#1  SimpL, 4th February 2021
help with OpenBSD 6.8 and IPsec site-to-site connection

Hi all,

Fair warning: total newbie to IPsec here!
I would like to establish a connection to a client of ours that has an IPsec server. This would be a site-to-site connection.
They sent me the data regarding the IPsec settings:
Address:
A.B.C.D
PSK: SECRET!!!
DPD 5
DPD 20
PH1:
AES256-SHA256
AES256-SHA1
DH Group: 5 14
Key Lifetime: x
PH2:
AES256-SHA256
AES256-SHA1
DH Group: 5 14
Key Lifetime: y

I searched the net for an IPsec-specific site-to-site connection but I'm a bit stumped now.
I found a post here on DaemonForums:
http://daemonforums.org/showthread.p...ighlight=ipsec
and used the following manuals:
https://community.broadcom.com/syman...brarydocuments
(no keys only psk so partial)
https://man.openbsd.org/ipsec.conf.5#CRYPTO_TRANSFORMS
https://www.openbsd.org/faq/faq17.html#site2site (Connecting to an IKEv1/L2TP VPN part... should I use site-to-site? I don't have keys, only a PSK)
If anyone can provide a more recent description I would very much appreciate it.
As far as I could tell:

AES256-SHA256 = hmac-sha2-256
AES256-SHA1 = aes-256
DH Group: 5 14 = modp2048 (or modp1536)

I'm not sure about the above at all!!!! So maybe this is the problem?

ipsec.conf on client:
-----------
ike esp transport from egress to A.B.C.D \
main auth "hmac-sha2-256" enc "aes-256" group modp2048 \
quick auth "hmac-sha2-256" enc "aes-256" group modp2048 \
psk "SECRET!!!"
-----------
# ipsecctl -f /etc/ipsec.conf
----not installed for reasons....-------
# pkg_add xl2tpd
Can't find xl2tpd
-----------

# ipsecctl -vnf /etc/ipsec.conf
C set [Phase 1]:A.B.C.D=peer-A.B.C.D force
C set [peer-A.B.C.D]:Phase=1 force
C set [peer-A.B.C.D]:Address=A.B.C.D force
C set [peer-A.B.C.D]:Authentication=SECRET!!! force
C set [peer-A.B.C.D]:Configuration=phase1-peer-A.B.C.D force
C set [phase1-peer-A.B.C.D]:EXCHANGE_TYPE=ID_PROT force
C add [phase1-peer-A.B.C.D]:Transforms=phase1-transform-peer-A.B.C.D-PRE_SHARED-SHA2_256-AES256-MODP_2048 force
C set [phase1-transform-peer-A.B.C.D-PRE_SHARED-SHA2_256-AES256-MODP_2048]:AUTHENTICATION_METHOD=PRE_SHARED force
C set [phase1-transform-peer-A.B.C.D-PRE_SHARED-SHA2_256-AES256-MODP_2048]:HASH_ALGORITHM=SHA2_256 force
C set [phase1-transform-peer-A.B.C.D-PRE_SHARED-SHA2_256-AES256-MODP_2048]:ENCRYPTION_ALGORITHM=AES_CBC force
C set [phase1-transform-peer-A.B.C.D-PRE_SHARED-SHA2_256-AES256-MODP_2048]:KEY_LENGTH=256,256:256 force
C set [phase1-transform-peer-A.B.C.D-PRE_SHARED-SHA2_256-AES256-MODP_2048]:GROUP_DESCRIPTION=MODP_2048 force
C set [phase1-transform-peer-A.B.C.D-PRE_SHARED-SHA2_256-AES256-MODP_2048]:Life=LIFE_MAIN_MODE force
C set [from-em0-to-A.B.C.D]:Phase=2 force
C set [from-em0-to-A.B.C.D]:ISAKMP-peer=peer-A.B.C.D force
C set [from-em0-to-A.B.C.D]:Configuration=phase2-from-em0-to-A.B.C.D force
C set [from-em0-to-A.B.C.D]:Local-ID=from-em0 force
C set [from-em0-to-A.B.C.D]:Remote-ID=to-A.B.C.D force
C set [phase2-from-em0-to-A.B.C.D]:EXCHANGE_TYPE=QUICK_MODE force
C set [phase2-from-em0-to-A.B.C.D]:Suites=phase2-suite-from-em0-to-A.B.C.D force
C set [phase2-suite-from-em0-to-A.B.C.D]:Protocols=phase2-protocol-from-em0-to-A.B.C.D force
C set [phase2-protocol-from-em0-to-A.B.C.D]:PROTOCOL_ID=IPSEC_ESP force
C set [phase2-protocol-from-em0-to-A.B.C.D]:Transforms=phase2-transform-from-em0-to-A.B.C.D-AES256-SHA2_256-MODP_2048-TRANSPORT force
C set [phase2-transform-from-em0-to-A.B.C.D-AES256-SHA2_256-MODP_2048-TRANSPORT]:TRANSFORM_ID=AES force
C set [phase2-transform-from-em0-to-A.B.C.D-AES256-SHA2_256-MODP_2048-TRANSPORT]:KEY_LENGTH=256,256:256 force
C set [phase2-transform-from-em0-to-A.B.C.D-AES256-SHA2_256-MODP_2048-TRANSPORT]:ENCAPSULATION_MODE=TRANSPORT force
C set [phase2-transform-from-em0-to-A.B.C.D-AES256-SHA2_256-MODP_2048-TRANSPORT]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
C set [phase2-transform-from-em0-to-A.B.C.D-AES256-SHA2_256-MODP_2048-TRANSPORT]:GROUP_DESCRIPTION=MODP_2048 force
C set [phase2-transform-from-em0-to-A.B.C.D-AES256-SHA2_256-MODP_2048-TRANSPORT]:Life=LIFE_QUICK_MODE force
C set [from-em0]:ID-type=IPV4_ADDR force
C set [from-em0]:Address=em0 force
C set [to-A.B.C.D]:ID-type=IPV4_ADDR force
C set [to-A.B.C.D]:Address=A.B.C.D force
C add [Phase 2]:Connections=from-em0-to-A.B.C.D
----------OK above as far as I can tell....-----
# ipsecctl -sa
FLOWS:
No flows

SAD:
No entries
--------------no good...------------------------
And that's all, folks....

This is a client machine behind a firewall that wants to connect.
pf.conf on client:
default OpenBSD 6.8
fw pf.conf:
pass out quick on em0 proto tcp from { long list of clients that have internet access } to ! X.Y.0.0/16 nat-to (em0)
pass in quick proto tcp from { long list of clients that have internet access } to any

pass in quick on em0 proto esp from A.B.C.D to (em0)
pass out quick on em0 proto esp from (em0) to A.B.C.D

pass in quick on em0 proto udp from A.B.C.D to (em0) port { 500 4500 }
pass out quick on em0 proto udp from (em0) to A.B.C.D port { 500 4500 }

log msg:
Feb 4 00:27:51 testbsd isakmpd[12944]: transport_send_messages: giving up on exchange peer-A.B.C.D, no response from peer A.B.C.D:500
Feb 4 00:29:24 testbsd isakmpd[12944]: sendmsg (16, 0x7f7ffffda248, 0): Permission denied

So I'm a bit stuck here. BTW, how do you tcpdump for IPsec on enc0? I would like to see if it actually tries to connect or not, and would like to see if this passes the fw correctly.....

Is the problem on the other side (the truth is out there, Mulder) or is this on my end??????

Thank you for your 2 cents in advance,
SimpL
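As an added example (not from the thread, not the poster's config), the mapping of the peer's sheet onto ipsec.conf(5) keywords written out as a small Python helper: "AES256-SHA256" is one proposal (enc aes-256 with auth hmac-sha2-256) rather than two algorithms, DH group 5 is modp1536 and 14 is modp2048, and a site-to-site tunnel between two networks uses the default tunnel mode rather than "transport". The networks, peer address and PSK it emits are placeholders.

```python
"""Added example (not from the thread): translate a peer's IPsec proposal
sheet into ipsec.conf(5) keywords and build the matching IKEv1 rule.
Networks, peer address and PSK passed in are placeholders."""
import re

# IANA IKE MODP group numbers -> ipsec.conf(5) group keywords.
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048",
             15: "modp3072", 16: "modp4096", 17: "modp6144", 18: "modp8192"}

# Integrity hash as written on vendor sheets -> ipsec.conf(5) auth keyword.
AUTH = {"MD5": "hmac-md5", "SHA": "hmac-sha1", "SHA1": "hmac-sha1",
        "SHA256": "hmac-sha2-256", "SHA384": "hmac-sha2-384",
        "SHA512": "hmac-sha2-512"}


def parse_proposal(text):
    """'AES256-SHA256' is one proposal: cipher aes-256 with hmac-sha2-256.
    Returns (enc keyword, auth keyword)."""
    m = re.fullmatch(r"\s*(AES|3DES)(\d*)-([A-Z]+\d*)\s*", text.upper())
    if not m or m.group(3) not in AUTH:
        raise ValueError("unrecognised proposal: %r" % text)
    cipher, bits, hsh = m.groups()
    enc = "3des" if cipher == "3DES" else ("aes-%s" % bits if bits else "aes")
    return enc, AUTH[hsh]


def parse_groups(text):
    """'DH Group: 5 14' -> ['modp1536', 'modp2048']; unknown numbers raise."""
    return [DH_GROUPS[int(n)] for n in re.findall(r"\d+", text)]


def ike_rule(proposal, groups, local_net, remote_net, peer, psk):
    """One ipsec.conf(5) ike rule for a site-to-site tunnel between two
    networks. Tunnel mode is the default, so no 'transport' keyword; the
    largest MODP group on the sheet (highest number) is used in both
    phases, and the same cipher/hash pair serves main and quick mode."""
    enc, auth = parse_proposal(proposal)
    group = DH_GROUPS[max(int(n) for n in re.findall(r"\d+", groups))]
    return ('ike esp from %s to %s peer %s \\\n'
            '    main auth "%s" enc "%s" group %s \\\n'
            '    quick auth "%s" enc "%s" group %s \\\n'
            '    psk "%s"' % (local_net, remote_net, peer,
                              auth, enc, group, auth, enc, group, psk))


if __name__ == "__main__":
    # Constructed input: the peer's sheet from the thread, with placeholders.
    print(ike_rule("AES256-SHA256", "DH Group: 5 14",
                   "10.0.0.0/24", "192.168.1.5/32", "A.B.C.D", "SECRET!!!"))
```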
#2  SimpL, 4th February 2021

PS: trying this too...
ikev2 active esp \
from Locallan/8 to localothersidelan/32 \
peer A.B.C.D \
psk "SECRET!!!"

log:
Feb 4 17:02:05 testbsd isakmpd[27668]: isakmpd: starting
Feb 4 17:11:09 testbsd ntpd[59317]: constraints configured but none available
#3  jggimi, 5th February 2021

It's not clear to me what you are actually trying, and what is failing. Such as: 1) I cannot tell from your description of the intended connection whether you need L2TP or not. 2) There is not enough information presented in your post to tell you why installation of the xl2tpd package fails. 3) I cannot tell what you decided not to install due to "reasons". 4) I cannot tell if you have the isakmpd(8) daemon running, which is necessary for IKEv1.

Symantec's ancient article is still available, and it may help you.
#4  SimpL, 5th February 2021

Hi jggimi,

https://cdn.openbsd.org/pub/OpenBSD/...-stable/amd64/
In the repo there is no xl2tpd file, so I could not install it like they told me in the FAQ:
https://www.openbsd.org/faq/faq17.html

What I'm trying to do is connect to a site-to-site connection with a PSK key only. I don't have anything but the info that I wrote, that they sent me, and a PSK key. They told me this is enough to connect to the server they have.

As I told you, I'm a total newbie in IPsec and I only read a bunch of descriptions, docs and FAQs specific to this, but I don't get the gist of what exactly I would have to do here.

I told them the exact LAN IP of the machine I'm trying to connect from (they asked me for it) and they sent me a LAN IP that I would have to connect to, too; that is the machine that I would like to reach, y.y.y.y/32. Let's call these x (our BSD) and y (the BSD in their LAN).

x (inside our LAN, that I installed IPsec on) -> our firewall (that has the settings to let x out to the internet) -> internet -> IPsec server/firewall they use (exact setup unknown) -> y (the BSD I want to access)

So this is what I'm trying to accomplish...
#5  jggimi, 5th February 2021

Logically, the failure to install must be due to using the PKG_PATH environment variable and directing it to ../packages-stable/.. only. This directory only contains the approximately 750 packages which have been updated since the OS release due to security issues. There are more than 11000 packages for the release you must not currently have access to. To fix this problem, a) either correct your PKG_PATH string, or b) eliminate PKG_PATH and use your installurl(5) file instead. The installurl facility will apply "%m" as defined in the pkg_add(1) man page to resolve your install path. If you wish to continue using PKG_PATH instead of installurl(5), you must either manually add both directories in the proper order, or use "%m" or "%c/packages" as described in the pkg_add(1) man page.
#6  SimpL, 5th February 2021

----not installed for reasons....-------
# pkg_add xl2tpd
Can't find xl2tpd
-----------

pkg problem solved, thx jggimi, I set the wrong repo.....
The IPsec tunnel is still pending connection...
#7  jggimi, 6th February 2021

I have never used L2TP, and I have not managed an IPSec VPN in many years, so I am unlikely to be able to provide further assistance.

If no one else joins the conversation, you might consider posting your question to the misc@ mailing list.
#8  SimpL, 8th February 2021

In the end it was a firewall problem, because I only allowed TCP connections and not all. After I set the fw rule to all, not just TCP, the connection was up. I deleted the above rules and created 4 rows for incoming and outgoing traffic and NAT-ed the connection. Bit crude currently, but it "works".
They are currently checking if the connection is OK or not. After that I hope it will be OK.
Thanks again jggimi

Last edited by SimpL; 8th February 2021 at 10:42 AM.
#9  jggimi, 8th February 2021

I'm glad you were able to determine the root cause of the problem. Good luck with your VPN!