OpenBSD Security - Functionally paranoid!

help with openbsd 6.8 and ipsec site to site connection
Hi all,

Fair warning: total newbie to IPsec here! I would like to establish a connection to a client of ours that has an IPsec server. This would be a site-to-site connection. They sent me the data regarding the IPsec settings:

    Address: A.B.C.D
    PSK: SECRET!!!
    DPD 5
    DPD 20
    PH1: AES256-SHA256 AES256-SHA1
    DH Group: 5 14
    Key Lifetime: x
    PH2: AES256-SHA256 AES256-SHA1
    DH Group: 5 14
    Key Lifetime: y

I searched the net for an IPsec-specific site-to-site connection but I'm a bit stumped now. I found a post here on daemonforums: http://daemonforums.org/showthread.p...ighlight=ipsec and used the following manuals:

    https://community.broadcom.com/syman...brarydocuments (no keys, only PSK, so partial)
    https://man.openbsd.org/ipsec.conf.5#CRYPTO_TRANSFORMS
    https://www.openbsd.org/faq/faq17.html#site2site (the "Connecting to an IKEv1/L2TP VPN" part.. should I use site-to-site? I don't have keys, only a PSK)

If anyone can provide a more recent description I would very much appreciate it. As far as I could tell:

    AES256-SHA256 = hmac-sha2-256
    AES256-SHA1 = aes-256
    DH Group: 5 14 = modp2048 (or modp1536)

I'm not sure about the above at all!!!! So maybe this is the problem?

ipsec.conf on client:

    ike esp transport from egress to A.B.C.D \
        main auth "hmac-sha2-256" enc "aes-256" group modp2048 \
        quick auth "hmac-sha2-256" enc "aes-256" group modp2048 \
        psk "SECRET!!!"

    # ipsecctl -f /etc/ipsec.conf

Not installed for reasons....:

    # pkg_add xl2tpd
    Can't find xl2tpd

    # ipsecctl -vnf /etc/ipsec.conf
    C set [Phase 1]:A.B.C.D=peer-A.B.C.D force
    C set [peer-A.B.C.D]:Phase=1 force
    C set [peer-A.B.C.D]:Address=A.B.C.D force
    C set [peer-A.B.C.D]:Authentication=SECRET!!! force
    C set [peer-A.B.C.D]:Configuration=phase1-peer-A.B.C.D force
    C set [phase1-peer-A.B.C.D]:EXCHANGE_TYPE=ID_PROT force
    C add [phase1-peer-A.B.C.D]:Transforms=phase1-transform-peer-A.B.C.D-PRE_SHARED-SHA2_256-AES256-MODP_2048 force
    C set [phase1-transform-peer-A.B.C.D-PRE_SHARED-SHA2_256-AES256-MODP_2048]:AUTHENTICATION_METHOD=PRE_SHARED force
    C set [phase1-transform-peer-A.B.C.D-PRE_SHARED-SHA2_256-AES256-MODP_2048]:HASH_ALGORITHM=SHA2_256 force
    C set [phase1-transform-peer-A.B.C.D-PRE_SHARED-SHA2_256-AES256-MODP_2048]:ENCRYPTION_ALGORITHM=AES_CBC force
    C set [phase1-transform-peer-A.B.C.D-PRE_SHARED-SHA2_256-AES256-MODP_2048]:KEY_LENGTH=256,256:256 force
    C set [phase1-transform-peer-A.B.C.D-PRE_SHARED-SHA2_256-AES256-MODP_2048]:GROUP_DESCRIPTION=MODP_2048 force
    C set [phase1-transform-peer-A.B.C.D-PRE_SHARED-SHA2_256-AES256-MODP_2048]:Life=LIFE_MAIN_MODE force
    C set [from-em0-to-A.B.C.D]:Phase=2 force
    C set [from-em0-to-A.B.C.D]:ISAKMP-peer=peer-A.B.C.D force
    C set [from-em0-to-A.B.C.D]:Configuration=phase2-from-em0-to-A.B.C.D force
    C set [from-em0-to-A.B.C.D]:Local-ID=from-em0 force
    C set [from-em0-to-A.B.C.D]:Remote-ID=to-A.B.C.D force
    C set [phase2-from-em0-to-A.B.C.D]:EXCHANGE_TYPE=QUICK_MODE force
    C set [phase2-from-em0-to-A.B.C.D]:Suites=phase2-suite-from-em0-to-A.B.C.D force
    C set [phase2-suite-from-em0-to-A.B.C.D]:Protocols=phase2-protocol-from-em0-to-A.B.C.D force
    C set [phase2-protocol-from-em0-to-A.B.C.D]:PROTOCOL_ID=IPSEC_ESP force
    C set [phase2-protocol-from-em0-to-A.B.C.D]:Transforms=phase2-transform-from-em0-to-A.B.C.D-AES256-SHA2_256-MODP_2048-TRANSPORT force
    C set [phase2-transform-from-em0-to-A.B.C.D-AES256-SHA2_256-MODP_2048-TRANSPORT]:TRANSFORM_ID=AES force
    C set [phase2-transform-from-em0-to-A.B.C.D-AES256-SHA2_256-MODP_2048-TRANSPORT]:KEY_LENGTH=256,256:256 force
    C set [phase2-transform-from-em0-to-A.B.C.D-AES256-SHA2_256-MODP_2048-TRANSPORT]:ENCAPSULATION_MODE=TRANSPORT force
    C set [phase2-transform-from-em0-to-A.B.C.D-AES256-SHA2_256-MODP_2048-TRANSPORT]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
    C set [phase2-transform-from-em0-to-A.B.C.D-AES256-SHA2_256-MODP_2048-TRANSPORT]:GROUP_DESCRIPTION=MODP_2048 force
    C set [phase2-transform-from-em0-to-A.B.C.D-AES256-SHA2_256-MODP_2048-TRANSPORT]:Life=LIFE_QUICK_MODE force
    C set [from-em0]:ID-type=IPV4_ADDR force
    C set [from-em0]:Address=em0 force
    C set [to-A.B.C.D]:ID-type=IPV4_ADDR force
    C set [to-A.B.C.D]:Address=A.B.C.D force
    C add [Phase 2]:Connections=from-em0-to-A.B.C.D force

OK above as far as I can tell....

    # ipsecctl -sa
    FLOWS:
    No flows
    SAD:
    No entries

No good...

And that's all folks.... This is a client machine behind a firewall that wants to connect.

pf.conf on client (default OpenBSD 6.8 fw pf.conf):

    pass out quick on em0 proto tcp from { long list of clients that have internet access } to ! X.Y.0.0/16 nat-to (em0)
    pass in quick proto tcp from { long list of clients that have internet access } to any
    pass in quick on em0 proto esp from A.B.C.D to (em0)
    pass out quick on em0 proto esp from (em0) to A.B.C.D
    pass in quick on em0 proto udp from A.B.C.D to (em0) port { 500 4500 }
    pass out quick on em0 proto udp from (em0) to A.B.C.D port { 500 4500 }

log msg:

    Feb 4 00:27:51 testbsd isakmpd[12944]: transport_send_messages: giving up on exchange peer-A.B.C.D, no response from peer A.B.C.D:500
    Feb 4 00:29:24 testbsd isakmpd[12944]: sendmsg (16, 0x7f7ffffda248, 0): Permission denied

So I'm a bit stuck here. BTW, how do you tcpdump for IPsec enc0? I would like to see if it actually tries to connect or not, and would like to see if this passes the fw correctly..... Is the problem on the other side (truth is out there, Mulder) or is this on my end?????? Thank you for your 2 cents in advance.

SimpL
ps.: trying this too...

    ikev2 active esp \
        from Locallan/8 to localothersidelan/32 \
        peer A.B.C.D \
        psk "SECRET!!!"

log:

    Feb 4 17:02:05 testbsd isakmpd[27668]: isakmpd: starting
    Feb 4 17:11:09 testbsd ntpd[59317]: constraints configured but none available
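The first post tries to map the peer's proposal list (AES256-SHA256, AES256-SHA1, DH groups 5 and 14) onto ipsec.conf(5) keywords. The script below is an added example for this thread, not code from OpenBSD or from the poster: it performs that mapping mechanically, using the transform names from the CRYPTO TRANSFORMS section of ipsec.conf(5) and the IANA IKE Diffie-Hellman group numbers (group 5 is modp1536, group 14 is modp2048), then renders a tunnel-mode ike rule of the shape ipsec.conf(5) documents. Since an ike rule carries a single auth/enc/group triple per phase, it also picks one of several offered proposals. The networks, peer address and PSK in the usage call are constructed placeholders.

```python
"""Map a peer's IKEv1 proposal summary onto ipsec.conf(5) keywords.

Added example for this thread; not code from OpenBSD or from the poster.
Input notation such as "AES256-SHA256" and a DH group number is the
vendor-style summary quoted in the thread. The cipher half of a proposal
becomes the "enc" keyword and the hash half becomes the "auth" keyword.
"""
import re

# Vendor cipher token -> ipsec.conf "enc" keyword.
ENC_KEYWORDS = {"AES128": "aes-128", "AES192": "aes-192",
                "AES256": "aes-256", "3DES": "3des"}

# Vendor hash token -> ipsec.conf "auth" keyword (all HMAC variants).
AUTH_KEYWORDS = {"MD5": "hmac-md5", "SHA1": "hmac-sha1",
                 "SHA256": "hmac-sha2-256", "SHA384": "hmac-sha2-384",
                 "SHA512": "hmac-sha2-512"}

# Preference when the peer lists several proposals: strongest hash first.
AUTH_PREFERENCE = ["hmac-sha2-512", "hmac-sha2-384", "hmac-sha2-256",
                   "hmac-sha1", "hmac-md5"]

# IANA IKE Diffie-Hellman group number -> ipsec.conf "group" keyword.
MODP_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048",
               15: "modp3072", 16: "modp4096", 17: "modp6144", 18: "modp8192"}


def proposal_to_keywords(proposal):
    """'AES256-SHA1' -> {'enc': 'aes-256', 'auth': 'hmac-sha1'}."""
    m = re.fullmatch(r"\s*([A-Za-z0-9]+)-([A-Za-z0-9]+)\s*", proposal)
    if not m:
        raise ValueError(f"unrecognised proposal syntax: {proposal!r}")
    cipher, digest = m.group(1).upper(), m.group(2).upper()
    if cipher not in ENC_KEYWORDS or digest not in AUTH_KEYWORDS:
        raise ValueError(f"no ipsec.conf transform for {proposal!r}")
    return {"enc": ENC_KEYWORDS[cipher], "auth": AUTH_KEYWORDS[digest]}


def pick_proposal(proposals):
    """Choose one of several offered proposals: an ike rule takes a single
    auth/enc pair per phase, so prefer the strongest hash the peer offers."""
    mapped = [proposal_to_keywords(p) for p in proposals]
    return min(mapped, key=lambda kw: AUTH_PREFERENCE.index(kw["auth"]))


def dh_group_to_modp(group):
    """IKE DH group number -> ipsec.conf group keyword, or ValueError."""
    if group not in MODP_GROUPS:
        raise ValueError(f"DH group {group} has no modp keyword in ipsec.conf")
    return MODP_GROUPS[group]


def ike_rule(local_net, remote_net, peer, phase1, phase1_group,
             phase2, phase2_group, psk):
    """Render a tunnel-mode IKEv1 rule for ipsec.conf; the quick-mode group
    is the PFS group, which is why the peer lists a DH group for PH2 too."""
    p1 = pick_proposal(phase1)
    p2 = pick_proposal(phase2)
    return (
        f"ike esp tunnel from {local_net} to {remote_net} peer {peer} \\\n"
        f"    main auth {p1['auth']} enc {p1['enc']} "
        f"group {dh_group_to_modp(phase1_group)} \\\n"
        f"    quick auth {p2['auth']} enc {p2['enc']} "
        f"group {dh_group_to_modp(phase2_group)} \\\n"
        f"    psk \"{psk}\""
    )


if __name__ == "__main__":
    # Constructed values: documentation-range addresses and a placeholder PSK.
    print(ike_rule("10.0.0.0/24", "192.0.2.10/32", "198.51.100.1",
                   ["AES256-SHA256", "AES256-SHA1"], 14,
                   ["AES256-SHA256", "AES256-SHA1"], 14, "EXAMPLE-PSK"))
```

The rule it prints differs from the one in the post in two places worth noting: transport mode is replaced by tunnel mode (the default for site-to-site), and the flow is expressed as local network to remote network with the peer given separately, rather than from egress to the peer address.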
It's not clear to me what you are actually trying, and what is failing. Such as:

1) I cannot tell from your description of the intended connection whether you need L2TP or not.
2) There is not enough information presented in your post to tell you why installation of the xl2tpd package fails.
3) I cannot tell what you decided not to install due to "reasons".
4) I cannot tell if you have the isakmpd(8) daemon running, which is necessary for IKEv1.

Symantec's ancient article is still available, and it may help you.
Hi jggimi
https://cdn.openbsd.org/pub/OpenBSD/...-stable/amd64/ - in the repo there is no xl2tpd file, so I could not install it like they told me in the FAQ https://www.openbsd.org/faq/faq17.html

What I'm trying to do is connect to a site-to-site connection with a PSK key only. I don't have anything but the info that I wrote that they sent me and a PSK key. They told me this is enough to connect to the server they have. As I told you, I'm a total newbie in IPsec and I only read a bunch of descriptions, docs and FAQs specific to this, but I don't get the gist of what exactly I would have to do here. I told them the exact LAN IP of the machine I'm trying to connect from (they asked me for it) and they sent me a LAN IP that I would have to connect to too; that is the machine that I would like to reach, y.y.y.y/32. Let's call these x (our BSD) and y (the BSD in their LAN).

    x (inside our LAN that I installed IPsec on) -> our firewall (that has the settings to let x out to the internet) -> internet -> IPsec server/firewall they use (exact setup unknown) -> y (the BSD I want to access)

So this is what I'm trying to accomplish...
Not installed for reasons....:

    # pkg_add xl2tpd
    Can't find xl2tpd

pkg problem solved, thx jggimi, I set the wrong repo..... The IPsec tunnel is still pending connection...
I have never used L2TP, and I have not managed an IPSec VPN in many years, so I am unlikely to be able to provide further assistance.

If no one else joins the conversation, you might consider posting your question to the misc@ mailing list.
In the end it was a firewall problem, because I only allowed TCP connections and not all. After I set the fw rule to all, not just TCP, the connection was up. I deleted the above rules and created 4 rows for incoming and outgoing traffic and NAT-ed the connection. Bit crude currently but it "works".

They are currently checking if the connection is OK or not. After that I hope it will be OK. Thanks again jggimi

Last edited by SimpL; 8th February 2021 at 10:42 AM.
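The thread's resolution was a firewall rule set that only passed TCP, while IKEv1 with ESP needs UDP/500, UDP/4500 (NAT-T) and IP protocol 50 (ESP) in both directions; the two isakmpd lines in the first post are the symptoms of that. The script below is an added example for this thread, not code from OpenBSD or from either poster. It runs a pass/fail check for those three requirements over a constructed, simplified pf ruleset (one rule per line, no braces or negation in the address fields, as in the rules in the first post minus the client list), and it classifies the two isakmpd messages: "sendmsg ... Permission denied" is what isakmpd reports when the local packet filter rejects its outgoing IKE packet (the send call fails with EACCES), whereas "giving up on exchange ... no response from peer" means the packets left the host and nothing came back, pointing at the upstream firewall or the peer. The peer address is a constructed documentation-range value.

```python
"""Check a pf ruleset for what an IKEv1/ESP peering needs, and classify
isakmpd log lines by where the failure sits.

Added example for this thread; not OpenBSD's or the posters' code. The pf
grammar handled here is deliberately narrow: one rule per line of the form
"pass|block [in|out] ... proto P from SRC to DST [port N|{ N M }]".
"""
import re

# Both directions of UDP/500 (IKE), UDP/4500 (NAT-T) and ESP must pass.
REQUIRED = [("udp", 500), ("udp", 4500), ("esp", None)]

RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)?.*?proto\s+(?P<proto>\w+)"
    r".*?from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:.*?port\s+(?P<ports>\{[^}]*\}|\d+))?"
)


def parse_rule(line):
    """Parse one simplified pf rule line, or return None if it does not fit."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    ports = set()
    if m.group("ports"):
        ports = {int(p) for p in re.findall(r"\d+", m.group("ports"))}
    return {"action": m.group("action"), "dir": m.group("dir") or "any",
            "proto": m.group("proto"), "src": m.group("src"),
            "dst": m.group("dst"), "ports": ports}


def rule_covers(rule, direction, proto, port, peer):
    """True if this pass rule admits the given traffic to/from the peer."""
    if rule["action"] != "pass" or rule["proto"] != proto:
        return False
    if rule["dir"] not in ("any", direction):
        return False
    remote = rule["dst"] if direction == "out" else rule["src"]
    if remote not in (peer, "any"):
        return False
    # A rule without a port clause matches every port.
    return port is None or not rule["ports"] or port in rule["ports"]


def missing_ipsec_rules(ruleset, peer):
    """Return the (direction, proto, port) triples no pass rule admits."""
    rules = [r for r in (parse_rule(ln) for ln in ruleset.splitlines()) if r]
    return [(direction, proto, port)
            for direction in ("in", "out")
            for proto, port in REQUIRED
            if not any(rule_covers(r, direction, proto, port, peer)
                       for r in rules)]


# Symptom -> verdict, matched against isakmpd's syslog lines.
ISAKMPD_HINTS = [
    (re.compile(r"sendmsg .*Permission denied"), "local-block"),   # pf rejected our packet
    (re.compile(r"giving up on exchange .*no response from peer"), "no-reply"),
]


def classify_isakmpd_log(line):
    for pattern, verdict in ISAKMPD_HINTS:
        if pattern.search(line):
            return verdict
    return "other"


PEER = "198.51.100.1"  # constructed peer address

# Constructed rulesets: the first mirrors a TCP-only policy, the second adds
# the four rules the thread's pf.conf carried for ESP and UDP/500+4500.
TCP_ONLY_RULESET = """\
pass out quick on em0 proto tcp from 10.0.0.0/24 to any
pass in quick on em0 proto tcp from any to 10.0.0.0/24
"""

FIXED_RULESET = TCP_ONLY_RULESET + f"""\
pass in quick on em0 proto esp from {PEER} to (em0)
pass out quick on em0 proto esp from (em0) to {PEER}
pass in quick on em0 proto udp from {PEER} to (em0) port {{ 500 4500 }}
pass out quick on em0 proto udp from (em0) to {PEER} port {{ 500 4500 }}
"""

if __name__ == "__main__":
    print("tcp-only missing:", missing_ipsec_rules(TCP_ONLY_RULESET, PEER))
    print("fixed missing:   ", missing_ipsec_rules(FIXED_RULESET, PEER))
```

To answer the tcpdump question from the first post on the host itself: `tcpdump -ni em0 'udp port 500 or udp port 4500 or ip proto 50'` shows whether IKE and ESP packets actually leave the outside interface and whether replies arrive, while `tcpdump -ni enc0` shows traffic as seen after IPsec processing, which stays empty until a security association exists.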