|
OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below. |
|
Thread Tools | Display Modes |
|
|||
Ipsec freebsd openbsd failure
Hello, I wanted to try and secure my wireless connection on my openbsd laptop via ipsec tunnel to my freebsd desktop. But I seem to get nowhere. So I tried to set up a more simple transport between the two to see if I could figure out what is wrong. But I still get the same errors. I have also tried between them as freebsd freebsd also no success. So here are the configs. I have disabled all the pf in this initial tests just to make sure that they are not the cause.
I want to try a ipsec transport from freebsd 192.168.0.100 to openbsd 192.168.0.103. On freebsd I have compiled the kernel with ipsec and installed ipsec-tools. Here is the racoon.conf Code:
path include "/usr/local/etc/racoon"; path certificates "/usr/local/etc/racoon/certs"; padding { maximum_length 20; randomize off; strict_check off; exclusive_tail off; } timer { counter 5; interval 20 sec; persend 1; phase1 30 sec; phase2 15 sec; } listen { isakmp 192.168.0.100 [500]; } remote 192.168.0.102 [500] { exchange_mode main; doi ipsec_doi; situation identity_only; my_identifier asn1dn; certificate_type x509 "192.168.0.100.crt" "192.168.0.100.key"; peers_certfile x509 "192.168.0.103.crt"; lifetime time 8 hour; passive off; proposal_check obey; initial_contact on; generate_policy off; proposal { encryption_algorithm blowfish; hash_algorithm sha1; authentication_method rsasig; lifetime time 30 sec; dh_group modp1024; } } sainfo (address 192.168.0.100 any address 192.168.0.103 any) { pfs_group modp1024; lifetime time 36000 sec; encryption_algorithm blowfish; authentication_algorithm hmac_sha256; compression_algorithm deflate; } Code:
flush; spdflush; spdadd 192.168.0.100 192.168.0.103 any -P out ipsec esp/transport//use; spdadd 192.168.0.103 192.168.0.100 any -P in ipsec esp/transport//use; Code:
main auth hmac-sha1 enc blowfish group modp1024 quick auth hmac-sha2-256 enc blowfish group modp1024 ike esp transport from 192.168.0.103 to 192.168.0.100 peer 192.168.0.100 ike esp transport from 192.168.0.100 to 192.168.0.103 peer 192.168.0.100 I do isakmpd -Kdv and then when I try ipsecctl -f /etc/ipsec.conf I get Code:
/etc/ipsec.conf: 1: syntax error C set [Phase 1]:192.168.0.100=peer-192.168.0.100 force C set [peer-192.168.0.100]:Phase=1 force C set [peer-192.168.0.100]:Address=192.168.0.100 force C set [peer-192.168.0.100]:Configuration=phase1-peer-192.168.0.100 force C set [phase1-peer-192.168.0.100]:EXCHANGE_TYPE=ID_PROT force C add [phase1-peer-192.168.0.100]:Transforms=AES-SHA-RSA_SIG force C set [from-192.168.0.103-to-192.168.0.100]:Phase=2 force C set [from-192.168.0.103-to-192.168.0.100]:ISAKMP-peer=peer-192.168.0.100 force C set [from-192.168.0.103-to-192.168.0.100]:Configuration=phase2-from-192.168.0.103-to-192.168.0.100 force C set [from-192.168.0.103-to-192.168.0.100]:Local-ID=from-192.168.0.103 force C set [from-192.168.0.103-to-192.168.0.100]:Remote-ID=to-192.168.0.100 force C set [phase2-from-192.168.0.103-to-192.168.0.100]:EXCHANGE_TYPE=QUICK_MODE force C set [phase2-from-192.168.0.103-to-192.168.0.100]:Suites=QM-ESP-TRP-AES-SHA2-256-PFS-SUITE force C set [from-192.168.0.103]:ID-type=IPV4_ADDR force C set [from-192.168.0.103]:Address=192.168.0.103 force C set [to-192.168.0.100]:ID-type=IPV4_ADDR force C set [to-192.168.0.100]:Address=192.168.0.100 force C add [Phase 2]:Connections=from-192.168.0.103-to-192.168.0.100 C set [Phase 1]:192.168.0.100=peer-192.168.0.100 force C set [peer-192.168.0.100]:Phase=1 force C set [peer-192.168.0.100]:Address=192.168.0.100 force C set [peer-192.168.0.100]:Configuration=phase1-peer-192.168.0.100 force C set [phase1-peer-192.168.0.100]:EXCHANGE_TYPE=ID_PROT force C add [phase1-peer-192.168.0.100]:Transforms=AES-SHA-RSA_SIG force C set [from-192.168.0.100-to-192.168.0.103]:Phase=2 force C set [from-192.168.0.100-to-192.168.0.103]:ISAKMP-peer=peer-192.168.0.100 force C set [from-192.168.0.100-to-192.168.0.103]:Configuration=phase2-from-192.168.0.100-to-192.168.0.103 force C set [from-192.168.0.100-to-192.168.0.103]:Local-ID=from-192.168.0.100 force C set [from-192.168.0.100-to-192.168.0.103]:Remote-ID=to-192.168.0.103 force C set [phase2-from-192.168.0.100-to-192.168.0.103]:EXCHANGE_TYPE=QUICK_MODE force C set [phase2-from-192.168.0.100-to-192.168.0.103]:Suites=QM-ESP-TRP-AES-SHA2-256-PFS-SUITE force C set [from-192.168.0.100]:ID-type=IPV4_ADDR force C set [from-192.168.0.100]:Address=192.168.0.100 force C set [to-192.168.0.103]:ID-type=IPV4_ADDR force C set [to-192.168.0.103]:Address=192.168.0.103 force C add [Phase 2]:Connections=from-192.168.0.100-to-192.168.0.103 ipsecctl: Syntax error in config file: ipsec rules not loaded On the freebsd I run setkey -f /usr/local/etc/racoon/setkey.conf and /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf but when I look for loaded spd with setkey -DP I get none. Also I get this same failure when I try freebsd to freebsd Last edited by kasse; 30th December 2008 at 11:14 AM. Reason: omitted to mention setkey on freebsd part and double / in setkey.conf freebsd |
|
|||
I tried you ipsec.conf on a 4.2 machine. I get the same syntax error. Only by removing the first two offending lines the two 'ike' rules load fine.
