may be getting in the way through either gateway. I haven't examined your PF configurations at all.

The VPN setup, key change management, and VPN teardown is done by isakmpd(8), all via UDP, on port 500 by default. The ESP tunnels don't change routing. So to reach a 10.4 address from a 10.2 address, routing must be established end-to-end.

PF can then be used to restrict traffic to VPN only, if desired.
Old 9th November 2010
badguy
Fdisk Soldier
Join Date: Jul 2009
Location: MD, USA
Posts: 59

Is there anything wrong with setting both sides of a VPN to active instead of having one side passive and the other side active? Will it fail if it is done this way?

e.g.
Side A
Code:
ike esp from 1.2.3.4 to 5.6.7.8
Side B
Code:
ike esp from 5.6.7.8 to 1.2.3.4

instead of
Side A
Code:
ike esp from 1.2.3.4 to 5.6.7.8
Side B
Code:
ike passive esp from 5.6.7.8 to 1.2.3.4
Old 9th November 2010
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

It should not fail, but there will be higher levels of UDP traffic whenever links break, as each side attempts to reach the other.
Old 9th November 2010
badguy
Fdisk Soldier
Join Date: Jul 2009
Location: MD, USA
Posts: 59

I can establish a connection with my peer. I verified this with ipsecctl -sa. However, I am not able to ping the internal network. I can ping the external network. What might be the cause of this? My logs do not show me any error for now.

I tried using the following to troubleshoot and see if I can get any clue:
Code:
tcpdump -e -i pflog0
tcpdump -nvs1400 -r /var/run/isakmpd.pcap
tcpdump -i enc0

Is there any other troubleshooting tip with tcpdump you can provide, or should I provide my log/capture file? Thanks.
Old 10th November 2010
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

I said it way back in post #11, and I'll say it again. It looks like you need to add routes. You haven't published your routing tables, but follow along with me, and see if it makes sense.

Without any VPN:

A machine on the 10.1 network wants to send a packet to a machine on the 10.2 network. Oh, that's easy. It's not on this subnet, so I'll route it to my default route. Which happens to be one of the OpenBSD routers.

The router then says to itself, I don't know where the 10.2 network is, so I'll use my default route. Your ISP sees a packet come for a 10.x address and drops it.

----

Now, add back in the VPN. ESP appears AFTER the IP header. So routing must be established between 10.1 and 10.2 by the gateways. Otherwise, the packets are still going to go to your ISP destined for 10.2 and be dropped.

The router in front of 10.1 needs to have routes to 10.2 and 10.3, the router at 10.2 needs routes added for 10.1 and 10.3, etc.

Unless I'm bonkers (and of course, I might be). But you've been mucking about for weeks, perhaps a month, and getting nowhere.

Try establishing routes between the subnets.
Old 10th November 2010
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

I guess my memory was playing tricks, and I have misstated the probable cause. From http://tools.ietf.org/html//rfc4303
Code:
   In tunnel mode, the "inner" IP header carries the ultimate (IP)
   source and destination addresses, while an "outer" IP header contains
   the addresses of the IPsec "peers", e.g., addresses of security
   gateways.  Mixed inner and outer IP versions are allowed, i.e., IPv6
   over IPv4 and IPv4 over IPv6.  In tunnel mode, ESP protects the
   entire inner IP packet, including the entire inner IP header.  The
   position of ESP in tunnel mode, relative to the outer IP header, is
   the same as for ESP in transport mode.  The following diagram
   illustrates ESP tunnel mode positioning for typical IPv4 and IPv6
   packets.

                 BEFORE APPLYING ESP
            ----------------------------
      IPv4  |orig IP hdr  |     |      |
            |(any options)| TCP | Data |
            ----------------------------

                 AFTER APPLYING ESP

            -----------------------------------------------------------
      IPv4  | new IP hdr* |     | orig IP hdr*  |   |    | ESP   | ESP|
            |(any options)| ESP | (any options) |TCP|Data|Trailer| ICV|
            -----------------------------------------------------------
                                |<--------- encryption --------->|
                          |<------------- integrity ------------>|
Old 10th November 2010
badguy
Fdisk Soldier
Join Date: Jul 2009
Location: MD, USA
Posts: 59

OK, so let's say 10.4 cannot reach 10.2, for example.

From the 10.2/16 I should add
Code:
route add -net 10.4.0.0/16 1.8.38.5

and on the 10.4/16 I should add
Code:
route add -net 10.2.0.0/16 1.8.15.3

Also just wondering (not arguing with you):
I did not add routes from the 10.2/16 to the 10.1/16 and it works.
Old 10th November 2010
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

It works on the existing VPN because esp in tunnel mode is working. See the diagram I posted. The 10.x destination is fully encapsulated.

On the VPN where it is NOT working, there is something wrong with the tunnel. Compare the outputs of the SA and Flow reports from ipsecctl(8).
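To make the "compare the SA and Flow reports" advice above (and the earlier "see if you can get SA and Flow established" step) concrete, here is an added example that is not from either poster: a small checker that parses `ipsecctl -sa` style output and reports flows without a reverse flow and peers that have flows but no SA in one or both directions. The sample output is constructed for this example (line layout modelled on ipsecctl's FLOWS/SAD sections, addresses taken from the thread), so the exact field order is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of `ipsecctl -sa` output (not captured from the thread's
# gateways): paired flows and both SAs for peer 1.8.64.7, but only a one-way
# flow and no SA at all for peer 1.8.15.3, i.e. that tunnel never came up.
SAMPLE = """\
FLOWS:
flow esp in from 10.1.0.0/16 to 10.2.0.0/16 peer 1.8.64.7 srcid 1.8.38.5/32 dstid 1.8.64.7/32 type use
flow esp out from 10.2.0.0/16 to 10.1.0.0/16 peer 1.8.64.7 srcid 1.8.38.5/32 dstid 1.8.64.7/32 type require
flow esp out from 10.2.0.0/16 to 10.4.0.0/16 peer 1.8.15.3 srcid 1.8.38.5/32 dstid 1.8.15.3/32 type require

SAD:
esp tunnel from 1.8.64.7 to 1.8.38.5 spi 0x0d2f0a9e auth hmac-sha2-256 enc aes
esp tunnel from 1.8.38.5 to 1.8.64.7 spi 0x3f2a5a4f auth hmac-sha2-256 enc aes
"""

FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+) peer (\S+)")
SA_RE = re.compile(r"^esp tunnel from (\S+) to (\S+) spi (\S+) auth (\S+) enc (\S+)")


def parse(text):
    """Split ipsecctl-style output into flow dicts and SA dicts."""
    flows, sas = [], []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            flows.append({"dir": m.group(1), "src": m.group(2), "dst": m.group(3), "peer": m.group(4)})
            continue
        m = SA_RE.match(line)
        if m:
            sas.append({"src": m.group(1), "dst": m.group(2), "spi": m.group(3),
                        "auth": m.group(4), "enc": m.group(5)})
    return flows, sas


def check(text):
    """Return problem strings: a flow lacking its reverse, or a peer that has
    flows but is missing the SA toward it and/or the SA from it."""
    flows, sas = parse(text)
    problems = []
    keys = {(f["dir"], f["src"], f["dst"], f["peer"]) for f in flows}
    for f in flows:
        rev = ("in" if f["dir"] == "out" else "out", f["dst"], f["src"], f["peer"])
        if rev not in keys:
            problems.append(f"flow {f['dir']} {f['src']}->{f['dst']} peer {f['peer']} has no reverse flow")
    sa_dirs = defaultdict(set)
    for s in sas:
        sa_dirs[s["dst"]].add("to")    # an SA whose destination is the peer
        sa_dirs[s["src"]].add("from")  # an SA whose source is the peer
    for peer in sorted({f["peer"] for f in flows}):
        missing = sorted({"to", "from"} - sa_dirs[peer])
        if missing:
            problems.append(f"peer {peer}: missing SA(s): " + ", ".join(f"{d} {peer}" for d in missing))
    return problems


if __name__ == "__main__":
    for p in check(SAMPLE):
        print(p)
```

On a real gateway, feed it the live report with `ipsecctl -sa | python3 checker.py` after replacing SAMPLE with `sys.stdin.read()`.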