Negotiation of IPsec SA
Hi everyone!
Nice to see that there is a forum related to OpenBSD! I have only a basic question about the VPN/IPsec implementation in OpenBSD 4.x, especially for the ISAKMP exchanges in phase 2. It seems that this is different from other OSes or vendors.

>> Does OpenBSD accept in phase 2 a remote subnet which is not configured as a reachable subnet through the VPN? <<

That means subnets A and B should be reached via the VPN. A and B are configured on both sides. The client (e.g. a NetScreen) also sends a subnet C to the responder (OpenBSD), and OpenBSD agrees to subnet C in phase 2 even though subnet C is not configured in OpenBSD as a VPN remote subnet. Or is this just a problem of the configuration of OpenBSD, isakmpd.conf...? Thanks a lot for your answer. The VPN is established with main mode and a pre-shared key.

Recognize that the OpenBSD project only supports the two latest releases at any given time. Per Section 5.1 of the project's official FAQ:

I agree, but this question is more general.
Unfortunately I have to use the "OpenBSD box" as it is. I will do my best to get the latest version if I decide to use OpenBSD as VPN gateway and firewall. If this is a known problem, someone might know which version should be used to fix this. Thanks for the support.

OpenBSD does not use MAJOR.minor release numbering. Instead, the number just increases by 0.1 every six months. 5.0 was half a year after 4.9, as 3.0 was half a year after 2.9.

Which specific release you are running may sometimes be important, even when it is a legacy system such as yours. There have been regular changes to IPSec capabilities over time. And sometimes incompatibilities occur, such as when there were two hash algorithm bug fixes at OpenBSD 4.7 for HMAC-SHA2.

----

There are few IPSec users here. I'm one, but I do not use isakmpd.conf; instead, I use ipsecctl(8) and ipsec.conf(5).

If not, and if you don't get any useful responses, you might consider posting your question to the misc@ mailing list. If you decide to post to misc@, I'm sure you will be asked to post your specific release, the specifics of the configuration problem you are trying to solve, as well as both your isakmpd.conf and any captured Phase 2 negotiation logs -- these last two may be safely posted after redacting private information, such as publicly facing IP addresses.

------

Edited to add: The capabilities described in the Journal article were added to -current in January of 2009, and were included in 4.5-release in April of that year:

Last edited by jggimi; 6th August 2012 at 09:39 PM. Reason: addendum

Hi!
OK, the release is 5.0. After some investigation, I think that I found the problem and the solution. To be sure that only specific local and remote subnets are able to connect with VPN/IPsec in OpenBSD, you have to use isakmpd.policy. This file contains the allowed subnets, for example:

> remote_filter_addr_upper == "010.001.000.255" &&
> remote_filter_addr_lower == "010.001.000.000" &&
> local_filter_addr_upper == "010.018.000.255" &&
> local_filter_addr_lower == "010.018.000.000" &&

This file must be parsed by OpenBSD with KeyNote. But it is additional effort to create this .policy and you have to install KeyNote (?)... By default, isakmpd.policy contains only the pre-shared key and no filters. What is the advantage of using ipsecctl(8) and ipsec.conf(5) instead of isakmpd.conf / isakmpd.policy?

I'm glad you found the answer.
http://www.symantec.com/connect/arti...psec-4-minutes

Why not just use pf to filter the traffic on enc(4)? It could be a simple 1-liner that gets the job done, with no need for the complexity you described above.
Last edited by denta; 7th August 2012 at 03:12 PM.

Yes, this is a workaround.
But this does not prevent a packet from being sent from one peer to the other through the VPN. And my "VPN engine" is also unnecessarily burdened. I don't know how many VPN tunnels can be established until the VPN service crashes...

How is that a workaround? Sorry, I clearly don't understand your problem still, after all these posts.
edit: Also, I have no idea what the network topology is, or where the OpenBSD units are, and what needs to connect to what.
Last edited by denta; 7th August 2012 at 03:58 PM.

denta, the question is more general. It does not depend on the topology.

But if you have a simple site-to-site VPN: peer A is the OpenBSD box, peer B is any other VPN gateway (call it Gw-B). Now Gw-B initiates the VPN and a tunnel is established between the two peers. With this tunnel you can send packets, for example, between the two directly connected internal networks. This is the reason for the VPN tunnel.

Now the admin of Gw-B configures additional IPsec SAs and does not inform the admin of the OpenBSD box, so the OpenBSD box will not be changed. The result is that the OpenBSD box accepts these additional IPsec SAs and packets can be sent from Gw-B to the OpenBSD box. If the OpenBSD box has a configured route for these packets, they will reach the target. This makes the admin of the OpenBSD box nervous, because it is not his intention to receive such (unknown) traffic.

This scenario will happen if you do not use isakmpd.ipsec. If you use this file, you can filter the IPsec SAs from Gw-B and the OpenBSD box denies the requests from Gw-B. That means:
- no tunnel can be established for the "unknown" IPsec SAs from peer B,
- therefore no need for pf.
And the best is that
- only valid IPsec SAs are terminated on the OpenBSD box,
- no additional burden for isakmpd.

But you have to install KeyNote on your OpenBSD box to get this to work and you should know how to use isakmpd.ipsec. It seems a little bit complicated... But this is the reason that your solution is just a workaround. Your kind of configuration did not solve the real problem. But I am sure it will work.

I have not tested this, it is just a theoretical investigation, but I think this will point in the right direction. If not, please let me know. I am still learning OpenBSD. The smarter way to get more and easier IPsec security is to use the configuration files mentioned by jggimi. I think this is more restrictive than isakmpd.conf.