DaemonForums  

#1, 29th December 2008, kasse
Ipsec freebsd openbsd failure

Hello, I wanted to try and secure my wireless connection on my openbsd laptop via an ipsec tunnel to my freebsd desktop, but I seem to get nowhere. So I tried to set up a more simple transport between the two to see if I could figure out what is wrong, but I still get the same errors. I have also tried it freebsd to freebsd, also with no success. So here are the configs. I have disabled all of pf in these initial tests just to make sure that it is not the cause.

I want to try an ipsec transport from freebsd 192.168.0.100 to openbsd 192.168.0.103.

On freebsd I have compiled the kernel with ipsec and installed ipsec-tools.
Here is the racoon.conf:
Code:
path include "/usr/local/etc/racoon";
path certificates "/usr/local/etc/racoon/certs";

padding 
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}

timer   
{
        counter         5;
        interval        20 sec;
        persend         1;
        phase1          30 sec;
        phase2          15 sec;
}

listen  
{
        isakmp          192.168.0.100 [500];
}

remote  192.168.0.102 [500]
{
        exchange_mode   main;
        doi             ipsec_doi;
        situation       identity_only;
        my_identifier   asn1dn;
        certificate_type        x509 "192.168.0.100.crt" "192.168.0.100.key";
        peers_certfile  x509 "192.168.0.103.crt";
        
        lifetime        time 8 hour;
        passive         off;
        proposal_check  obey;
        initial_contact on;
        generate_policy off;

                        proposal {
                                encryption_algorithm    blowfish;
                                hash_algorithm          sha1;
                                authentication_method   rsasig;        
                                lifetime time           30 sec;
                                dh_group                modp1024;
                        }
}

sainfo  (address 192.168.0.100 any address 192.168.0.103 any)    
{                               
        pfs_group       modp1024;
        lifetime        time    36000 sec;
        encryption_algorithm    blowfish;
        authentication_algorithm hmac_sha256;
        compression_algorithm   deflate;
}
Here is the setkey.conf for freebsd:

Code:
flush;
spdflush;
spdadd 192.168.0.100 192.168.0.103 any -P out ipsec esp/transport//use;
spdadd 192.168.0.103 192.168.0.100 any -P in ipsec esp/transport//use;
Here is the ipsec.conf for openbsd:

Code:
main auth hmac-sha1 enc blowfish group modp1024
quick auth hmac-sha2-256 enc blowfish group modp1024
ike esp transport from 192.168.0.103 to 192.168.0.100 peer 192.168.0.100 
ike esp transport from 192.168.0.100 to 192.168.0.103 peer 192.168.0.100
As in http://www.bsdguides.org/gu...ity/ipsec_vpn I do isakmpd -Kdv, and then when I try ipsecctl -f /etc/ipsec.conf I get:
Code:
/etc/ipsec.conf: 1: syntax error
C set [Phase 1]:192.168.0.100=peer-192.168.0.100 force
C set [peer-192.168.0.100]:Phase=1 force
C set [peer-192.168.0.100]:Address=192.168.0.100 force
C set [peer-192.168.0.100]:Configuration=phase1-peer-192.168.0.100 force
C set [phase1-peer-192.168.0.100]:EXCHANGE_TYPE=ID_PROT force
C add [phase1-peer-192.168.0.100]:Transforms=AES-SHA-RSA_SIG force
C set [from-192.168.0.103-to-192.168.0.100]:Phase=2 force
C set [from-192.168.0.103-to-192.168.0.100]:ISAKMP-peer=peer-192.168.0.100 force
C set [from-192.168.0.103-to-192.168.0.100]:Configuration=phase2-from-192.168.0.103-to-192.168.0.100 force
C set [from-192.168.0.103-to-192.168.0.100]:Local-ID=from-192.168.0.103 force
C set [from-192.168.0.103-to-192.168.0.100]:Remote-ID=to-192.168.0.100 force
C set [phase2-from-192.168.0.103-to-192.168.0.100]:EXCHANGE_TYPE=QUICK_MODE force
C set [phase2-from-192.168.0.103-to-192.168.0.100]:Suites=QM-ESP-TRP-AES-SHA2-256-PFS-SUITE force
C set [from-192.168.0.103]:ID-type=IPV4_ADDR force
C set [from-192.168.0.103]:Address=192.168.0.103 force
C set [to-192.168.0.100]:ID-type=IPV4_ADDR force
C set [to-192.168.0.100]:Address=192.168.0.100 force
C add [Phase 2]:Connections=from-192.168.0.103-to-192.168.0.100
C set [Phase 1]:192.168.0.100=peer-192.168.0.100 force
C set [peer-192.168.0.100]:Phase=1 force
C set [peer-192.168.0.100]:Address=192.168.0.100 force
C set [peer-192.168.0.100]:Configuration=phase1-peer-192.168.0.100 force
C set [phase1-peer-192.168.0.100]:EXCHANGE_TYPE=ID_PROT force
C add [phase1-peer-192.168.0.100]:Transforms=AES-SHA-RSA_SIG force
C set [from-192.168.0.100-to-192.168.0.103]:Phase=2 force
C set [from-192.168.0.100-to-192.168.0.103]:ISAKMP-peer=peer-192.168.0.100 force
C set [from-192.168.0.100-to-192.168.0.103]:Configuration=phase2-from-192.168.0.100-to-192.168.0.103 force
C set [from-192.168.0.100-to-192.168.0.103]:Local-ID=from-192.168.0.100 force
C set [from-192.168.0.100-to-192.168.0.103]:Remote-ID=to-192.168.0.103 force
C set [phase2-from-192.168.0.100-to-192.168.0.103]:EXCHANGE_TYPE=QUICK_MODE force
C set [phase2-from-192.168.0.100-to-192.168.0.103]:Suites=QM-ESP-TRP-AES-SHA2-256-PFS-SUITE force
C set [from-192.168.0.100]:ID-type=IPV4_ADDR force
C set [from-192.168.0.100]:Address=192.168.0.100 force
C set [to-192.168.0.103]:ID-type=IPV4_ADDR force
C set [to-192.168.0.103]:Address=192.168.0.103 force
C add [Phase 2]:Connections=from-192.168.0.100-to-192.168.0.103
ipsecctl: Syntax error in config file: ipsec rules not loaded
I really cannot understand what the error is.

On the freebsd I run setkey -f /usr/local/etc/racoon/setkey.conf and /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf, but when I look for the loaded spd with setkey -DP I get none. Also I get this same failure when I try freebsd to freebsd.

Last edited by kasse; 30th December 2008 at 11:14 AM. Reason: omitted to mention setkey on freebsd part and double / in setkey.conf freebsd
#2, 30th December 2008, J65nko (Administrator)

I tried your ipsec.conf on a 4.2 machine. I get the same syntax error. Only after removing the first two offending lines do the two 'ike' rules load fine.

I am not an IPSEC expert. I once set up transport mode between OpenBSD boxes. When watching the traffic with OpenBSD's tcpdump I saw a lot of negotiation stuff.

Maybe you should just try it without those first two rules.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#3, 30th December 2008, kasse

Thanks!
I commented out those lines specifying the phase 1 and 2 crypto settings and set the freebsd enc to aes. Now instead I get errors that there are no configurations.
Now I have spd on freebsd:
Code:
192.168.0.103[any] 192.168.0.100[any] any
	in ipsec
	esp/transport//use
	spid=3 seq=1 pid=2467
	refcnt=1
192.168.0.100[any] 192.168.0.103[any] any
	out ipsec
	esp/transport//use
	spid=2 seq=0 pid=2467
	refcnt=1

but no SA connections:
On freebsd:
Code:
Foreground mode.
2008-12-30 12:07:41: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)
2008-12-30 12:07:41: INFO: @(#)This product linked OpenSSL 0.9.8i 15 Sep 2008 (http://www.openssl.org/)
2008-12-30 12:07:41: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2008-12-30 12:07:41: INFO: Resize address pool from 0 to 255
2008-12-30 12:07:41: INFO: 192.168.0.100[500] used as isakmp port (fd=6)
2008-12-30 12:09:10: ERROR: couldn't find configuration.
2008-12-30 12:09:17: ERROR: couldn't find configuration.
2008-12-30 12:09:26: ERROR: couldn't find configuration.
2008-12-30 12:09:37: ERROR: couldn't find configuration.
2008-12-30 12:09:37: ERROR: no configuration found for 192.168.0.103.
2008-12-30 12:09:37: ERROR: failed to begin ipsec sa negotication.
and on openbsd:
Code:
120610.144329 Default transport_send_messages: giving up on exchange peer-192.168.0.100, no response from peer 192.168.0.100:500
Here is tcpdump port 500 for freebsd:
Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
12:47:10.453595 IP 192.168.0.103.isakmp > Dell.isakmp: isakmp: phase 1 I ident
12:47:17.468224 IP 192.168.0.103.isakmp > Dell.isakmp: isakmp: phase 1 I ident
12:47:26.478179 IP 192.168.0.103.isakmp > Dell.isakmp: isakmp: phase 1 I ident
12:47:37.488083 IP 192.168.0.103.isakmp > Dell.isakmp: isakmp: phase 1 I ident
12:49:10.471921 IP 192.168.0.103.isakmp > Dell.isakmp: isakmp: phase 1 I ident
and for openbsd:
Code:
tcpdump: listening on acx0, link-type EN10MB
12:47:43.468574 192.168.0.103.isakmp > 192.168.0.100.isakmp: isakmp v1.0 exchange ID_PROT
        cookie: d3aee8f49e31661e->0000000000000000 msgid: 00000000 len: 184
12:47:50.483722 192.168.0.103.isakmp > 192.168.0.100.isakmp: isakmp v1.0 exchange ID_PROT
        cookie: d3aee8f49e31661e->0000000000000000 msgid: 00000000 len: 184
12:47:59.493502 192.168.0.103.isakmp > 192.168.0.100.isakmp: isakmp v1.0 exchange ID_PROT
        cookie: d3aee8f49e31661e->0000000000000000 msgid: 00000000 len: 184
12:48:10.503219 192.168.0.103.isakmp > 192.168.0.100.isakmp: isakmp v1.0 exchange ID_PROT
        cookie: d3aee8f49e31661e->0000000000000000 msgid: 00000000 len: 184

Last edited by kasse; 30th December 2008 at 11:48 AM. Reason: adding some tcpdump info
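The racoon log above ends with "no configuration found for 192.168.0.103", while the racoon.conf in post #1 has its only `remote` section for 192.168.0.102; racoon(8) picks the `remote` section by the peer's address (or falls back to `remote anonymous`), so that mismatch alone produces this error. The script below is an editor's added example, not code from the thread: it parses constructed excerpts of the two FreeBSD files posted above and lists every SPD peer that has no matching `remote` section.

```python
import re

# Constructed excerpts of the racoon.conf and setkey.conf posted in this thread
# (only the parts this check reads, not full copies).
RACOON_CONF = """
listen { isakmp 192.168.0.100 [500]; }
remote 192.168.0.102 [500]
{
        exchange_mode   main;
}
"""
SETKEY_CONF = """
flush;
spdflush;
spdadd 192.168.0.100 192.168.0.103 any -P out ipsec esp/transport//use;
spdadd 192.168.0.103 192.168.0.100 any -P in ipsec esp/transport//use;
"""
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

def racoon_listen(text):
    """Local addresses racoon binds ISAKMP to (`listen { isakmp ... }`)."""
    return set(re.findall(r"isakmp\s+" + IPV4, text))

def racoon_remotes(text):
    """Peers with a `remote <addr> [port]` section; `remote anonymous` is a
    catch-all and is returned as the literal string 'anonymous'."""
    return set(re.findall(r"^\s*remote\s+(anonymous|\d{1,3}(?:\.\d{1,3}){3})", text, re.M))

def spd_peers(text, local):
    """Non-local endpoint of every spdadd policy: racoon has to find a `remote`
    section for each of these before it can start phase 1."""
    peers = set()
    for src, dst in re.findall(r"^\s*spdadd\s+" + IPV4 + r"\s+" + IPV4, text, re.M):
        peers.update(a for a in (src, dst) if a not in local)
    return peers

def missing_remote_sections(racoon_text, setkey_text):
    """SPD peers that racoon.conf has no `remote` section for."""
    remotes = racoon_remotes(racoon_text)
    if "anonymous" in remotes:
        return []
    return sorted(spd_peers(setkey_text, racoon_listen(racoon_text)) - remotes)

if __name__ == "__main__":
    for peer in missing_remote_sections(RACOON_CONF, SETKEY_CONF):
        print(f"racoon.conf has no 'remote {peer}' section; racoon will log "
              f"'no configuration found for {peer}'")
```

On the posted configs it reports 192.168.0.103; the same check passes once the `remote` section names that address (or `anonymous`).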
#4, 31st December 2008, J65nko (Administrator)

You have to use tcpdump with the -vv flag to see what is going on.