17th November 2010
badguy
isakmp to ipsec

I am trying to convert from isakmpd.conf/isakmpd.policy to ipsec.conf, and I am using pre-shared keys.
Here are the configs. I want to use ipsec.conf as I can't seem to get it to work with isakmpd.conf. Can I get a little assistance with this? The whole idea is to allow remote clients (spokes) to use the GreenBow VPN client to connect to an OpenBSD box that is at the office (hub). Thanks

Right now I get this error -->
Nov 16 15:12:29 vpnKim isakmpd[8569]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Nov 16 15:12:29 vpnKim isakmpd[8569]: message_negotiate_sa: no compatible proposal found
Nov 16 15:12:29 vpnKim isakmpd[8569]: dropped message from 9.2.9.2 port 51717 due to notification type NO_PROPOSAL_CHOSEN

# cat /etc/isakmpd/isakmpd.conf
[General]
Retransmits= 3

[Phase 1]
default = thegreenbowP1

[Phase 2]
Passives-connections= thegreenbowP2

[thegreenbowP1]
Phase= 1
Transport= udp
Address= 0.0.0.0 # change this
Configuration= Default-main-mode
Authentication= seriously?

[thegreenbowP2]
Phase= 2
ISAKMP-peer= thegreenbowP1
Configuration= Default-quick-mode
Local-ID= network_corporate
Remote-ID= client_thegreenbow

[network_corporate]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 255.0.0.0

[client_thegreenbow]
ID-type= IPV4_ADDR
Address= 10.3.100.1

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA-GRP2

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE

# cat /etc/isakmpd/isakmpd.policy
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Example of configuration between TheGreenBow VPN client and OpenBSD
Authorizer: "POLICY"
Licensees: "passphrase: seriously?"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg == "aes" &&
esp_auth_alg == "hmac-sha" -> "true";

GREENBOW CONF
[General]
Shared-SADB = Defined
Retransmits = 2
Exchange-max-time = 15
Default-phase-1-lifetime = 3600,360:28800
Bitblocking = 0
Xauth-interval = 60
DPD-interval = 30
DPD_retrans = 5
DPD_wait = 15

[Default-phase-2-lifetime]
LIFE_TYPE = SECONDS
LIFE_DURATION = 3600,300:28800

# ==================== PHASES 1 ====================

[Phase 1]
8.8.8.6 = tgbtest-P1

[tgbtest-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = 3DES-SHA-GRP2

[tgbtest-P1]
Phase = 1
Address = 8.8.8.6
Transport = udp
Configuration = tgbtest-main-mode
Authentication = "seriously?"

# ==================== PHASES 2 ====================

[Phase 2]
Manual-connections = tgbtest-tgbtest-P2

[tgbtest-tgbtest-P2]
Phase = 2
ISAKMP-peer = tgbtest-P1
Local-ID = tgbtest-local-addr
Remote-ID = tgbtest-remote-addr
Configuration = tgbtest-quick-mode
AutoStart = 0
USBStart = 0

# ==================== Ipsec ID ====================

[tgbtest-local-addr]
ID-type = IPV4_ADDR
Address = 10.3.1.2

[tgbtest-remote-addr]
ID-type = IPV4_ADDR_SUBNET
Network = 10.0.0.0
Netmask = 255.0.0.0

# ==================== TRANSFORMS ====================

[tgbtest-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = tgbtest-quick-mode-suite

[tgbtest-quick-mode-suite]
Protocols = TGBQM-ESP-AES128-SHA-PFSGRP2-TUN

[TGBQM-ESP-AES128-SHA-PFSGRP2-TUN]
PROTOCOL_ID = IPSEC_ESP
Transforms = TGBQM-ESP-AES128-SHA-PFSGRP2-TUN-XF

[TGBQM-ESP-AES128-SHA-PFSGRP2-TUN-XF]
TRANSFORM_ID = AES
KEY_LENGTH = 128,128:256
AUTHENTICATION_ALGORITHM = HMAC_SHA
GROUP_DESCRIPTION = MODP_1024
ENCAPSULATION_MODE = TUNNEL
Life = Default-phase-2-lifetime

# ==================== CERTIFICATES ====================
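One way to express the same hub-side policy in ipsec.conf, as an added example that is not part of the original post: the Phase 1 and Phase 2 parameters, the corporate network, the client ID and the passphrase are taken from the isakmpd.conf above, and the hub address 8.8.8.6 from the GreenBow client config. Without the psk keyword ipsec.conf defaults to RSA signatures, which is exactly the "expected RSA_SIG" in the logged error.

```conf
# Hub side: /etc/ipsec.conf on the OpenBSD box (added example; values are
# copied from the posted isakmpd.conf and GreenBow config).
#
# Transforms= 3DES-SHA-GRP2          -> main  auth hmac-sha1 enc 3des    group modp1024
# Suites= QM-ESP-AES-SHA-PFS-SUITE   -> quick auth hmac-sha1 enc aes-128 group modp1024
# Passives-connections=              -> passive (the hub only answers, never initiates)
# Authentication= seriously?         -> psk "seriously?"

hub_ip   = "8.8.8.6"      # address the client dials (from the GreenBow [tgbtest-P1])
spoke_id = "10.3.100.1"   # client ID the hub expects (from [client_thegreenbow])
lan      = "10.0.0.0/8"   # corporate network behind the hub (from [network_corporate])

ike passive esp tunnel from $lan to $spoke_id \
    local $hub_ip peer any \
    main  auth hmac-sha1 enc 3des    group modp1024 \
    quick auth hmac-sha1 enc aes-128 group modp1024 \
    srcid $hub_ip dstid $spoke_id \
    psk "seriously?"
```

Run ipsecctl -nvf /etc/ipsec.conf before loading: -n only parses, and -v prints the isakmpd configuration it generates, so it can be compared line by line with the hand-written isakmpd.conf. With peer any every spoke presents the same pre-shared key, so the rule covers all roaming clients at once.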