2008/5/15 Claer <[EMAIL PROTECTED]>:
> On Thu, May 15 2008 at 09:09, Lord Sporkton wrote:
>
>> 2008/5/14 Lord Sporkton <[EMAIL PROTECTED]>:
>> > 2008/5/14 scott learmonth <[EMAIL PROTECTED]>:
>> >>> On Tue, May 13, 2008 at 5:41 PM, Lord Sporkton <[EMAIL PROTECTED]>
>> >>> wrote:
>> >>>> I am trying to set up a ipsec link between my home network(private ip
>> >>>> network behind dynamic public ip)
>> >>>> and my colo server(single public static ip). I was a bit unclear on
>> >>>> how to set up a tunnel between a static
>> >>>> and dynamic ip
>> >>>>
>> >>>> interesting traffic:
>> >>>> 208.70.72.13 -> 10.0.0.0/16
>> >>>>
>> >>>>
>> >>>> My sad seems to set up ok, however afterward i get no flows and can not
>> >>>> pass
>> >>>> data, ive checked out logs, and ipsecctl -m, but see nothing of use.
>> >>>>
>> >>>> Below is data i believe relevant, if anything else is requested i will
>> >>>> do my best to post it back in a timely fashion
>> >>>> thank you
>> >>>>
>> >>>>
>> >>>> colo server:
>> >>>>
>> >>>> # uname -a
>> >>>> OpenBSD angie.sporkton.com 4.3 GENERIC#846 i386
>> >>>> # cat /etc/ipsec.conf
>> >>>>
>> >>>> ike passive from 208.70.72.13 to 10.0.0.0/16 \
>> >>>> aggressive auth hmac-sha1 enc 3des group modp1024 \
>> >>>> quick auth hmac-sha1 enc 3des \
>> >>>> srcid "angie.sporkton.com" dstid "fire.sporkton.com" \
>> >>>> psk "password"
>> >>>> # ipsecctl -sa
>> >>>> FLOWS:
>> >>>> No flows
>> >>>>
>> >>>> SAD:
>> >>>> esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth
>> >>>> hmac-sha1 enc 3des-cbc
>> >>>> esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth
>> >>>> hmac-sha1 enc 3des-cbc
>> >>>> #
>> >>>>
>> >>>> ipsecctl -m output:
>> >>>>
>> >>>> sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
>> >>>> address_src: 67.159.171.204
>> >>>> address_dst: 208.70.72.13
>> >>>> spirange: min 0x00000100 max 0xffffffff
>> >>>> sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
>> >>>> sa: spi 0x581ea1f0 auth none enc none
>> >>>> state mature replay 0 flags 0
>> >>>> address_src: 67.159.171.204
>> >>>> address_dst: 208.70.72.13
>> >>>> sadb_add: satype esp vers 2 len 50 seq 10 pid 7557
>> >>>> sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
>> >>>> state mature replay 16 flags 4
>> >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>> >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>> >>>> address_src: 208.70.72.13
>> >>>> address_dst: 67.159.171.204
>> >>>> key_auth: bits 160: e7ee5eafe49c95cafc506ba1ba6c174a584e4859
>> >>>> key_encrypt: bits 192:
>> >>>> 65c174f84e389d2022ffbf9c1f152348d7b7f708ef757014
>> >>>> identity_src: type fqdn id 0: angie.sporkton.com
>> >>>> identity_dst: type fqdn id 0: fire.sporkton.com
>> >>>> src_mask: 255.255.255.255
>> >>>> dst_mask: 255.255.0.0
>> >>>> protocol: proto 0 flags 0
>> >>>> flow_type: type unknown direction out
>> >>>> src_flow: 208.70.72.13
>> >>>> dst_flow: 10.0.0.0
>> >>>> sadb_add: satype esp vers 2 len 42 seq 10 pid 7557
>> >>>> sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
>> >>>> state mature replay 16 flags 4
>> >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>> >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>> >>>> address_src: 208.70.72.13
>> >>>> address_dst: 67.159.171.204
>> >>>> identity_src: type fqdn id 0: angie.sporkton.com
>> >>>> identity_dst: type fqdn id 0: fire.sporkton.com
>> >>>> src_mask: 255.255.255.255
>> >>>> dst_mask: 255.255.0.0
>> >>>> protocol: proto 0 flags 0
>> >>>> flow_type: type unknown direction out
>> >>>> src_flow: 208.70.72.13
>> >>>> dst_flow: 10.0.0.0
>> >>>> sadb_update: satype esp vers 2 len 50 seq 11 pid 7557
>> >>>> sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
>> >>>> state mature replay 16 flags 4
>> >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>> >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>> >>>> address_src: 67.159.171.204
>> >>>> address_dst: 208.70.72.13
>> >>>> key_auth: bits 160: c2beffabe156d0dbaca586e730694a4ff3cc4ef5
>> >>>> key_encrypt: bits 192:
>> >>>> 496cd320b35638d36dd8f899b8ce76c150840092db466715
>> >>>> identity_src: type fqdn id 0: fire.sporkton.com
>> >>>> identity_dst: type fqdn id 0: angie.sporkton.com
>> >>>> src_mask: 255.255.0.0
>> >>>> dst_mask: 255.255.255.255
>> >>>> protocol: proto 0 flags 0
>> >>>> flow_type: type unknown direction in
>> >>>> src_flow: 10.0.0.0
>> >>>> dst_flow: 208.70.72.13
>> >>>> sadb_update: satype esp vers 2 len 42 seq 11 pid 7557
>> >>>> sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
>> >>>> state mature replay 16 flags 4
>> >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>> >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>> >>>> address_src: 67.159.171.204
>> >>>> address_dst: 208.70.72.13
>> >>>> identity_src: type fqdn id 0: fire.sporkton.com
>> >>>> identity_dst: type fqdn id 0: angie.sporkton.com
>> >>>> src_mask: 255.255.0.0
>> >>>> dst_mask: 255.255.255.255
>> >>>> protocol: proto 0 flags 0
>> >>>> flow_type: type unknown direction in
>> >>>> src_flow: 10.0.0.0
>> >>>> dst_flow: 208.70.72.13
>> >>>>
>> >>>>
>> >>>>
>> >>>> Home firewall:
>> >>>>
>> >>>> # uname -a
>> >>>> OpenBSD fire.sporkton.com 4.3 GENERIC#698 i386
>> >>>> # cat /etc/ipsec.conf
>> >>>> ike from 10.0.0.0/16 to 208.70.72.13 peer 208.70.72.13 \
>> >>>> aggressive auth hmac-sha1 enc 3des group modp1024 \
>> >>>> quick auth hmac-sha1 enc 3des \
>> >>>> srcid "fire.sporkton.com" dstid "angie.sporkton.com" \
>> >>>> psk "password"
>> >>>> # ipsecctl -sa
>> >>>> FLOWS:
>> >>>> No flows
>> >>>>
>> >>>> SAD:
>> >>>> esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth
>> >>>> hmac-sha1 enc 3des-cbc
>> >>>> esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth
>> >>>> hmac-sha1 enc 3des-cbc
>> >>>> #
>> >>>>
>> >>>>
>> >>>> ipsecctl -m output:
>> >>>> sadb_getspi: satype esp vers 2 len 10 seq 4 pid 27351
>> >>>> address_src: 208.70.72.13
>> >>>> address_dst: 67.159.171.204
>> >>>> spirange: min 0x00000100 max 0xffffffff
>> >>>> sadb_getspi: satype esp vers 2 len 10 seq 4 pid 27351
>> >>>> sa: spi 0xeac5bef2 auth none enc none
>> >>>> state mature replay 0 flags 0
>> >>>> address_src: 208.70.72.13
>> >>>> address_dst: 67.159.171.204
>> >>>> sadb_add: satype esp vers 2 len 50 seq 5 pid 27351
>> >>>> sa: spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
>> >>>> state mature replay 16 flags 4
>> >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>> >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>> >>>> address_src: 67.159.171.204
>> >>>> address_dst: 208.70.72.13
>> >>>> key_auth: bits 160: 3e8df0ca567d73038ec1ef434032c7edc40ae308
>> >>>> key_encrypt: bits 192:
>> >>>> 94acef899197f1bdfc762d296e5e0dfca1ccedb854823e57
>> >>>> identity_src: type fqdn id 0: fire.sporkton.com
>> >>>> identity_dst: type fqdn id 0: angie.sporkton.com
>> >>>> src_mask: 255.255.0.0
>> >>>> dst_mask: 255.255.255.255
>> >>>> protocol: proto 0 flags 0
>> >>>> flow_type: type unknown direction out
>> >>>> src_flow: 10.0.0.0
>> >>>> dst_flow: 208.70.72.13
>> >>>> sadb_add: satype esp vers 2 len 42 seq 5 pid 27351
>> >>>> sa: spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
>> >>>> state mature replay 16 flags 4
>> >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>> >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>> >>>> address_src: 67.159.171.204
>> >>>> address_dst: 208.70.72.13
>> >>>> identity_src: type fqdn id 0: fire.sporkton.com
>> >>>> identity_dst: type fqdn id 0: angie.sporkton.com
>> >>>> src_mask: 255.255.0.0
>> >>>> dst_mask: 255.255.255.255
>> >>>> protocol: proto 0 flags 0
>> >>>> flow_type: type unknown direction out
>> >>>> src_flow: 10.0.0.0
>> >>>> dst_flow: 208.70.72.13
>> >>>> sadb_update: satype esp vers 2 len 50 seq 6 pid 27351
>> >>>> sa: spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
>> >>>> state mature replay 16 flags 4
>> >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>> >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>> >>>> address_src: 208.70.72.13
>> >>>> address_dst: 67.159.171.204
>> >>>> key_auth: bits 160: 1e2e1137f4421ee9d84c50bbd3b03aedb12938ac
>> >>>> key_encrypt: bits 192:
>> >>>> a9eeb920e58b7603ae697d692407bbbdd60c39b65bc57bfe
>> >>>> identity_src: type fqdn id 0: angie.sporkton.com
>> >>>> identity_dst: type fqdn id 0: fire.sporkton.com
>> >>>> src_mask: 255.255.255.255
>> >>>> dst_mask: 255.255.0.0
>> >>>> protocol: proto 0 flags 0
>> >>>> flow_type: type unknown direction in
>> >>>> src_flow: 208.70.72.13
>> >>>> dst_flow: 10.0.0.0
>> >>>> sadb_update: satype esp vers 2 len 42 seq 6 pid 27351
>> >>>> sa: spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
>> >>>> state mature replay 16 flags 4
>> >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>> >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>> >>>> address_src: 208.70.72.13
>> >>>> address_dst: 67.159.171.204
>> >>>> identity_src: type fqdn id 0: angie.sporkton.com
>> >>>> identity_dst: type fqdn id 0: fire.sporkton.com
>> >>>> src_mask: 255.255.255.255
>> >>>> dst_mask: 255.255.0.0
>> >>>> protocol: proto 0 flags 0
>> >>>> flow_type: type unknown direction in
>> >>>> src_flow: 208.70.72.13
>> >>>> dst_flow: 10.0.0.0
>> >>>
>> >>> I would recommend taking a look at if you haven't already:
>> >>> http://www.securityfocus.com/infocus/1859
>> >>>
>> >>> Jonathan
>> >>>
>> >>>
>> >>
>> >> http://www.securityfocus.com/infocus/1859
>> >> is the article that started it all for me using ipsec and OpenBSD. It's
>> >> not exactly geared for one end being dynamic ip though.
>> >>
>> >> I don't have much experience with dynamic addresses, but if my
>> >> understanding is correct, the best would be as below.
