Hello, we have to connect factory using ipsec vpn and nat. The factory server (windows 2003) will send his backup to our NAS using FTP,so : Site A and Site B (factory)
Site A , OpenBSD 4.5 -RELEASE, used like firewall (and ftpproxy) Ip address (provided by IAP): 11.11.11.11(Egress), IP : 10.0.0.113(lan) Site B , We don't know what they use ad equipements, but they have a hundred sites connected by ipsec vpn. Ip address (provided by IAP) : 22.22.22.22 Our 2 sites have the same network : 10.0.0.0/24 (us) and 10.0.0.0/8 (factory) So we need to implement translations We have decided that : Site A will use : 192.168.192.0/24 Site B will use : 192.168.191.0/24 Admin factory has sent me informations to configure my ipsec vpn on OpenBSD: Authentication Mode: Preshared Keys Diffie-Hellman Group 2 (1024 bit) Encryption Algorithm: AES 256 Hashing Algoritm: SHA-1 Negotiation Mode: Main Lifetime : 28800 sec IPSec-Parameter: Perfect Forward Secrecy: Group 2 Encapsulation : ESP Encryption Algorithm: AES 256 Authentication Algorithm : SHA-1 Encapsulation Mode: Tunnel Lifetime : 3600 sec the preshared key : haiku (it is just an example, not the true key) I have already read man pages of ipsec.conf, pf.conf, isakmpd, ipsecctl And of course : http://undeadly.org/cgi?action=article&sid=20090127205841 I come back. For over a week, i break my head to run the vpn, it is mounted, but there is no traffic, what is more, i have a problem about phase 2 in ipsec.conf. Now the error i have is : /var/log/daemon : Sep 17 11:00:01 sdsl114 newsyslog[5191]: logfile turned over Sep 17 11:04:18 sdsl114 savecore: no core dump Sep 17 11:04:19 sdsl114 isakmpd[19476]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id 192.168.191.0/255.255.255.0, responder id 192.168.192.0/255.255.255.0 Sep 17 11:04:19 sdsl114 isakmpd[19476]: dropped message from 22.22.22.22 port 500 due to notification type INVALID_ID_INFORMATION Sep 17 11:04:19 sdsl114 ftp-proxy[13321]: listening on 11.11.11.11 port 21 ipsecctl -sa : flow esp in from 192.168.191.0/24 to 10.0.0.0/24 peer 22.22.22.22 srcid 11.11.11.11/32 dstid 22.22.22.22/32 type use flow esp out from 10.0.0.0/24 to 192.168.191.0/24 peer 22.22.22.22 srcid 11.11.11.11/32 dstid 22.22.22.22/32 type require SAD: esp tunnel from 11.11.11.11 to 22.22.22.22 spi 0x5f3b4329 auth hmac-sha1 enc aes-256 esp tunnel from 22.22.22.22 to 11.11.11.11 spi 0x60ecca8f auth hmac-sha1 enc aes-256 What i have done : ipsec.conf : ike esp from 192.168.192.0/24 (10.0.0.0/24) to 192.168.191.0/24 \ peer 22.22.22.22 \ main auth hmac-sha1 enc aes-256 group modp1024 \ quick auth hmac-sha1 enc aes-256 group modp1024 \ psk "Haiku" pf.conf : lan="bge0:network" int_if="bge0" gw="11.11.11.11" ftp_server="10.0.0.115" clients_out="{ ssh, www, https, imap, imaps, pop3, pop3s, smtp, smtps, \ 3389, ftp, ftp-data, 8080, submission, sftp }" set require-order no set skip on { lo, enc0 } set block-policy drop scrub in nat-anchor "ftp-proxy/*" nat on egress from $lan -> egress rdr-anchor "ftp-proxy/*" binat on enc0 inet from 10.0.0.0/24 to 192.168.1.0/24 -> 192.168.192.0/24 block log all pass quick proto esp keep state pass quick proto udp to port { isakmp, ipsec-nat-t } keep state pass quick inet proto { tcp, udp } from $lan to any port domain pass inet proto icmp all icmp-type { echoreq, unreach } pass inet proto tcp from $lan to any port $clients_out pass out on egress from $gw to any pass in on egress inet proto tcp to $gw port 21 \ flags S/SA keep state pass out on $int_if inet proto tcp to $ftp_server port 21 \ user proxy flags S/SA keep state anchor "ftp-proxy/*" My dmesg : OpenBSD 4.5 (GENERIC) #1749: Sat Feb 28 14:51:18 MST 2009 [email protected]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Pentium(R) 4 CPU 2.80GHz ("GenuineIntel" 686-class) 2.80 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR real mem = 1073291264 (1023MB) avail mem = 1029545984 (981MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 09/08/03, BIOS32 rev. 0 @ 0xf1780, SMBIOS rev. 2.3 @ 0xf3180 (42 entries) bios0: vendor Award Software, Inc. version "6.00.23 RV (09/08/2003)" date 09/08/2003 bios0: Hewlett-Packard HP