DaemonForums > OpenBSD > OpenBSD Security

IPSec Tunnel - no public key found

#1, 7th September 2009, mikesg

So on the advice of the people who will probably respond to this thread, I am working on an IPSec tunnel between two OpenBSD 4.3 gateway/firewalls. I'm following the guide "Zero to IPSec in 4 minutes" as well as some of the comments in my first attempt. My current setup:

Network A - ipsec.conf:
Code:
local_ip="1.2.3.4"
local_network="192.168.10.0/24"
remote_ip="5.6.7.8"
remote_network="192.168.111.0/24"
ike esp from { $local_ip $local_network } to { $remote_ip $remote_network } peer $remote_ip
ike esp from $local_ip to $remote_ip

Network B - ipsec.conf:
Code:
local_ip="5.6.7.8"
local_network="192.168.111.0/24"
remote_ip="1.2.3.4"
remote_network="192.168.10.0/24"
ike passive esp from { $local_ip $local_network } to { $remote_ip $remote_network } peer $remote_ip
ike passive esp from $local_ip to $remote_ip

I generated the local.pub on each machine with the following command:
Code:
openssl rsa -out /etc/isakmpd/private/local.pub -in /etc/isakmpd/private/local.key -pubout

I copied the contents of the local.pub file on each machine to the opposite machine, into /etc/isakmpd/pubkeys/ipv4/1.2.3.4 (and 5.6.7.8 on the other computer), without the .pub extension.

I've added/changed the following to pf.conf on each machine:
Code:
set skip on { lo enc0 }
pass quick on $ext_if from 1.2.3.4    # 5.6.7.8 on the opposite gateway

When I run isakmpd -K -d, then ipsecctl -f ipsec.conf, the tunnel doesn't open, and I get this:
Code:
201343.935936 Default get_raw_key_from_file: failed to get public key /etc/isakmpd/pubkeys//ipv4/5.6.7.8
201343.936385 Default rsa_sig_decode_hash: no public key found
201343.936525 Default dropped message from 5.6.7.8 port 500 due to notification type INVALID_ID_INFORMATION

Why am I having key problems? Even with -v on isakmpd I see no additional information that can help me.

#2, 7th September 2009, jggimi

1. OpenBSD 4.3 is unsupported. 4.4 will lose support on October 1, when 4.6 is released.

2. Each OpenBSD system you are running already had a public/private key pair for use with isakmpd. It got created by rc(8) the very first time the OS was run in multi-user mode. (At 4.5, which you are not running, the key length was increased to 2048 bits.) See /etc/rc for the specific openssl command, which used the genrsa option. If you delete the key pair you manually recreated, and just reboot, /etc/rc will recreate the key pair(s). It is possible your manual activity has produced an incorrect or inappropriate key.

3. Make sure you're using the remote IP address for the name of the public key half. e.g.: For Network A (at 1.2.3.4) that communicates with Network B (at 5.6.7.8), the public key-half obtained from B should be stored in /etc/isakmpd/pubkeys/ipv4/5.6.7.8 -- I mention it because that is not completely clear from your problem description. And, confirm the content is the public key that matches what is in Network B's /etc/isakmpd/local.pub file. Lastly, be sure the file is named "5.6.7.8" and not placed in a *directory* named 5.6.7.8. It may be obvious, but I've had conversations with at least one other person who misunderstood and instead had something like /etc/isakmpd/pubkeys/ipv4/5.6.7.8/local.pub -- that can't work.
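The two things the thread turns on are the layout of the peer's key file (post #1 and point 3 of post #2) and whether the manually made local.pub really belongs to private/local.key (point 2 of post #2, and the eventual fix in post #5). The script below is an added example, not code from the thread or from OpenBSD; it checks both with plain POSIX sh and the openssl(1) "-modulus" output. The isakmpd directory and the peer address are parameters, so it can be run against a scratch copy; the paths /etc/isakmpd/private/local.key, /etc/isakmpd/local.pub and /etc/isakmpd/pubkeys/ipv4/<peer-ip> are the ones jggimi names above.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the isakmpd key
# layout discussed above. All paths are parameters; nothing here touches
# /etc/isakmpd unless you pass that directory in.

# check_pubkey_layout ISAKMPD_DIR REMOTE_IP
# isakmpd reads the peer's key from ISAKMPD_DIR/pubkeys/ipv4/REMOTE_IP.
# Returns 0 if that path is a regular file holding a PEM public key;
# otherwise prints the reason and returns 1.
check_pubkey_layout() {
    f="$1/pubkeys/ipv4/$2"
    if [ -d "$f" ]; then
        echo "directory: $f must be a file, not a directory holding local.pub"
        return 1
    fi
    if [ ! -f "$f" ]; then
        if [ -f "$f.pub" ]; then
            echo "wrong name: found $f.pub, but isakmpd reads $f (no .pub suffix)"
        else
            echo "missing: $f"
        fi
        return 1
    fi
    if ! grep -q 'BEGIN PUBLIC KEY' "$f"; then
        echo "not PEM: $f does not contain a PEM public key"
        return 1
    fi
    echo "ok: $f"
    return 0
}

# rsa_modulus FILE KIND      KIND is "priv" or "pub"
# Prints "Modulus=<hex>" so the two halves of a pair can be compared.
rsa_modulus() {
    if [ "$2" = pub ]; then
        openssl rsa -pubin -in "$1" -noout -modulus
    else
        openssl rsa -in "$1" -noout -modulus
    fi
}

# same_key PRIVATE_KEY PUBLIC_KEY
# Returns 0 only when PUBLIC_KEY is the public half of PRIVATE_KEY.
# Returns 2 (not 0) if openssl is missing or a file does not parse, so a
# pair of empty outputs can never compare as "equal".
same_key() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    priv=$(rsa_modulus "$1" priv) || return 2
    pub=$(rsa_modulus "$2" pub) || return 2
    [ -n "$priv" ] && [ "$priv" = "$pub" ]
}

# Usage: sh isakmpd-keycheck.sh /etc/isakmpd 5.6.7.8
# Checks the peer's key file, then that this gateway's own local.pub
# was derived from private/local.key (a mismatch is what post #5 fixed
# by regenerating the pair).
if [ $# -eq 2 ]; then
    check_pubkey_layout "$1" "$2"
    if [ -f "$1/private/local.key" ] && [ -f "$1/local.pub" ]; then
        if same_key "$1/private/local.key" "$1/local.pub"; then
            echo "ok: local.pub matches private/local.key"
        else
            echo "mismatch: local.pub is not derived from private/local.key; regenerate the pair"
        fi
    fi
fi
```

Run the same same_key check across the two gateways as well: the private key on B against the file A stored as pubkeys/ipv4/5.6.7.8, and vice versa, which is what the "no public key found" path in the log ultimately depends on.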
#3, 8th September 2009, mikesg

I know 4.3 is no longer considered a supported OS, thanks. However, it should still work.

On #2, the local.pub files did not exist on either machine prior to me making them using the stated method. I verified in /etc/rc that this is how the OS would have made them. What you're saying makes sense, as none of the tutorials I read made mention of having to make the file, which I thought was odd.

On #3, the key is stored in a file named 1.2.3.4 (or 5.6.7.8), not a folder, as you described. Although I tried the incorrect way first, as I was confused myself.

Is there a way to get more verbose output from isakmpd? I will update each server to 4.4 then 4.5 as I have time this week.
#4, 8th September 2009, jggimi

Quote:
Originally Posted by mikesg
On #2, the local.pub files did not exist on either machine prior to me making them using the stated method.

Odd. Perhaps you have a 4.3 kernel but an older /etc/rc due to an improperly executed prior upgrade? Or perhaps you have local customizations to /etc/rc? Looking at /etc/rc for 4.3-release, I see the test for the existence of keys on line # 562, and creation of the key pair on lines 563-573.
Code:
# isakmpd -vKd &
will provide more information than without "-v", per isakmpd(8)'s man page.
#5, 7th October 2009, mikesg

Thought I would tie this up. In the end this tutorial worked great. After I regenerated the keys on both ends, everything worked. So apparently, somehow, the first set of keys I created were flawed.
Mike