DaemonForums, OpenBSD Security forum ("Functionally paranoid!")

Some help with IPSEC / VPN

#1  8th November 2013
Daffy (Fdisk Soldier)
Join Date: Jun 2010
Posts: 73
Hi @ all,
Currently I'm trying to set up a server (OpenBSD) that will act as a VPN for road warriors, and all users with access will be on the same subnet.

The final thought is to use it like:

{road warrior} ---> {OpenBSD vpn} ---> {internet}

A friend and I decided to use IPSEC for this, but we're having some difficulties (using OpenBSD on both server and client).

So far, the keys are in the right place, negotiation between machines seems ok, we can see flows using `ipsecctl -s all` but the problem is that we cannot understand how to route the traffic. We tried with gif(4) but that did not work.

edit: I searched as much as I could here and in the mailing lists, but I could not find anything helpful...

I know we are missing many things. Can someone provide info/help in this?


Here are the files we're using so far:

ipsec.conf (server-side)
========================
Code:
# responder: wait for the client to initiate the exchange
local_ip="<SERVER-IP>"
remote_ip="<CLIENT-IP>"
ike passive esp from $local_ip to $remote_ip srcid $local_ip

ipsec.conf (client-side)
========================
Code:
# initiator: peer defaults to the destination, given explicitly here
local_ip="<CLIENT-IP>"
remote_ip="<SERVER-IP>"
ike esp from $local_ip to $remote_ip peer $remote_ip srcid $local_ip

ipsecctl -s all output
======================
Code:
% sudo ipsecctl -s all
FLOWS:
flow esp in from <SERVER-IP> to <CLIENT-DYNAMIC-IP> peer <SERVER-IP> srcid <CLIENT-IP> dstid <SERVER-IP>/32 type use
flow esp out from <CLIENT-DYNAMIC-IP> to <SERVER-IP> peer <SERVER-IP> srcid <CLIENT-IP> dstid <SERVER-IP>/32 type require
SAD:
esp tunnel from <SERVER-IP> to 192.168.1.67 spi 0xad51f50c auth hmac-sha2-256 enc aes
esp tunnel from 192.168.1.67 to <SERVER-IP> spi 0xb2b7d945 auth hmac-sha2-256 enc aes

isakmpd output
==============
Code:
% sudo isakmpd -K -DA=20 -d
183306.143594 Default log_debug_cmd: log level changed from 0 to 20 for class 0 [priv]
183306.149267 Default log_debug_cmd: log level changed from 0 to 20 for class 1 [priv]
183306.149309 Default log_debug_cmd: log level changed from 0 to 20 for class 2 [priv]
183306.149339 Default log_debug_cmd: log level changed from 0 to 20 for class 3 [priv]
183306.149368 Default log_debug_cmd: log level changed from 0 to 20 for class 4 [priv]
183306.149397 Default log_debug_cmd: log level changed from 0 to 20 for class 5 [priv]
183306.149426 Default log_debug_cmd: log level changed from 0 to 20 for class 6 [priv]
183306.149455 Default log_debug_cmd: log level changed from 0 to 20 for class 7 [priv]
183306.149484 Default log_debug_cmd: log level changed from 0 to 20 for class 8 [priv]
183306.149512 Default log_debug_cmd: log level changed from 0 to 20 for class 9 [priv]
183306.149541 Default log_debug_cmd: log level changed from 0 to 20 for class 10 [priv]
183306.149702 Default isakmpd: starting [priv]
183306.161120 Misc 10 monitor_init: privileges dropped for child process
183306.886844 Misc 20 udp_make: transport 0x87d5a380 socket 8 ip ::1 port 500
183306.951063 Misc 20 udp_encap_make: transport 0x87d5ab40 socket 9 ip ::1 port 4500
183307.021939 Misc 20 udp_make: transport 0x87d5a780 socket 10 ip fe80:4::1 port 500
183307.072943 Misc 20 udp_encap_make: transport 0x87d5a200 socket 11 ip fe80:4::1 port 4500
183307.149134 Misc 20 udp_make: transport 0x87d5a600 socket 12 ip 127.0.0.1 port 500
183307.227445 Misc 20 udp_encap_make: transport 0x87d5af00 socket 13 ip 127.0.0.1 port 4500
183307.247319 Misc 20 udp_make: transport 0x87d5a140 socket 14 ip fe80:1::216:d3ff:fe22:135a port 500
183307.252287 Misc 20 udp_encap_make: transport 0x87d5a980 socket 15 ip fe80:1::216:d3ff:fe22:135a port 4500
183307.257331 Misc 20 udp_make: transport 0x87d5a400 socket 16 ip 192.168.1.67 port 500
183307.262257 Misc 20 udp_encap_make: transport 0x87d5a880 socket 17 ip 192.168.1.67 port 4500
183307.267242 Misc 20 udp_make: transport 0x87d5a280 socket 18 ip 0.0.0.0 port 500
183307.272126 Misc 20 udp_encap_make: transport 0x87d5aa80 socket 19 ip 0.0.0.0 port 4500
183307.276985 Misc 20 udp_make: transport 0x87d5a340 socket 20 ip :: port 500
183307.281807 Misc 20 udp_encap_make: transport 0x87d5a240 socket 21 ip :: port 4500
183313.382478 Timr 10 timer_add_event: event ui_conn_reinit(0x0) added last, expiration in 5s
183318.393775 Timr 10 timer_handle_expirations: event ui_conn_reinit(0x0)
183318.408824 Timr 10 timer_add_event: event connection_checker(0x8aa74130) added last, expiration in 0s
183318.409190 Timr 10 timer_handle_expirations: event connection_checker(0x8aa74130)
183318.409305 Timr 10 timer_add_event: event connection_checker(0x8aa74130) added last, expiration in 60s
183318.516283 Timr 10 timer_add_event: event exchange_free_aux(0x821abc00) added last, expiration in 120s
183318.531242 Exch 10 exchange_establish_p1: 0x821abc00 peer-<SERVER-IP> phase1-peer-<SERVER-IP> policy initiator phase 1 doi 1 exchange 2 step 0
183318.531288 Exch 10 exchange_establish_p1: icookie 72190358955f13f4 rcookie 0000000000000000
183318.531316 Exch 10 exchange_establish_p1: msgid 00000000
183318.532539 Timr 10 timer_add_event: event message_send_expire(0x844f6f80) added before connection_checker(0x8aa74130), expiration in 7s
183318.806179 Mesg 20 message_free: freeing 0x844f6f80
183318.821845 Timr 10 timer_remove_event: removing event message_send_expire(0x844f6f80)
183318.822040 Exch 10 check_vendor_openbsd: OpenBSD (OpenBSD-5.2)
183318.822077 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected
183318.822107 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected
183318.822136 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected
183318.822165 Exch 10 dpd_check_vendor_payload: DPD capable peer detected
183318.822354 Negt 20 ike_phase_1_validate_prop: success
183318.822387 Misc 20 ipsec_decode_transform: transform 0 chosen
183318.880570 Timr 10 timer_add_event: event message_send_expire(0x844f6480) added before connection_checker(0x8aa74130), expiration in 7s
183319.164728 Mesg 20 message_free: freeing 0x844f6480
183319.179418 Timr 10 timer_remove_event: removing event message_send_expire(0x844f6480)
183319.179532 Exch 10 nat_t_exchange_check_nat_d: NAT detected, we're behind it
183319.212456 Mesg 20 message_free: freeing 0x844f6d80
183319.230776 Misc 10 rsa_sig_encode_hash: no certificate to send for id fqdn/<CLIENT-IP>
183319.309831 Mesg 10 virtual_send_message: enabling NAT-T encapsulation for this exchange
183319.312848 Timr 10 timer_add_event: event message_send_expire(0x844f6200) added before connection_checker(0x8aa74130), expiration in 7s
183319.601107 Mesg 20 message_free: freeing 0x844f6200
183319.616008 Timr 10 timer_remove_event: removing event message_send_expire(0x844f6200)
183319.652218 Mesg 20 message_free: freeing 0x844f6e00
183319.652693 Exch 10 exchange_finalize: 0x821abc00 peer-<SERVER-IP> phase1-peer-<SERVER-IP> policy initiator phase 1 doi 1 exchange 2 step 5
183319.653319 Exch 10 exchange_finalize: icookie 72190358955f13f4 rcookie 07d97cb69dcd70fd
183319.653798 Exch 10 exchange_finalize: msgid 00000000
183319.654213 Exch 10 exchange_finalize: phase 1 done: initiator id <CLIENT-IP>, responder id <SERVER-IP>, src: 192.168.1.67 dst: <SERVER-IP>
183319.654821 Timr 10 timer_add_event: event sa_soft_expire(0x821ab800) added last, expiration in 3247s
183319.655337 Timr 10 timer_add_event: event sa_hard_expire(0x821ab800) added last, expiration in 3600s
183319.655810 Timr 10 timer_add_event: event nat_t_send_keepalive(0x821ab800) added before connection_checker(0x8aa74130), expiration in 20s
183319.656422 Exch 20 exchange_establish_finalize: finalizing exchange 0x821abc00 with arg 0x87d5a840 (from-<CLIENT-DYNAMIC-IP>-to-<SERVER-IP>) & fail = 0
183319.657164 Timr 10 timer_add_event: event exchange_free_aux(0x821aba00) added before sa_soft_expire(0x821ab800), expiration in 120s
183319.657752 Exch 10 exchange_establish_p2: 0x821aba00 from-<CLIENT-DYNAMIC-IP>-to-<SERVER-IP> phase2-from-<CLIENT-DYNAMIC-IP>-to-<SERVER-IP> policy initiator phase 2 doi 1 exchange 32 step 0
183319.658580 Exch 10 exchange_establish_p2: icookie 72190358955f13f4 rcookie 07d97cb69dcd70fd
183319.659002 Exch 10 exchange_establish_p2: msgid 0c1e6e18 sa_list
183319.686444 Timr 10 timer_remove_event: removing event exchange_free_aux(0x821abc00)
183319.692029 Mesg 20 message_free: freeing 0x844f6d80
183319.692396 Mesg 10 virtual_send_message: enabling NAT-T encapsulation for this exchange
183319.692901 Timr 10 timer_add_event: event message_send_expire(0x844f6900) added before nat_t_send_keepalive(0x821ab800), expiration in 7s
183319.977351 Mesg 20 message_free: freeing 0x844f6900
183319.992009 Timr 10 timer_remove_event: removing event message_send_expire(0x844f6900)
183319.998947 Misc 20 ipsec_decode_transform: transform 1 chosen
183320.005949 Mesg 10 virtual_send_message: enabling NAT-T encapsulation for this exchange
183320.061534 Exch 10 exchange_finalize: 0x821aba00 from-<CLIENT-DYNAMIC-IP>-to-<SERVER-IP> phase2-from-<CLIENT-DYNAMIC-IP>-to-<SERVER-IP> policy initiator phase 2 doi 1 exchange 32 step 3
183320.064011 Exch 10 exchange_finalize: icookie 72190358955f13f4 rcookie 07d97cb69dcd70fd
183320.064541 Exch 10 exchange_finalize: msgid 0c1e6e18 sa_list 0x821ab900
183320.065140 Sdep 10 pf_key_v2_set_spi: satype 2 dst <SERVER-IP> SPI 0x88d28ac2
183320.065556 Timr 10 timer_add_event: event sa_soft_expire(0x821ab900) added before sa_soft_expire(0x821ab800), expiration in 1108s
183320.066105 Timr 10 timer_add_event: event sa_hard_expire(0x821ab900) added before sa_soft_expire(0x821ab800), expiration in 1200s
183320.067014 Sdep 10 pf_key_v2_set_spi: satype 2 dst 192.168.1.67 SPI 0xd351f41
183339.664102 Timr 10 timer_handle_expirations: event nat_t_send_keepalive(0x821ab800)
183339.666498 Timr 10 timer_add_event: event nat_t_send_keepalive(0x821ab800) added before connection_checker(0x8aa74130), expiration in 20s
Thanks and sorry for the long post.
#2  9th November 2013
jggimi (More noise than signal)
Join Date: May 2008
Location: USA
Posts: 3,432

As you described your goal, it appeared to me that you wished to have someone at any external IP address establish a tunnel to a local address, then use that local address as an initiation for further communication outbound. That's not the picture you drew, nor does it match the configuration files and output that you shared with us.

Did I understand what you wanted to accomplish? If so, IPSec alone won't provide that. You will need to establish tunnels within an IPSec flow, and gif(4) would be one likely candidate. The gif(4) man page has an example of this using bridge(4) and the etherip protocol.

The reason you need additional tunnels is because IPSec uses flows to determine whether to apply IPSec to a packet, and Security Associations (SAs) to determine the various IPSec options to apply to a packet within a flow. By itself, it doesn't provide for the "local virtual IP address for a road warrior" that you apparently need.
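As an added example, not code from the thread, from either poster, or from OpenBSD's own documentation: the gif-over-IPsec arrangement jggimi describes, written out as the server-side and client-side configuration files a road-warrior setup would need. The gif(4) tunnel gives the client a fixed inner address (10.10.0.2) that the server can route and NAT; a transport-mode IPsec flow on IP protocol 4 ("ipencap" in /etc/protocols) protects the gif packets themselves. All addresses (203.0.113.1, 198.51.100.7, 10.10.0.0/30), the interface names and the pf rules are hypothetical placeholders. The example assumes the client has a fixed, directly reachable public address, unlike the NAT'd client in the posted isakmpd log, and keeps the thread's RSA-key authentication and srcid settings unchanged. Run it with a directory argument to write the files under server/ and client/, or without one to print them.

```shell
#!/bin/sh
# Added example, not from the thread: generates the configuration for running
# a gif(4) IPv4-in-IPv4 tunnel inside a transport-mode IPsec flow on OpenBSD.
# Every address and interface name here is a hypothetical placeholder, and the
# client is assumed to be directly reachable (no NAT between the peers).
set -eu

SERVER_PUB=${SERVER_PUB:-203.0.113.1}     # VPN server's public address
CLIENT_PUB=${CLIENT_PUB:-198.51.100.7}    # road warrior's public address
SERVER_INNER=10.10.0.1                    # inner point-to-point addresses
CLIENT_INNER=10.10.0.2
TUNNEL_NET=10.10.0.0/30

# /etc/ipsec.conf on the server. Transport mode is sufficient: gif already
# supplies the outer IP header, IPsec only has to protect that packet.
# Authentication (RSA keys under /etc/isakmpd) and srcid stay as in the thread.
server_ipsec_conf() {
  cat <<EOF
server="$SERVER_PUB"
client="$CLIENT_PUB"
ike passive esp transport proto ipencap from \$server to \$client srcid \$server
EOF
}

# /etc/ipsec.conf on the client: the mirror image, actively initiating.
client_ipsec_conf() {
  cat <<EOF
server="$SERVER_PUB"
client="$CLIENT_PUB"
ike esp transport proto ipencap from \$client to \$server peer \$server srcid \$client
EOF
}

# /etc/hostname.gif0 on the server: outer endpoints are the public addresses,
# inner endpoints are the point-to-point pair the road warrior will use.
server_gif_conf() {
  cat <<EOF
tunnel $SERVER_PUB $CLIENT_PUB
inet $SERVER_INNER 255.255.255.255 $CLIENT_INNER
EOF
}

# /etc/hostname.gif0 on the client. The default route is changed after boot
# (see the usage note), not from this file.
client_gif_conf() {
  cat <<EOF
tunnel $CLIENT_PUB $SERVER_PUB
inet $CLIENT_INNER 255.255.255.255 $SERVER_INNER
EOF
}

# pf.conf fragment for the server: admit IKE (udp 500/4500) and ESP from the
# client, pass the decapsulated gif traffic, and NAT the inner network out.
# Needs net.inet.ip.forwarding=1 in /etc/sysctl.conf.
server_pf_conf() {
  cat <<EOF
client="$CLIENT_PUB"
tunnel_net="$TUNNEL_NET"
pass in on egress proto udp from \$client to (egress) port { 500, 4500 }
pass in on egress proto esp from \$client to (egress)
pass on enc0 proto ipencap
pass on gif0
match out on egress from \$tunnel_net to any nat-to (egress)
EOF
}

# Write the files into DIR/server and DIR/client, or print them if no DIR.
write_configs() {
  dir=$1
  mkdir -p "$dir/server" "$dir/client"
  server_ipsec_conf >"$dir/server/ipsec.conf"
  server_gif_conf   >"$dir/server/hostname.gif0"
  server_pf_conf    >"$dir/server/pf.conf.fragment"
  client_ipsec_conf >"$dir/client/ipsec.conf"
  client_gif_conf   >"$dir/client/hostname.gif0"
}

out=${1:-}
if [ -n "$out" ]; then
  write_configs "$out"
else
  for f in server_ipsec_conf client_ipsec_conf server_gif_conf \
           client_gif_conf server_pf_conf; do
    echo "# --- $f ---"
    $f
  done
fi
```

On the client, once gif0 is up, the outer tunnel packets must keep leaving through the real gateway while everything else goes through the tunnel: `route add -host 203.0.113.1 <original gateway>` followed by `route change default 10.10.0.1`. To check the result, `ipsecctl -s flow` on either side should list the flow with `proto ipencap` between the two public addresses, `ifconfig gif0` should show the inner addresses, and a ping to 10.10.0.1 from the client should produce ESP (or UDP 4500) packets on the wire rather than plain IP-in-IP.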
Tags: ipsec, openbsd, vpn

Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick