No, "egress" is an interface group. Man ifconfig. You have to use that 'cause your outgoing (egress) IP address changes. The pf-style "(eth0)" syntax where "eth0" is your outside interface may work too. Try it and see.

Regards,
Jose.

Lord Sporkton wrote:
So egress being something very much like "any" then?

2008/5/17 Jose Quinteiro <[EMAIL PROTECTED]>:
http://www.openbsd.org/papers/asiabsdcon07-ipsec/mgp00065.html

try

ipsec.conf on fire:
angie = "208.70.72.13"
fire  = "10.0.0.0/24"

ike esp from $fire to $angie local egress \
      srcid "fire.sporkton.com" dstid "angie.sporkton.com"



ipsec.conf on angie:
angie = "208.70.72.13"
fire  = "10.0.0.0/24"

ike passive esp from $angie to $fire \
      srcid "angie.sporkton.com" dstid "fire.sporkton.com"

HTH,
Jose.

Lord Sporkton wrote:
2008/5/15 Claer <[EMAIL PROTECTED]>:
On Thu, May 15 2008 at 09:09, Lord Sporkton wrote:

2008/5/14 Lord Sporkton <[EMAIL PROTECTED]>:
2008/5/14 scott learmonth <[EMAIL PROTECTED]>:
On Tue, May 13, 2008 at 5:41 PM, Lord Sporkton <[EMAIL PROTECTED]>
wrote:
I am trying to set up an IPsec link between my home network (private IP
 network behind a dynamic public IP) and my colo server (single public static IP).
 I was a bit unclear on how to set up a tunnel between a static and a dynamic IP.

 interesting traffic:
 208.70.72.13 -> 10.0.0.0/16


 My SAD seems to set up ok; however, afterward I get no flows and can not pass
 data. I've checked out logs and ipsecctl -m, but see nothing of use.

 Below is the data I believe relevant; if anything else is requested I will
 do my best to post it back in a timely fashion.
 Thank you


 colo server:

 # uname -a
 OpenBSD angie.sporkton.com 4.3 GENERIC#846 i386
 # cat /etc/ipsec.conf

 ike passive from 208.70.72.13 to 10.0.0.0/16 \
        aggressive auth hmac-sha1 enc 3des group modp1024       \
        quick auth hmac-sha1 enc 3des \
        srcid "angie.sporkton.com" dstid "fire.sporkton.com" \
        psk "password"
 # ipsecctl -sa
 FLOWS:
 No flows

 SAD:
 esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth
 hmac-sha1 enc 3des-cbc
 #

 ipsecctl -m output:

 sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
        address_src: 67.159.171.204
        address_dst: 208.70.72.13
        spirange: min 0x00000100 max 0xffffffff
 sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
        sa: spi 0x581ea1f0 auth none enc none
                state mature replay 0 flags 0
        address_src: 67.159.171.204
        address_dst: 208.70.72.13
 sadb_add: satype esp vers 2 len 50 seq 10 pid 7557
        sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
                state mature replay 16 flags 4
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        address_src: 208.70.72.13
        address_dst: 67.159.171.204
        key_auth: bits 160: e7ee5eafe49c95cafc506ba1ba6c174a584e4859
        key_encrypt: bits 192:
65c174f84e389d2022ffbf9c1f152348d7b7f708ef757014
        identity_src: type fqdn id 0: angie.sporkton.com
        identity_dst: type fqdn id 0: fire.sporkton.com
        src_mask: 255.255.255.255
        dst_mask: 255.255.0.0
        protocol: proto 0 flags 0
        flow_type: type unknown direction out
        src_flow: 208.70.72.13
        dst_flow: 10.0.0.0
 sadb_add: satype esp vers 2 len 42 seq 10 pid 7557
        sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
                state mature replay 16 flags 4
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        address_src: 208.70.72.13
        address_dst: 67.159.171.204
        identity_src: type fqdn id 0: angie.sporkton.com
        identity_dst: type fqdn id 0: fire.sporkton.com
        src_mask: 255.255.255.255
        dst_mask: 255.255.0.0
        protocol: proto 0 flags 0
        flow_type: type unknown direction out
        src_flow: 208.70.72.13
        dst_flow: 10.0.0.0
 sadb_update: satype esp vers 2 len 50 seq 11 pid 7557
        sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
                state mature replay 16 flags 4
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        address_src: 67.159.171.204
        address_dst: 208.70.72.13
        key_auth: bits 160: c2beffabe156d0dbaca586e730694a4ff3cc4ef5
        key_encrypt: bits 192:
496cd320b35638d36dd8f899b8ce76c150840092db466715
        identity_src: type fqdn id 0: fire.sporkton.com
        identity_dst: type fqdn id 0: angie.sporkton.com
        src_mask: 255.255.0.0
        dst_mask: 255.255.255.255
        protocol: proto 0 flags 0
        flow_type: type unknown direction in
        src_flow: 10.0.0.0
        dst_flow: 208.70.72.13
 sadb_update: satype esp vers 2 len 42 seq 11 pid 7557
        sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
                state mature replay 16 flags 4
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        address_src: 67.159.171.204
        address_dst: 208.70.72.13
        identity_src: type fqdn id 0: fire.sporkton.com
        identity_dst: type fqdn id 0: angie.sporkton.com
        src_mask: 255.255.0.0
        dst_mask: 255.255.255.255
        protocol: proto 0 flags 0
        flow_type: type unknown direction in
        src_flow: 10.0.0.0
        dst_flow: 208.70.72.13



 Home firewall:

 # uname -a
 OpenBSD fire.sporkton.com 4.3 GENERIC#698 i386
 # cat /etc/ipsec.conf
 ike from 10.0.0.0/16 to 208.70.72.13 peer 208.70.72.13 \
        aggressive auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des \
        srcid "fire.sporkton.com" dstid "angie.sporkton.com" \
        psk "password"
 # ipsecctl -sa
 FLOWS:
 No flows

 SAD:
 esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth
 hmac-sha1 enc 3des-cbc
 esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth
 hmac-sha1 enc 3des-cbc
 #


 ipsecctl -m output:
 sadb_getspi: satype esp vers 2 len 10 seq 4 pid 27351
        address_src: 208.70.72.13
        address_dst: 67.159.171.204
        spirange: min 0x00000100 max 0xffffffff
 sadb_getspi: satype esp vers 2 len 10 seq 4 pid 27351
        sa: spi 0xeac5bef2 auth none enc none
                state mature replay 0 flags 0
        address_src: 208.70.72.13
        address_dst: 67.159.171.204
 sadb_add: satype esp vers 2 len 50 seq 5 pid 27351
        sa: spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
                state mature replay 16 flags 4
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        address_src: 67.159.171.204
        address_dst: 208.70.72.13
        key_auth: bits 160: 3e8df0ca567d73038ec1ef434032c7edc40ae308
        key_encrypt: bits 192:
94acef899197f1bdfc762d296e5e0dfca1ccedb854823e57
        identity_src: type fqdn id 0: fire.sporkton.com
        identity_dst: type fqdn id 0: angie.sporkton.com
        src_mask: 255.255.0.0
        dst_mask: 255.255.255.255
        protocol: proto 0 flags 0
        flow_type: type unknown direction out
        src_flow: 10.0.0.0
        dst_flow: 208.70.72.13
 sadb_add: satype esp vers 2 len 42 seq 5 pid 27351
        sa: spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
                state mature replay 16 flags 4
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        address_src: 67.159.171.204
        address_dst: 208.70.72.13
        identity_src: type fqdn id 0: fire.sporkton.com
        identity_dst: type fqdn id 0: angie.sporkton.com
        src_mask: 255.255.0.0
        dst_mask: 255.255.255.255
        protocol: proto 0 flags 0
        flow_type: type unknown direction out
        src_flow: 10.0.0.0
        dst_flow: 208.70.72.13
 sadb_update: satype esp vers 2 len 50 seq 6 pid 27351
        sa: spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
                state mature replay 16 flags 4
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        address_src: 208.70.72.13
        address_dst: 67.159.171.204
        key_auth: bits 160: 1e2e1137f4421ee9d84c50bbd3b03aedb12938ac
        key_encrypt: bits 192:
a9eeb920e58b7603ae697d692407bbbdd60c39b65bc57bfe
        identity_src: type fqdn id 0: angie.sporkton.com
        identity_dst: type fqdn id 0: fire.sporkton.com
        src_mask: 255.255.255.255
        dst_mask: 255.255.0.0
        protocol: proto 0 flags 0
        flow_type: type unknown direction in
        src_flow: 208.70.72.13
        dst_flow: 10.0.0.0
 sadb_update: satype esp vers 2 len 42 seq 6 pid 27351
        sa: spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
                state mature replay 16 flags 4
        lifetime_hard: alloc 0 bytes 0 add 1200 first 0
        lifetime_soft: alloc 0 bytes 0 add 1080 first 0
        address_src: 208.70.72.13
        address_dst: 67.159.171.204
        identity_src: type fqdn id 0: angie.sporkton.com
        identity_dst: type fqdn id 0: fire.sporkton.com
        src_mask: 255.255.255.255
        dst_mask: 255.255.0.0
        protocol: proto 0 flags 0
        flow_type: type unknown direction in
        src_flow: 208.70.72.13
        dst_flow: 10.0.0.0
I would recommend taking a look at the following, if you haven't already:
http://www.securityfocus.com/infocus/1859

Jonathan


http://www.securityfocus.com/infocus/1859
is the article that started it all for me using ipsec and OpenBSD. It's not 
exactly geared for one end being dynamic ip though.

I don't have much experience with dynamic addresses, but if my understanding is 
correct, the best would be as below.

Let me know if it works, I'm curious, since I've also never done ipsec between 
a static and dynamic device without an internal subnet on both hosts:


colo /etc/ipsec.conf:

ike passive from 208.70.72.13 to 10.0.0.0/16

home /etc/ipsec.conf:

ike dynamic from 10.0.0.0/16 to 208.70.72.13

(it looks TOO incomplete to me, but hey. IPsec on OpenBSD never ceases to amaze 
me in its simplicity compared to other options)

Make sure your pf on both ends is allowing negotiation (which it seems to be). Also, 
unless you need to apply pf rules to your encrypted traffic, make sure you've got enc0 in 
your "set skip on" interfaces.

I'd suggest using pubkeys as in isakmpd(8) which should be:

copy /etc/isakmpd/local.pub from colo to /etc/isakmpd/pubkeys/ipv4/208.70.72.13 
on home machine

copy /etc/isakmpd/local.pub from home to 
/etc/isakmpd/pubkeys/fqdn/client.host.name on the colo

That would be better than psk if you can get it working, imho.

Cheers



I have switched to using pubkeys via FQDN, as I'm using FQDNs in both
dstid and srcid; that is now working, and quite nicely if I do say so
myself.

I have an appropriate "no nat" on the dynamic side as well:
angie="208.70.72.13"
table <private> const { 10/8, 172.16/12, 192.168/16 }
no nat on $ext_if from <private> to $angie


The pf is set up to allow all UDP 500 traffic on both sides:
pass  in on $ext_if inet proto udp  from any to $ext_if port isakmp

enc0 was not on my skip list; it is now, and still no change:
set skip on {enc0, lo0}

From the man page sample:
#ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \
#       srcid me.mylan.net dstid the.others.net
#ike esp from 192.168.3.1 to 192.168.3.2 \
#       srcid me.mylan.net dstid the.others.net

# Set up a tunnel using static keying:
#
# The first rule sets up the flow; the second sets up the SA.

It seems to imply that two rules are needed for any one connection: one
rule that specifies the interesting traffic and one that defines the
termination points. I will try this.


--
-Lawrence

I'm not exactly sure how to tell the second rule, as the home endpoint
is dynamic; I can't set that one to an IP since it will change, and if I
set it to an FQDN I get errors for mismatched types. However, I think it
just looks up the name anyway, doesn't it?
Do you have a rule to allow ESP traffic? If you don't have one, here is
what you should add in your pf ruleset:

pass  in on $ext_if inet proto 50  from any to $ext_if


Claer


Yes, I have modified my pf as well as ipsec.conf; below are the new
configs. Still no worky. I've been experimenting with different ways,
but nothing really passes traffic. I'm concerned that perhaps it's not
my ipsec.conf that's messed up but something else I'm missing that is
preventing it from passing traffic; so far as I can tell the entire SA
comes up.

Both routers now have:
pass  in on $ext_if inet proto udp  from any to $ext_if port isakmp
pass  in on $ext_if inet proto esp  from any to $ext_if

The fire router has:
no nat on $ext_if from <private> to $angie


ipsec.conf on fire:
angie = "208.70.72.13"
fire  = "10.0.0.0/24"

ike active esp tunnel from $fire to $angie peer $angie \
       aggressive auth hmac-sha1 enc 3des group modp1024 \
       quick auth hmac-sha1 enc 3des \
       srcid "fire.sporkton.com" dstid "angie.sporkton.com"



ipsec.conf on angie:
angie = "208.70.72.13"
fire  = "10.0.0.0/24"

ike passive esp tunnel from $angie to $fire \
       aggressive auth hmac-sha1 enc 3des group modp1024 \
       quick auth hmac-sha1 enc 3des \
       srcid "angie.sporkton.com" dstid "fire.sporkton.com"


Thank you
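As an added example, not part of the thread, here is a small Python checker for the state Lawrence's `ipsecctl -sa` output shows: SAs keyed in the SAD, FLOWS empty. It parses the two sections and reports SAs that no installed flow can select. Both sample outputs are constructed: the first copies the shape of the output posted above, the second is a healthy counterpart whose flow lines use the thread's addresses.

```python
import re

# Constructed sample in the shape of the ipsecctl -sa output posted in the
# thread: the SAD holds both SAs, but the FLOWS section is empty.
SAMPLE_NO_FLOWS = """\
FLOWS:
No flows
SAD:
esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
"""

# Constructed healthy counterpart: flow lines laid out as ipsecctl prints them
# (direction, selectors, peer), using the thread's addresses.
SAMPLE_OK = """\
FLOWS:
flow esp in from 208.70.72.13 to 10.0.0.0/24 peer 208.70.72.13 type use
flow esp out from 10.0.0.0/24 to 208.70.72.13 peer 208.70.72.13 type require
SAD:
esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
"""

FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+) peer (\S+)")
SA_RE = re.compile(r"^esp tunnel from (\S+) to (\S+) spi (0x[0-9a-f]+)")


def parse_ipsecctl(text):
    """Split ipsecctl -sa output into a list of flow dicts and a list of SA dicts."""
    flows, sas = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := FLOW_RE.match(line):
            flows.append(dict(zip(("dir", "src", "dst", "peer"), m.groups())))
        elif m := SA_RE.match(line):
            sas.append(dict(zip(("src", "dst", "spi"), m.groups())))
    return flows, sas


def sas_without_flow(text):
    """SPIs of SAs that no installed flow selects: a flow hands traffic to the SA
    whose remote end is the flow's peer, so an SA with neither endpoint named as
    a peer is keyed but unused, which is the symptom the thread shows."""
    flows, sas = parse_ipsecctl(text)
    peers = {f["peer"] for f in flows}
    return [sa["spi"] for sa in sas if not ({sa["src"], sa["dst"]} & peers)]


if __name__ == "__main__":
    for name, sample in (("no flows", SAMPLE_NO_FLOWS), ("ok", SAMPLE_OK)):
        print(name, "-> orphaned SAs:", sas_without_flow(sample) or "none")
```

On a live box the same check runs against `ipsecctl -sa` output piped into `sas_without_flow`; an empty result with traffic still not passing points away from ipsec.conf and toward pf or routing.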
