I made some changes and got a little further with the setup.  The
client being used on the clients is either the Windows XP VPN connection or
the 'IP Security Policies on Local Computer' mmc snap-in.

I have not done anything with ipsec.conf.  I will read up and make the
necessary changes for this file.  I'll post the results once I have a
'(hopefully) working' config.  The contents currently show the following
(which is obviously all wrong):

# cat ../ipsec.conf
#       $OpenBSD: ipsec.conf,v 1.1 2005/12/24 15:44:12 hshoexer Exp $
#
# See ipsec.conf(5) for syntax and examples.

# Set up two tunnels using automatic keying with isakmpd(8):
#
# First between the networks 10.1.1.0/24 and 10.1.2.0/24,
# second between the machines 192.168.3.1 and 192.168.3.2.
# Use FQDNs as IDs.

ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \
        srcid me.mylan.net dstid the.others.net
ike esp from 192.168.3.1 to 192.168.3.2 \
        srcid me.mylan.net dstid the.others.net

# Set up a tunnel using static keying:
#
# The first rules sets up the flow, second the SA.  As default
# transforms ipsecctl(8) will use hmac-sha2-256 for authentication
# and aesctr for encryption.  hmac-sha2-256 uses a 256 bit key, aesctr
# a 160 bit key.

flow esp from 192.168.7.0/24 to 192.168.8.0/24 peer 192.168.3.2
esp from 192.168.3.1 to 192.168.3.2 spi 0xdeadbeef:0xbeefdead \
        authkey 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \
        enckey 0xeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee:0xeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee


Here are the revised isakmpd.conf and isakmpd.policy files:

# cat isakmpd.policy
Keynote-version: 2
Authorizer: "POLICY"
Licensees: "passphrase:sharedsecret"
Conditions: esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

# cat isakmpd.conf
[General]
Listen-On = 10.107.208.1

[Phase 1]
Default = client

[Phase 2]
Passive-connections = client-netB

[client]
Phase =  1
Transport = udp
Configuration = Default-main-mode
Authentication = sharedsecret

[client-netB]
Phase =  2
ISAKMP-peer = client
Configuration = Default-quick-mode
Local-ID = netB
Remote-ID = client

[client]
ID-type = IPV4_ADDR
Address = 10.107.208.20

[netB]
ID-type = IPV4_ADDR_SUBNET
Network = 10.180.0.0
Netmask = 255.255.0.0

[Default-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = AES-SHA,3DES-SHA

[Default-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = QM-ESP-AES-SHA-PFS-SUITE,QM-ESP-3DES-SHA-PFS-SUITE

This is the output when attempting to use the Windows VPN client (the
client hangs up and asks to redial after 60 seconds):

# isakmpd -d -4 -DA=10
141617.788349 Default log_debug_cmd: log level changed from 0 to 10 for
class 0 [priv]
141617.789905 Default log_debug_cmd: log level changed from 0 to 10 for
class 1 [priv]
141617.790569 Default log_debug_cmd: log level changed from 0 to 10 for
class 2 [priv]
141617.790970 Default log_debug_cmd: log level changed from 0 to 10 for
class 3 [priv]
141617.791474 Default log_debug_cmd: log level changed from 0 to 10 for
class 4 [priv]
141617.791843 Default log_debug_cmd: log level changed from 0 to 10 for
class 5 [priv]
141617.792317 Default log_debug_cmd: log level changed from 0 to 10 for
class 6 [priv]
141617.793043 Default log_debug_cmd: log level changed from 0 to 10 for
class 7 [priv]
141617.793447 Default log_debug_cmd: log level changed from 0 to 10 for
class 8 [priv]
141617.793910 Default log_debug_cmd: log level changed from 0 to 10 for
class 9 [priv]
141617.794278 Default log_debug_cmd: log level changed from 0 to 10 for
class 10 [priv]
141617.804214 Misc 10 monitor_init: privileges dropped for child process
141649.335732 Timr 10 timer_add_event: event
exchange_free_aux(0x47986e00) added last, expiration in 120s
141649.336803 Exch 10 exchange_setup_p1: 0x47986e00 client
Default-main-mode policy responder phase 1 doi 1 exchange 2 step 0
141649.337342 Exch 10 exchange_setup_p1: icookie b713c39cd0c47724
rcookie 56a69eddda558c2b
141649.337896 Exch 10 exchange_setup_p1: msgid 00000000
141649.338660 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer
detected
141649.339572 Exch 10 exchange_handle_leftover_payloads: unexpected
payload VENDOR
141649.340080 Exch 10 exchange_handle_leftover_payloads: unexpected
payload VENDOR
141649.340628 Exch 10 exchange_handle_leftover_payloads: unexpected
payload VENDOR
141649.342123 Timr 10 timer_add_event: event
message_send_expire(0x43fb4e00) added before
exchange_free_aux(0x47986e00), expiration in 7s
141649.378704 Timr 10 timer_remove_event: removing event
message_send_expire(0x43fb4e00)
141649.462858 Timr 10 timer_add_event: event
message_send_expire(0x43fb4a00) added before
exchange_free_aux(0x47986e00), expiration in 7s
141649.568401 Timr 10 timer_remove_event: removing event
message_send_expire(0x43fb4a00)
141649.570846 Exch 10 exchange_finalize: 0x47986e00 client
Default-main-mode policy responder phase 1 doi 1 exchange 2 step 6
141649.571484 Exch 10 exchange_finalize: icookie b713c39cd0c47724
rcookie 56a69eddda558c2b
141649.571895 Exch 10 exchange_finalize: msgid 00000000
141649.572567 Exch 10 exchange_finalize: phase 1 done: initiator id
0a6bd014: 10.107.208.20, responder id 0a6bd001: 10.107.208.1, src:
10.107.208.1 dst: 10.107.208.20
141649.573066 Timr 10 timer_add_event: event sa_soft_expire(0x47987000)
added last, expiration in 27100s
141649.573700 Timr 10 timer_add_event: event sa_hard_expire(0x47987000)
added last, expiration in 28800s
141649.578955 Timr 10 timer_add_event: event
exchange_free_aux(0x47986c00) added before sa_soft_expire(0x47987000),
expiration in 120s
141649.579558 Exch 10 exchange_setup_p2: 0x47986c00 <unnamed> <no
policy> policy responder phase 2 doi 1 exchange 32 step 0
141649.579991 Exch 10 exchange_setup_p2: icookie b713c39cd0c47724
rcookie 56a69eddda558c2b
141649.580495 Exch 10 exchange_setup_p2: msgid 63ba711f sa_list
141649.585479 Timr 10 timer_add_event: event
message_send_expire(0x43fb5000) added before
exchange_free_aux(0x47986e00), expiration in 7s
141649.586872 Timr 10 timer_remove_event: removing event
message_send_expire(0x43fb5000)
141649.588331 Exch 10 exchange_finalize: 0x47986c00 <unnamed> <no
policy> policy responder phase 2 doi 1 exchange 32 step 2
141649.588933 Exch 10 exchange_finalize: icookie b713c39cd0c47724
rcookie 56a69eddda558c2b
141649.589361 Exch 10 exchange_finalize: msgid 63ba711f sa_list 0x47987200
141649.590025 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.107.208.20 SPI
0x1086163f
141649.590493 Timr 10 timer_add_event: event sa_soft_expire(0x47987200)
added before sa_soft_expire(0x47987000), expiration in 3279s
141649.591070 Timr 10 timer_add_event: event sa_hard_expire(0x47987200)
added before sa_soft_expire(0x47987000), expiration in 3600s
141649.592114 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.107.208.1 SPI
0x633b612e
141649.593627 Timr 10 timer_remove_event: removing event
exchange_free_aux(0x47986c00)

Thanks,
Axton Grams

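As an added example (not part of this thread or of isakmpd), a small Python triage script for the mail-wrapped `isakmpd -DA=10` output above: it rejoins the wrapped records, pulls out the phase 1 identities, the ESP SPIs installed through PF_KEY and any dropped-message notifications, and tells the two runs apart (the earlier INVALID_FLAGS run versus this one, where phase 2 completed). The log excerpts embedded in it are copied from the two runs quoted in this thread; the function names are my own.

```python
import re
# One isakmpd debug record: "HHMMSS.usec Class [level] message" ("Default" lines have no level).
RECORD = re.compile(r"^\d{6}\.\d+\s+\S+\s+(?:\d+\s+)?(.*)$")
P1_DONE = re.compile(r"phase 1 done: initiator id \S+ (\S+), responder id \S+ (\S+),")
SPI_SET = re.compile(r"pf_key_v2_set_spi: satype \d+ dst (\S+) SPI (0x[0-9a-f]+)")
DROPPED = re.compile(r"dropped message from (\S+) port \d+ due to notification type (\S+)")

# Excerpts of the two isakmpd -DA=10 runs quoted in this thread, still wrapped as mailed.
WORKING_LOG = """\
141649.572567 Exch 10 exchange_finalize: phase 1 done: initiator id
0a6bd014: 10.107.208.20, responder id 0a6bd001: 10.107.208.1, src:
10.107.208.1 dst: 10.107.208.20
141649.590025 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.107.208.20 SPI
0x1086163f
141649.592114 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.107.208.1 SPI
0x633b612e
"""
FAILING_LOG = """\
155359.461787 Default message_recv: cleartext phase 2 message
155359.462366 Default dropped message from 10.107.208.20 port 500 due to
notification type INVALID_FLAGS
"""

def unwrap(text):
    """Rejoin wrapped records: a line without a leading timestamp continues the previous one."""
    records = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if RECORD.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize(text):
    """Collect phase 1 identities, installed ESP SPIs, dropped messages and cleartext phase 2 hits."""
    s = {"phase1_done": [], "spis": [], "drops": [], "cleartext_p2": 0}
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m: continue
        msg = m.group(1)
        if p := P1_DONE.search(msg): s["phase1_done"].append(p.groups())
        if p := SPI_SET.search(msg): s["spis"].append(p.groups())
        if p := DROPPED.search(msg): s["drops"].append(p.groups())
        if "cleartext phase 2 message" in msg: s["cleartext_p2"] += 1
    return s

def tunnel_established(s):
    """Phase 1 finished, an SPI was installed for each direction, and nothing was dropped."""
    return bool(s["phase1_done"]) and len(s["spis"]) >= 2 and not s["drops"]
```

Run it over the full output of a daemon session (`summarize(open("isakmpd.log").read())`) to get the same summary without reading every timer event by hand.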

Hans-Joerg Hoexer wrote:
> what ipsec software is running on the clients?  What does your
> ipsec.conf on the firewall look like?
> 
> On Sat, Sep 02, 2006 at 04:01:51PM -0400, Axton Grams wrote:
>> Hoping someone can point me in the right direction to get isakmpd working.
>>
>> The scenario:
>> - the router drops all traffic directed to it from the dmz net
>> - the router drops all traffic destined for the lan from the dmz
>> - the router drops all traffic destined for the dmz from the lan
>> - vlan1 (dmz) has linux hosts
>> - vlan2 (lan) has windows and linux hosts, for the purpose of this
>> exercise, I am using a windows host
>>
>> The goals:
>> - create a way by which hosts in the lan can connect to the dmz network
>> using ipsec/isakmpd
>> - starting off with simple auth, shared secret passphrase
>>
>> The problem:
>> - I am unable to establish a SA between the router and the lan hosts
>>   isakmpd returns the following:
>> 155359.461787 Default message_recv: cleartext phase 2 message
>> 155359.462366 Default dropped message from 10.107.208.20 port 500 due to
>> notification type INVALID_FLAGS
>>
>> Some background Info:
>>
>> My network is as follows:
>> (trunking is next on my list, but for now, I have separate interfaces on
>> the router for each vlan)
>>
>>                     |
>>                 Internet (dynamic ip)
>>                     |1.1.1.2
>>        +------------------------+
>>        |   router/fw/isakmpd    |
>>        +------------------------+
>>     10.180.16.1 |     |10.107.208.1
>>            dmz  |     |  lan
>>        +--------+     +--------+
>>        |                       |
>>     +-----------------------------+
>>     |           switch            |
>>     |  vlan1       |      vlan2   |
>>     +-----------------------------+
>>            |            |
>>            |            |
>> +---------------+ +-------------------+
>> | www server    | |   workstation 1   +
>> | 10.180.16.250 | |   10.107.208.20   +
>> +---------------+ +-------------------+
>>
>> - OpenBSD Router:
>> - relevant ifconfig
>> ** internet
>> hme0:
>> flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
>> mtu 1500
>>         lladdr xxx
>>         groups: egress
>>         media: Ethernet 100baseTX full-duplex
>>         status: active
>>         inet6 xxx%hme0 prefixlen 64 scopeid 0x2
>>         inet 1.1.1.2 netmask 0xffffe000 broadcast 1.1.1.255
>> ** lan
>> hme1:
>> flags=8363<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,MULTICAST>
>> mtu 1500
>>         lladdr 08:00:20:ca:7d:c5
>>         media: Ethernet 100baseTX
>>         status: active
>>         inet 10.107.208.1 netmask 0xffffff00 broadcast 10.107.208.255
>>         inet6 fe80::a00:20ff:feca:7dc5%hme1 prefixlen 64 scopeid 0x3
>> ** dmz
>> hme2:
>> flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
>> mtu 1500
>>         lladdr 08:00:20:ca:7d:c6
>>         media: Ethernet autoselect (100baseTX full-duplex)
>>         status: active
>>         inet 10.180.16.1 netmask 0xffffff00 broadcast 10.180.16.255
>>         inet6 fe80::a00:20ff:feca:7dc6%hme2 prefixlen 64 scopeid 0x4
>>
>> # cat isakmpd.policy
>> KeyNote-Version: 2
>> Authorizer: "POLICY"
>> Licensees: "passphrase:foobar"
>> Conditions: app_domain == "IPsec policy" &&
>>             esp_present == "yes" &&
>>             esp_enc_alg == "3des" &&
>>             esp_auth_alg == "hmac-md5" -> "true";
>>
>> # isakmpd -d -4 -DA=10
>> 155358.773509 Default log_debug_cmd: log level changed from 0 to 10 for
>> class 0 [priv]
>> 155358.775093 Default log_debug_cmd: log level changed from 0 to 10 for
>> class 1 [priv]
>> 155358.775757 Default log_debug_cmd: log level changed from 0 to 10 for
>> class 2 [priv]
>> 155358.776153 Default log_debug_cmd: log level changed from 0 to 10 for
>> class 3 [priv]
>> 155358.776672 Default log_debug_cmd: log level changed from 0 to 10 for
>> class 4 [priv]
>> 155358.777056 Default log_debug_cmd: log level changed from 0 to 10 for
>> class 5 [priv]
>> 155358.777524 Default log_debug_cmd: log level changed from 0 to 10 for
>> class 6 [priv]
>> 155358.777914 Default log_debug_cmd: log level changed from 0 to 10 for
>> class 7 [priv]
>> 155358.778416 Default log_debug_cmd: log level changed from 0 to 10 for
>> class 8 [priv]
>> 155358.778794 Default log_debug_cmd: log level changed from 0 to 10 for
>> class 9 [priv]
>> 155358.779267 Default log_debug_cmd: log level changed from 0 to 10 for
>> class 10 [priv]
>> 155358.788915 Misc 10 monitor_init: privileges dropped for child process
>> 155359.444597 Timr 10 timer_add_event: event
>> connection_checker(0x4fe41420) added last, expiration in 0s
>> 155359.451947 Timr 10 timer_handle_expirations: event
>> connection_checker(0x4fe41420)
>> 155359.452947 Timr 10 timer_add_event: event
>> connection_checker(0x4fe41420) added last, expiration in 60s
>> 155359.453857 Timr 10 timer_add_event: event
>> exchange_free_aux(0x44908c00) added last, expiration in 120s
>> 155359.454632 Exch 10 exchange_establish_p1: 0x44908c00 ISAKMP-peer-west
>> Default-phase-1-configuration policy initiator phase 1 doi 1 exchange 2
>> step 0
>> 155359.455323 Exch 10 exchange_establish_p1: icookie 4d18594e523695f1
>> rcookie 0000000000000000
>> 155359.455748 Exch 10 exchange_establish_p1: msgid 00000000
>> 155359.457524 Timr 10 timer_add_event: event
>> message_send_expire(0x4d2dab00) added before
>> connection_checker(0x4fe41420), expiration in 7s
>> 155359.459672 Timr 10 timer_add_event: event
>> exchange_free_aux(0x44909000) added last, expiration in 120s
>> 155359.460277 Exch 10 exchange_setup_p2: 0x44909000 <unnamed> <no
>> policy> policy responder phase 2 doi 1 exchange 5 step 0
>> 155359.460737 Exch 10 exchange_setup_p2: icookie 4d18594e523695f1
>> rcookie a6af81ffd3a2d153
>> 155359.461263 Exch 10 exchange_setup_p2: msgid e5eb6990 sa_list
>> 155359.461787 Default message_recv: cleartext phase 2 message
>> 155359.462366 Default dropped message from 10.107.208.20 port 500 due to
>> notification type INVALID_FLAGS
>> 155359.462856 Timr 10 timer_add_event: event
>> exchange_free_aux(0x44909200) added last, expiration in 120s
>> 155359.463566 Exch 10 exchange_establish_p1: 0x44909200 <unnamed> <no
>> policy> policy initiator phase 1 doi 1 exchange 5 step 0
>> 155359.464001 Exch 10 exchange_establish_p1: icookie e82be37d8c1ae997
>> rcookie 0000000000000000
>> 155359.464539 Exch 10 exchange_establish_p1: msgid 00000000
>> 155359.465751 Exch 10 exchange_finalize: 0x44909200 <unnamed> <no
>> policy> policy initiator phase 1 doi 1 exchange 5 step 1
>> 155359.466300 Exch 10 exchange_finalize: icookie e82be37d8c1ae997
>> rcookie 0000000000000000
>> 155359.466708 Exch 10 exchange_finalize: msgid 00000000
>> 155359.467220 Timr 10 timer_remove_event: removing event
>> exchange_free_aux(0x44909200)
>> 155406.461707 Timr 10 timer_handle_expirations: event
>> message_send_expire(0x4d2dab00)
>> 155406.463417 Timr 10 timer_add_event: event
>> message_send_expire(0x4d2dab00) added before
>> connection_checker(0x4fe41420), expiration in 9s
>>
>> Thanks,
>> Axton Grams