>> >>
>> >> Let me know if it works, I'm curious, since I've also never done ipsec
>> >> between a static and dynamic device without an internal subnet on both
>> >> hosts:
>> >>
>> >>
>> >> colo /etc/ipsec.conf:
>> >>
>> >> ike passive from 208.70.72.13 to 10.0.0.0/16
>> >>
>> >> home /etc/ipsec.conf:
>> >>
>> >> ike dynamic from 10.0.0.0/16 to 208.70.72.13
>> >>
>> >> (it looks TOO incomplete to me, but hey. IPsec on OpenBSD never ceases to
>> >> amaze me in it's simplicity compared to other options)
>> >>
>> >> Make sure your pf on both ends is allowing negotiation (which it seems to
>> >> be). Also, unless you need to apply pf rules to your encrypted traffic,
>> >> make sure you've got enc0 in your "set skip on" interfaces.
>> >>
>> >> I'd suggest using pubkeys as in isakmpd(8) which should be:
>> >>
>> >> copy /etc/isakmpd/local.pub from colo to
>> >> /etc/isakmpd/pubkeys/ipv4/208.70.72.13 on home machine
>> >>
>> >> copy /etc/isakmpd/local.pub from home to
>> >> /etc/isakmpd/pubkeys/fqdn/client.host.name on the colo
>> >>
>> >> That would be better than psk if you can get it working, imho.
>> >>
>> >> Cheers
>> >>
>> >>
>> >>
>> >
>> > i have switched to using pubkeys via fqdn as im using fqdn in both
>> > dstid and srcid, that is now working. and quite nicely if i do say so
>> > myself
>> >
>> > i have appropriate nonat on the dynamic side as well
>> > angie="208.70.72.13"
>> > table <private> const { 10/8, 172.16/12, 192.168/16 }
>> > no nat on $ext_if from <private> to $angie
>> >
>> >
>> > the pf is set up to allow all udp 500 traffic on both sides.
>> > pass in on $ext_if inet proto udp from any to $ext_if port isakmp
>> >
>> > enc0 was not on my skip list however it is now, and still no change
>> > set skip on {enc0, lo0}
>> >
>> > from the man page sample:
>> > #ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \
>> > # srcid me.mylan.net dstid the.others.net
>> > #ike esp from 192.168.3.1 to 192.168.3.2 \
>> > # srcid me.mylan.net dstid the.others.net
>> >
>> > # Set up a tunnel using static keying:
>> > #
>> > # The first rule sets up the flow; the second sets up the SA.
>> >
>> > it seems to imply that 2 rules are needed for any one connection, one
>> > rule that specifies interesting traffic and one that defines
>> > termination points. I will try this.
>> >
>> >
>> > --
>> > -Lawrence
>> >
>>
>> Im not exactly sure how to tell the second rule, as the home endpoint
>> is dynamic, i cant set that one to a ip since it will change, and if i
>> set it to a fqdn i get errors for mismatched types, however i think it
>> just looks up the name anyone doesnt it?
>
> Do you have a rule to allow esp traffic ? If you don't have one, here is
> what you should add in your pf ruleset :
>
> pass in on $ext_if inet proto 50 from any to $ext_if
>
>
> Claer
>
>
Yes I have modified my pf as well as ipsec.conf, below are the new
configs, still no worky, ive been experimenting with different ways
but nothing really passes traffic, im concerned that perhaps its not
my ipsec.conf thats messed up but something else im missing that is
preventing it from passing traffic, so far as i can tell the entire sa
comes up
both routers now have:
pass in on $ext_if inet proto udp from any to $ext_if port isakmp
pass in on $ext_if inet proto esp from any to $ext_if
the fire router has
no nat on $ext_if from <private> to $angie
ipsec.conf on fire:
angie = "208.70.72.13"
fire = "10.0.0.0/24"
ike active esp tunnel from $fire to $angie peer $angie \
aggressive auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des \
srcid "fire.sporkton.com" dstid "angie.sporkton.com"
ipsec.conf on angie:
angie = "208.70.72.13"
fire = "10.0.0.0/24"
ike passive esp tunnel from $angie to $fire \
aggressive auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des \
srcid "angie.sporkton.com" dstid "fire.sporkton.com"
thank you
--
-Lawrence
