2008/5/14 scott learmonth <[EMAIL PROTECTED]>:
>> On Tue, May 13, 2008 at 5:41 PM, Lord Sporkton <[EMAIL PROTECTED]>
>> wrote:
>>> I am trying to set up an ipsec link between my home network (private ip
>>>  network behind dynamic public ip) and my colo server (single public
>>>  static ip). I was a bit unclear on how to set up a tunnel between a
>>>  static and dynamic ip.
>>>
>>>  interesting traffic:
>>>  208.70.72.13 -> 10.0.0.0/16
>>>
>>>
>>>  My SAD seems to set up OK; however, afterward I get no flows and cannot
>>>  pass data. I've checked out logs and ipsecctl -m, but see nothing of use.
>>>
>>>  Below is data I believe relevant; if anything else is requested I will
>>>  do my best to post it back in a timely fashion.
>>>  Thank you
>>>
>>>
>>>  colo server:
>>>
>>>  # uname -a
>>>  OpenBSD angie.sporkton.com 4.3 GENERIC#846 i386
>>>  # cat /etc/ipsec.conf
>>>
>>>  ike passive from 208.70.72.13 to 10.0.0.0/16 \
>>>         aggressive auth hmac-sha1 enc 3des group modp1024       \
>>>         quick auth hmac-sha1 enc 3des \
>>>         srcid "angie.sporkton.com" dstid "fire.sporkton.com" \
>>>         psk "password"
>>>  # ipsecctl -sa
>>>  FLOWS:
>>>  No flows
>>>
>>>  SAD:
>>>  esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth
>>>  hmac-sha1 enc 3des-cbc
>>>  esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth
>>>  hmac-sha1 enc 3des-cbc
>>>  #
>>>
>>>  ipsecctl -m output:
>>>
>>>  sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
>>>         address_src: 67.159.171.204
>>>         address_dst: 208.70.72.13
>>>         spirange: min 0x00000100 max 0xffffffff
>>>  sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
>>>         sa: spi 0x581ea1f0 auth none enc none
>>>                 state mature replay 0 flags 0
>>>         address_src: 67.159.171.204
>>>         address_dst: 208.70.72.13
>>>  sadb_add: satype esp vers 2 len 50 seq 10 pid 7557
>>>         sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
>>>                 state mature replay 16 flags 4
>>>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>         address_src: 208.70.72.13
>>>         address_dst: 67.159.171.204
>>>         key_auth: bits 160: e7ee5eafe49c95cafc506ba1ba6c174a584e4859
>>>         key_encrypt: bits 192:
>>> 65c174f84e389d2022ffbf9c1f152348d7b7f708ef757014
>>>         identity_src: type fqdn id 0: angie.sporkton.com
>>>         identity_dst: type fqdn id 0: fire.sporkton.com
>>>         src_mask: 255.255.255.255
>>>         dst_mask: 255.255.0.0
>>>         protocol: proto 0 flags 0
>>>         flow_type: type unknown direction out
>>>         src_flow: 208.70.72.13
>>>         dst_flow: 10.0.0.0
>>>  sadb_add: satype esp vers 2 len 42 seq 10 pid 7557
>>>         sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
>>>                 state mature replay 16 flags 4
>>>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>         address_src: 208.70.72.13
>>>         address_dst: 67.159.171.204
>>>         identity_src: type fqdn id 0: angie.sporkton.com
>>>         identity_dst: type fqdn id 0: fire.sporkton.com
>>>         src_mask: 255.255.255.255
>>>         dst_mask: 255.255.0.0
>>>         protocol: proto 0 flags 0
>>>         flow_type: type unknown direction out
>>>         src_flow: 208.70.72.13
>>>         dst_flow: 10.0.0.0
>>>  sadb_update: satype esp vers 2 len 50 seq 11 pid 7557
>>>         sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
>>>                 state mature replay 16 flags 4
>>>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>         address_src: 67.159.171.204
>>>         address_dst: 208.70.72.13
>>>         key_auth: bits 160: c2beffabe156d0dbaca586e730694a4ff3cc4ef5
>>>         key_encrypt: bits 192:
>>> 496cd320b35638d36dd8f899b8ce76c150840092db466715
>>>         identity_src: type fqdn id 0: fire.sporkton.com
>>>         identity_dst: type fqdn id 0: angie.sporkton.com
>>>         src_mask: 255.255.0.0
>>>         dst_mask: 255.255.255.255
>>>         protocol: proto 0 flags 0
>>>         flow_type: type unknown direction in
>>>         src_flow: 10.0.0.0
>>>         dst_flow: 208.70.72.13
>>>  sadb_update: satype esp vers 2 len 42 seq 11 pid 7557
>>>         sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
>>>                 state mature replay 16 flags 4
>>>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>         address_src: 67.159.171.204
>>>         address_dst: 208.70.72.13
>>>         identity_src: type fqdn id 0: fire.sporkton.com
>>>         identity_dst: type fqdn id 0: angie.sporkton.com
>>>         src_mask: 255.255.0.0
>>>         dst_mask: 255.255.255.255
>>>         protocol: proto 0 flags 0
>>>         flow_type: type unknown direction in
>>>         src_flow: 10.0.0.0
>>>         dst_flow: 208.70.72.13
>>>
>>>
>>>
>>>  Home firewall:
>>>
>>>  # uname -a
>>>  OpenBSD fire.sporkton.com 4.3 GENERIC#698 i386
>>>  # cat /etc/ipsec.conf
>>>  ike from 10.0.0.0/16 to 208.70.72.13 peer 208.70.72.13 \
>>>         aggressive auth hmac-sha1 enc 3des group modp1024 \
>>>         quick auth hmac-sha1 enc 3des \
>>>         srcid "fire.sporkton.com" dstid "angie.sporkton.com" \
>>>         psk "password"
>>>  # ipsecctl -sa
>>>  FLOWS:
>>>  No flows
>>>
>>>  SAD:
>>>  esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth
>>>  hmac-sha1 enc 3des-cbc
>>>  esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth
>>>  hmac-sha1 enc 3des-cbc
>>>  #
>>>
>>>
>>>  ipsecctl -m output:
>>>  sadb_getspi: satype esp vers 2 len 10 seq 4 pid 27351
>>>         address_src: 208.70.72.13
>>>         address_dst: 67.159.171.204
>>>         spirange: min 0x00000100 max 0xffffffff
>>>  sadb_getspi: satype esp vers 2 len 10 seq 4 pid 27351
>>>         sa: spi 0xeac5bef2 auth none enc none
>>>                 state mature replay 0 flags 0
>>>         address_src: 208.70.72.13
>>>         address_dst: 67.159.171.204
>>>  sadb_add: satype esp vers 2 len 50 seq 5 pid 27351
>>>         sa: spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
>>>                 state mature replay 16 flags 4
>>>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>         address_src: 67.159.171.204
>>>         address_dst: 208.70.72.13
>>>         key_auth: bits 160: 3e8df0ca567d73038ec1ef434032c7edc40ae308
>>>         key_encrypt: bits 192:
>>> 94acef899197f1bdfc762d296e5e0dfca1ccedb854823e57
>>>         identity_src: type fqdn id 0: fire.sporkton.com
>>>         identity_dst: type fqdn id 0: angie.sporkton.com
>>>         src_mask: 255.255.0.0
>>>         dst_mask: 255.255.255.255
>>>         protocol: proto 0 flags 0
>>>         flow_type: type unknown direction out
>>>         src_flow: 10.0.0.0
>>>         dst_flow: 208.70.72.13
>>>  sadb_add: satype esp vers 2 len 42 seq 5 pid 27351
>>>         sa: spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
>>>                 state mature replay 16 flags 4
>>>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>         address_src: 67.159.171.204
>>>         address_dst: 208.70.72.13
>>>         identity_src: type fqdn id 0: fire.sporkton.com
>>>         identity_dst: type fqdn id 0: angie.sporkton.com
>>>         src_mask: 255.255.0.0
>>>         dst_mask: 255.255.255.255
>>>         protocol: proto 0 flags 0
>>>         flow_type: type unknown direction out
>>>         src_flow: 10.0.0.0
>>>         dst_flow: 208.70.72.13
>>>  sadb_update: satype esp vers 2 len 50 seq 6 pid 27351
>>>         sa: spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
>>>                 state mature replay 16 flags 4
>>>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>         address_src: 208.70.72.13
>>>         address_dst: 67.159.171.204
>>>         key_auth: bits 160: 1e2e1137f4421ee9d84c50bbd3b03aedb12938ac
>>>         key_encrypt: bits 192:
>>> a9eeb920e58b7603ae697d692407bbbdd60c39b65bc57bfe
>>>         identity_src: type fqdn id 0: angie.sporkton.com
>>>         identity_dst: type fqdn id 0: fire.sporkton.com
>>>         src_mask: 255.255.255.255
>>>         dst_mask: 255.255.0.0
>>>         protocol: proto 0 flags 0
>>>         flow_type: type unknown direction in
>>>         src_flow: 208.70.72.13
>>>         dst_flow: 10.0.0.0
>>>  sadb_update: satype esp vers 2 len 42 seq 6 pid 27351
>>>         sa: spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
>>>                 state mature replay 16 flags 4
>>>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>         address_src: 208.70.72.13
>>>         address_dst: 67.159.171.204
>>>         identity_src: type fqdn id 0: angie.sporkton.com
>>>         identity_dst: type fqdn id 0: fire.sporkton.com
>>>         src_mask: 255.255.255.255
>>>         dst_mask: 255.255.0.0
>>>         protocol: proto 0 flags 0
>>>         flow_type: type unknown direction in
>>>         src_flow: 208.70.72.13
>>>         dst_flow: 10.0.0.0
>>
>> I would recommend taking a look at if you haven't already:
>> http://www.securityfocus.com/infocus/1859
>>
>> Jonathan
>>
>>
>
> http://www.securityfocus.com/infocus/1859
> is the article that started it all for me using ipsec and OpenBSD. It's not 
> exactly geared for one end being dynamic ip though.
>
> I don't have much experience with dynamic addresses, but if my understanding 
> is correct, the best would be as below.
>
> Let me know if it works, I'm curious, since I've also never done ipsec 
> between a static and dynamic device without an internal subnet on both hosts:
>
>
> colo /etc/ipsec.conf:
>
> ike passive from 208.70.72.13 to 10.0.0.0/16
>
> home /etc/ipsec.conf:
>
> ike dynamic from 10.0.0.0/16 to 208.70.72.13
>
> (it looks TOO incomplete to me, but hey. IPsec on OpenBSD never ceases to
> amaze me in its simplicity compared to other options)
>
> Make sure your pf on both ends is allowing negotiation (which it seems to 
> be). Also, unless you need to apply pf rules to your encrypted traffic, make 
> sure you've got enc0 in your "set skip on" interfaces.
>
> I'd suggest using pubkeys as in isakmpd(8) which should be:
>
> copy /etc/isakmpd/local.pub from colo to 
> /etc/isakmpd/pubkeys/ipv4/208.70.72.13 on home machine
>
> copy /etc/isakmpd/local.pub from home to 
> /etc/isakmpd/pubkeys/fqdn/client.host.name on the colo
>
> That would be better than psk if you can get it working, imho.
>
> Cheers
>
>
>

I have switched to using pubkeys via fqdn, as I'm using fqdn in both
dstid and srcid; that is now working, and quite nicely if I do say so
myself.

I have appropriate no nat on the dynamic side as well:
angie="208.70.72.13"
table <private> const { 10/8, 172.16/12, 192.168/16 }
no nat on $ext_if from <private> to $angie


The pf is set up to allow all udp 500 traffic on both sides:
pass  in on $ext_if inet proto udp  from any to $ext_if port isakmp

enc0 was not on my skip list; however, it is now, and still no change:
set skip on {enc0, lo0}

From the man page sample:
#ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \
#       srcid me.mylan.net dstid the.others.net
#ike esp from 192.168.3.1 to 192.168.3.2 \
#       srcid me.mylan.net dstid the.others.net

# Set up a tunnel using static keying:
#
# The first rule sets up the flow; the second sets up the SA.

It seems to imply that 2 rules are needed for any one connection: one
rule that specifies interesting traffic and one that defines
termination points. I will try this.


-- 
-Lawrence
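Added here as an illustration, not code from the thread or from OpenBSD: a small Python script that parses `ipsecctl -sa` output like the listings posted above and flags the exact symptom in them, a populated SAD with an empty FLOWS table, along with two related consistency checks (each ESP SA should have a partner in the reverse direction, and every flow should have an SA towards its peer). The line layouts it expects (`esp tunnel from A to B spi ... auth X enc Y` and `flow esp in|out from A to B peer P ...`) are the ipsecctl(8) formats as I know them and are an assumption; the first sample is the colo box's posted output, the second is a constructed healthy listing for the same peers, not output from either of the poster's machines.

```python
"""Sanity-check `ipsecctl -sa` output: do the negotiated SAs have flows to use them?

Assumed line layouts (ipsecctl(8)):
  esp tunnel from A to B spi 0x... auth hmac-sha1 enc 3des-cbc
  flow esp out from NET to NET peer P srcid ... dstid ... type require
"""
import re
from dataclasses import dataclass, field

SA_RE = re.compile(
    r"^esp (?:tunnel|transport) from (?P<src>\S+) to (?P<dst>\S+) "
    r"spi (?P<spi>0x[0-9a-f]+)\s+auth (?P<auth>\S+) enc (?P<enc>\S+)")
FLOW_RE = re.compile(
    r"^flow esp (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+) peer (?P<peer>\S+)")


@dataclass
class SAState:
    sas: list = field(default_factory=list)      # (src, dst, spi, auth, enc)
    flows: list = field(default_factory=list)    # (dir, src, dst, peer)
    problems: list = field(default_factory=list)


def _unwrap(text):
    """Re-join SA lines that a mail client wrapped after 'auth', as in the posted output."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if out and out[-1].startswith("esp ") and " enc " not in out[-1]:
            out[-1] += " " + line      # continuation of a wrapped SA line
        else:
            out.append(line)
    return out


def parse_ipsecctl_sa(text):
    """Collect SAD entries and flows; any line matching neither pattern is ignored."""
    st = SAState()
    for line in _unwrap(text):
        m = FLOW_RE.match(line)
        if m:
            st.flows.append((m["dir"], m["src"], m["dst"], m["peer"]))
            continue
        m = SA_RE.match(line)
        if m:
            st.sas.append((m["src"], m["dst"], m["spi"], m["auth"], m["enc"]))
    return st


def check(st):
    """Append human-readable findings to st.problems and return them."""
    endpoints = {(s, d) for s, d, *_ in st.sas}
    # ESP SAs are unidirectional: a tunnel needs one in each direction.
    for s, d in sorted(endpoints):
        if (d, s) not in endpoints:
            st.problems.append(f"SA {s}->{d} has no reverse SA; traffic would be one-way")
    # The symptom from the thread: phase 2 finished, but nothing selects traffic into the tunnel.
    if st.sas and not st.flows:
        st.problems.append("SAs negotiated but no flows installed: "
                           "no traffic is selected into the tunnel")
    # An outbound flow needs an SA whose destination is the peer; an inbound one, whose source is.
    for direction, src, dst, peer in st.flows:
        have = any((d == peer) if direction == "out" else (s == peer) for s, d in endpoints)
        if not have:
            st.problems.append(f"flow {direction} {src}->{dst} peer {peer} has no matching SA")
    return st.problems


def diagnose(text):
    st = parse_ipsecctl_sa(text)
    check(st)
    return st


# Output posted for the colo box in the thread (wrapped by the mail client, unwrapped by _unwrap).
POSTED = """\
FLOWS:
No flows

SAD:
esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth
hmac-sha1 enc 3des-cbc
esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth
hmac-sha1 enc 3des-cbc
"""

# Constructed healthy listing for the same peers: the flow pair is present (not real output).
HEALTHY = """\
FLOWS:
flow esp out from 208.70.72.13 to 10.0.0.0/16 peer 67.159.171.204 type require
flow esp in from 10.0.0.0/16 to 208.70.72.13 peer 67.159.171.204 type use

SAD:
esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
"""

if __name__ == "__main__":
    for name, sample in (("posted", POSTED), ("healthy", HEALTHY)):
        st = diagnose(sample)
        print(f"{name}: {len(st.sas)} SAs, {len(st.flows)} flows")
        for p in st.problems:
            print("  !", p)
```

The point of the check is the one the thread circles around: the SAD only says that phase 2 completed, while the FLOWS section says whether the selectors from the `from ... to ...` part of the rule were installed, and without flows the kernel has nothing to steer packets into the tunnel. Pipe `ipsecctl -sa` into `diagnose()` on a live box for the same report.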
