DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 12th March 2010
wesley wesley is offline
Real Name: Wesley
Fdisk Soldier
 
Join Date: Aug 2009
Location: Reunion Island
Posts: 76
Thanked 1 Time in 1 Post
Post come back with "vpn ipsec nat"

I'm trying to do vpn ipsec with nat. (I can do fully some test @ work with have sdsl with 5 ip address)

To resume i want to do ipsec vpn between Site A (192.168.0.0/24) and Site B (192.168.0.0/24). They have same network address.

So i done this with this good article : http://undeadly.org/cgi?action=artic...20090127205841 (from Mitja)

PC1----PF1----------------INTERNET---------------------PF2---PC2

PF1 : OpenBSD 4.6
rl0 : connected to sdsl, have an ip fixe (11.11.11.11), this interface is the egress.
rl1 : our network, his ip address : 192.168.0.11
DNS : ISP
There's only PF,isakmpd(-K), and ipsec services. No dhcp, no bind

PF2 : OpenBSD 4.6
rl0 : connected to sdsl, have an ip fixe (22.22.22.22), this interface is the egress.
rl1 : our network, his ip address : 192.168.0.12
There's only PF,isakmpd(-K), and ipsec services. No dhcp, no bind

PC1 : XP PRO (workgroup)
IP : 192.168.0.93/24 should be 192.168.1.93 using NAT
Gateway : 192.168.0.11
DNS : ISP

PC2 : XP PRO (workgroup)
IP : 192.168.0.92/24 should be 192.168.2.92 using NAT
Gateway : 192.168.0.12
DNS : ISP

When i type on a PF machine (PF1 or PF2) : ipsecctl -sa, there's flow and sa.
Tunnel is monted. I can verify it using tcpdump -i enc0 on PF1, type tracert 192.168.1.93 (using PC2). There's traffic encrypted

ipsecctl -sa on PF2 :
FLOWS:
flow esp in from 192.168.1.0/24 to 192.168.0.0/24 peer 11.11.11.11 srcid 22.22.22.22/32 dstid 11.11.11.11/32 type use
flow esp out from 192.168.0.0/24 to 192.168.1.0/24 peer 11.11.11.11 srcid 22.22.22.22/32 dstid 11.11.11.11/32 type require

SAD:
esp tunnel from 11.11.11.11 to 22.22.22.22 spi 0x14f92c81 auth hmac-sha1 enc aes-256
esp tunnel from 22.22.22.22 to 11.11.11.11 spi 0xb1b3d4a6 auth hmac-sha1 enc aes-256

Test i ve done :
On machine PC1(192.168.0.93), i tryied ping PC2 using NAT 192.168.2.92 (doesn't work), i ve the following on the PF2 console using tcpdump -i enc0 :

tcpdump: listening on enc0, link-type ENC
18:31:36.608877 (authentic,confidential): SPI 0x14f92c81: 192.168.0.93 >
192.168.2.92: icmp: echo request (encap)
18:31:41.818990 (authentic,confidential): SPI 0x14f92c81: 192.168.0.93 >
192.168.2.92: icmp: echo request (encap)
18:31:47.329048 (authentic,confidential): SPI 0x14f92c81: 192.168.0.93 >
192.168.2.92: icmp: echo request (encap)
18:31:52.846117 (authentic,confidential): SPI 0x14f92c81: 192.168.0.93 >
192.168.2.92: icmp: echo request (encap)
^C
4 packets received by filter
0 packets dropped by kernel

Conclusion, something is missing, PF can't redirect packet to the machine.
he doesnt know who is 192.168.1.93 (should be 192.168.0.93 in real)
Have you an idea? On the document : http://undeadly.org/cgi?action=artic...20090127205841 He talks about need to use split dns to it works ? is it really necessary ?
Can you help me ? See pf.conf, ipsec.conf :

ipsec.conf (PF1):
ike esp from 192.168.1.0/24 (192.168.0.0/24) to 192.168.2.0/24 \
peer 22.22.22.22 \
main auth hmac-sha1 enc aes-256 group modp1024 \
quick auth hmac-sha1 enc aes-256 group modp1024 \
psk "thisisanexample"

ipsec.conf (PF2):
ike esp from 192.168.2.0/24 (192.168.0.0/24) to 192.168.1.0/24 \
peer 11.11.11.11 \
main auth hmac-sha1 enc aes-256 group modp1024 \
quick auth hmac-sha1 enc aes-256 group modp1024 \
psk "thisisanexample"

pf.conf (PF1) :
me="11.11.11.11"
distant="22.22.22.22"
set skip on {loi enc0}
set block-policy drop
nat on egress from rl1:network to any -> egress
binat on enc0 inet from 192.168.0.0/24 to 192.168.2.0/24 -> 192.168.1.0/24
block in log on egress
pass in on egress inet proto udp from $distant to $me port 500
pass in on egress inet proto udp from $distant to $me port 4500
pass in on egress proto esp from $distant to $me
pass out keep state

pf.conf (PF2) :
me="22.22.22.22"
distant="11.11.11.11"
set skip on {lo enc0}
set block-policy drop
nat on egress from rl1:network to any -> egress
binat on enc0 inet from 192.168.0.0/24 to 192.168.1.0/24 -> 192.168.2.0/24
block in log on egress
pass in on egress inet proto udp from $distant to $me port 500
pass in on egress inet proto udp from $distant to $me port 4500
pass in on egress proto esp from $distant to $me
pass out keep state

Last edited by wesley; 15th March 2010 at 05:16 AM. Reason: details
Reply With Quote
  #2   (View Single Post)  
Old 15th March 2010
wesley wesley is offline
Real Name: Wesley
Fdisk Soldier
 
Join Date: Aug 2009
Location: Reunion Island
Posts: 76
Thanked 1 Time in 1 Post
Default Now it works

Thank's to Mitja.
In my pf.conf, remove enc0 from "set skip on {lo enc0}", because binat rules doesn't take effect.

Last edited by wesley; 15th March 2010 at 07:14 AM.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
A little confused. Do "snapshots" (vs dump=image) have any correlation, non-unix? jb_daefo FreeBSD General 9 21st November 2009 04:41 AM
Opera Port - conflicting pkgs in "make install" IronForge OpenBSD Packages and Ports 5 29th October 2009 05:10 AM
Fixed "xinit" after _7 _8, "how" here in case anyones' "X" breaks... using "nvidia" jb_daefo Guides 0 5th October 2009 09:31 PM
"Thanks" and "Edit Tags". diw Feedback and Suggestions 2 29th March 2009 12:06 AM


All times are GMT. The time now is 07:16 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick