Sorry for the noise. I overlooked your nat statement in pf.conf.
But it is wrong, as per man page you should nat on enc0, not on $ext_if
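As an added illustration (not part of either message in this thread), here is how the posted ipsec.conf flow and the pf rule fit together once the translation is moved to enc0, following the "outgoing network address translation" section of ipsec.conf(5): the network in parentheses (the srcnat) is the real local network, the address in front of it is what gets negotiated with the peer, and a pf nat-to rule on enc0 does the actual rewrite on the cleartext side, before ESP encapsulation. The reason the rule on $ext_if can never work is that the unencrypted packet is only seen by pf on enc0; by the time it leaves $ext_if it is already an ESP packet with source A.A.A.A, so nothing there matches "from 172.22/16". The macro values for $ext_if and $int_if are assumptions (the post does not show them), the pass rules are a minimal set of my own rather than the post's bare "pass", and the from/to networks are copied from the quoted ipsec.conf; if the flow actually in use says "to 10.20.10.38" (which is what the quoted quick mode exchange negotiated), the nat-to rule must say the same, because it has to match the flow exactly.

```pf
# /etc/pf.conf (example; macro values are assumed, the post does not show them)
ext_if = "em0"
int_if = "em1"

set skip on lo

# Outgoing NAT for the IPsec flow is applied on enc0, the cleartext side of the
# tunnel, so that the ESP payload carries 10.0.22.221 as its source. The from/to
# networks must match the flow in ipsec.conf exactly:
#   ike active esp from 10.0.22.221 (172.22.0.0/16) to 10.20.10.0/24 peer B.B.B.B ...
match out log on enc0 from 172.22.0.0/16 to 10.20.10.0/24 nat-to 10.0.22.221

# Ordinary Internet NAT for everything else leaving the external interface.
# Tunnel traffic never reaches this rule in cleartext (it goes out enc0 first),
# so no exception for 10.20.10.0/24 is needed here.
match out log on $ext_if from 172.22.0.0/16 to any nat-to ($ext_if)

# IKE (port 500, NAT-T on 4500) and ESP between the two gateways.
pass in  on $ext_if proto udp from B.B.B.B to A.A.A.A port { 500, 4500 }
pass out on $ext_if proto udp from A.A.A.A to B.B.B.B port { 500, 4500 }
pass in  on $ext_if proto esp from B.B.B.B to A.A.A.A
pass out on $ext_if proto esp from A.A.A.A to B.B.B.B

# Tunnelled traffic as seen on enc0: the encapsulated packets from the peer and
# the cleartext LAN traffic going into the tunnel (replies match this state).
pass in  on enc0 proto ipencap from B.B.B.B to A.A.A.A keep state (if-bound)
pass out on enc0 from 172.22.0.0/16 to 10.20.10.0/24
```

Load it with `pfctl -nf /etc/pf.conf` first to catch syntax errors, then check with `tcpdump -n -i enc0` that packets towards 10.20.10.0/24 show up with source 10.0.22.221 after the rewrite; `ipsecctl -sa` shows whether the flow's source network is 172.22.0.0/16 as the srcnat syntax intends.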




Hi,
from what I see you use the new address translation feature of ipsec 4.7

This requires a nat statement in pf.conf , which is probably missing from your
configuration..

See the section on 'outgoing network address translation' in the man page of
ipsec.conf

Regards
Christoph

> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
> On behalf of Fernando Alvarez
> Sent: Thursday, 28 October 2010 16:30
> To: misc@openbsd.org
> Subject: IPSec between OpenBSD and Cisco
>
>
> Hi all,
>
> I have been trying to setup a VPN connection between OpenBSD
> and a Cisco router with no success for more than 2 weeks, and
> I really need some advice on how to resolve this. Basically,
> I cannot understand what is going wrong during the
> negotiation :-S Any information would be really helpful for me.
>
> The scenario:
> ==========================================================
> OpenBSD 4.7 machine (amd64), fresh install, acting as gateway
> Public IP: A.A.A.A
> Private IP: 172.22.1.1/16
>
> Cisco Router (IPsec Server)
> Public IP: B.B.B.B
> Private LAN: 10.20.10.0/24 (IPsec tunnel configured only to
> access the 10.20.10.38 machine)
>
> Diagram:
> ==========================================================
>           Localization A                                      Localization B
> 172.22/16 [OpenBSD] A.A.A.A ------(Internet)------- B.B.B.B [Cisco] -- 10.20.10.38 (machine)
>
> Constraints:
> ==========================================================
> 1 - The OpenBSD machine should present itself as 10.0.22.221
>     in the Site B LAN.
> 2 - It's not possible to modify the Cisco configuration. It's
>     proven to be fully functional with other Cisco peers (at
>     least that's what they have told me)
>
> Cisco Configuration:
> ==========================================================
> name A.A.A.A siteApublicIP
> object-group network siteA
> access-list outside_cryptomap_23 extended permit ip object-group siteA host 10.0.22.221
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto map outside_map 22 match address outside_cryptomap_23
> crypto map outside_map 22 set pfs
> crypto map outside_map 22 set peer siteApublicIP
> crypto map outside_map 22 set transform-set ESP-3DES-MD5
> tunnel-group A.A.A.A type ipsec-l2l
> tunnel-group A.A.A.A ipsec-attributes
>  pre-shared-key theKey
>
> OpenBSD Config:
> ==========================================================
> /etc/ipsec.conf:
> ==========================================================
> ike active esp from 10.0.22.221 (172.22.0.0/16) to 10.20.10.0/24 \
>     peer B.B.B.B \
>     main auth hmac-md5 enc 3des \
>     quick auth hmac-md5 enc 3des group modp1024 \
>     psk theKey
>
>
> /etc/pf.conf:
> ==========================================================
> set skip on lo
> match out log on $ext_if from 172.22/16 to 10.20.10.0/24 nat-to 10.0.22.221
> match out log on $int_if from 172.22/16 to !172.22/16 nat-to A.A.A.A
> pass
>
>
> isakmpd output (via tcpdump):
> ==========================================================
> 0.0.0.0.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
>  cookie: 8f5627d25c664fa7->0000000000000000 msgid: 00000000 len: 180
>  payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>     payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
>         payload: TRANSFORM len: 32
>             transform: 0 ID: ISAKMP
>                 attribute ENCRYPTION_ALGORITHM = 3DES_CBC
>                 attribute HASH_ALGORITHM = MD5
>                 attribute AUTHENTICATION_METHOD = PRE_SHARED
>                 attribute GROUP_DESCRIPTION = MODP_1024
>                 attribute LIFE_TYPE = SECONDS
>                 attribute LIFE_DURATION = 3600
>  payload: VENDOR len: 20 (supports OpenBSD-4.0)
>  payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
>  payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
>  payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
>  payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 208)
> B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
>  cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 00000000 len: 124
>  payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>     payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
>         payload: TRANSFORM len: 32
>             transform: 0 ID: ISAKMP
>                 attribute ENCRYPTION_ALGORITHM = 3DES_CBC
>                 attribute HASH_ALGORITHM = MD5
>                 attribute GROUP_DESCRIPTION = MODP_1024
>                 attribute AUTHENTICATION_METHOD = PRE_SHARED
>                 attribute LIFE_TYPE = SECONDS
>                 attribute LIFE_DURATION = 3600
>  payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
>  payload: VENDOR len: 24 [ttl 0] (id 1, len 152)
> A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
>  cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 00000000 len: 220
>  payload: KEY_EXCH len: 132
>  payload: NONCE len: 20
>  payload: NAT-D-DRAFT len: 20
>  payload: NAT-D-DRAFT len: 20 [ttl 0] (id 1, len 248)
> B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
>  cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 00000000 len: 296
>  payload: KEY_EXCH len: 132
>  payload: NONCE len: 24
>  payload: VENDOR len: 20 (supports Cisco Unity)
>  payload: VENDOR len: 12 (supports draft-ietf-ipsra-isakmp-xauth-06.txt)
>  payload: VENDOR len: 20
>  payload: VENDOR len: 20
>  payload: NAT-D-DRAFT len: 20
>  payload: NAT-D-DRAFT len: 20 [ttl 0] (id 1, len 324)
> A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
>  cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 00000000 len: 88
>  payload: ID len: 12 type: IPV4_ADDR = A.A.A.A
>  payload: HASH len: 20
>  payload: NOTIFICATION len: 28
>     notification: INITIAL CONTACT (8f5627d25c664fa7->a8427e4dfc02591c) [ttl 0] (id 1, len 116)
> B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
>  cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 00000000 len: 84
>  payload: ID len: 12 proto: 17 port: 0 type: IPV4_ADDR = B.B.B.B
>  payload: HASH len: 20
>  payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 112)
> A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
>  cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: d11a9d9b len: 276
>  payload: HASH len: 20
>  payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>     payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x6aa9a434
>         payload: TRANSFORM len: 28
>             transform: 1 ID: 3DES
>                 attribute LIFE_TYPE = SECONDS
>                 attribute LIFE_DURATION = 1200
>                 attribute ENCAPSULATION_MODE = TUNNEL
>                 attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
>                 attribute GROUP_DESCRIPTION = 2
>  payload: NONCE len: 20
>  payload: KEY_EXCH len: 132
>  payload: ID len: 12 type: IPV4_ADDR = 10.0.22.221
>  payload: ID len: 12 type: IPV4_ADDR = 10.20.10.38 [ttl 0] (id 1, len 304)
> B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
>  cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: d11a9d9b len: 284
>  payload: HASH len: 20
>  payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>     payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xf11d3e40
>         payload: TRANSFORM len: 28
>             transform: 1 ID: 3DES
>                 attribute LIFE_TYPE = SECONDS
>                 attribute LIFE_DURATION = 1200
>                 attribute ENCAPSULATION_MODE = TUNNEL
>                 attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
>                 attribute GROUP_DESCRIPTION = 2
>  payload: NONCE len: 24
>  payload: KEY_EXCH len: 132
>  payload: ID len: 12 type: IPV4_ADDR = 10.0.22.221
>  payload: ID len: 12 type: IPV4_ADDR = 10.20.10.38 [ttl 0] (id 1, len 312)
> A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
>  cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: d11a9d9b len: 48
>  payload: HASH len: 20 [ttl 0] (id 1, len 76)
> B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange INFO
>  cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: c1f366e9 len: 84
>  payload: HASH len: 20
>  payload: NOTIFICATION len: 32
>     notification: STATUS_DPD_R_U_THERE seq 368398431 [ttl 0] (id 1, len 112)
> A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange INFO
>  cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: f2b291c5 len: 80
>  payload: HASH len: 20
>  payload: NOTIFICATION len: 32
>     notification: STATUS_DPD_R_U_THERE_ACK seq 368398431 [ttl 0] (id 1, len 108)
> B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange INFO
>  cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: d5775508 len: 84
>  payload: HASH len: 20
>  payload: NOTIFICATION len: 32
>     notification: STATUS_DPD_R_U_THERE seq 368398432 [ttl 0] (id 1, len 112)
> A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange INFO
>  cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 1d14596e len: 80
>  payload: HASH len: 20
>  payload: NOTIFICATION len: 32
>     notification: STATUS_DPD_R_U_THERE_ACK seq 368398432 [ttl 0] (id 1, len 108)
>
> Thank you in advance for your time and patience,
>
> Fer
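The trace in the quoted post actually shows a healthy IKEv1 negotiation: six main mode (ID_PROT) messages ending with an authenticated ID payload from each side, a three-message quick mode in which each gateway supplies an ESP SPI, and DPD R_U_THERE probes that are all acknowledged. Nothing in it explains why no traffic flows, which is consistent with the pf rule, not IKE, being the problem. As an added example (not code from the thread or from OpenBSD), here is a small Python parser that pulls that state out of a `tcpdump -v` style isakmp trace. The sample embedded in it is a condensed copy of the quoted trace, keeping only the lines the parser reads and leaving the A.A.A.A/B.B.B.B placeholders as they are. Note what it reports as selectors: the phase 2 IDs are the single hosts 10.0.22.221 and 10.20.10.38, so the SA negotiated in this trace carries traffic only between those two addresses, whatever the /24 in the posted ipsec.conf says.

```python
import json
import re
from collections import defaultdict

# Condensed copy of the isakmpd trace quoted in the post (A.A.A.A = OpenBSD,
# B.B.B.B = Cisco); only the lines this parser reads were kept.
SAMPLE_TRACE = """\
0.0.0.0.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
 cookie: 8f5627d25c664fa7->0000000000000000 msgid: 00000000 len: 180
B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 00000000 len: 124
A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 00000000 len: 220
B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 00000000 len: 296
A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 00000000 len: 88
 payload: ID len: 12 type: IPV4_ADDR = A.A.A.A
B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 00000000 len: 84
 payload: ID len: 12 proto: 17 port: 0 type: IPV4_ADDR = B.B.B.B
A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: d11a9d9b len: 276
    payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x6aa9a434
 payload: ID len: 12 type: IPV4_ADDR = 10.0.22.221
 payload: ID len: 12 type: IPV4_ADDR = 10.20.10.38
B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: d11a9d9b len: 284
    payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xf11d3e40
 payload: ID len: 12 type: IPV4_ADDR = 10.0.22.221
 payload: ID len: 12 type: IPV4_ADDR = 10.20.10.38
A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: d11a9d9b len: 48
B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange INFO
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: c1f366e9 len: 84
    notification: STATUS_DPD_R_U_THERE seq 368398431
A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange INFO
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: f2b291c5 len: 80
    notification: STATUS_DPD_R_U_THERE_ACK seq 368398431
B.B.B.B.500 > A.A.A.A.500: [udp sum ok] isakmp v1.0 exchange INFO
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: d5775508 len: 84
    notification: STATUS_DPD_R_U_THERE seq 368398432
A.A.A.A.500 > B.B.B.B.500: [udp sum ok] isakmp v1.0 exchange INFO
 cookie: 8f5627d25c664fa7->a8427e4dfc02591c msgid: 1d14596e len: 80
    notification: STATUS_DPD_R_U_THERE_ACK seq 368398432
"""

HDR = re.compile(r"^(\S+)\.500 > (\S+)\.500: .*isakmp v1\.0 exchange (\S+)")
COOKIE = re.compile(r"cookie: ([0-9a-f]{16})->([0-9a-f]{16}) msgid: ([0-9a-f]{8})")
SPI = re.compile(r"SPI: 0x([0-9a-f]+)")           # only ESP proposals carry one
ADDR_ID = re.compile(r"payload: ID .*IPV4_ADDR = (\S+)")
DPD = re.compile(r"notification: (STATUS_DPD_R_U_THERE(?:_ACK)?) seq (\d+)")

def parse_packets(text):
    """Group a tcpdump -v isakmp trace into one dict per ISAKMP packet."""
    pkts = []
    for line in text.splitlines():
        if m := HDR.match(line):               # packet header starts a new record
            pkts.append({"src": m[1], "dst": m[2], "exch": m[3], "msgid": None,
                         "spi": None, "ids": [], "dpd": None})
        elif not pkts:
            continue                           # payload line before any header
        elif m := COOKIE.search(line):
            pkts[-1]["msgid"] = m[3]
        elif m := SPI.search(line):
            pkts[-1]["spi"] = m[1]
        elif m := ADDR_ID.search(line):
            pkts[-1]["ids"].append(m[1])
        elif m := DPD.search(line):
            pkts[-1]["dpd"] = (m[1], int(m[2]))
    return pkts

def summarize(text):
    """Report how far IKEv1 got: main mode, quick mode(s), DPD liveness."""
    pkts = parse_packets(text)
    # Main mode is six messages; only messages 5 and 6 carry the authenticated
    # ID payload, so an ID from both peers means phase 1 completed.
    main = [p for p in pkts if p["exch"] == "ID_PROT"]
    id_senders = {p["src"] for p in main if p["ids"]}
    # Quick mode is three messages sharing one msgid; record the ESP SPI each
    # side chose and the proxy IDs (traffic selectors) that were negotiated.
    quick = defaultdict(list)
    for p in pkts:
        if p["exch"] == "QUICK_MODE":
            quick[p["msgid"]].append(p)
    phase2 = {msgid: {"complete": len(msgs) >= 3,
                      "spis": sorted(p["spi"] for p in msgs if p["spi"]),
                      "selectors": tuple(msgs[0]["ids"])}
              for msgid, msgs in quick.items()}
    # Pair every DPD R_U_THERE with its ACK by sequence number.
    asked = {p["dpd"][1] for p in pkts if p["dpd"] and not p["dpd"][0].endswith("_ACK")}
    acked = {p["dpd"][1] for p in pkts if p["dpd"] and p["dpd"][0].endswith("_ACK")}
    return {"phase1_complete": len(main) >= 6 and len(id_senders) == 2,
            "phase2": phase2,
            "dpd_acked": sorted(asked & acked),
            "dpd_unanswered": sorted(asked - acked)}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_TRACE), indent=2))
```

The same regexes work on `tcpdump -v -r /var/run/isakmpd.pcap`, the capture isakmpd writes when started with -L, which is the usual way to get this kind of trace on OpenBSD. Grouping by msgid is what makes quick mode countable: a second quick mode (a rekey, or a second flow) shows up as another entry in "phase2" rather than being confused with the first, and an unanswered DPD sequence number in "dpd_unanswered" is the first sign that the peer has gone away even though the SAs still exist locally.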
