Hi Stuart,
On Mon, 28 Nov 2016, Stuart Henderson wrote:
>> For completeness of description, for the latter I use
>> ike passive esp transport \
>> proto udp from egress to any port 1701 \
>> main auth "hmac-sha1" enc "3des" group modp1024 \
>> quick auth "hmac-sha1" enc "3des" group modp1024 \
>> psk "MY-PRE-SHARED-SECRET"
> "to any" in ipsec.conf creates a configuration for what isakmpd.conf(5)
> describes as "the default ISAKMP peer". There can only be one such
> section, so if you're using "default" in isakmpd.conf you have such a
> conflict.
I figured it was something like that.
> The simplest fix, but not always possible, is to tie configs down by
> IP address of the other side; if you can rely on normal lan-to-lan
> tunnels to come only from specific addresses, just list them separately
> and leave "default" for roaming clients.
Unfortunately we do not have static IPs in the remote offices. Some of
these might be able to be converted to static IP but others, especially
those out in the country, cannot easily be converted. So there is a demand
for two types of connections to be "to any": the remote office links,
which are a tunnel between 2 networks, and the road warriors with a Mac or
Windows PC, or iPad or the like. All a bit of a nightmare.
> By doing things on the isakmpd.conf/policy side you can write an
> isakmpd.policy section fairly easily that allows somebody to connect
> with either of a choice of PSKs (it's similar to one of the examples in
> the manpage). I think it may also be possible (though more complicated)
> to write a section that allows the port 1701 UDP tunnel with one psk,
> and other tunnels with a different psk.
I think I will just live with a single PSK for the 'roaming' sites/people.
> Here's an *untested* rough equivalent to the ipsec.conf entry you
> included, with the standard auto-generated suite/transforms rather than
> the ones that ipsecctl generates (using 192.0.2.1 as the local address
> in this case).
I might see how I using yours as a guide but translating directly the
raw output of 'ipsecctl -nv'.
> Also it is important to note that ipsec.conf doesn't handle the
> isakmpd.policy side of things.
I need to read up on the isakmpd.policy a bit more it seems.
>> While I am here, I still see on the passive IPSec Port 500 traffic
>> got AES_CBC, expected 3DES_CBC
>> on the IPSec/port500udp
> That is "incoming packet was AES, but I expected it to be 3DES". Is this
> tunnel configured in default from the isakmpd.conf setup?
Yes. See below.
> If so, it sounds like that section is being overridden by the ipsec.conf
> one.
Do not think so. The same happens even if there is no 'ipsec.conf' or
'npppd'. I have seen it on older systems for years. Across VPN links
that work quite happily.
> You also see this if config is cleared without reloading a new one and
> you get an incoming request for AES request, because the default
> "default peer" setting is for 3DES.
That is not my situation. It happens all the time on a system where nobody
is touching 'isakmpd'. And the network is running nicely. It appears say
every 3-4 minutes for 15 minutes, then not again for 2 hours and then for
a bit, and then not again for 30 minutes, and so on.
Looks like I will have to use the '-L' flag to the daemon. Does it need
any other options to get the maximum out of the '-L' dump?
My 'isakmpd.conf' : (slightly sanitized)
===================
[General]
Listen-on= Local-Machine-External-IP-to-the-World
Default-phase-1-lifetime= 86400,3600:86400
Default-phase-2-lifetime= 86400,3600:86400
DPD-check-interval= 10
[Phase 1]
default= ISAKMP-clients
[Phase 2]
Passive-connections= IPSec-clients
[ISAKMP-clients]
Phase= 1
Transport= udp
Local-address= Local-Machine-External-IP-to-the-World
Configuration= Client-main-mode
Authentication= MY-PRE-SHARED-KEY-as-in-isakmpd-policy
[IPSec-clients]
Phase= 2
ISAKMP-peer= ISAKMP-clients
Configuration= Client-quick-mode
Local-ID= Net-My-Local-One
Remote-ID= Net-Any_Remote
# My local network is 10.138.138.0/24 ( or could be and is something else )
[Net-My-Local-One]
ID-type= IPV4_ADDR_SUBNET
Network= 10.138.138.0
Netmask= 255.255.255.0
[Net-Any_Remote]
ID-type= IPV4_ADDR
Address= 0.0.0.0
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= AES-SHA-GRP2,3DES-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE
[Client-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= AES-SHA-GRP2,3DES-SHA
[Client-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-GRP2-SUITE,
QM-ESP-3DES-SHA-PFS-SUITE
Regards - Damian
Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
Views & opinions here are mine and not those of any past or present employer
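As an added illustration of the isakmpd.policy split Stuart describes above (one PSK for the UDP 1701 transport-mode road warriors, another for the net-to-net tunnels), here is a KeyNote sketch that is not from this thread and is untested. It assumes the attribute names and values documented in isakmpd.policy(5) and uses placeholder secrets, so check it against the manpage of the release in use.

```text
KeyNote-Version: 2
Comment: Road warriors: L2TP/IPsec in transport mode to remote UDP port
         1701, mirroring the "proto udp from egress to any port 1701" ike
         line quoted above. EXAMPLE-L2TP-SECRET is a placeholder.
Authorizer: "POLICY"
Licensees: "passphrase:EXAMPLE-L2TP-SECRET"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" &&
            esp_encapsulation == "transport" &&
            remote_filter_proto == "udp" &&
            remote_filter_port == "1701" -> "true";

KeyNote-Version: 2
Comment: Remote offices on dynamic addresses: net-to-net tunnel mode,
         accepted only with the site PSK. EXAMPLE-SITE-SECRET is a
         placeholder. To allow a choice of secrets for one assertion
         instead, list them in Licensees joined with "||", as in the
         manpage example Stuart refers to.
Authorizer: "POLICY"
Licensees: "passphrase:EXAMPLE-SITE-SECRET"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" &&
            esp_encapsulation == "tunnel" -> "true";
```

This file is only consulted when isakmpd runs with policy checking enabled (i.e. not started with -K, which ipsecctl-driven setups commonly use), and since it holds the secrets in clear it must stay readable by root only.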