2008/5/14 Lord Sporkton <[EMAIL PROTECTED]>: > 2008/5/14 scott learmonth <[EMAIL PROTECTED]>: >>> On Tue, May 13, 2008 at 5:41 PM, Lord Sporkton <[EMAIL PROTECTED]> >>> wrote: >>>> I am trying to set up a ipsec link between my home network(private ip >>>> network behind dynamic public ip) >>>> and my colo server(single public static ip). I was a bit unclear on >>>> how to set up a tunnel between a static >>>> and dynamic ip >>>> >>>> interesting traffic: >>>> 208.70.72.13 -> 10.0.0.0/16 >>>> >>>> >>>> My sad seems to set up ok, however afterward i get no flows and can not >>>> pass >>>> data, ive checked out logs, and ipsecctl -m, but see nothing of use. >>>> >>>> Below is data i believe relevant, if anything else is requested i will >>>> do my best to post it back in a timely fashion >>>> thank you >>>> >>>> >>>> colo server: >>>> >>>> # uname -a >>>> OpenBSD angie.sporkton.com 4.3 GENERIC#846 i386 >>>> # cat /etc/ipsec.conf >>>> >>>> ike passive from 208.70.72.13 to 10.0.0.0/16 \ >>>> aggressive auth hmac-sha1 enc 3des group modp1024 \ >>>> quick auth hmac-sha1 enc 3des \ >>>> srcid "angie.sporkton.com" dstid "fire.sporkton.com" \ >>>> psk "password" >>>> # ipsecctl -sa >>>> FLOWS: >>>> No flows >>>> >>>> SAD: >>>> esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth >>>> hmac-sha1 enc 3des-cbc >>>> esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth >>>> hmac-sha1 enc 3des-cbc >>>> # >>>> >>>> ipsecctl -m output: >>>> >>>> sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557 >>>> address_src: 67.159.171.204 >>>> address_dst: 208.70.72.13 >>>> spirange: min 0x00000100 max 0xffffffff >>>> sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557 >>>> sa: spi 0x581ea1f0 auth none enc none >>>> state mature replay 0 flags 0 >>>> address_src: 67.159.171.204 >>>> address_dst: 208.70.72.13 >>>> sadb_add: satype esp vers 2 len 50 seq 10 pid 7557 >>>> sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc >>>> state mature replay 16 flags 4 >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0 >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0 >>>> address_src: 208.70.72.13 >>>> address_dst: 67.159.171.204 >>>> key_auth: bits 160: e7ee5eafe49c95cafc506ba1ba6c174a584e4859 >>>> key_encrypt: bits 192: >>>> 65c174f84e389d2022ffbf9c1f152348d7b7f708ef757014 >>>> identity_src: type fqdn id 0: angie.sporkton.com >>>> identity_dst: type fqdn id 0: fire.sporkton.com >>>> src_mask: 255.255.255.255 >>>> dst_mask: 255.255.0.0 >>>> protocol: proto 0 flags 0 >>>> flow_type: type unknown direction out >>>> src_flow: 208.70.72.13 >>>> dst_flow: 10.0.0.0 >>>> sadb_add: satype esp vers 2 len 42 seq 10 pid 7557 >>>> sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc >>>> state mature replay 16 flags 4 >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0 >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0 >>>> address_src: 208.70.72.13 >>>> address_dst: 67.159.171.204 >>>> identity_src: type fqdn id 0: angie.sporkton.com >>>> identity_dst: type fqdn id 0: fire.sporkton.com >>>> src_mask: 255.255.255.255 >>>> dst_mask: 255.255.0.0 >>>> protocol: proto 0 flags 0 >>>> flow_type: type unknown direction out >>>> src_flow: 208.70.72.13 >>>> dst_flow: 10.0.0.0 >>>> sadb_update: satype esp vers 2 len 50 seq 11 pid 7557 >>>> sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc >>>> state mature replay 16 flags 4 >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0 >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0 >>>> address_src: 67.159.171.204 >>>> address_dst: 208.70.72.13 >>>> key_auth: bits 160: c2beffabe156d0dbaca586e730694a4ff3cc4ef5 >>>> key_encrypt: bits 192: >>>> 496cd320b35638d36dd8f899b8ce76c150840092db466715 >>>> identity_src: type fqdn id 0: fire.sporkton.com >>>> identity_dst: type fqdn id 0: angie.sporkton.com >>>> src_mask: 255.255.0.0 >>>> dst_mask: 255.255.255.255 >>>> protocol: proto 0 flags 0 >>>> flow_type: type unknown direction in >>>> src_flow: 10.0.0.0 >>>> dst_flow: 208.70.72.13 >>>> sadb_update: satype esp vers 2 len 42 seq 11 pid 7557 >>>> sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc >>>> state mature replay 16 flags 4 >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0 >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0 >>>> address_src: 67.159.171.204 >>>> address_dst: 208.70.72.13 >>>> identity_src: type fqdn id 0: fire.sporkton.com >>>> identity_dst: type fqdn id 0: angie.sporkton.com >>>> src_mask: 255.255.0.0 >>>> dst_mask: 255.255.255.255 >>>> protocol: proto 0 flags 0 >>>> flow_type: type unknown direction in >>>> src_flow: 10.0.0.0 >>>> dst_flow: 208.70.72.13 >>>> >>>> >>>> >>>> Home firewall: >>>> >>>> # uname -a >>>> OpenBSD fire.sporkton.com 4.3 GENERIC#698 i386 >>>> # cat /etc/ipsec.conf >>>> ike from 10.0.0.0/16 to 208.70.72.13 peer 208.70.72.13 \ >>>> aggressive auth hmac-sha1 enc 3des group modp1024 \ >>>> quick auth hmac-sha1 enc 3des \ >>>> srcid "fire.sporkton.com" dstid "angie.sporkton.com" \ >>>> psk "password" >>>> # ipsecctl -sa >>>> FLOWS: >>>> No flows >>>> >>>> SAD: >>>> esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth >>>> hmac-sha1 enc 3des-cbc >>>> esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth >>>> hmac-sha1 enc 3des-cbc >>>> # >>>> >>>> >>>> ipsecctl -m output: >>>> sadb_getspi: satype esp vers 2 len 10 seq 4 pid 27351 >>>> address_src: 208.70.72.13 >>>> address_dst: 67.159.171.204 >>>> spirange: min 0x00000100 max 0xffffffff >>>> sadb_getspi: satype esp vers 2 len 10 seq 4 pid 27351 >>>> sa: spi 0xeac5bef2 auth none enc none >>>> state mature replay 0 flags 0 >>>> address_src: 208.70.72.13 >>>> address_dst: 67.159.171.204 >>>> sadb_add: satype esp vers 2 len 50 seq 5 pid 27351 >>>> sa: spi 0x26974f0d auth hmac-sha1 enc 3des-cbc >>>> state mature replay 16 flags 4 >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0 >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0 >>>> address_src: 67.159.171.204 >>>> address_dst: 208.70.72.13 >>>> key_auth: bits 160: 3e8df0ca567d73038ec1ef434032c7edc40ae308 >>>> key_encrypt: bits 192: >>>> 94acef899197f1bdfc762d296e5e0dfca1ccedb854823e57 >>>> identity_src: type fqdn id 0: fire.sporkton.com >>>> identity_dst: type fqdn id 0: angie.sporkton.com >>>> src_mask: 255.255.0.0 >>>> dst_mask: 255.255.255.255 >>>> protocol: proto 0 flags 0 >>>> flow_type: type unknown direction out >>>> src_flow: 10.0.0.0 >>>> dst_flow: 208.70.72.13 >>>> sadb_add: satype esp vers 2 len 42 seq 5 pid 27351 >>>> sa: spi 0x26974f0d auth hmac-sha1 enc 3des-cbc >>>> state mature replay 16 flags 4 >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0 >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0 >>>> address_src: 67.159.171.204 >>>> address_dst: 208.70.72.13 >>>> identity_src: type fqdn id 0: fire.sporkton.com >>>> identity_dst: type fqdn id 0: angie.sporkton.com >>>> src_mask: 255.255.0.0 >>>> dst_mask: 255.255.255.255 >>>> protocol: proto 0 flags 0 >>>> flow_type: type unknown direction out >>>> src_flow: 10.0.0.0 >>>> dst_flow: 208.70.72.13 >>>> sadb_update: satype esp vers 2 len 50 seq 6 pid 27351 >>>> sa: spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc >>>> state mature replay 16 flags 4 >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0 >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0 >>>> address_src: 208.70.72.13 >>>> address_dst: 67.159.171.204 >>>> key_auth: bits 160: 1e2e1137f4421ee9d84c50bbd3b03aedb12938ac >>>> key_encrypt: bits 192: >>>> a9eeb920e58b7603ae697d692407bbbdd60c39b65bc57bfe >>>> identity_src: