DaemonForums
OpenBSD Security: Functionally paranoid!
#1, 14th October 2015
igy01 (Port Guard; Join Date: Jan 2011; Posts: 18)
iked, NAT-T and keep alive

I am testing iked on OpenBSD phobos 5.7 GENERIC#738 i386; I think there is a keep-alive problem when using NAT-T.
Configs are as follows:

Phobos LAN vr3 = 172.30.10.1/24
Phobos WAN vr0 = 13.13.14.2

Mars vr2 = 13.13.14.1
match out on vr3 inet from 13.13.14.0/24 to any nat-to 13.13.15.1
Mars vr3 = 13.13.15.1

Deimos WAN vr0 = 13.13.15.2
Deimos LAN vr3 = 172.30.20.1/24

Routing & ping without IPsec are OK, and there is no pf on Phobos & Deimos. The detailed configs are:

Quote:
phobos /etc>cat iked.conf
# $OpenBSD: iked.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
set active
ikev2 "proba1" active esp \
from 172.30.10.0/24 to 172.30.20.0/24 \
local 13.13.14.2 peer 13.13.15.2 \
psk "abcd1234"
phobos /etc>

deimos /etc>cat iked.conf
# $OpenBSD: iked.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
set passive
ikev2 "proba1" passive esp \
from 172.30.20.0/24 to 172.30.10.0/24 \
local 13.13.15.2 peer any \
psk "abcd1234"
deimos /etc>

mars /etc>cat pf_mars.conf
# $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $

set timeout { udp.first 300, udp.single 150, udp.multiple 900 }

if_admin ="vr0"
if_winxp ="vr1"
if_phobos="vr2"
if_deimos="vr3"

ip_phobos="13.13.14.1"
ip_deimos="13.13.15.1"

set reassemble yes
set block-policy return
set loginterface egress

set skip on lo
set skip on $if_admin
set skip on $if_winxp

#
# pass on phobos side (inside)
#
pass on $if_phobos all

#
# nat from phobos to deimos (outside)
#
block in log on $if_deimos all
block out log on $if_deimos all

match out on $if_deimos from 13.13.14.0/24 to any nat-to $ip_deimos
pass out on $if_deimos from any to any keep state

pass in on $if_deimos proto udp from any to any port { isakmp, ipsec-nat-t }
pass in on $if_deimos proto esp

pass on $if_deimos proto tcp from any to any port 22
pass on $ip_deimos inet proto icmp

mars /etc>

mars /etc>pfctl -sr
pass on vr2 all flags S/SA
block return in log on vr3 all
block return out log on vr3 all
match out on vr3 inet from 13.13.14.0/24 to any nat-to 13.13.15.1
pass in on vr3 proto udp from any to any port = 500
pass in on vr3 proto udp from any to any port = 4500
pass in on vr3 proto esp all
pass out on vr3 all flags S/SA
pass on vr3 proto tcp from any to any port = 22 flags S/SA
pass on 13.13.15.1 inet proto icmp all
mars /etc>
I started the iked daemons on Phobos & Deimos, and the SAD is almost immediately here:

Quote:
phobos /etc>iked
phobos /etc>
phobos /etc>
phobos /etc>ipsecctl -sa
FLOWS:
flow esp in from 172.30.20.0/24 to 172.30.10.0/24 peer 13.13.15.2 srcid FQDN/phobos dstid FQDN/deimos type use
flow esp out from 172.30.10.0/24 to 172.30.20.0/24 peer 13.13.15.2 srcid FQDN/phobos dstid FQDN/deimos type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 13.13.14.2 to 13.13.15.2 spi 0x368db98f auth hmac-sha2-256 enc aes-256
esp tunnel from 13.13.15.2 to 13.13.14.2 spi 0x9756665c auth hmac-sha2-256 enc aes-256
phobos /etc>
We can see IKE on Mars:

Quote:
mars /etc>tcpdump -ni vr3 not port ssh
tcpdump: listening on vr3, link-type EN10MB
22:04:37.795565 13.13.15.1.56019 > 13.13.15.2.500: isakmp v2.0 exchange IKE_SA_INIT
cookie: 2763677be11c7acb->0000000000000000 msgid: 00000000 len: 520
22:04:39.245045 13.13.15.2.500 > 13.13.15.1.56019: isakmp v2.0 exchange IKE_SA_INIT
cookie: 2763677be11c7acb->226fdff2dbff07a7 msgid: 00000000 len: 432
22:04:39.972229 13.13.15.1.52215 > 13.13.15.2.4500:udpencap: isakmp v2.0 exchange IKE_AUTH
cookie: 2763677be11c7acb->226fdff2dbff07a7 msgid: 00000001 len: 256
22:04:39.976740 13.13.15.2.4500 > 13.13.15.1.52215:udpencap: isakmp v2.0 exchange IKE_AUTH
cookie: 2763677be11c7acb->226fdff2dbff07a7 msgid: 00000001 len: 224

Ping from LAN1 to LAN2 is OK; the opposite direction is also OK.

Quote:
phobos /etc>ping -I 172.30.10.1 172.30.20.1
PING 172.30.20.1 (172.30.20.1): 56 data bytes
64 bytes from 172.30.20.1: icmp_seq=0 ttl=255 time=1.675 ms
64 bytes from 172.30.20.1: icmp_seq=1 ttl=255 time=1.245 ms
................
64 bytes from 172.30.20.1: icmp_seq=9 ttl=255 time=1.373 ms
64 bytes from 172.30.20.1: icmp_seq=10 ttl=255 time=1.202 ms
--- 172.30.20.1 ping statistics ---
11 packets transmitted, 11 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.189/1.272/1.675/0.139 ms
phobos /etc>

mars /etc>tcpdump -ni vr3 not port ssh
22:05:31.784391 13.13.15.1.52215 > 13.13.15.2.4500:udpencap: esp 13.13.15.1 > 13.13.15.2 spi 0x368db98f seq 2 len 136
22:05:31.785038 13.13.15.2.4500 > 13.13.15.1.52215:udpencap: esp 13.13.15.2 > 13.13.15.1 spi 0x9756665c seq 2 len 136
22:05:32.791487 13.13.15.1.52215 > 13.13.15.2.4500:udpencap: esp 13.13.15.1 > 13.13.15.2 spi 0x368db98f seq 3 len 136
................etc
pf states on Mars are:

Quote:
mars /etc>pfctl -ss
all tcp 13.13.14.1:45590 -> 13.13.14.2:22 ESTABLISHED:ESTABLISHED
all tcp 13.13.15.1:36759 -> 13.13.15.2:22 ESTABLISHED:ESTABLISHED
all udp 13.13.15.2:4500 <- 13.13.14.2:4500 MULTIPLE:MULTIPLE
all udp 13.13.15.1:52215 (13.13.14.2:4500) -> 13.13.15.2:4500 MULTIPLE:MULTIPLE
all udp 13.13.15.2:500 <- 13.13.14.2:500 SINGLE:MULTIPLE
all udp 13.13.15.1:56019 (13.13.14.2:500) -> 13.13.15.2:500 MULTIPLE:SINGLE
mars /etc>
UDP states in pf will not last very long, only 15 minutes:

Quote:
mars /etc>pfctl -ss -vv
.....
all udp 13.13.15.2:4500 <- 13.13.14.2:4500 MULTIPLE:MULTIPLE
age 00:22:07, expires in 00:14:56, 285:31 pkts, 46604:4916 bytes, rule 0

so, after 15 minutes...

mars /etc>pfctl -ss -vv
all tcp 13.13.14.1:45590 -> 13.13.14.2:22 ESTABLISHED:ESTABLISHED
[3412585257 + 17376] wscale 3 [1442684952 + 16336] wscale 3
age 00:51:11, expires in 23:35:20, 562:532 pkts, 40377:54841 bytes, rule 0
id: 561da44900000097 creatorid: 511e69a1
all tcp 13.13.15.1:36759 -> 13.13.15.2:22 ESTABLISHED:ESTABLISHED
[2703832638 + 17376] wscale 3 [2214895039 + 16152] wscale 3
age 00:50:28, expires in 23:36:56, 316:305 pkts, 23909:31881 bytes, rule 8
id: 561da44900000098 creatorid: 511e69a1
mars /etc>
and ping is no longer working:

Quote:
phobos /etc>ping -I 172.30.10.1 172.30.20.1
PING 172.30.20.1 (172.30.20.1): 56 data bytes
--- 172.30.20.1 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
phobos /etc>
tcpdump on the Mars NAT:

Quote:
mars /etc>tcpdump -ni vr3 not port ssh
tcpdump: listening on vr3, link-type EN10MB
22:35:06.368671 13.13.15.1.50017 > 13.13.15.2.4500:udpencap: esp 13.13.15.1 > 13.13.15.2 spi 0x368db98f seq 27 len 136
22:35:06.369267 13.13.15.2.4500 > 13.13.15.1.52215:udpencap: esp 13.13.15.2 > 13.13.15.1 spi 0x9756665c seq 30 len 136
22:35:06.369367 13.13.15.1 > 13.13.15.2: icmp: 13.13.15.1 udp port 52215 unreachable
22:35:07.371077 13.13.15.1.50017 > 13.13.15.2.4500:udpencap: esp 13.13.15.1 > 13.13.15.2 spi 0x368db98f seq 28 len 136
22:35:07.371546 13.13.15.2.4500 > 13.13.15.1.52215:udpencap: esp 13.13.15.2 > 13.13.15.1 spi 0x9756665c seq 31 len 136
22:35:07.371643 13.13.15.1 > 13.13.15.2: icmp: 13.13.15.1 udp port 52215 unreachable
.....
But the IPsec flows and SAD are still there:

Quote:
phobos /etc>ipsecctl -sa
FLOWS:
flow esp in from 172.30.20.0/24 to 172.30.10.0/24 peer 13.13.15.2 srcid FQDN/phobos dstid FQDN/deimos type use
flow esp out from 172.30.10.0/24 to 172.30.20.0/24 peer 13.13.15.2 srcid FQDN/phobos dstid FQDN/deimos type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 13.13.14.2 to 13.13.15.2 spi 0x368db98f auth hmac-sha2-256 enc aes-256
esp tunnel from 13.13.15.2 to 13.13.14.2 spi 0x9756665c auth hmac-sha2-256 enc aes-256
phobos /etc>
So, what is the solution? I think iked needs some kind of "keep alive", but I can't find it in the iked.conf configuration. Or do I need to send a ping from crontab every few minutes? Some other idea?

Igy
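The captures in the post above show the whole failure in three lines: after Mars' pf state for UDP 4500 expires (udp.multiple 900, i.e. 15 minutes, in its pf.conf), the next ESP-in-UDP packet from Phobos gets a fresh NAT mapping with a new source port (50017 instead of 52215), Deimos keeps answering to the old port it learned during IKE_AUTH, and Mars returns ICMP port unreachable. As an added example, not code from the thread or from OpenBSD, here is a small Python script that reads tcpdump output in exactly that format and reports the pattern. The embedded capture is constructed from the lines quoted above; the function and file names are my own.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the format of the tcpdump(8) output on Mars (the NAT box):
# one round trip while the pf state is alive, then the traffic after it expired.
SAMPLE_CAPTURE = """\
tcpdump: listening on vr3, link-type EN10MB
22:05:31.784391 13.13.15.1.52215 > 13.13.15.2.4500:udpencap: esp 13.13.15.1 > 13.13.15.2 spi 0x368db98f seq 2 len 136
22:05:31.785038 13.13.15.2.4500 > 13.13.15.1.52215:udpencap: esp 13.13.15.2 > 13.13.15.1 spi 0x9756665c seq 2 len 136
22:35:06.368671 13.13.15.1.50017 > 13.13.15.2.4500:udpencap: esp 13.13.15.1 > 13.13.15.2 spi 0x368db98f seq 27 len 136
22:35:06.369267 13.13.15.2.4500 > 13.13.15.1.52215:udpencap: esp 13.13.15.2 > 13.13.15.1 spi 0x9756665c seq 30 len 136
22:35:06.369367 13.13.15.1 > 13.13.15.2: icmp: 13.13.15.1 udp port 52215 unreachable
"""

NATT_PORT = 4500  # IKE/ESP NAT traversal port (ipsec-nat-t)

# "ts src.sport > dst.dport:udpencap: esp ... spi 0x..."
UDPENCAP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):udpencap: esp .* spi (?P<spi>0x[0-9a-f]+)"
)
# "ts src > dst: icmp: host udp port N unreachable"
UNREACH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sip>\S+) > (?P<dip>\S+): icmp: \S+ udp port (?P<port>\d+) unreachable"
)


def analyze_capture(text):
    """Return the NAT source-port history per peer pair, replies sent to a
    port that is no longer the current mapping, and the ICMP unreachable count."""
    mappings = defaultdict(list)  # (nat_ip, peer_ip) -> NAT source ports seen, in order
    stale_replies = []            # (ts, peer_ip, port replied to, current NAT port)
    unreachable = 0
    for line in text.splitlines():
        m = UDPENCAP_RE.match(line)
        if m:
            sport, dport = int(m["sport"]), int(m["dport"])
            if dport == NATT_PORT:
                # initiator -> responder as seen outside the NAT; record the translated port
                key = (m["sip"], m["dip"])
                if not mappings[key] or mappings[key][-1] != sport:
                    mappings[key].append(sport)
            elif sport == NATT_PORT:
                # responder -> initiator; compare with the mapping currently in use
                key = (m["dip"], m["sip"])
                history = mappings.get(key)
                if history and dport != history[-1]:
                    stale_replies.append((m["ts"], m["sip"], dport, history[-1]))
            continue
        if UNREACH_RE.match(line):
            unreachable += 1
    return {"mappings": dict(mappings), "stale_replies": stale_replies,
            "unreachable": unreachable}


def summarize(result):
    """Human-readable findings, one string per finding (empty list if none)."""
    lines = []
    for (nat_ip, peer), ports in result["mappings"].items():
        if len(ports) > 1:
            lines.append(f"NAT {nat_ip} -> {peer}: source port changed "
                         + " -> ".join(map(str, ports))
                         + " (pf state expired and was re-created)")
    for ts, peer, used, current in result["stale_replies"]:
        lines.append(f"{ts} {peer} still replies to port {used}, "
                     f"current mapping is {current}")
    if result["unreachable"]:
        lines.append(f"{result['unreachable']} ICMP 'udp port unreachable' message(s): "
                     "replies to the stale port are being rejected")
    return lines


if __name__ == "__main__":
    # Usage: tcpdump -ni vr3 not port ssh > cap.txt; python3 natt_check.py cap.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    findings = summarize(analyze_capture(text))
    print("\n".join(findings) if findings else "no NAT-T port mismatch found")
```

The check deliberately keys on the responder's reply port rather than on the ICMP messages alone: the first outbound packet after the state expires already shows the new mapping, so a mismatch is visible one packet before the unreachables start, which is the moment a practitioner would want to correlate with the pf state timeout.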
#2, 15th October 2015
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 4,818)

There's no keepalive, but there is the ikelifetime option, which will rekey the IKE SA. The default is to not rekey the IKE SA. There is also the lifetime option, which can set child SA rekey time (or data) limits, which default to 3 hours and 512 megabytes.

I have never used NAT Traversal; and do not know if either of these will circumvent the problem.

There are few of us here who use (or have used) IPSec. If no one else responds with a working solution, consider posting a formal bug report to the bugs@ mailing list, or an informal query to the misc@ mailing list.
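As an added example, not jggimi's text and not from the OpenBSD man pages, this is how the two options named in the reply above would be placed in the Phobos iked.conf from the first post. The values are illustrative; the option order and the time and size units follow iked.conf(5) as I know it, and whether rekeying actually refreshes the NAT mapping is exactly the open question in this thread.

```conf
# Added example (not from the thread): Phobos' active side with explicit
# IKE SA and child SA rekeying.  ikelifetime 0 (the default) means never;
# lifetime defaults to 3h and 512M, so the values below only shorten
# the child SA time limit.
set active
ikev2 "proba1" active esp \
    from 172.30.10.0/24 to 172.30.20.0/24 \
    local 13.13.14.2 peer 13.13.15.2 \
    ikelifetime 1h \
    lifetime 30m bytes 512M \
    psk "abcd1234"
```

After editing, `iked -n` checks the syntax without starting the daemon, and `ipsecctl -sa` after a rekey should show new SPIs in the SAD.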