I am not an IPSEC expert. I once set up transport mode between OpenBSD boxes. When watching the traffic with OpenBSD's tcpdump I saw a lot of negotiation stuff. Maybe you just should try it without those first two rules
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
|
|||
Thanks!
I commented out those lines specifying the phase 1,2 crypto settings and set the freebsd to enc to aes. Now instead I get errors that there are no configurations. Now I have spd on freebsd Code:
192.168.0.103[any] 192.168.0.100[any] any in ipsec esp/transport//use spid=3 seq=1 pid=2467 refcnt=1 192.168.0.100[any] 192.168.0.103[any] any out ipsec esp/transport//use spid=2 seq=0 pid=2467 refcnt=1 but no SA connections: On freebsd Code:
Foreground mode. 2008-12-30 12:07:41: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net) 2008-12-30 12:07:41: INFO: @(#)This product linked OpenSSL 0.9.8i 15 Sep 2008 (http://www.openssl.org/) 2008-12-30 12:07:41: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf" 2008-12-30 12:07:41: INFO: Resize address pool from 0 to 255 2008-12-30 12:07:41: INFO: 192.168.0.100[500] used as isakmp port (fd=6) 2008-12-30 12:09:10: ERROR: couldn't find configuration. 2008-12-30 12:09:17: ERROR: couldn't find configuration. 2008-12-30 12:09:26: ERROR: couldn't find configuration. 2008-12-30 12:09:37: ERROR: couldn't find configuration. 2008-12-30 12:09:37: ERROR: no configuration found for 192.168.0.103. 2008-12-30 12:09:37: ERROR: failed to begin ipsec sa negotication. Code:
120610.144329 Default transport_send_messages: giving up on exchange peer-192.168.0.100, no response from peer 192.168.0.100:500 Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes 12:47:10.453595 IP 192.168.0.103.isakmp > Dell.isakmp: isakmp: phase 1 I ident 12:47:17.468224 IP 192.168.0.103.isakmp > Dell.isakmp: isakmp: phase 1 I ident 12:47:26.478179 IP 192.168.0.103.isakmp > Dell.isakmp: isakmp: phase 1 I ident 12:47:37.488083 IP 192.168.0.103.isakmp > Dell.isakmp: isakmp: phase 1 I ident 12:49:10.471921 IP 192.168.0.103.isakmp > Dell.isakmp: isakmp: phase 1 I ident Code:
tcpdump: listening on acx0, link-type EN10MB 12:47:43.468574 192.168.0.103.isakmp > 192.168.0.100.isakmp: isakmp v1.0 exchange ID_PROT cookie: d3aee8f49e31661e->0000000000000000 msgid: 00000000 len: 184 12:47:50.483722 192.168.0.103.isakmp > 192.168.0.100.isakmp: isakmp v1.0 exchange ID_PROT cookie: d3aee8f49e31661e->0000000000000000 msgid: 00000000 len: 184 12:47:59.493502 192.168.0.103.isakmp > 192.168.0.100.isakmp: isakmp v1.0 exchange ID_PROT cookie: d3aee8f49e31661e->0000000000000000 msgid: 00000000 len: 184 12:48:10.503219 192.168.0.103.isakmp > 192.168.0.100.isakmp: isakmp v1.0 exchange ID_PROT cookie: d3aee8f49e31661e->0000000000000000 msgid: 00000000 len: 184 Last edited by kasse; 30th December 2008 at 11:48 AM. Reason: adding some tcpdump info |
|
|||
You have to use tcpdump with the -vv flag to see what is going on.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Securing wifi networks with ipsec/ssh and openbsd | Oko | OpenBSD Security | 4 | 16th April 2009 07:32 AM |
openBSD IPSEC gateway w/WINDOWS XP roadwarrior | s2scott | OpenBSD Security | 7 | 13th January 2009 11:01 AM |
ipsec with client nat | sicute | OpenBSD General | 0 | 30th October 2008 05:39 PM |
IPsec on openbsd | hitete | OpenBSD Installation and Upgrading | 1 | 12th July 2008 01:57 AM |
Sendmail 8.14.2 undisclosed DNSBL lookup failure and NOQUEUE errors (FreeBSD 7.0) | NathanPardoe | FreeBSD General | 9 | 21st May 2008 12:00 AM |