One problem still exists. I got this error message now from the OpenBSD 3.8 machine:

125755.190614 Default responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id c0a80100/ffffff00: 192.168.1.0/255.255.255.0, responder id c0a80300/ffffff00: 192.168.3.0/255.255.255.0

OpenBSD 5.1 says:

130447.536284 Default transport_send_messages: giving up on exchange from-192.168.1.0/24-to-192.168.3.0/24, no response from peer 10.0.0.4:500

The config looks like:

OpenBSD 3.8
ike esp from 192.168.3.0/24 to 192.168.1.0/24 peer 10.0.0.2 \
    quick auth hmac-md5 enc aes

OpenBSD 5.1
ike esp from 192.168.1.0/24 to 192.168.3.0/24 peer 10.0.0.4 \
    main auth hmac-sha1 enc 3des \
    quick auth hmac-md5 enc aes group none

OpenBSD 3.8
# ipsecctl -nvf /etc/ipsec.conf
C set [peer-10.0.0.2]:Phase=1 force
C set [peer-10.0.0.2]:Address=10.0.0.2 force
C set [IPsec-192.168.3.0/24-192.168.1.0/24]:Phase=2 force
C set [IPsec-192.168.3.0/24-192.168.1.0/24]:ISAKMP-peer=peer-10.0.0.2 force
C set [IPsec-192.168.3.0/24-192.168.1.0/24]:Configuration=qm-192.168.3.0/24-192.168.1.0/24 force
C set [IPsec-192.168.3.0/24-192.168.1.0/24]:Local-ID=lid-192.168.3.0/24 force
C set [IPsec-192.168.3.0/24-192.168.1.0/24]:Remote-ID=rid-192.168.1.0/24 force
C set [qm-192.168.3.0/24-192.168.1.0/24]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-192.168.3.0/24-192.168.1.0/24]:Suites=QM-ESP-AES-MD5-PFS-SUITE force
C set [lid-192.168.3.0/24]:ID-type=IPV4_ADDR_SUBNET force
C set [lid-192.168.3.0/24]:Network=192.168.3.0 force
C set [lid-192.168.3.0/24]:Netmask=255.255.255.0 force
C set [rid-192.168.1.0/24]:ID-type=IPV4_ADDR_SUBNET force
C set [rid-192.168.1.0/24]:Network=192.168.1.0 force
C set [rid-192.168.1.0/24]:Netmask=255.255.255.0 force
t IPsec-192.168.3.0/24-192.168.1.0/24
c IPsec-192.168.3.0/24-192.168.1.0/24

# ipsecctl -ss
esp from 10.0.0.2 to 10.0.0.4 spi 0x8efb6582 aes hmac-md5 tunnel
esp from 10.0.0.4 to 10.0.0.2 spi 0x1ba68989 aes hmac-md5 tunnel

OpenBSD 5.1
# ipsecctl -nvf /etc/ipsec.conf
C set [Phase 1]:10.0.0.4=peer-10.0.0.4 force
C set [peer-10.0.0.4]:Phase=1 force
C set [peer-10.0.0.4]:Address=10.0.0.4 force
C set [peer-10.0.0.4]:Configuration=phase1-peer-10.0.0.4 force
C set [phase1-peer-10.0.0.4]:EXCHANGE_TYPE=ID_PROT force
C add [phase1-peer-10.0.0.4]:Transforms=3DES-SHA-RSA_SIG force
C set [from-192.168.1.0/24-to-192.168.3.0/24]:Phase=2 force
C set [from-192.168.1.0/24-to-192.168.3.0/24]:ISAKMP-peer=peer-10.0.0.4 force
C set [from-192.168.1.0/24-to-192.168.3.0/24]:Configuration=phase2-from-192.168.1.0/24-to-192.168.3.0/24 force
C set [from-192.168.1.0/24-to-192.168.3.0/24]:Local-ID=from-192.168.1.0/24 force
C set [from-192.168.1.0/24-to-192.168.3.0/24]:Remote-ID=to-192.168.3.0/24 force
C set [phase2-from-192.168.1.0/24-to-192.168.3.0/24]:EXCHANGE_TYPE=QUICK_MODE force
C set [phase2-from-192.168.1.0/24-to-192.168.3.0/24]:Suites=QM-ESP-AES-MD5-SUITE force
C set [from-192.168.1.0/24]:ID-type=IPV4_ADDR_SUBNET force
C set [from-192.168.1.0/24]:Network=192.168.1.0 force
C set [from-192.168.1.0/24]:Netmask=255.255.255.0 force
C set [to-192.168.3.0/24]:ID-type=IPV4_ADDR_SUBNET force
C set [to-192.168.3.0/24]:Network=192.168.3.0 force
C set [to-192.168.3.0/24]:Netmask=255.255.255.0 force
C add [Phase 2]:Connections=from-192.168.1.0/24-to-192.168.3.0/24

# ipsecctl -ss
esp tunnel from 10.0.0.4 to 10.0.0.2 spi 0x1ba68989 auth hmac-md5 enc aes
esp tunnel from 10.0.0.2 to 10.0.0.4 spi 0x8efb6582 auth hmac-md5 enc aes

I think it's something about how the IDs are used.

3.8
C set [IPsec-192.168.3.0/24-192.168.1.0/24]:Local-ID=lid-192.168.3.0/24 force
C set [IPsec-192.168.3.0/24-192.168.1.0/24]:Remote-ID=rid-192.168.1.0/24 force

5.1
C set [from-192.168.1.0/24-to-192.168.3.0/24]:Local-ID=from-192.168.1.0/24 force
C set [from-192.168.1.0/24-to-192.168.3.0/24]:Remote-ID=to-192.168.3.0/24 force

The difference is lid-<ip> and from-<ip>, rid-<ip> and to-<ip> between the versions. How do I alter that?

Best regards Johan Ryberg

2012/5/13 Johan Ryberg <[email protected]>:
> Thanks, I will look at that =)
>
> Best regards Johan
>
> 2012/5/12 Christian Weisgerber <[email protected]>:
>> Johan Ryberg <[email protected]> wrote:
>>
>>> I found this information that seems very interesting:
>>> http://www.openbsd.org/faq/upgrade47.html#hmac-sha2
>>
>>> ike esp from 192.168.1.1 to 10.0.0.17 peer 192.168.10.1 psk mekmitasdigoat
>>>
>>> The man page of ipsec.conf says that hmac-sha1, aes, and modp1024 are
>>> used as mode auth algorithm enc algorithm group group if omitted
>>
>> In "main mode", which is just the initial IKE negotiation part.
>> Actual traffic is passed in "quick mode", which defaults to
>> hmac-sha2-256 and aes.
>>
>> You can also use ipsecctl -nvf /etc/ipsec.conf to look at the
>> expanded rules, or ipsecctl -ss to look at the parameters used by
>> the currently active security associations. No need to guess.
>>
>> --
>> Christian "naddy" Weisgerber [email protected]
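An added checker, not code from the thread: it parses the two "ipsecctl -nvf" dumps quoted above (trimmed copies embedded here as constructed test input), resolves each side's Phase 2 Local-ID and Remote-ID sections to network/netmask plus the quick mode suite, and reports whether the IDs mirror each other across the peers and whether the suites agree. The lid-/rid- and from-/to- strings are only section labels that the Local-ID/Remote-ID keys point at, so they drop out of the comparison.

```python
import re
from typing import Dict, Tuple
# Trimmed copies of the two "ipsecctl -nvf" dumps in the thread (constructed test input).
DUMP_38 = """\
C set [IPsec-192.168.3.0/24-192.168.1.0/24]:Phase=2 force
C set [IPsec-192.168.3.0/24-192.168.1.0/24]:Configuration=qm-192.168.3.0/24-192.168.1.0/24 force
C set [IPsec-192.168.3.0/24-192.168.1.0/24]:Local-ID=lid-192.168.3.0/24 force
C set [IPsec-192.168.3.0/24-192.168.1.0/24]:Remote-ID=rid-192.168.1.0/24 force
C set [qm-192.168.3.0/24-192.168.1.0/24]:Suites=QM-ESP-AES-MD5-PFS-SUITE force
C set [lid-192.168.3.0/24]:Network=192.168.3.0 force
C set [lid-192.168.3.0/24]:Netmask=255.255.255.0 force
C set [rid-192.168.1.0/24]:Network=192.168.1.0 force
C set [rid-192.168.1.0/24]:Netmask=255.255.255.0 force
"""
DUMP_51 = """\
C set [from-192.168.1.0/24-to-192.168.3.0/24]:Phase=2 force
C set [from-192.168.1.0/24-to-192.168.3.0/24]:Configuration=phase2-from-192.168.1.0/24-to-192.168.3.0/24 force
C set [from-192.168.1.0/24-to-192.168.3.0/24]:Local-ID=from-192.168.1.0/24 force
C set [from-192.168.1.0/24-to-192.168.3.0/24]:Remote-ID=to-192.168.3.0/24 force
C set [phase2-from-192.168.1.0/24-to-192.168.3.0/24]:Suites=QM-ESP-AES-MD5-SUITE force
C set [from-192.168.1.0/24]:Network=192.168.1.0 force
C set [from-192.168.1.0/24]:Netmask=255.255.255.0 force
C set [to-192.168.3.0/24]:Network=192.168.3.0 force
C set [to-192.168.3.0/24]:Netmask=255.255.255.0 force
"""
# One isakmpd.conf line as ipsecctl prints it: "C set|add [section]:key=value force"
LINE = re.compile(r"^C (?:set|add) \[([^\]]+)\]:([^=]+)=(.*?)(?: force)?$")

def parse(dump: str) -> Dict[str, Dict[str, str]]:
    """Turn the dump into {section: {key: value}}; section names are arbitrary labels."""
    sections: Dict[str, Dict[str, str]] = {}
    for line in dump.splitlines():
        m = LINE.match(line.strip())
        if m:
            sections.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return sections

def phase2_view(dump: str) -> Tuple[str, str, str]:
    """Resolve the first Phase 2 connection to (local net/mask, remote net/mask, suite)."""
    s = parse(dump)
    conn = next(v for v in s.values() if v.get("Phase") == "2")
    def net(label: str) -> str:
        return f"{s[label]['Network']}/{s[label]['Netmask']}"
    return net(conn["Local-ID"]), net(conn["Remote-ID"]), s[conn["Configuration"]]["Suites"]

def compare(dump_a: str, dump_b: str) -> Dict[str, bool]:
    """A's local ID must equal B's remote ID and vice versa; suites must agree."""
    la, ra, sa = phase2_view(dump_a)
    lb, rb, sb = phase2_view(dump_b)
    return {"ids_mirror": la == rb and ra == lb, "suites_match": sa == sb}
```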

