Hello,

Joosep, thank you for pointing out this incompatibility. I have made tests with Fabio and that was the problem.

Regarding the ipsec configuration behind nat routers, it has been tested successfully between a 4.9 and a 4.4 OpenBSD with udp encapsulation, and between a 4.9 OpenBSD and a fortigate (not behind nat). However I don't know about long term stability in those two cases.
Regarding the configuration to adopt when the ipsec gateway is natted, I'm wondering if it's necessary to port forward udp 500 and 4500 pointing to the ipsec gateway on the LAN. I think yes if the two ipsec gateways are natted, and maybe if only one of them is natted.

As for the configuration that I described below, I have not tried to do a ping from LAN1 to LAN2 with the OpenBSD having only one interface. I will try to test it when I am able to.

Something I'm still wondering is how OpenBSD knows whether it is natted or not, so that it should use udp 4500. I haven't seen anything in the configuration stating that I would use nat-t or not. Also, if two ipsec gateways are not natted but I want to force nat-t, would that be possible?
Thanks



----- Original Message -----
> From: Joosep <joos...@gmail.com>
> To: misc@openbsd.org
> Cc:
> Sent: Monday, 14 November 2011 14:08
> Subject: Re: OpenBSD ipsec gateway behind a router
> 
> On Mon, Nov 14, 2011 at 2:00 PM, Mentesan <mente...@gmail.com> wrote:
> 
>>  Hi :)
>> 
>>  I'm trying to do exactly this setup, between two OpenBSD boxes - 4.4 (central office) and 4.9 (branch office).
>>  With the following setup I can bring the tunnel up, but the networks can't talk to each other:
>> 
>>  Central ipsec.conf
>>  -------------------------
>>  ike passive esp tunnel from 10.20.0.0/16 to any \
>>                 srcid matriz.domain.com.br \
>>                 psk testefilial
>>  ------------
>> 
>>  Branch ipsec.conf
>>  -------------------------
>>  matriz_net = "10.20.0.0/16"
>>  matriz_gw = "178.9.35.10"
>>  filial_net =  "10.10.11.0/24"
>> 
>>  ike dynamic esp tunnel from $filial_net to $matriz_net peer $matriz_gw \
>>                 srcid filial.domain.com.br \
>>                 dstid matriz.domain.com.br \
>>                 psk testefilial
>>  -----------
>> 
>>  # ipsecctl -sa
>>  FLOWS:
>>  flow esp in from 10.10.11.0/24 to 10.20.0.0/16 peer 185.53.27.23 srcid matriz.gruponp.com.br dstid filial.gruponp.com.br type use
>>  flow esp out from 10.20.0.0/16 to 10.10.11.0/24 peer 185.53.27.23 srcid matriz.gruponp.com.br dstid filial.gruponp.com.br type require
>> 
>>  SAD:
>>  esp tunnel from 178.9.35.10 to 185.53.27.23 spi 0x59f8b098 auth hmac-sha2-256 enc aes
>>  esp tunnel from 185.53.27.23 to 178.9.35.10 spi 0xda08a9c3 auth hmac-sha2-256 enc aes
>> 
>>  -----------
>> 
>>  # route -n show -encap
>>  Routing tables
>> 
>>  Encap:
>>  Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
>>  10.10.11/24        0     10.20/16           0     0      185.53.27.23/esp/use/in
>>  10.20/16           0     10.10.11/24        0     0      185.53.27.23/esp/require/out
>> 
>> 
>>  Fabio Almeida
>> 
>>  On 13/11/2011, at 12:06, Mik J wrote:
>> 
>>  > Hello,
>>  >
>>  > I would like to know if such a configuration is possible.
>>  >
>>  > LAN1 (192.168.10.0/24) <--> OpenBSD .99 <--> .254 Router IPx <--> Internet <--> IPy
>>  > IPSec_GW (Vendor) <--> LAN2 (192.168.20.0/24)
>>  >
>>  > As you can see the OpenBSD 4.9 server sits on LAN1 and has one physical interface. When it wants to access the internet, its address 192.168.10.99 is natted to IPx, and that's how the IPSec_GW (Vendor) sees the source packets.
>>  >
>>  > It's not really important now if other machines on LAN1 should ping machines on LAN2. I would like for now that the OpenBSD could ping machines on LAN2.
>>  >
>>  > I have searched for examples on the internet for this particular case because the OpenBSD is behind a nat router, and I haven't found the proper way to do this. I don't even know if it's possible. I know some kind of nat-t should be used though.
>>  >
>>  > Does anyone have this configuration in place?
>>  >
>>  > Thanks
>> 
> Hi!
> 
> I think the problem in your case is HMAC-SHA2 incompatibility between releases before 4.7 and 4.7 (and upwards) releases. Please check this link
> http://www.openbsd.org/faq/upgrade47.html#hmac-sha2
> 
> regards,
> Joosep
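Added note on the open question of how OpenBSD knows it is natted (this is an added example, not part of the thread and not isakmpd's code): IKEv1 NAT traversal (RFC 3947, which isakmpd implements) does not take a setting from ipsec.conf; it detects the NAT during phase 1 with NAT-D payloads carrying a hash of the addresses each peer believes are in use, and compares them with the addresses actually seen on the datagram. The Python below models that exchange on the topology from the thread. The ISAKMP cookies, the documentation-range addresses standing in for IPx and IPy, the NAT's source port 41234 and SHA-1 as the negotiated phase 1 hash are all constructed for the example.

```python
"""
Model of IKEv1 NAT detection (RFC 3947 NAT-D payloads).

Each IKE peer sends NAT-D payloads containing
    HASH(CKY-I | CKY-R | IP | Port)
first for the address/port it is sending *to*, then for each of its own
addresses. The receiver recomputes the hashes from the addresses it really
sees on the UDP datagram. A mismatch means a NAT rewrote an address on the
path, and the peers float the exchange to UDP 4500.

Added illustration only; not OpenBSD's isakmpd code. Cookies, addresses,
ports and the SHA-1 choice are constructed for the example.
"""
import hashlib
import ipaddress
import struct
from typing import List, Tuple

# Constructed 8-byte ISAKMP cookies (chosen by each peer in a real exchange).
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int,
               hash_name: str = "sha1") -> bytes:
    """HASH(CKY-I | CKY-R | IP | Port) using the phase 1 hash (SHA-1 assumed).

    The address is its packed network form (4 bytes IPv4, 16 bytes IPv6) and
    the port a 2-byte big-endian integer, as RFC 3947 section 3.2 lays out.
    """
    h = hashlib.new(hash_name)
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ip).packed)
    h.update(struct.pack("!H", port))
    return h.digest()


def build_nat_d_payloads(cky_i: bytes, cky_r: bytes,
                         local_ip: str, local_port: int,
                         peer_ip: str, peer_port: int) -> List[bytes]:
    """What a sender puts on the wire: the peer (destination) hash first, then its own."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, local_ip, local_port)]


def detect_nat(cky_i: bytes, cky_r: bytes, payloads: List[bytes],
               seen_src_ip: str, seen_src_port: int,
               seen_dst_ip: str, seen_dst_port: int) -> Tuple[bool, bool]:
    """Receiver side. Returns (peer_behind_nat, self_behind_nat).

    seen_* are the source and destination of the UDP datagram as the receiver
    observes them, i.e. after any NAT on the path has done its rewriting.
    """
    # payloads[0] is the sender's idea of *our* address. If it does not match
    # the datagram's destination, our own address was translated on the way in.
    self_behind_nat = payloads[0] != nat_d_hash(cky_i, cky_r, seen_dst_ip, seen_dst_port)
    # The remaining payloads are the sender's own addresses. If none matches the
    # datagram's source, the sender's address was translated (the thread's case).
    src_hash = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port)
    peer_behind_nat = src_hash not in payloads[1:]
    return peer_behind_nat, self_behind_nat


def thread_topology() -> Tuple[bool, bool]:
    """Constructed model of the thread's diagram, seen from the vendor gateway.

    OpenBSD 192.168.10.99 sits behind a NAT router whose public side stands in
    for IPx (192.0.2.1); the vendor IPsec gateway stands in for IPy (198.51.100.1).
    The documentation-range addresses and the NAT's source port 41234 are made up.
    """
    payloads = build_nat_d_payloads(CKY_I, CKY_R,
                                    "192.168.10.99", 500,   # what OpenBSD thinks it is
                                    "198.51.100.1", 500)    # the gateway it talks to
    # The router rewrites the source; the gateway sees IPx:41234 -> IPy:500.
    return detect_nat(CKY_I, CKY_R, payloads,
                      seen_src_ip="192.0.2.1", seen_src_port=41234,
                      seen_dst_ip="198.51.100.1", seen_dst_port=500)


def no_nat_topology() -> Tuple[bool, bool]:
    """The same exchange with both gateways on public addresses: nothing is rewritten."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, "192.0.2.1", 500, "198.51.100.1", 500)
    return detect_nat(CKY_I, CKY_R, payloads,
                      seen_src_ip="192.0.2.1", seen_src_port=500,
                      seen_dst_ip="198.51.100.1", seen_dst_port=500)


if __name__ == "__main__":
    print("OpenBSD behind NAT, vendor gateway public:", thread_topology())  # (True, False)
    print("both gateways public:", no_nat_topology())                       # (False, False)
```

Once either side sees a mismatch, the rest of IKE and the ESP traffic move to UDP 4500 (IKE packets there carry a 4-byte non-ESP marker so the receiver can tell them from UDP-encapsulated ESP). The NAT's mapping for 4500 is created by whichever side sends first, so a forward of udp 500 and 4500 on the NAT router is needed when the natted gateway has to accept the first packet; a natted gateway that always initiates gets its mapping from its own outbound traffic.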
