DaemonForums
OpenBSD Security
#1 - Dr-D - 4th April 2014
OpenBSD Multiple VPN Setup

Thanks to jggimi I have a working VPN setup between my home network and a remote network. I now want to connect with another site from home and would like to know if my ipsec.conf and pf.conf files are set up correctly when I add the new VPN. My question is this: for the second VPN, do I still use "ike esp" and "enc", or do those have to be changed to something different to denote a different VPN, and change the pf.conf accordingly? Below are my ipsec.conf and pf.conf files, masked accordingly. Are they correct for the two VPNs I'd like to set up?

Thank you.

Code:
#ipsec.conf
ike esp from 192.168.69.0/24 to 199.194.199.0/24 peer B.B.B.B \
        main auth hmac-sha1 enc aes-256 group modp1536 \
        quick auth hmac-sha1 enc aes-256 \
        srcid A.A.A.A psk "password-goes-here"

ike esp from 192.168.69.0/24 to 10.0.0.0/24 peer C.C.C.C \
        main auth hmac-sha1 enc aes-256 group modp1536 \
        quick auth hmac-sha1 enc aes-256 \
        srcid A.A.A.A psk "password-goes-here"
Code:
#pf.conf
# macros
ext_if="em0"
int_if="em1"
int_net="{ 192.168.69.0/24 }"
whs="192.168.69.50"

# options
set block-policy drop
set loginterface $ext_if
set skip on {enc0, lo}

# match rules
match in all scrub (no-df)
match out on egress inet from !(egress) to any nat-to (egress:0)

# filter rules
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp to (egress) port 443 rdr-to $whs synproxy state
pass in on $ext_if inet proto udp from B.B.B.B to A.A.A.A port 500
pass in on $ext_if inet proto esp from B.B.B.B to A.A.A.A
pass in on $ext_if inet proto udp from C.C.C.C to A.A.A.A port 500
pass in on $ext_if inet proto esp from C.C.C.C to A.A.A.A
pass in log on $int_if

#2 - jggimi - 4th April 2014

This looks reasonable to me, Dr-D, assuming that the second remote gateway is capable of using the same IPSec configuration as the first. Each VPN would have its own SAs and Flows.
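As an added example (mine, not the thread's and not part of OpenBSD), the following POSIX shell script applies the point of this exchange: each additional VPN is another "ike esp" stanza with its own peer, and each such peer needs its own pair of pass rules in pf.conf, IKE on UDP 500 and ESP. It extracts the peers from an ipsec.conf, prints the pf rules they need, and reports any peer an existing pf.conf does not cover. The sample configs inside it are constructed, with RFC 5737 documentation addresses in place of the masked A.A.A.A / B.B.B.B / C.C.C.C of the post.

```shell
#!/bin/sh
# Added example, not from the thread: keep ipsec.conf and pf.conf in step.
# Every "ike esp ... peer X" stanza in ipsec.conf needs two inbound pf rules
# on the external interface, IKE on UDP 500 and ESP, from that peer to the
# gateway's own address. ipsec_peers extracts the peers, pf_rules_for_peers
# prints the rules, and check_pf_covers_peers reports peers a pf.conf misses.
# The sample configs are constructed; 192.0.2.1, 198.51.100.2 and 203.0.113.3
# are RFC 5737 documentation addresses standing in for the masked
# A.A.A.A / B.B.B.B / C.C.C.C of the post.

# Print one peer address per line from an ipsec.conf read on stdin. Lines
# ending in a backslash are joined first, so a stanza spread over several
# lines is examined as one.
ipsec_peers() {
    awk '
        /\\$/ { sub(/\\$/, ""); line = line $0; next }
        {
            line = line $0
            if (line ~ /^[ \t]*ike[ \t]/ && match(line, /peer[ \t]+[^ \t]+/)) {
                split(substr(line, RSTART, RLENGTH), f, /[ \t]+/)
                print f[2]
            }
            line = ""
        }
    '
}

# Read peers on stdin and print the pf rules for them.
#   pf_rules_for_peers <external interface> <gateway address>
pf_rules_for_peers() {
    ext_if=$1; my_addr=$2
    while read -r peer; do
        [ -n "$peer" ] || continue
        printf 'pass in on %s inet proto udp from %s to %s port 500\n' "$ext_if" "$peer" "$my_addr"
        printf 'pass in on %s inet proto esp from %s to %s\n' "$ext_if" "$peer" "$my_addr"
    done
}

# List every peer in ipsec.conf ($1) that lacks an IKE or ESP pass rule in
# pf.conf ($2). Returns 1 when anything is missing, 0 when all are covered.
check_pf_covers_peers() {
    ipsec_file=$1; pf_file=$2; missing=0
    for peer in $(ipsec_peers < "$ipsec_file"); do
        peer_re=$(printf '%s' "$peer" | sed 's/\./\\./g')   # literal dots
        if ! grep -Eq "^[[:space:]]*pass[[:space:]].*proto[[:space:]]+udp[[:space:]]+from[[:space:]]+$peer_re[[:space:]].*port[[:space:]]+500" "$pf_file"; then
            echo "missing: IKE (udp 500) pass rule for peer $peer"
            missing=1
        fi
        if ! grep -Eq "^[[:space:]]*pass[[:space:]].*proto[[:space:]]+esp[[:space:]]+from[[:space:]]+$peer_re([[:space:]]|\$)" "$pf_file"; then
            echo "missing: ESP pass rule for peer $peer"
            missing=1
        fi
    done
    return $missing
}

# --- constructed sample input -------------------------------------------
demo_dir=$(mktemp -d)
cat > "$demo_dir/ipsec.conf" <<'EOF'
ike esp from 192.168.69.0/24 to 192.168.70.0/24 peer 198.51.100.2 \
        main auth hmac-sha1 enc aes-256 group modp1536 \
        quick auth hmac-sha1 enc aes-256 \
        srcid 192.0.2.1 psk "password-goes-here"

ike esp from 192.168.69.0/24 to 10.0.0.0/24 peer 203.0.113.3 \
        main auth hmac-sha1 enc aes-256 group modp1536 \
        quick auth hmac-sha1 enc aes-256 \
        srcid 192.0.2.1 psk "password-goes-here"
EOF
# A pf.conf that only knows the first peer, so the check flags the second.
cat > "$demo_dir/pf.conf" <<'EOF'
ext_if="em0"
pass in on $ext_if inet proto udp from 198.51.100.2 to 192.0.2.1 port 500
pass in on $ext_if inet proto esp from 198.51.100.2 to 192.0.2.1
EOF

echo "rules pf.conf should carry for the peers in ipsec.conf:"
ipsec_peers < "$demo_dir/ipsec.conf" | pf_rules_for_peers '$ext_if' 192.0.2.1
check_pf_covers_peers "$demo_dir/ipsec.conf" "$demo_dir/pf.conf" \
    || echo "pf.conf does not cover every IKE peer"
```

After sourcing the script on the gateway, `check_pf_covers_peers /etc/ipsec.conf /etc/pf.conf` runs the same check against the live files. It only looks for the two outer rules isakmpd needs per peer; it says nothing about rules for the decrypted traffic, which the posted pf.conf leaves unfiltered through `set skip on {enc0, lo}`.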

#3 - Dr-D - 4th April 2014

Both remote sites have identical routers, Cisco RV042, which can have up to 50 VPNs, but I can't seem to get the second VPN to connect to my home OpenBSD box.

Network A: My OpenBSD Router
Network B: Cisco RV042
Network C: Cisco RV042

Working VPN between A&B, and B&C but no go for A&C.

I restarted my firewall after adding the entries for A&C. Do I need to reboot for the changes to take effect in ipsec.conf, or is there a way to restart that? After editing ipsec.conf I ran this and got this output, but A&C won't connect.
Code:
# isakmpd -K
# ipsecctl -f /etc/ipsec.conf
ipsecctl: ike_ipsec_establish: open(/var/run/isakmpd.fifo): No such file or directory
So my question is do I need to reboot my OpenBSD router or have some other way to have the ipsec.conf changes recognized for the added VPN?

#4 - jggimi - 5th April 2014

The error message is telling you that isakmpd is not running. The .fifo file is a command channel.

Check for isakmpd error messages in /var/log/daemon. You can add the -v option to produce more detailed output, and if you want you can run it with -d so that it does not daemonize, and produces its output in the shell.

#5 - Dr-D - 5th April 2014

It's working now; a reboot fixed it. The VPN to both sites is active now. I thought there would be a way to have the edited ipsec.conf file reread after adding a new network without having to reboot.

#6 - jggimi - 5th April 2014

There may be. You can flush (-F) the configuration before reloading it. However, I found better stability by restarting isakmpd before reloading the configuration.

I recommend you use rc.d(8) to restart services such as isakmpd. Upon successful restart, you can then issue a reload of the configuration.
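As an added example (not from the thread, and not an OpenBSD tool), here is the restart-then-reload sequence from the two replies above as a small POSIX shell script: parse ipsec.conf without loading it, restart isakmpd through rc.d(8), confirm its control fifo exists (the file the ipsecctl error in post #3 could not open), then flush and reload. The `$RUN` prefix and the path variables are this script's own assumptions, there so the steps can be previewed with `RUN=echo` before running them as root on the gateway.

```shell
#!/bin/sh
# Added example, not from the thread and not an OpenBSD tool: the
# restart-then-reload sequence jggimi describes, wrapped with the check that
# the error message in the thread calls for. Every privileged command is
# prefixed with $RUN so the function can be dry-run (RUN=echo) or exercised
# off-box (RUN=:); that indirection is this script's convention, nothing more.

RUN=${RUN:-}
IPSEC_CONF=${IPSEC_CONF:-/etc/ipsec.conf}
ISAKMPD_FIFO=${ISAKMPD_FIFO:-/var/run/isakmpd.fifo}
RC_ISAKMPD=${RC_ISAKMPD:-/etc/rc.d/isakmpd}

# isakmpd_running: isakmpd creates its command fifo at start-up; ipsecctl
# fails with "open(...isakmpd.fifo): No such file or directory" when it is
# absent, which is the symptom seen in post #3.
isakmpd_running() {
    [ -p "$ISAKMPD_FIFO" ]
}

# reload_ipsec: parse, restart, flush, load. Stops at the first failing step
# and returns a distinct code for each so the caller can tell them apart.
reload_ipsec() {
    # 1. -n parses the file without loading anything, so a typo is caught
    #    before the running SAs are touched.
    $RUN ipsecctl -n -f "$IPSEC_CONF" \
        || { echo "$IPSEC_CONF does not parse; nothing changed" >&2; return 2; }

    # 2. Restart isakmpd via rc.d(8), then confirm the control fifo exists.
    $RUN "$RC_ISAKMPD" restart \
        || { echo "rc.d restart of isakmpd failed; see /var/log/daemon" >&2; return 3; }
    isakmpd_running \
        || { echo "isakmpd not running ($ISAKMPD_FIFO missing); see /var/log/daemon" >&2; return 3; }

    # 3. Flush whatever a previous load left behind, then load the new file.
    $RUN ipsecctl -F || { echo "flush failed" >&2; return 4; }
    $RUN ipsecctl -f "$IPSEC_CONF" || { echo "load failed" >&2; return 5; }
    echo "$IPSEC_CONF reloaded" >&2
}

# Run directly as root on the gateway:   sh reload_ipsec.sh run
# Preview the commands first:            RUN=echo sh reload_ipsec.sh run
case ${1:-} in run) reload_ipsec ;; esac
```

The parse-first step is the part worth keeping even if the rest is done by hand: `ipsecctl -n -f` reports a syntax error without touching the loaded SAs, so a typo in a new stanza does not take down the VPN that already works.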

#7 - Oko - 5th April 2014

You probably could run the script which would restart the network, but a reboot is cleaner and recommended after a significant network change.

#8 - jggimi - 5th April 2014

Oko, if you are referring to netstart(8), I don't believe either isakmpd or ipsecctl are within its scope.

Last edited by jggimi; 5th April 2014 at 02:56 AM. Reason: typo

#9 - Dr-D - 7th April 2014

Well, I've Googled myself to death but can't seem to solve this one. The two VPNs I set up won't allow me to share PC or server resources. I can ping, connect, install and print to all the remote IP printers, and I can ping and log in to all the remote network gear (routers & WAPs), but I can't ping or connect to servers and PCs. The servers and PCs are all Windows: Windows 7 on the PCs and Windows Server on the servers.

Network A: OpenBSD Router
Network B: Cisco RV042 Router
Network C: Cisco RV042 Router

The VPN between B&C has full access to each other's resources, but between A&B and A&C there is no access to servers and PCs. It would appear the problem lies somewhere in my OpenBSD box, but I can't figure it out. Can anyone point me in the right direction as to what I'm doing wrong?

J65nko - 7th April 2014

My approach would be to use tcpdump(8) on the OpenBSD box in verbose mode. That will display a lot of information about the VPN packets, which encryption methods are available and which one is actually chosen.

In case it would be a routing issue, you also will be able to see which side does not send a reply.

With a default policy of block log all and/or enabling logging of the rules allowing the VPN traffic you could watch the pflog device with tcpdump to make sure the firewall ruleset is not dropping VPN packets.

By wiretapping with tcpdump(8) you also can verify whether DNS is working within the VPN (in case you are using that).
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

jggimi - 7th April 2014

I'm going to take a wild guess that IP forwarding may not be enabled, since the symptom could indicate that, and forwarding is disabled by default. See FAQ 6.2.7.

Once that's confirmed, follow J65nko's advice regarding testing PF rules. You may need to deploy pass rules in pf.conf for the traffic you wish to enable. You're passing ESP packets for the VPN and UDP for key management, but not passing any underlying traffic between the interconnected networks. That may be the reason for the communication failure.

Last edited by jggimi; 7th April 2014 at 10:56 AM. Reason: typo, clarity
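As an added example (not from the thread), the two checks from J65nko's and jggimi's replies as shell functions that work on captured text rather than on the live system: one reads the sysctl(8) line for net.inet.ip.forwarding, the other reads `tcpdump -n -e -ttt -i pflog0` output and lists blocked packets that involve a given IKE peer, tagged as IKE, ESP or other. The capture in the script is constructed in the shape of that tcpdump output, with RFC 5737 documentation addresses in place of real ones.

```shell
#!/bin/sh
# Added example, not from the thread: two of the checks the replies above
# call for, as shell functions that work on captured text so they can be
# tried off-box. forwarding_enabled reads the sysctl(8) line for
# net.inet.ip.forwarding; pflog_blocked_vpn/pflog_vpn_summary read
# `tcpdump -n -e -ttt -i pflog0` output and report blocked packets that
# involve the IKE peers. PFLOG_SAMPLE is constructed in the shape of that
# output; 192.0.2.1 (gateway), 203.0.113.3 (peer) and 198.51.100.9 are
# RFC 5737 documentation addresses, not real hosts.

# forwarding_enabled "net.inet.ip.forwarding=N": true only for N=1.
# Live use:  forwarding_enabled "$(sysctl net.inet.ip.forwarding)" || echo off
forwarding_enabled() {
    case $1 in
        net.inet.ip.forwarding=1) return 0 ;;
        *)                        return 1 ;;
    esac
}

# pflog_blocked_vpn PEER...: read pflog lines on stdin, keep "block" actions
# whose source or destination is one of PEER..., and print one line per
# packet as "<kind> <src> <dst>" with kind = ike (UDP 500), esp or other.
pflog_blocked_vpn() {
    awk -v peers="$*" '
        BEGIN { n = split(peers, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        / block (in|out) on / {
            # tcpdump prints "src > dst:" after the interface; ports, when
            # present, are a fifth dotted component (e.g. 203.0.113.3.500)
            if (!match($0, /[0-9.]+ > [0-9.]+:/)) next
            split(substr($0, RSTART, RLENGTH - 1), h, / > /)
            src = h[1]; dst = h[2]
            sa = host(src); da = host(dst)
            if (!(sa in want) && !(da in want)) next
            kind = "other"
            if ($0 ~ / esp /) kind = "esp"
            else if ($0 ~ /isakmp/ || src ~ /\.500$/ || dst ~ /\.500$/) kind = "ike"
            print kind, sa, da
        }
        # strip a trailing port from a dotted-quad.port form
        function host(a,   q, n) {
            n = split(a, q, /\./)
            if (n == 5) return q[1] "." q[2] "." q[3] "." q[4]
            return a
        }
    '
}

# pflog_vpn_summary PEER...: count blocked packets per kind, sorted by kind.
pflog_vpn_summary() {
    pflog_blocked_vpn "$@" | awk '{ c[$1]++ } END { for (k in c) print k, c[k] }' | sort
}

# --- constructed sample capture -------------------------------------------
PFLOG_SAMPLE=$(cat <<'EOF'
Apr 07 10:12:33.110021 rule 0/(match) block in on em0: 203.0.113.3.500 > 192.0.2.1.500: isakmp v1.0 exchange ID_PROT
Apr 07 10:12:34.220118 rule 0/(match) block in on em0: 203.0.113.3 > 192.0.2.1: esp spi 0x0a1b2c3d seq 17 len 132
Apr 07 10:12:35.004412 rule 0/(match) block in on em0: 198.51.100.9.41372 > 192.0.2.1.22: S 1186712123:1186712123(0) win 65535
Apr 07 10:12:36.330009 rule 7/(match) pass in on em1: 192.168.69.20 > 10.0.0.15: icmp: echo request
EOF
)

echo "blocked packets involving peer 203.0.113.3:"
printf '%s\n' "$PFLOG_SAMPLE" | pflog_vpn_summary 203.0.113.3
```

On the gateway, feed the functions live data: `forwarding_enabled "$(sysctl net.inet.ip.forwarding)"` for the FAQ 6.2.7 check, and `tcpdump -n -e -ttt -r /var/log/pflog | pflog_blocked_vpn C.C.C.C` to read what pflogd has already recorded. Blocked `ike` or `esp` lines mean the outer pass rules are not matching; no blocks at all with forwarding off points at the sysctl rather than at pf.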