DaemonForums, OpenBSD Security forum

Creating an IPSEC VPN Backup Gateway

#1, 2nd September 2016
Amithapr (Port Guard, joined Dec 2015, 42 posts)

Hi,

I have a Site to Site IPSEC VPN. Could I know whether it is possible to create a backup of an OpenBSD IPSEC VPN gateway? If so, what actions should I follow? I tried copying just the ISAKMPD folder to the backup gateway and tested the VPN, but it didn't work.

Thanks
#2, 2nd September 2016
jggimi (More noise than signal, joined May 2008, USA, 5,562 posts)

Please clarify what you mean by "backup." Please explain what "didn't work" means.

My crystal ball and magic hat are currently unavailable.
#3, 6th September 2016
Amithapr (Port Guard, joined Dec 2015, 42 posts)

Hi Jggimi,

1. Backup means another OpenBSD IPSEC VPN Gateway (new machine) to use in case of a failure of the running (live) VPN gateway. This backup is configured and kept aside to use in case of a failure.

2. Didn't work meant that when I copy the ISAKMPD folder from the live IPSEC VPN Gateway machine to the new backup machine, and connect the backup IPSEC VPN machine to the ISP line by disconnecting the live IPSEC VPN Gateway, my VPN tunnel didn't connect.

Thanks
#4, 6th September 2016
jggimi (More noise than signal, joined May 2008, USA, 5,562 posts)

If the "backup" machine is intended to be a replacement for the primary gateway, it should have the same network provisioning. IPSec has more provisioning requirements than files located in /etc/isakmpd/.

Two possible differences you may have already considered are IP addressing and PF configuration. Perhaps your "backup" machine is using the same IP address as the primary gateway. I would not know. Perhaps your "backup" machine is using the same PF configuration. I would not know.

Why wouldn't I know? Because you have not mentioned them. All I am able to understand about your problem is the information you decide to post.

As an example, I can only guess you are using one of the many ways to deploy IKEv1, since you mentioned /etc/isakmpd/, but at the moment that is all I know. "My tunnel didn't connect" is insufficient information for me to provide any real assistance.

I am not an IPSec expert. I have previously been an IPSec user, but am not a user now. When I used it, I deployed both IKEv1 and IKEv2. However, when I deployed IKEv1 I did not provision any files in /etc/isakmpd/, instead I used ipsecctl(8) and ipsec.conf(5).

Without knowing anything about your problem other than likely IKEv1 and your "tunnel didn't connect," all I can recommend is the following.
  1. Ensure your IP configuration is identical.
  2. Ensure your PF configuration is identical, and passing all IPSec related traffic, such as ESP and AH protocols as applicable, IKE key exchange traffic via UDP, and encapsulation traffic.
  3. Log isakmpd(8) messages with -v so you can determine which IKEv1 phase may be failing.
#5, 6th September 2016
Amithapr (Port Guard, joined Dec 2015, 42 posts)

Hi Jggimi,

Sorry about the insufficient information. I'm totally new to OpenBSD.

I kept all the IPs the same, both the internal interface and the external interface, on the two systems. My PF configurations are also identical.

I have no idea how to check the IKE version, or the way that IKE has been implemented in the live VPN gateway. (I have heard that we have the TUNNELING mode, but I don't know whether that is the information that you are requiring.)

Thanks a lot for your information.
#6, 6th September 2016
jggimi (More noise than signal, joined May 2008, USA, 5,562 posts)

Let us pretend, for a moment, that your problem is not OpenBSD, and not IPSec. Something very simple, that happens to people all the time:

Problem: "I cannot drive my car."

With that much information, someone trying to help you can only guess at what the problem might be.

Guess #1: "Are you out of fuel?"
Guess #2: "Do you have a flat?"
Guess #3: "Does the starter motor turn?"
Guess #4: "Is the battery providing power?"
Guess #5: "Does the engine start?"
Guess #6: ....

Someone can keep guessing. Maybe they will guess correctly, or maybe they will never guess that you cannot find your keys.

----

Now, let's move to your IPSec/OpenBSD problem. My first guess was "different IP address" and my second guess was "different PF configuration." You have told me my guesses are wrong.

Here's Guess #3: "Perhaps the isakmpd daemon is not being started."

How are you starting it? How do you know it is running? If the answer to both my questions is "I don't know," then perhaps this is a good guess.

If you know it is starting successfully, and have confirmed that it starts, we can then move on to Guess #4.
#7, 7th September 2016
Amithapr (Port Guard, joined Dec 2015, 42 posts)

Yes, I have no idea whether the isakmpd daemon is being started, or, if it is not started, how to start it.

Thanks
#8, 7th September 2016
jggimi (More noise than signal, joined May 2008, USA, 5,562 posts)

Great! Your car isn't running, because you don't know that you need car keys to start it, and you don't know what the car sounds like when it is running.

First, we need to find out what the car keys look like for your primary car, so we can find and use them in the new car.

Your primary system may still be OpenBSD 5.3. At that release, system daemons were started by a pair of Bourne shell scripts that set variables, /etc/rc.conf and /etc/rc.conf.local. Your prior system administrator should have set isakmpd flag variables in /etc/rc.conf.local, so inspect the contents of this file first. If it is not there, your prior system administrator would have violated best practices and set the variable in /etc/rc.conf instead.

You are looking for the variable isakmpd_flags. Its contents are your key, as it contains the flags used to start isakmpd. It may be blank, or contain values. Because I used ipsec.conf(5) with isakmpd(8), I used the -K flag. My variable setting was isakmpd_flags=-K.

On a modern OpenBSD system, the rc.conf* files are no longer Bourne shell scripts. Instead, they are files which are parsed programmatically. And for ease of administration, we use the program rcctl to configure our rc.conf.local file, which you can read about in the rcctl(8) man page.

If I were to use isakmpd with the -K flag once more, I would issue these rcctl(8) commands:
Code:
# rcctl enable isakmpd
# rcctl set isakmpd flags -K
The first command would create an isakmpd_flags variable in my rc.conf.local file, telling the rc(8) system to start the daemon on boot, the second command would set the value of the variable to -K, so that the daemon would be started with the -K flag.

I could reboot, or I could issue # rcctl start isakmpd to start the daemon. See the rcctl(8) man page on a modern OpenBSD release for more information.

Second, we need to know if the car is running.

The rcctl(8) program has an "ls" option which can list daemons that are started and stopped: # rcctl ls started

But you can check on any program with the pgrep(1) tool. For example, you could use $ pgrep -lf isakmpd on your primary gateway, then on your backup gateway, and discover where this car is currently running, and what the keys look like.

See the pgrep(1) man page for more information. It did exist in OpenBSD 5.3.
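As an added example (not code from this thread, nor from OpenBSD's own rc scripts), the following POSIX sh script applies the rc.conf / rc.conf.local precedence described in the post above and reports where the effective isakmpd_flags value comes from and what rc(8) would do with it at boot. The function names and the sample file contents are my own constructions; the file paths are arguments, so copies of both gateways' files can be compared offline.

```shell
#!/bin/sh
# Added example, not code from this thread or from OpenBSD itself. It mimics
# how rc(8) on pre-rcctl releases picked up isakmpd_flags: /etc/rc.conf is
# sourced first and /etc/rc.conf.local afterwards, so the "local" file wins.
# "NO" means the daemon is not started; any other value, including an empty
# one, is passed to isakmpd as its flags.

# Value of the last isakmpd_flags= assignment in one file, minus any trailing
# comment and surrounding double quotes. Returns 1 if the file has none.
flags_in_file() {
    line=$(grep '^[[:space:]]*isakmpd_flags=' "$1" 2>/dev/null | tail -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | sed -e 's/^[[:space:]]*isakmpd_flags=//' \
        -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/'
}

# Effective setting as FILE=VALUE ($1 = rc.conf, $2 = rc.conf.local), or
# "unset=" when neither file assigns the variable.
effective_flags() {
    src=unset val=
    for f in "$1" "$2"; do
        v=$(flags_in_file "$f") && { src=$f; val=$v; }
    done
    printf '%s=%s\n' "$src" "$val"
}

# One-line verdict on what rc(8) would do with isakmpd at boot.
boot_verdict() {
    eff=$(effective_flags "$1" "$2")
    src=${eff%%=*} val=${eff#*=}
    if [ "$src" = unset ]; then
        echo "no isakmpd_flags assignment found in either file"
    elif [ "$val" = NO ]; then
        echo "isakmpd disabled (isakmpd_flags=NO in $src)"
    elif [ -z "$val" ]; then
        echo "isakmpd starts with no flags (set in $src)"
    else
        echo "isakmpd starts with flags '$val' (set in $src)"
    fi
}

# Constructed sample files (not the poster's attachments); prints their dir.
make_samples() {
    d=$(mktemp -d)
    printf 'isakmpd_flags=NO\t# for normal use: ""\n' > "$d/rc.conf"   # stock default
    printf 'isakmpd_flags="-K"\n' > "$d/rc.conf.local"                # admin override
    printf 'isakmpd_flags=\n' > "$d/rc.conf.blank"                    # enabled, no flags
    : > "$d/empty"
    printf '%s\n' "$d"
}

samples=$(make_samples)
boot_verdict "$samples/rc.conf" "$samples/rc.conf.local"
```

Run it against real copies with `boot_verdict /path/to/rc.conf /path/to/rc.conf.local`; the thread's case, an empty assignment in rc.conf, reports as "starts with no flags".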
#9, 7th September 2016
rocket357 (Real Name: Jonathon; Wannabe OpenBSD porter, joined Jun 2010, location 127.0.0.1, 425 posts)

Hi, just to toss in my 2 cents...

OpenBSD is a policy-based IPSec engine. Since you are considering a separate machine, it is possible to have a redundant connection, however the secondary machine must have a different public IP than the primary, or you have to connect to a separate endpoint on the remote end.

You may also be able to configure sasyncd, but that would require the second machine sharing carp interface groups with the first and the primary IP (either the public endpoint IP on your side or the private IP it is nat'd to) would need to be a floating IP between the machines.
12th September 2016
Amithapr (Port Guard, joined Dec 2015, 42 posts)

Hi Jggimi,

I checked my live firewall's rc.conf and rc.conf.local files. The "isakmpd_flags" variable has no value, and it is in the rc.conf file. The two files (rc.conf, rc.conf.local) are attached.

The rcctl command is not on the systems (both the live IPSEC gateway and the newly installed backup).

The pgrep -lf isakmpd command on my live system gives the following output:

16458 isakmpd
22679 isakmpd: monitor [priv]

The pgrep -lf isakmpd command on my backup system gives the output:

1251 /sbin/isakmpd
17763 isakmpd: monitor [priv]

Thanks a lot for the support.
Attached files: rc.conf (4.1 KB), rc.conf.local.txt (38 Bytes)
12th September 2016
Amithapr (Port Guard, joined Dec 2015, 42 posts)

Hi, Rocket357

Thanks for the information. Currently we have only two public IPs. Both are assigned to create the connection. I will contact you about having a failover link when we get another ISP link. Many thanks for the new idea.
12th September 2016
jggimi (More noise than signal, joined May 2008, USA, 5,562 posts)

Your primary system is not running OpenBSD 5.3. Certainly, not as 5.3 was released. The /etc/rc.conf file is from OpenBSD 4.1.

The file has some local changes applied manually, such as enabling isakmpd, and adding a line to disable ospf6d, a service added in OpenBSD 4.2. But these changes were not best practice. The prior admin should have edited /etc/rc.conf.local instead. The one line in the "local" file was created during the OpenBSD 4.1 installation, and the file was never revised.

The /etc/rc.conf file also disables sendmail(8) which would have been used to deliver status and security reports to the admin. I will guess that no one has seen any status or security reports since 2007.

At 4.1, OpenBSD used the script /etc/rc.local to start 3rd party daemons, along with any local requirements the admin may have at boot time. You should review the contents of this file, if it exists.

---

To start isakmpd(8) during boot on a modern OpenBSD system, without any flags, all one needs is # rcctl enable isakmpd, as discussed in this thread previously.

12th September 2016
ocicat (Administrator, joined Apr 2008, 3,258 posts)

To clear up confusion, please provide the output of the following command:

$ sysctl kern.version

Thanks.

12th September 2016
Amithapr (Port Guard, joined Dec 2015, 42 posts)

Hi Ocicat,

The output of sysctl kern.version command is

Code:
kern.version=OpenBSD 5.3 (GENERIC.MP) #58: Tue Mar 12 18:43:53 MDT 2013
    deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
12th September 2016
jggimi (More noise than signal, joined May 2008, USA, 5,562 posts)

You have what is commonly referred to by the OpenBSD Project as a "Frankensystem," named after the mad scientist in Mary Shelley's "Frankenstein." Frankenstein's monster was created from parts of several people.

Take a look at the difference between the /etc/rc.conf for 4.1 and the same file for 5.3. You can click here for a color-coded "graphical" comparison, or click here for a Unified diff(1) comparison.
12th September 2016
Amithapr (Port Guard, joined Dec 2015, 42 posts)

Hi jggimi,

Does that mean my current live system's backup is hard to create?
12th September 2016
jggimi (More noise than signal, joined May 2008, USA, 5,562 posts)

So far, all I know are two things:
  • You have a Frankensystem. Your kernel is 5.3-release, without any patches, and your rc.conf(5) is 4.1, edited locally, and with an adjustment for changes to rc(8) that were made at 4.2-release.
  • Your skills with OpenBSD are limited. I have recommended using rcctl(8) to start isakmpd on your "backup" system, but you have not stated anything about testing this, or the results obtained.
Anything else about your system would be guessing. I only know what you have been able to tell me.

Why don't you try using rcctl(8) to enable the isakmpd daemon on your "backup" gateway, and see if you can get it working?

13th September 2016
Amithapr (Port Guard, joined Dec 2015, 42 posts)

Could I add it using the pkg add command? I tried searching the web but couldn't find any link about installing rcctl on OpenBSD 5.3.

Could you assist me please?
13th September 2016
ocicat (Administrator, joined Apr 2008, 3,258 posts)

Quote (originally posted by Amithapr): "Could I add it using pkg add command?"
No, rcctl(8) was introduced in OpenBSD 5.7. You will find this information on the manpage. Likewise, base installation binaries are not installed through pkg_add(1).

What jggimi suggests is enabling isakmpd(8) on a newer installation of OpenBSD, hopefully 6.0, now that you know how to enable the service through rcctl.
13th September 2016
jggimi (More noise than signal, joined May 2008, USA, 5,562 posts)

Amithapr, we had a discussion in your prior thread about how 5.3 was unsupported. And whatever collection of parts from 4.1, 4.2, 5.3, or other releases you are running in your production gateway at the moment as "5.3", none of us are able to support you and this system via Q&A in a web forum.

The OpenBSD Project produces two releases every year. They only support the most recent release, and a single previous release. At this time, that is 6.0 and 5.9. The website, www.openbsd.org, has an extremely helpful document set called the FAQ. It is updated twice per year also, and only addresses the most recent release. The 5.9 release is supported for break/fix, but the FAQ documentation has already moved on.

You have 4 choices, as I perceive your situation.
  1. Continue to live with your Frankensystem as it is, without understanding how to manage or maintain it.

    Since it is a collection of various parts, only the person who assembled the system knows what they are. As described in your prior thread, this is not a secure system. And as described in this thread, you would not know if you have previously had, or still have, any security problems, due to how it is configured.
  2. Learn to install, operate, manage, and maintain an up to date OpenBSD system.

    We discussed this in your prior thread. If you install and operate the most recent release, suddenly the FAQ will be useful to you.
  3. Hire a consultancy to provide support.

    www.openbsd.org/support.html lists companies and consultants who may be willing and able to maintain and manage your OpenBSD systems on your behalf.
  4. Replace your OpenBSD gateway with something else.

    Use whatever IPSec gateway is being used at the other locations, or choose equipment or operating systems you already know and understand.
I recommend 2, 3, or 4, rather than option 1. And yes, even 4 is a viable solution. Anything that can be supported and maintained will be better than what you have right now, which is clearly not being maintained, and certainly is not supportable via this web forum.