Server acpi0 at bios0: rev 0 acpi0: tables DSDT FACP BOOT SPCR APIC acpi0: wakeup devices NIC0(S1) UAR1(S4) UAR2(S4) PS2K(S4) PS2M(S4) USB0(S1) PCI0(S4) acpitimer0 at acpi0: 3579545 Hz, 32 bits acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 11, 16 pins ioapic0: misconfigured as apic 1, remapped to apid 2 ioapic1 at mainbus0: apid 3 pa 0xfec01000, version 11, 16 pins ioapic1: misconfigured as apic 2, remapped to apid 3 ioapic2 at mainbus0: apid 4 pa 0xfec02000, version 11, 16 pins ioapic2: misconfigured as apic 3, remapped to apid 4 cpu0 at mainbus0: apid 0 (boot processor) cpu0: apic clock running at 133MHz acpiprt0 at acpi0: bus 0 (PCI0) acpicpu0 at acpi0 acpibtn0 at acpi0: PWRB bios0: ROM list: 0xc0000/0x8000 pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 0 function 0 "ServerWorks GCNB-LE Host" rev 0x32 pchb1 at pci0 dev 0 function 1 "ServerWorks GCNB-LE Host" rev 0x00 bge0 at pci0 dev 3 function 0 "Broadcom BCM5702X" rev 0x02, BCM5703 A2 (0x1002): apic 3 int 2 (irq 3), address 00:08:02:f7:00:c9 brgphy0 at bge0 phy 1: BCM5703 10/100/1000baseT PHY, rev. 2 ahc0 at pci0 dev 4 function 0 "Adaptec AHA-29160 U160" rev 0x02: apic 3 int 3 (irq 5) scsibus0 at ahc0: 16 targets, initiator 7 rl0 at pci0 dev 8 function 0 "Realtek 8139" rev 0x10: apic 3 int 7 (irq 9), address 00:50:fc:47:05:17 rlphy0 at rl0 phy 0: RTL internal PHY vga1 at pci0 dev 9 function 0 "ATI Rage XL" rev 0x27 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) piixpm0 at pci0 dev 15 function 0 "ServerWorks CSB6" rev 0xa0: polling iic0 at piixpm0 lm1 at iic0 addr 0x2d: AS99127F rev 2 iic0: addr 0x2f d0=00 d1=00 d2=00 d3=00 d4=00 e0=00 e1=00 e2=00 e3=00 e4=00 e5=00 e6=00 e7=00 e8=00 e9=00 ea=00 eb=00 f6=f8 f7=10 words 00=ffff 01=ffff 02=ffff 03=ffff 04=ffff 05=ffff 06=ffff 07=ffff pciide0 at pci0 dev 15 function 1 "ServerWorks CSB6 RAID/IDE" rev 0xa0: DMA wd0 at pciide0 channel 0 drive 0: <ExcelStor Technology J640> wd0: 16-sector PIO, LBA48, 39266MB, 80418240 sectors wd0(pciide0:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 5 atapiscsi0 at pciide0 channel 1 drive 0 scsibus1 at atapiscsi0: 2 targets cd0 at scsibus1 targ 0 lun 0: <LITE-ON, CD-ROM LTN-489S, 89C1> ATAPI 5/cdrom removable cd0(pciide0:1:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 2 ohci0 at pci0 dev 15 function 2 "ServerWorks CSB6 USB" rev 0x05: apic 2 int 10 (irq 11), version 1.0, legacy support pchb2 at pci0 dev 15 function 3 "ServerWorks GCLE-2 Host" rev 0x00 usb0 at ohci0: USB revision 1.0 uhub0 at usb0 "ServerWorks OHCI root hub" rev 1.00/1.00 addr 1 isa0 at mainbus0 isadma0 at isa0 com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pmsi0 at pckbc0 (aux slot) pckbc0: using irq 12 for aux slot wsmouse0 at pmsi0 mux 0 pcppi0 at isa0 port 0x61 midi0 at pcppi0: <PC speaker> spkr0 at pcppi0 lpt0 at isa0 port 0x378/4 irq 7 npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16 fdc0 at isa0 port 0x3f0/6 irq 6 drq 2 fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec mtrr: Pentium Pro MTRR support softraid0 at root root on wd0a swap on wd0b dump on wd0b umass0 at uhub0 port 1 configuration 1 interface 0 "Kingston DataTraveler 2.0" rev 2.00/1.10 addr 2 umass0: using SCSI over Bulk-Only scsibus2 at umass0: 2 targets, initiator 0 sd0 at scsibus2 targ 1 lun 0: <Kingston, DataTraveler 2.0, PMAP> SCSI0 0/direct removable sd0: 1968MB, 512 bytes/sec, 4030464 sec total sd0 detached scsibus2 detached umass0 detached umass0 at uhub0 port 2 configuration 1 interface 0 "Kingston DataTraveler 2.0" rev 2.00/1.10 addr 2 umass0: using SCSI over Bulk-Only scsibus2 at umass0: 2 targets, initiator 0 sd0 at scsibus2 targ 1 lun 0: <Kingston, DataTraveler 2.0, PMAP> SCSI0 0/direct removable sd0: 1968MB, 512 bytes/sec, 4030464 sec total sd0 detached scsibus2 detached umass0 detached umass0 at uhub0 port 1 configuration 1 interface 0 "Kingston DataTraveler 2.0" rev 2.00/1.10 addr 2 umass0: using SCSI over Bulk-Only scsibus2 at umass0: 2 targets, initiator 0 sd0 at scsibus2 targ 1 lun 0: <Kingston, DataTraveler 2.0, PMAP> SCSI0 0/direct removable sd0: 1968MB, 512 bytes/sec, 4030464 sec total If someone can help me please?
