|
OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below. |
|
Thread Tools | Display Modes |
|
|||
Ipsec freebsd openbsd failure
Hello, I wanted to try and secure my wireless connection on my openbsd laptop via ipsec tunnel to my freebsd desktop. But I seem to get nowhere. So I tried to set up a more simple transport between the two to see if I could figure out what is wrong. But I still get the same errors. I have also tried between them as freebsd freebsd also no success. So here are the configs. I have disabled all the pf in this initial tests just to make sure that they are not the cause.
I want to try a ipsec transport from freebsd 192.168.0.100 to openbsd 192.168.0.103. On freebsd I have compiled the kernel with ipsec and installed ipsec-tools. Here is the racoon.conf Code:
path include "/usr/local/etc/racoon"; path certificates "/usr/local/etc/racoon/certs"; padding { maximum_length 20; randomize off; strict_check off; exclusive_tail off; } timer { counter 5; interval 20 sec; persend 1; phase1 30 sec; phase2 15 sec; } listen { isakmp 192.168.0.100 [500]; } remote 192.168.0.102 [500] { exchange_mode main; doi ipsec_doi; situation identity_only; my_identifier asn1dn; certificate_type x509 "192.168.0.100.crt" "192.168.0.100.key"; peers_certfile x509 "192.168.0.103.crt"; lifetime time 8 hour; passive off; proposal_check obey; initial_contact on; generate_policy off; proposal { encryption_algorithm blowfish; hash_algorithm sha1; authentication_method rsasig; lifetime time 30 sec; dh_group modp1024; } } sainfo (address 192.168.0.100 any address 192.168.0.103 any) { pfs_group modp1024; lifetime time 36000 sec; encryption_algorithm blowfish; authentication_algorithm hmac_sha256; compression_algorithm deflate; } Code:
flush; spdflush; spdadd 192.168.0.100 192.168.0.103 any -P out ipsec esp/transport//use; spdadd 192.168.0.103 192.168.0.100 any -P in ipsec esp/transport//use; Code:
main auth hmac-sha1 enc blowfish group modp1024 quick auth hmac-sha2-256 enc blowfish group modp1024 ike esp transport from 192.168.0.103 to 192.168.0.100 peer 192.168.0.100 ike esp transport from 192.168.0.100 to 192.168.0.103 peer 192.168.0.100 I do isakmpd -Kdv and then when I try ipsecctl -f /etc/ipsec.conf I get Code:
/etc/ipsec.conf: 1: syntax error C set [Phase 1]:192.168.0.100=peer-192.168.0.100 force C set [peer-192.168.0.100]:Phase=1 force C set [peer-192.168.0.100]:Address=192.168.0.100 force C set [peer-192.168.0.100]:Configuration=phase1-peer-192.168.0.100 force C set [phase1-peer-192.168.0.100]:EXCHANGE_TYPE=ID_PROT force C add [phase1-peer-192.168.0.100]:Transforms=AES-SHA-RSA_SIG force C set [from-192.168.0.103-to-192.168.0.100]:Phase=2 force C set [from-192.168.0.103-to-192.168.0.100]:ISAKMP-peer=peer-192.168.0.100 force C set [from-192.168.0.103-to-192.168.0.100]:Configuration=phase2-from-192.168.0.103-to-192.168.0.100 force C set [from-192.168.0.103-to-192.168.0.100]:Local-ID=from-192.168.0.103 force C set [from-192.168.0.103-to-192.168.0.100]:Remote-ID=to-192.168.0.100 force C set [phase2-from-192.168.0.103-to-192.168.0.100]:EXCHANGE_TYPE=QUICK_MODE force C set [phase2-from-192.168.0.103-to-192.168.0.100]:Suites=QM-ESP-TRP-AES-SHA2-256-PFS-SUITE force C set [from-192.168.0.103]:ID-type=IPV4_ADDR force C set [from-192.168.0.103]:Address=192.168.0.103 force C set [to-192.168.0.100]:ID-type=IPV4_ADDR force C set [to-192.168.0.100]:Address=192.168.0.100 force C add [Phase 2]:Connections=from-192.168.0.103-to-192.168.0.100 C set [Phase 1]:192.168.0.100=peer-192.168.0.100 force C set [peer-192.168.0.100]:Phase=1 force C set [peer-192.168.0.100]:Address=192.168.0.100 force C set [peer-192.168.0.100]:Configuration=phase1-peer-192.168.0.100 force C set [phase1-peer-192.168.0.100]:EXCHANGE_TYPE=ID_PROT force C add [phase1-peer-192.168.0.100]:Transforms=AES-SHA-RSA_SIG force C set [from-192.168.0.100-to-192.168.0.103]:Phase=2 force C set [from-192.168.0.100-to-192.168.0.103]:ISAKMP-peer=peer-192.168.0.100 force C set [from-192.168.0.100-to-192.168.0.103]:Configuration=phase2-from-192.168.0.100-to-192.168.0.103 force C set [from-192.168.0.100-to-192.168.0.103]:Local-ID=from-192.168.0.100 force C set [from-192.168.0.100-to-192.168.0.103]:Remote-ID=to-192.168.0.103 force C set [phase2-from-192.168.0.100-to-192.168.0.103]:EXCHANGE_TYPE=QUICK_MODE force C set [phase2-from-192.168.0.100-to-192.168.0.103]:Suites=QM-ESP-TRP-AES-SHA2-256-PFS-SUITE force C set [from-192.168.0.100]:ID-type=IPV4_ADDR force C set [from-192.168.0.100]:Address=192.168.0.100 force C set [to-192.168.0.103]:ID-type=IPV4_ADDR force C set [to-192.168.0.103]:Address=192.168.0.103 force C add [Phase 2]:Connections=from-192.168.0.100-to-192.168.0.103 ipsecctl: Syntax error in config file: ipsec rules not loaded On the freebsd I run setkey -f /usr/local/etc/racoon/setkey.conf and /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf but when I look for loaded spd with setkey -DP I get none. Also I get this same failure when I try freebsd to freebsd Last edited by kasse; 30th December 2008 at 11:14 AM. Reason: omitted to mention setkey on freebsd part and double / in setkey.conf freebsd |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Securing wifi networks with ipsec/ssh and openbsd | Oko | OpenBSD Security | 4 | 16th April 2009 07:32 AM |
openBSD IPSEC gateway w/WINDOWS XP roadwarrior | s2scott | OpenBSD Security | 7 | 13th January 2009 11:01 AM |
ipsec with client nat | sicute | OpenBSD General | 0 | 30th October 2008 05:39 PM |
IPsec on openbsd | hitete | OpenBSD Installation and Upgrading | 1 | 12th July 2008 01:57 AM |
Sendmail 8.14.2 undisclosed DNSBL lookup failure and NOQUEUE errors (FreeBSD 7.0) | NathanPardoe | FreeBSD General | 9 | 21st May 2008 12:00 AM |