DaemonForums > OpenBSD > OpenBSD Security

#1
Old 4th June 2009
bertonumnum bertonumnum is offline
New User
 
Join Date: Jun 2009
Posts: 3
Thanked 0 Times in 0 Posts
Road Warrior in VPN Purgatory

So I've been trying to get a road warrior IPsec setup (like millions of others) and have pretty much got it done except one little thing...the remote PC can only access the VPN box and ping everything inside but nothing else. I've looked at pf.conf, ipsec.conf, isakmpd.conf and isakmpd.policy to no avail. If anyone could lift me from this IPsec purgatory I would be eternally grateful. Here's the setup:

PC (external) --> OpenBSD 4.4 (VPN/FW Box) --> Internal Net

pf.conf
=======
ext_if="fxp0"
trunk_if="trunk0" # Internal Trunk Group
ext_net = "192.168.1.0/24"
int_net = "192.168.0.0/24"

srv_int = "192.168.0.56" # Internal Server
gw_ext = "10.10.10.1" # External IP on the VPN

#table <spamd-white> persist

set skip on lo
set skip on enc0
scrub in all

nat on $ext_if from !($ext_if) -> ($ext_if:0)

# Redirect web traffic for the external VPN address to the internal webserver
rdr on $ext_if proto tcp from any to $gw_ext port { www https } -> $srv_int

block in
pass out

#pass quick on $int_if no state
antispoof quick for { lo $trunk_if }

# Allow ESP encapsulated IPsec traffic on the external interface
pass in on $ext_if proto esp from $ext_net to $gw_ext
pass out on $ext_if proto esp from $gw_ext to $ext_net

# Allow isakmpd(8) traffic on the external interface
pass in on $ext_if proto udp from $ext_net to $gw_ext port {isakmp, ipsec-nat-t}
pass out on $ext_if proto udp from $gw_ext to $ext_net port {isakmp, ipsec-nat-t}

# Allow IP-in-IP traffic between the gateways on the enc(4) interface
pass in on enc0 proto ipencap from $ext_net to $gw_ext keep state (if-bound)
pass out on enc0 proto ipencap from $gw_ext to $ext_net keep state (if-bound)

# Filter unencrypted VPN traffic on the enc(4) interface
pass in on enc0 from $ext_net to $trunk_if:network keep state (if-bound)
pass out on enc0 from $trunk_if:network to $ext_net keep state (if-bound)

# A bunch of port/service rules you don't care about...

# Squid transparent proxy on the VPN box for internal users
pass in on $trunk_if inet proto tcp from $int_net to localhost port 3128
pass out on $ext_if inet proto tcp from localhost to any port www

pass quick on $trunk_if
-----------------------------------------------------------
isakmpd.policy
==============
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            doi == "ipsec" &&
            pfs == "yes" &&
            esp_present == "yes" &&
            esp_enc_alg == "aes" -> "true";

-----------------------------------------------------------
isakmpd.conf
============
[General]
Listen-On = 10.10.10.1

[Phase 1]
# Default = <ISAKMP-peer>
Default = client

[Phase 2]
# Passive-connections = <IPsec connection>
Passive-connections = client-netB

# <ISAKMP-peer>
[client]
Phase = 1
Transport = udp
# Configuration = <ISAKMP-configuration>
Configuration = Default-main-mode
Authentication = sharedsecret

# <IPsec connection>
[client-netB]
Phase = 2
ISAKMP-peer = client
# Configuration = <IPsec-configuration>
Configuration = Default-quick-mode
# Local-ID = <IPsec-ID>
Local-ID = netB
# Remote-ID = <IPsec-ID>
Remote-ID = client

# <IPsec-ID>
[client]
ID-type = IPV4_ADDR
Address = 0.0.0.0

# <IPsec-ID>
[netB]
ID-type = IPV4_ADDR_SUBNET
Network = 0.0.0.0
Netmask = 0.0.0.0

# <ISAKMP-configuration>
[Default-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = AGGRESSIVE
# Transforms = <ISAKMP-transform>
Transforms = AES-256-SHA

# <IPsec-configuration>
[Default-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
# Suites = <IPsec-suite>
Suites = QM-ESP-AES-256-SHA-PFS-SUITE

---------------------------------------------------
ipsec.conf
==========
ike passive esp from $gw_ext to $ext_net
ike dynamic esp from $int_net to $ext_net

---------------------------------------------------

So when a PC on the outside connects, it has full access to the VPN box but can't get beyond it inside the int_net. It can however icmp ping inside everywhere. On a box on the inside net, an arp -a yields:

# arp -a
? (192.168.0.165) at (incomplete) on trunk0

So packets get to the inside boxes from the outside PC, but the internal boxes don't get an arp response for the outside PC.

Any help would be EXTREMELY appreciated!
#2
Old 5th June 2009
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,188
Thanked 182 Times in 149 Posts

Have you seen http://www.securityfocus.com/infocus/1859 ?

To check whether pf is blocking, use a default policy of:
Code:
 block log all
This will make blocked packets appear on the pflog0 device.
You can see these packets by using
Code:
tcpdump -eni pflog0
on a console on the VPN/firewall box.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
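As an added illustration of the pflog check described above (this is not code from the thread or from the OpenBSD project), here is a small Python parser for the lines that tcpdump -eni pflog0 prints when the ruleset starts with block log all. It is run over a constructed sample: the timestamps, addresses, ports and rule numbers in SAMPLE_PFLOG are made up for the example, not captured from the poster's box. It pulls out the blocked packets that touch the road warrior's address and groups them by interface, direction and destination port, which is what you want to see at a glance when deciding whether pf or something else is dropping the traffic.

```python
import re
from collections import Counter

# Constructed sample of "tcpdump -eni pflog0" output on an OpenBSD box whose
# ruleset begins with "block log all". These lines are made up for this
# example; they were not captured from the poster's firewall.
SAMPLE_PFLOG = """\
Jun 05 03:14:01.102938 rule 0/(match) block in on fxp0: 192.168.1.50.51123 > 10.10.10.1.500: udp 248
Jun 05 03:14:02.334455 rule 0/(match) block in on fxp0: 192.168.1.50.52001 > 192.168.0.56.22: S 1:1(0) win 65535
Jun 05 03:14:03.001200 rule 0/(match) block in on trunk0: 192.168.0.56.22 > 192.168.1.50.52001: S 2:2(0) ack 2 win 16384
Jun 05 03:14:04.778899 rule 0/(match) block in on fxp0: 203.0.113.9.4444 > 10.10.10.1.23: S 9:9(0) win 512
Jun 05 03:14:05.000001 rule 0/(match) block out on trunk0: 192.168.1.50 > 192.168.0.56: icmp: echo request
"""

# One pflog line: timestamp, "rule N/(reason)", action, direction, interface,
# then "src > dst:" as tcpdump -n prints them.
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]*)\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\S+) > (?P<dst>[^\s:]+):"
)


def split_addr_port(token):
    """tcpdump -n prints IPv4 endpoints as A.B.C.D.port; ICMP endpoints have no port."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_pflog(text):
    """Parse tcpdump -eni pflog0 lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue
        src, sport = split_addr_port(m.group("src"))
        dst, dport = split_addr_port(m.group("dst"))
        entries.append({
            "ts": m.group("ts"), "rule": int(m.group("rule")),
            "action": m.group("action"), "dir": m.group("dir"),
            "iface": m.group("iface"),
            "src": src, "sport": sport, "dst": dst, "dport": dport,
        })
    return entries


def blocked_involving(entries, host):
    """Blocked packets in which the given address is the source or the destination."""
    return [e for e in entries
            if e["action"] == "block" and host in (e["src"], e["dst"])]


def summarize(entries):
    """Count packets by (interface, direction, destination port)."""
    return Counter((e["iface"], e["dir"], e["dport"]) for e in entries)


if __name__ == "__main__":
    # The road warrior's address in the constructed sample is 192.168.1.50.
    hits = blocked_involving(parse_pflog(SAMPLE_PFLOG), "192.168.1.50")
    for key, n in sorted(summarize(hits).items(), key=str):
        print(key, n)
```

Feed it real output with something like tcpdump -eni pflog0 | python3 script.py after swapping SAMPLE_PFLOG for sys.stdin.read(); an empty result, as in the poster's case, tells you pf is not the thing dropping the packets and the search moves to routing.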
#3
Old 5th June 2009
bertonumnum bertonumnum is offline
New User
 
Join Date: Jun 2009
Posts: 3
Thanked 0 Times in 0 Posts

Thanks for the reply!

Yes, I've read that article, and I've already looked at the tcpdump output from the block log all rule. There are no block logs generated when the road warrior tries to access the internal servers.

Any thoughts?
#4
Old 5th June 2009
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,188
Thanked 182 Times in 149 Posts

If pf isn't blocking anything, and assuming your VPN configuration is correct, then it probably is a routing problem.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#5
Old 5th June 2009
robbak robbak is offline
Real Name: Robert Backhaus
VPN Cryptographer
 
Join Date: May 2008
Location: North Queensland, Australia
Posts: 366
Thanked 40 Times in 39 Posts

Make sure that you have routing working. I don't know about ipsec, but you will need:
1. a routing entry in the remote computer telling it to use the local server for any addresses in the local network, and
2. a routing entry in the local server where it is supposed to send packets, and, of course, packet forwarding enabled.

(checks above to see whether you have already mentioned that.)

From my examination, it seems that you may have omitted to tell the inside hosts that packets to the remote host must be sent to the ipsec server. I don't know your network, and I don't know ipsec either (!), so I don't know how to do it. Maybe a routing entry in your internet gateway should do it.
__________________
The only dumb question is a question not asked.
The only dumb answer is an answer not given.
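The (incomplete) ARP entry for 192.168.0.165 on trunk0 in the first post is exactly what the second point above predicts: an inside host whose most specific route for the road warrior's address is the on-link 192.168.0.0/24 entry will broadcast an ARP request for it on the LAN instead of handing the packet to the VPN box, and nobody on the wire owns that address. The following Python script is an added example, not code from the thread or from OpenBSD. It parses a constructed route -n show -inet style table for an inside host, performs the longest-prefix lookup the kernel performs, and shows how a host route pointing at the VPN box changes the next hop. The inside host's routing table, its interface name em0 and the VPN box's LAN address 192.168.0.1 are assumptions made for the example; 192.168.0.165 is the address from the poster's arp -a output.

```python
import ipaddress
import re

# Constructed "route -n show -inet" style table for a host on the internal LAN
# (192.168.0.0/24) whose default gateway is the VPN/firewall box. Made up for
# this example, not output from the poster's machines.
LAN_HOST_ROUTES = """\
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.168.0.1        UGS        0      128     -     8 em0
127/8              127.0.0.1          UGRS       0        0 33160     8 lo0
127.0.0.1          127.0.0.1          UH         1        0 33160     4 lo0
192.168.0/24       link#1             UC         2        0     -     4 em0
192.168.0.1        00:11:22:33:44:55  UHLc       1        9     -     4 em0
224/4              127.0.0.1          URS        0        0 33160     8 lo0
"""

ROAD_WARRIOR = "192.168.0.165"   # address the inside box ARPed for (from the thread)
VPN_BOX_LAN = "192.168.0.1"      # assumed internal address of the VPN/firewall box

MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")


def parse_dest(dest):
    """Turn route(8)'s shorthand (default, 127/8, 192.168.0/24) into an IPv4Network."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))          # 192.168.0 -> 192.168.0.0
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"), strict=False)


def parse_routes(text):
    """Parse route -n show -inet style output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "Destination":   # header / section lines
            continue
        routes.append((parse_dest(fields[0]), fields[1], fields[-1]))
    return routes


def lookup(routes, addr):
    """Longest-prefix match, the way the kernel picks a route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, gw, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def next_hop(routes, addr):
    """How the host delivers a packet to addr: ARP on the wire, or via a router."""
    match = lookup(routes, addr)
    if match is None:
        return ("unreachable", None)
    net, gw, iface = match
    if gw.startswith("link#") or MAC_RE.fullmatch(gw):
        return ("arp", iface)        # on-link: the host ARPs for addr itself
    return ("via", gw)               # off-link: hand the packet to this gateway


def with_host_route(routes, addr, gw, iface):
    """Table as it would look after 'route add -host addr gw' on the inside host."""
    return routes + [(ipaddress.ip_network(addr + "/32"), gw, iface)]


if __name__ == "__main__":
    table = parse_routes(LAN_HOST_ROUTES)
    print("before:", next_hop(table, ROAD_WARRIOR))
    fixed = with_host_route(table, ROAD_WARRIOR, VPN_BOX_LAN, "em0")
    print("after: ", next_hop(fixed, ROAD_WARRIOR))
```

Before the host route the answer is ("arp", "em0"), which is the (incomplete) entry the poster saw; after it the packet goes via the VPN box, which is the entry the post above is asking for. On OpenBSD the equivalent command on each inside host would be route add -host 192.168.0.165 192.168.0.1, with the VPN box's real LAN address substituted.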
#6
Old 12th June 2009
bertonumnum bertonumnum is offline
New User
 
Join Date: Jun 2009
Posts: 3
Thanked 0 Times in 0 Posts

But if it was a routing issue, ping traffic wouldn't work...correct?
#7
Old 13th June 2009
s2scott s2scott is offline
Package Pilot
 
Join Date: May 2008
Location: Toronto, Ontario Canada
Posts: 198
Thanked 9 Times in 8 Posts

Run (and post the output from) ...

Code:
route -n show -inet -gateway
/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.