connect to an other site using ipsec-nat

[wesley]

Hello,

We have to connect to a factory using ipsec and nat.
A server(factory) will send backup to us using ftp.

Our ftp server is protected by a firewall with OpenBSD (PF and ftp-proxy)
OpenBSD firewall : 2 interfaces : egress (81.255.XX.XX) and local (10.0.0.3) ; FTP server : 10.0.0.4

The admin of the factory has send me informations to configure vpn ipsec :

our vpn gateway : 81.255.XX.XX
src address :192.168.191.0/24
dst address : 192.168.192.0/24

factory vpn gateway : 210.253.XX.XX
src address : 192.168.192.0/24
dst address : 192.168.191.0/24

Authentication Mode: Preshared Keys
Diffie-Hellman Group 2 (1024 bit)
Encryption Algorithm: AES 256
Hashing Algoritm: SHA-1
Negotiation Mode: Main
Lifetime : 28800 sec

IPSec-Parameter:
Perfect Forward Secrecy: Group 2
Encapsulation : ESP
Encryption Algorithm: AES 256
Authentication Algorithm : SHA-1
Encapsulation Mode: Tunnel
Lifetime : 3600 sec

the preshared key : haiku

i have read man pages of ipsec.conf, ipsecctl, isakampd.
My pf.conf let protocol esp, udp 500 and 4500 from any to any.
I dont see how to realize that. If someone can help me.
Thank you.

[jggimi]

Step 1. Talk with your factory admin, and change your preshared key, since you have now published it here. It is your only authentication. Do not use "haiku". You hid the gateway addresses, but all it takes is a quick scan of 64 thousand IP addresses to find either gateway and quickly break your only authentication. And such keys should never be short, and never be words.

-----------------

Please clarify your RFC 1918 subnets: each location uses a separate subnet, correct? That is, the systems at the factory use 192.168.192.x IP addresses, and the systems at your site use 192.168.191.x? If these will stay separate subnets, then it makes the use of IPSec much, much easier.

Please confirm if it is your intention that a server or workstation with address 192.168.192.17 at the factory will still be 192.168.192.17 when connected to your local network. If so, then your ipsec.conf configuration will be straightforward.

Translation of subnets should only be necessary when there are IP addressing collisions, and those might only occur when connecting large organizations via VPN gateways. I would avoid it, if at all possible. While such translation can be done, it is complicated: see http://undeadly.org/cgi?action=artic...20090127205841

[wesley]

First : what i have wrote in the previous message like the preshared key, it is not the true IKE passphrase.

The factory is a large organization.
So i have to implement NAT in VPN.

[wesley]

I ve read http://undeadly.org/cgi?action=artic...20090127205841
Here what i have done :

my pf.conf, i ve add lines :
binat on enc0 inet from 10.0.0.0/24 to 192.168.192.0/24 -> \
192.168.191.0/24

my ipsec.conf:
ike esp from 192.168.192.0/24 (10.0.0.0/8) to 192.168.191.0/24 peer \
the_gateway_of_factory \
main auth hmac-sha1 enc aes-256 group modp1024 \
quick auth hmac-sha1 enc aes-256 group modp1024 \
psk "haiku"

When i try : ipsecctl -sa, i have :
# ipsecctl –sa j’ai comme résultat :

FLOWS:
flow esp in from 192.168.191.0/24 to 10.0.0.0/8 peer 212.99.117.97 srcid my_gateway dstid the_gateway_factory type use
flow esp out from 10.0.0.0/8 to 192.168.191.0/24 peer 212.99.117.97 srcid my_gateway dstid the_gateway_factory type require

SAD:
esp tunnel from the_gateway_fatory to my_gateway spi 0x5f836c7a auth hmac-sha1 enc aes-256
esp tunnel from my_gateway to the_factory_gateway spi 0x7d51b2f7 auth hmac-sha1 enc aes-256
#

If i type : isakmpd and after, ipsecctl -f /etc/ipsec.conf, i ve the following :
ike_ipsec_establish : open (/var/run/isakmpd.fifo) : no such file or directory
Why ?

I'm not very far from the goal! need help.

[jggimi]

isakmpd, if used with ipsecctl and ipsec.conf, must be started with "-K".

[wesley]

in my /etc/rc.conf.local, i have added :
ipsec="yes"
isakmpd="-K"

when i restart the machine, i can see the same error :
ike_ipsec_establish : open (/var/run/isakmpd.fifo) : no such file or directory

when i'm login on it and type :
isakmpd -K
ipsecctl -f /etc/ipsec.conf
it's ok, the tunnel is ok. But why i have this error at startup ?

[jggimi]

Examine /var/log/daemon for errors from isakmpd(8).

During testing, you can use

# isakmpd -Kd &

or

# isakmpd -Kvd &

to see messages from isakmpd on your console.

[jggimi]

Ah, here's the reason: in rc.conf.local, the correct variable name is isakmpd_flags -- so isakmpd is not being started.

[wesley]

Thank's !!!

