So egress being something very much like "any" then?

2008/5/17 Jose Quinteiro <[EMAIL PROTECTED]>:
> http://www.openbsd.org/papers/asiabsdcon07-ipsec/mgp00065.html
>
> try
>
> ipsec.conf on fire:
> angie = "208.70.72.13"
> fire = "10.0.0.0/24"
>
> ike esp from $fire to $angie local egress \
>         srcid "fire.sporkton.com" dstid "angie.sporkton.com"
>
>
> ipsec.conf on angie:
> angie = "208.70.72.13"
> fire = "10.0.0.0/24"
>
> ike passive esp from $angie to $fire \
>         srcid "angie.sporkton.com" dstid "fire.sporkton.com"
>
> HTH,
> Jose.
>
> Lord Sporkton wrote:
>> 2008/5/15 Claer <[EMAIL PROTECTED]>:
>>> On Thu, May 15 2008 at 09:09, Lord Sporkton wrote:
>>>
>>>> 2008/5/14 Lord Sporkton <[EMAIL PROTECTED]>:
>>>>> 2008/5/14 scott learmonth <[EMAIL PROTECTED]>:
>>>>>>> On Tue, May 13, 2008 at 5:41 PM, Lord Sporkton <[EMAIL PROTECTED]> wrote:
>>>>>>>> I am trying to set up an ipsec link between my home network (private ip
>>>>>>>> network behind dynamic public ip) and my colo server (single public
>>>>>>>> static ip). I was a bit unclear on how to set up a tunnel between a
>>>>>>>> static and dynamic ip.
>>>>>>>>
>>>>>>>> interesting traffic:
>>>>>>>> 208.70.72.13 -> 10.0.0.0/16
>>>>>>>>
>>>>>>>> My SAD seems to set up ok, however afterward I get no flows and can
>>>>>>>> not pass data. I've checked out logs, and ipsecctl -m, but see nothing
>>>>>>>> of use.
>>>>>>>>
>>>>>>>> Below is data I believe relevant; if anything else is requested I will
>>>>>>>> do my best to post it back in a timely fashion.
>>>>>>>> thank you
>>>>>>>>
>>>>>>>>
>>>>>>>> colo server:
>>>>>>>>
>>>>>>>> # uname -a
>>>>>>>> OpenBSD angie.sporkton.com 4.3 GENERIC#846 i386
>>>>>>>> # cat /etc/ipsec.conf
>>>>>>>>
>>>>>>>> ike passive from 208.70.72.13 to 10.0.0.0/16 \
>>>>>>>>         aggressive auth hmac-sha1 enc 3des group modp1024 \
>>>>>>>>         quick auth hmac-sha1 enc 3des \
>>>>>>>>         srcid "angie.sporkton.com" dstid "fire.sporkton.com" \
>>>>>>>>         psk "password"
>>>>>>>> # ipsecctl -sa
>>>>>>>> FLOWS:
>>>>>>>> No flows
>>>>>>>>
>>>>>>>> SAD:
>>>>>>>> esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
>>>>>>>> esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
>>>>>>>> #
>>>>>>>>
>>>>>>>> ipsecctl -m output:
>>>>>>>>
>>>>>>>>
>>>>>>>> Home firewall:
>>>>>>>>
>>>>>>>> # uname -a
>>>>>>>> OpenBSD fire.sporkton.com 4.3 GENERIC#698 i386
>>>>>>>> # cat /etc/ipsec.conf
>>>>>>>> ike from 10.0.0.0/16 to 208.70.72.13 peer 208.70.72.13 \
>>>>>>>>         aggressive auth hmac-sha1 enc 3des group modp1024 \
>>>>>>>>         quick auth hmac-sha1 enc 3des \
>>>>>>>>         srcid "fire.sporkton.com" dstid "angie.sporkton.com" \
>>>>>>>>         psk "password"
>>>>>>>> # ipsecctl -sa
>>>>>>>> FLOWS:
>>>>>>>> No flows
>>>>>>>>
>>>>>>>> SAD:
>>>>>>>> esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
>>>>>>>> esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
>>>>>>>> #
>>>>>>>>
>>>>>>>> ipsecctl -m output:
>>>>>>>>
>>>>>>> I would recommend taking a look at if you haven't already:
>>>>>>> http://www.securityfocus.com/infocus/1859
>>>>>>>
>>>>>>> Jonathan
>>>>>>>
>>>>>> http://www.securityfocus.com/infocus/1859
>>>>>> is the article that started it all for me using ipsec and OpenBSD. It's
>>>>>> not exactly geared for one end being dynamic ip though.
>>>>>>
>>>>>> I don't have much experience with dynamic addresses, but if my
>>>>>> understanding is correct, the best would be as below.
>>>>>>
>>>>>> Let me know if it works, I'm curious, since I've also never done ipsec
>>>>>> between a static and dynamic device without an internal subnet on both
>>>>>> hosts:
>>>>>>
>>>>>> colo /etc/ipsec.conf:
>>>>>>
>>>>>> ike passive from 208.70.72.13 to 10.0.0.0/16
>>>>>>
>>>>>> home /etc/ipsec.conf:
>>>>>>
>>>>>> ike dynamic from 10.0.0.0/16 to 208.70.72.13
>>>>>>
>>>>>> (it looks TOO incomplete to me, but hey. IPsec on OpenBSD never ceases
>>>>>> to amaze me in its simplicity compared to other options)
>>>>>>
>>>>>> Make sure your pf on both ends is allowing negotiation (which it seems
>>>>>> to be). Also, unless you need to apply pf rules to your encrypted
>>>>>> traffic, make sure you've got enc0 in your "set skip on" interfaces.
>>>>>>
>>>>>> I'd suggest using pubkeys as in isakmpd(8) which should be:
>>>>>>
>>>>>> copy /etc/isakmpd/local.pub from colo to
>>>>>> /etc/isakmpd/pubkeys/ipv4/208.70.72.13 on home machine
>>>>>>
>>>>>> copy /etc/isakmpd/local.pub from home to
>>>>>> /etc/isakmpd/pubkeys/fqdn/client.host.name on the colo
>>>>>>
>>>>>> That would be better than psk if you can get it working, imho.
>>>>>>
>>>>>> Cheers
>>>>>>
>>>>> I have switched to using pubkeys via fqdn, as I'm using fqdn in both
>>>>> dstid and srcid; that is now working, and quite nicely if I do say so
>>>>> myself.
>>>>>
>>>>> I have appropriate nonat on the dynamic side as well:
>>>>> angie="208.70.72.13"
>>>>> table <private> const { 10/8, 172.16/12, 192.168/16 }
>>>>> no nat on $ext_if from <private> to $angie
>>>>>
>>>>> The pf is set up to allow all udp 500 traffic on both sides:
>>>>> pass in on $ext_if inet proto udp from any to $ext_if port isakmp
>>>>>
>>>>> enc0 was not on my skip list; however it is now, and still no change.
>>>>> set skip on {enc0, lo0}
>>>>>
>>>>> from the man page sample:
>>>>> #ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \
>>>>> #       srcid me.mylan.net dstid the.others.net
>>>>> #ike esp from 192.168.3.1 to 192.168.3.2 \
>>>>> #       srcid me.mylan.net dstid the.others.net
>>>>>
>>>>> # Set up a tunnel using static keying:
>>>>> #
>>>>> # The first rule sets up the flow; the second sets up the SA.
>>>>>
>>>>> It seems to imply that 2 rules are needed for any one connection: one
>>>>> rule that specifies interesting traffic and one that defines
>>>>> termination points. I will try this.
>>>>>
>>>>> --
>>>>> -Lawrence
>>>>>
>>>> I'm not exactly sure how to tell the second rule, as the home endpoint
>>>> is dynamic. I can't set that one to an ip since it will change, and if I
>>>> set it to a fqdn I get errors for mismatched types; however I think it
>>>> just looks up the name anyway, doesn't it?
>>> Do you have a rule to allow esp traffic? If you don't have one, here is
>>> what you should add in your pf ruleset:
>>>
>>> pass in on $ext_if inet proto 50 from any to $ext_if
>>>
>>> Claer
>>>
>>
>> Yes, I have modified my pf as well as ipsec.conf; below are the new
>> configs, still no worky. I've been experimenting with different ways
>> but nothing really passes traffic. I'm concerned that perhaps it's not
>> my ipsec.conf that's messed up but something else I'm missing that is
>> preventing it from passing traffic; so far as I can tell the entire SA
>> comes up.
>>
>> both routers now have:
>> pass in on $ext_if inet proto udp from any to $ext_if port isakmp
>> pass in on $ext_if inet proto esp from any to $ext_if
>>
>> the fire router has:
>> no nat on $ext_if from <private> to $angie
>>
>>
>> ipsec.conf on fire:
>> angie = "208.70.72.13"
>> fire = "10.0.0.0/24"
>>
>> ike active esp tunnel from $fire to $angie peer $angie \
>>         aggressive auth hmac-sha1 enc 3des group modp1024 \
>>         quick auth hmac-sha1 enc 3des \
>>         srcid "fire.sporkton.com" dstid "angie.sporkton.com"
>>
>>
>> ipsec.conf on angie:
>> angie = "208.70.72.13"
>> fire = "10.0.0.0/24"
>>
>> ike passive esp tunnel from $angie to $fire \
>>         aggressive auth hmac-sha1 enc 3des group modp1024 \
>>         quick auth hmac-sha1 enc 3des \
>>         srcid "angie.sporkton.com" dstid "fire.sporkton.com"
>>
>>
>> thank you
>

--
-Lawrence
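The symptom running through this thread is "the SAD comes up but there are no flows", which means phase 1 and phase 2 negotiated but no policy was installed for the interesting traffic. The checker below is an added example, not code from the thread: it parses ipsecctl -sa output, checks that a flow exists in each direction covering the configured networks, and checks that an SA pair exists between the peers. The sample outputs are constructed (the "No flows" one mirrors what was posted), and the layout of the flow lines is an assumption about ipsecctl's format.

```python
import ipaddress
import re

# Constructed sample: the state reported in the thread (SA pair up, no flows).
NO_FLOWS = """FLOWS:
No flows

SAD:
esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
"""

# Constructed sample of a working setup; the flow-line layout is assumed.
WITH_FLOWS = """FLOWS:
flow esp in from 208.70.72.13 to 10.0.0.0/24 peer 208.70.72.13 srcid fire.sporkton.com dstid angie.sporkton.com type use
flow esp out from 10.0.0.0/24 to 208.70.72.13 peer 208.70.72.13 srcid fire.sporkton.com dstid angie.sporkton.com type require

SAD:
esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
"""

FLOW_RE = re.compile(r"^flow \S+ (in|out) from (\S+) to (\S+)")
SA_RE = re.compile(r"^esp tunnel from (\S+) to (\S+) spi (0x[0-9a-f]+)")


def parse(text):
    """Split ipsecctl -sa output into (dir, src, dst) flows and (src, dst, spi) SAs."""
    flows, sas = [], []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            flows.append((m.group(1), ipaddress.ip_network(m.group(2)),
                          ipaddress.ip_network(m.group(3))))
        m = SA_RE.match(line)
        if m:
            sas.append(m.groups())
    return flows, sas


def diagnose(text, local_net, remote_net):
    """Return a list of what is missing for traffic between local_net and remote_net."""
    local, remote = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    flows, sas = parse(text)
    problems = []
    # A flow must exist in each direction and cover the interesting traffic.
    if not any(d == "out" and local.subnet_of(s) and remote.subnet_of(t) for d, s, t in flows):
        problems.append(f"no outbound flow {local} -> {remote}")
    if not any(d == "in" and remote.subnet_of(s) and local.subnet_of(t) for d, s, t in flows):
        problems.append(f"no inbound flow {remote} -> {local}")
    # Phase 2 must have produced an SA in each direction between the peers.
    pairs = {(s, t) for s, t, _ in sas}
    if not any((t, s) in pairs for s, t in pairs):
        problems.append("no SA pair: phase 2 did not complete")
    return problems
```

Feed it the real output with something like diagnose(open("sa.txt").read(), "10.0.0.0/24", "208.70.72.13"); an empty list means both flows and the SA pair are in place.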