DaemonForums > OpenBSD > OpenBSD Security
#1  11th April 2011  copetts (New User)
VPN NAT issue on 4.8

Hi all,
I hope I'm posting my question in the right place.
I've upgraded my 2 firewalls from 4.6 -> 4.7 -> 4.8.
Now I have a problem with a VPN that uses NAT to reach the remote site.
With the 4.6 version everything worked fine, but after the upgrade and the NAT rule conversion the VPN comes up and runs, but I retrieve a lot of errors in the daemon log.
My ipsec.conf is the following (it's the same one that I used in the 4.6 version):

Quote:
ike esp from { 172.16.1.0/24, 172.29.128.96/27, 172.20.44.224/27, 172.20.43.192/27 } to 10.0.0.0/8 local <myfw_pub_ip> peer <remotefw_pub_ip> \
main auth hmac-md5 enc 3des quick auth hmac-md5 enc 3des group modp1024 psk XXXXXXXXXX
As you can see I have 4 networks that must reach the remote one.

My pf.conf is the following:
Code:
lan1 = "172.16.1.0/24"
lan2 = "172.29.128.96/27"
lan3 = "172.20.44.224/27"
lan4 = "172.20.43.192/27"
lanremote = "10.0.0.0/8"

# Addresses the LANs are translated to before entering the tunnel
natvpn = "172.16.196.16/28"

# Placeholders: the remote firewall's public address and this firewall's public address
fwremote = "<remotefw_pub_ip>"
intvpn = "<myfw_pub_ip>"
# $ext (the external interface) is defined elsewhere in the ruleset

# Translate the LANs to $natvpn as the traffic leaves on enc0
match out on enc0 from { $lan1, $lan2, $lan3, $lan4 } to $lanremote nat-to $natvpn source-hash

#VPN section
# IKE (isakmpd) and ESP between the two firewalls' public addresses
pass in quick on $ext inet proto udp from $fwremote to $intvpn port 500
pass out quick on $ext inet proto udp from $intvpn to $fwremote port 500

pass in quick on $ext inet proto esp from $fwremote to $intvpn
pass out quick on $ext inet proto esp from $intvpn to $fwremote

# ENC0 VPN interface
#################################################################################
block in on enc0 all
block out on enc0 all
block return-rst in on enc0 proto tcp all
block return-rst out on enc0 proto tcp all

pass in quick on enc0 proto ipencap from $fwremote to $intvpn
pass out quick on enc0 proto ipencap from $intvpn to $fwremote

# Translated LAN traffic to the remote site, and the replies
pass out quick on enc0 inet proto { udp, tcp, icmp } from $natvpn to $lanremote
pass in quick on enc0 inet proto { udp, tcp, icmp } from $lanremote to $natvpn

The errors I retrieve periodically in the daemon log are:
Quote:
Apr 8 16:20:37 fire1 isakmpd[18227]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.0.0.0/255.0.0.0, responder id 172.16.196.16/255.255.255.240
Apr 8 16:20:37 fire1 isakmpd[18227]: dropped message from <remotefw> port 500 due to notification type INVALID_ID_INFORMATION

isakmpd[25384]: responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute
Apr 11 10:33:17 fire1 isakmpd[25384]: dropped message from <remotefw> port 500 due to notification type NO_PROPOSAL_CHOSEN

I know that my ipsec.conf seems strange because I put the LAN IP addresses and not the NAT IP to create the tunnel, but with 4.6 it worked fine. The only rule that I used then, and that I've now removed in 4.8, is:

Code:
no nat on $ext from $natvpn to $lanremote
Sorry if my post is so long, but I hope I have written all the information useful to understand the question.
Any help will be very appreciated.
Thank you in advance.

Last edited by J65nko; 11th April 2011 at 04:01 PM. Reason: [code] and [/code], [quote] and [/quote] tags added
#2  11th April 2011  J65nko (Administrator, Budel - the Netherlands)

Are you sure http://openbsd.org/faq/upgrade47.html#hmac-sha2 is not affecting you?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#3  12th April 2011  copetts (New User)

Thank you for your reply.

I think that this is not the case; in my ipsec.conf I don't use the hmac-sha2 protocol.
In the meantime I've found the solution to the error:
Apr 8 16:20:37 fire1 isakmpd[18227]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.0.0.0/255.0.0.0, responder id 172.16.196.16/255.255.255.240
Apr 8 16:20:37 fire1 isakmpd[18227]: dropped message from <remotefw> port 500 due to notification type INVALID_ID_INFORMATION

I also added the NAT IP address in the ipsec.conf:
Code:
ike esp from { 172.16.196.16/28, 172.16.1.0/24, 172.29.128.96/27, 172.20.44.224/27, 172.20.43.192/27 } to 10.0.0.0/8 local <myfw_pub_ip> peer <remotefw_pub_ip> \
main auth hmac-md5 enc 3des quick auth hmac-md5 enc 3des group none psk XXXXXXXXXX
and I've tried to change modp1024 to none to fix the second error. It seems to work fine, but sometimes an error still appears:

isakmpd[27703]: message_parse_payloads: reserved field non-zero: 5
Apr 12 12:06:39 fire1 isakmpd[27703]: dropped message from <remotefw> port 500 due to notification type PAYLOAD_MALFORMED
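A cross-check of the two configurations in this thread, added here as an example (it is not code from the thread or from OpenBSD). It parses the pf.conf `match ... nat-to` rule on enc0 and the ipsec.conf `ike esp from ... to ...` flow, resolves the pf macro, and reports any NAT target network that the flow does not list on its local (`from`) side; it also reads the isakmpd `peer proposed invalid phase 2 IDs` lines and reports the ID pairs no flow covers, taking this firewall as the responder. The config and log samples are constructed from the posts above, with the public-address placeholders kept as written; the containment test is a simplified model of the check that the log line reports, not isakmpd's own code.

```python
"""Cross-check pf nat-to on enc0 against ipsec.conf flows and isakmpd phase 2 ID errors.

Added example, not code from the forum thread or from OpenBSD. Traffic that is
translated on enc0 reaches isakmpd's negotiation with the NAT network as the
local selector, so that network has to appear on the 'from' side of a flow.
Config and log samples are constructed from the thread; placeholders kept as-is.
"""
import ipaddress
import re

# pf.conf: macro definitions and 'match out on enc0 ... nat-to <target>' rules.
MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n#]*?)"?\s*$', re.M)
NAT_RE = re.compile(r"^\s*match\s+out\s+on\s+enc0\b.*?\bnat-to\s+(\S+)", re.M)
# ipsec.conf: 'ike [mode] esp from <nets> to <nets> ...' (continuation lines joined first).
FLOW_RE = re.compile(r"\bike\s+(?:\w+\s+)?esp\s+from\s+(\{[^}]*\}|\S+)\s+to\s+(\{[^}]*\}|\S+)")
# isakmpd: phase 2 ID rejection; IDs are logged as address/netmask.
ID_RE = re.compile(r"peer proposed invalid phase 2 IDs: initiator id ([^\s,]+), responder id ([^\s,]+)")

# Constructed samples, reduced from the posts above.
PF_CONF = """\
lanremote = "10.0.0.0/8"
natvpn = "172.16.196.16/28"
match out on enc0 from { 172.16.1.0/24, 172.29.128.96/27 } to $lanremote nat-to $natvpn source-hash
"""
IPSEC_CONF_BEFORE = """\
ike esp from { 172.16.1.0/24, 172.29.128.96/27, 172.20.44.224/27, 172.20.43.192/27 } to 10.0.0.0/8 \\
    local <myfw_pub_ip> peer <remotefw_pub_ip> \\
    main auth hmac-md5 enc 3des quick auth hmac-md5 enc 3des group modp1024 psk XXXXXXXXXX
"""
# The fix from post #3: the NAT network added to the local side of the flow.
IPSEC_CONF_AFTER = IPSEC_CONF_BEFORE.replace("from { ", "from { 172.16.196.16/28, ")
ISAKMPD_LOG = """\
Apr 8 16:20:37 fire1 isakmpd[18227]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 10.0.0.0/255.0.0.0, responder id 172.16.196.16/255.255.255.240
Apr 8 16:20:37 fire1 isakmpd[18227]: dropped message from <remotefw> port 500 due to notification type INVALID_ID_INFORMATION
"""


def _networks(field):
    """Turn '{ a, b }' or 'a' into ip_network objects."""
    return [ipaddress.ip_network(n, strict=False)
            for n in field.strip("{} ").replace(",", " ").split()]


def parse_flows(conf):
    """Return [(local_nets, remote_nets)] for every ike flow in an ipsec.conf text."""
    joined = conf.replace("\\\n", " ")
    return [(_networks(m.group(1)), _networks(m.group(2))) for m in FLOW_RE.finditer(joined)]


def nat_to_networks(pfconf):
    """NAT target networks of 'match out on enc0 ... nat-to' rules, with pf macros resolved."""
    macros = {k: v.strip() for k, v in MACRO_RE.findall(pfconf)}
    targets = [macros[t[1:]] if t.startswith("$") else t for t in NAT_RE.findall(pfconf)]
    return [ipaddress.ip_network(t, strict=False) for t in targets]


def parse_id_errors(log):
    """(initiator_id, responder_id) network pairs from isakmpd 'invalid phase 2 IDs' lines."""
    return [(ipaddress.ip_network(m.group(1), strict=False),
             ipaddress.ip_network(m.group(2), strict=False)) for m in ID_RE.finditer(log)]


def _covered(flows, local_net, remote_net):
    """True if one flow has a local network containing local_net and a remote one containing remote_net."""
    return any(any(local_net.subnet_of(l) for l in local_nets)
               and any(remote_net.subnet_of(r) for r in remote_nets)
               for local_nets, remote_nets in flows)


def nat_without_flow(pfconf, conf):
    """NAT target networks on enc0 that no ipsec.conf flow lists on its local ('from') side."""
    flows = parse_flows(conf)
    return [n for n in nat_to_networks(pfconf)
            if not any(n.subnet_of(l) for local_nets, _ in flows for l in local_nets)]


def uncovered_id_errors(log, conf):
    """Logged phase 2 ID rejections that no flow in conf covers.

    This firewall is the responder: 'responder id' is our selector, 'initiator id' the peer's.
    """
    flows = parse_flows(conf)
    return [(i, r) for i, r in parse_id_errors(log) if not _covered(flows, r, i)]


if __name__ == "__main__":
    for label, conf in (("before fix", IPSEC_CONF_BEFORE), ("after fix", IPSEC_CONF_AFTER)):
        print(label, "NAT networks with no flow:", [str(n) for n in nat_without_flow(PF_CONF, conf)])
        print(label, "unmatched ID rejections:",
              [(str(i), str(r)) for i, r in uncovered_id_errors(ISAKMPD_LOG, conf)])
```

Run as a script it prints both checks for the original flow and for the flow with 172.16.196.16/28 added: before the fix the NAT network and the logged ID pair are reported as uncovered, after it nothing is. The second error in the thread (the KEY_EXCH payload without a group description attribute) is a proposal mismatch rather than an ID mismatch and is not modelled here.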