type fqdn id 0: angie.sporkton.com >>>> identity_dst: type fqdn id 0: fire.sporkton.com >>>> src_mask: 255.255.255.255 >>>> dst_mask: 255.255.0.0 >>>> protocol: proto 0 flags 0 >>>> flow_type: type unknown direction in >>>> src_flow: 208.70.72.13 >>>> dst_flow: 10.0.0.0 >>>> sadb_update: satype esp vers 2 len 42 seq 6 pid 27351 >>>> sa: spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc >>>> state mature replay 16 flags 4 >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0 >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0 >>>> address_src: 208.70.72.13 >>>> address_dst: 67.159.171.204 >>>> identity_src: type fqdn id 0: angie.sporkton.com >>>> identity_dst: type fqdn id 0: fire.sporkton.com >>>> src_mask: 255.255.255.255 >>>> dst_mask: 255.255.0.0 >>>> protocol: proto 0 flags 0 >>>> flow_type: type unknown direction in >>>> src_flow: 208.70.72.13 >>>> dst_flow: 10.0.0.0 >>> >>> I would recommend taking a look at if you haven't already: >>> http://www.securityfocus.com/infocus/1859 >>> >>> Jonathan >>> >>> >> >> http://www.securityfocus.com/infocus/1859 >> is the article that started it all for me using ipsec and OpenBSD. It's not >> exactly geared for one end being dynamic ip though. >> >> I don't have much experience with dynamic addresses, but if my understanding >> is correct, the best would be as below. >> >> Let me know if it works, I'm curious, since I've also never done ipsec >> between a static and dynamic device without an internal subnet on both hosts: >> >> >> colo /etc/ipsec.conf: >> >> ike passive from 208.70.72.13 to 10.0.0.0/16 >> >> home /etc/ipsec.conf: >> >> ike dynamic from 10.0.0.0/16 to 208.70.72.13 >> >> (it looks TOO incomplete to me, but hey. IPsec on OpenBSD never ceases to >> amaze me in it's simplicity compared to other options) >> >> Make sure your pf on both ends is allowing negotiation (which it seems to >> be). Also, unless you need to apply pf rules to your encrypted traffic, make >> sure you've got enc0 in your "set skip on" interfaces. >> >> I'd suggest using pubkeys as in isakmpd(8) which should be: >> >> copy /etc/isakmpd/local.pub from colo to >> /etc/isakmpd/pubkeys/ipv4/208.70.72.13 on home machine >> >> copy /etc/isakmpd/local.pub from home to >> /etc/isakmpd/pubkeys/fqdn/client.host.name on the colo >> >> That would be better than psk if you can get it working, imho. >> >> Cheers >> >> >> > > i have switched to using pubkeys via fqdn as im using fqdn in both > dstid and srcid, that is now working. and quite nicely if i do say so > myself > > i have appropriate nonat on the dynamic side as well > angie="208.70.72.13" > table <private> const { 10/8, 172.16/12, 192.168/16 } > no nat on $ext_if from <private> to $angie > > > the pf is set up to allow all udp 500 traffic on both sides. > pass in on $ext_if inet proto udp from any to $ext_if port isakmp > > enc0 was not on my skip list however it is now, and still no change > set skip on {enc0, lo0} > > from the man page sample: > #ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \ > # srcid me.mylan.net dstid the.others.net > #ike esp from 192.168.3.1 to 192.168.3.2 \ > # srcid me.mylan.net dstid the.others.net > > # Set up a tunnel using static keying: > # > # The first rule sets up the flow; the second sets up the SA. > > it seems to imply that 2 rules are needed for any one connection, one > rule that specifies interesting traffic and one that defines > termination points. I will try this. > > > -- > -Lawrence >
Im not exactly sure how to tell the second rule, as the home endpoint is dynamic, i cant set that one to a ip since it will change, and if i set it to a fqdn i get errors for mismatched types, however i think it just looks up the name anyone doesnt it? -- -Lawrence