[jggimi]

One thing I recommend you use, based on my small experience -- of course, without using the complications of the (srcnat) option -- is that the tcpdump(8) tool is a great aid.

There's no way to tell if traffic is being tunnelled in esp packets or not, without it.

IPSec SA and Flow definitions will determine what packets get tunnelled and what packets do not, but there is no functional difference to a network application for IPSec-protected traffic or traffic flowing in the clear.

So, an admin might assume that traffic is running inside a VPN just because there is some output from # ipsecctl -sa, but the traffic intended to be secured may not actually be tunneled.

It has always been helpful to me to run tcpdump and examine packets for both the enc0 pseudo-devices, and, for the gateway NICs.

[wesley]

thank's for your suggestions.

[wesley]

Hello,

I come back. For over a week, i break my head to run the vpn, it is mounted, but there is no traffic, what is more, i have a problem about phase 2 in ipsec.conf.

To summarize :
My firewall : 10.0.0.113/24 ; FTP SERVER : 10.0.0.11524
My network (A) have 10.0.0.0 /24, same network for site 2(B).

So we need to implement : address translation
Site A will be : 192.168.192.0 /24
Site B will be : 192.168.191.0 /24

Ip address for A : 11.11.11.11
IP address for B : 22.22.22.22

I attach my files : ipsec.conf and pf.conf

I have this error in my /var/log/daemon :
Sep 17 11:00:01 sdsl114 newsyslog[5191]: logfile turned over
Sep 17 11:04:18 sdsl114 savecore: no core dump
Sep 17 11:04:19 sdsl114 isakmpd[19476]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.191.0/255.255.255.0, responder id 192.168.192.0/255.255.255.0
Sep 17 11:04:19 sdsl114 isakmpd[19476]: dropped message from 22.22.22.22 port 500 due to notification type INVALID_ID_INFORMATION
Sep 17 11:04:19 sdsl114 ftp-proxy[13321]: listening on 11.11.11.11 port 21

When i type ipsecctl -sa, i have :
FLOWS:
flow esp in from 192.168.191.0/24 to 10.0.0.0/24 peer 22.22.22.22 srcid 11.11.11.11/32 dstid 22.22.22.22/32 type use
flow esp out from 10.0.0.0/24 to 192.168.191.0/24 peer 22.22.22.22 srcid 11.11.11.11/32 dstid 22.22.22.22/32 type require
SAD:
esp tunnel from 11.11.11.11 to 22.22.22.22 spi 0x5f3b4329 auth hmac-sha1 enc aes-256
esp tunnel from 22.22.22.22 to 11.11.11.11 spi 0x60ecca8f auth hmac-sha1 enc aes-256

Can you help me please? thank's

[jggimi]

Phase 1 negotiation is used by the gateway to authenticate with each other and to establish an encrypted channel. Phase 2 negotiation is where IPSec configurations are set. Both are required to complete. The failure to successfully negotiate Phase 2 prevents IPSec from working. If I understand this message:

Code:

responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: 
initiator id 192.168.191.0/255.255.255.0, responder id 192.168.192.0/255.255.255.0

it looks like both sides of the gateway are trying to use 192.168.191/24 as the local network. But I may be wrong; I've never used this type of complex configuration and may be misunderstanding the cause of the misconnect between the gateways.

I'd recommended avoiding this level of complexity, if at all possible.

Because I have limited IPSec configuration experience, and no one else has jumped in, I recommend you post your problem to OpenBSD's misc@ mailing list. Rather than only one or two people who may have some experience with IPSec, there will be hundreds.

Some warnings:

No attachments are allowed. Place your configuration files and log messages as text, in-line with your e-mail. Attachments will just be stripped, and no one will see them.

Put more information in your request for assistance than you think may be needed. For example, include a dmesg, even though you don't think it is necessary. (Actually, it is often helpful, because it gives readers your specific release, flavor, and architecture for the OS, among other information.) Because the misc@ mailing list is not newbie-friendly, the more you can provide, the less likely your posting will be ignored, and the less likely you'll get a rude response.

Read the Netiquette section from the OpenBSD website, and follow its guidance:
http://www.openbsd.org/mail.html

[wesley]

thank's, i have posted it on misc@openbsd.org, how many time it takes to appear ?

[Carpetsmoker]

It's already there:
http://www.nabble.com/Ipsec-vpn-and-nat-td25489013.html

[jggimi]

And it's in other archives as well, such as http://marc.info/?l=openbsd-misc&m=125318467307484&w=2

No replies, yet.

If you subscribe to misc@, you will see any replies in your e-mail. If you don't subscribe, you will have to track one of the many public archives manually.

[wesley]

Thank you!
I'm waiting for replies.

[gamemaniac]

Informative posts indeed although a little complicated to me but easy to understand tips.

[wesley]

I forgot to modify the file sysctl.conf in order to activate the IP Fowarding!
I ve rebooted it, and now I haven't any more error in my file daemon log.

[jggimi]

Glad you've got it working, Wesley.