Re: Flaw in ipsec.conf(5)?

2016-05-28 Thread Jason McIntyre 
On Fri, May 27, 2016 at 01:21:55PM +0200, Bruno Flueckiger wrote:
> After discussing this with Philipp Buehler off list I have reworked my
> diff to make things easier in the example.
> 
> The paragraph which contains set skip on enc0 just before the ruleset
> is removed. All filtering in the rule set is done on sk0, skipping enc0
> entirely.
> 
> The new rule set looks like this:
> 
> block on sk0
> set skip on enc0
> 
> pass  in on sk0 proto udp from 192.168.3.2 to 192.168.3.1 \
>   port {500, 4500}
> pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \
>   port {500, 4500}
> 
> pass  in on sk0 proto esp from 192.168.3.2 to 192.168.3.1
> pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2
> 
> pass  in on sk0 from 10.0.2.0/24 to 10.0.1.0/24 \
>   keep state (if-bound)
> pass out on sk0 from 10.0.1.0/24 to 10.0.2.0/24 \
>   keep state (if-bound)
> 

what then is the point of this section? to tell us to not filter
ipsec traffic?

what really needs to happen is for developers concerned with ipsec to
either recognise a change and adjust the filter rules accordingly, or
to say the idea of filtering enc traffic no longer makes sense and to
remove the section. or to tell you what's in ipsec.conf(5) is correct,
and why.

until that happens, the text will remain, i think.

jmc

> 
> Index: sbin/ipsecctl/ipsec.conf.5
> ===
> RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v
> retrieving revision 1.151
> diff -u -p -r1.151 ipsec.conf.5
> --- sbin/ipsecctl/ipsec.conf.59 Dec 2015 21:41:50 -   1.151
> +++ sbin/ipsecctl/ipsec.conf.527 May 2016 11:07:55 -
> @@ -493,20 +493,12 @@ Match traffic of phase 2 SAs using the
>  keyword.
>  .El
>  .Pp
> -If the filtering rules specify to block everything by default,
> -the following rule
> -would ensure that IPsec traffic never hits the packet filtering engine,
> -and is therefore passed:
> -.Bd -literal -offset indent
> -set skip on enc0
> -.Ed
> -.Pp
>  In the following example, all traffic is blocked by default.
>  IPsec-related traffic from gateways {192.168.3.1, 192.168.3.2} and
>  networks {10.0.1.0/24, 10.0.2.0/24} is permitted.
>  .Bd -literal -offset indent
>  block on sk0
> -block on enc0
> +set skip on enc0
>  
>  pass  in on sk0 proto udp from 192.168.3.2 to 192.168.3.1 \e
>   port {500, 4500}
> @@ -516,13 +508,9 @@ pass out on sk0 proto udp from 192.168.3
>  pass  in on sk0 proto esp from 192.168.3.2 to 192.168.3.1
>  pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2
>  
> -pass  in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \e
> - keep state (if-bound)
> -pass out on enc0 proto ipencap from 192.168.3.1 to 192.168.3.2 \e
> - keep state (if-bound)
> -pass  in on enc0 from 10.0.2.0/24 to 10.0.1.0/24 \e
> +pass  in on sk0 from 10.0.2.0/24 to 10.0.1.0/24 \e
>   keep state (if-bound)
> -pass out on enc0 from 10.0.1.0/24 to 10.0.2.0/24 \e
> +pass out on sk0 from 10.0.1.0/24 to 10.0.2.0/24 \e
>   keep state (if-bound)
>  .Ed
>  .Pp

Re: Flaw in ipsec.conf(5)?

2016-05-27 Thread Bruno Flueckiger 
After discussing this with Philipp Buehler off list I have reworked my
diff to make things easier in the example.

The paragraph which contains set skip on enc0 just before the ruleset
is removed. All filtering in the rule set is done on sk0, skipping enc0
entirely.

The new rule set looks like this:

block on sk0
set skip on enc0

pass  in on sk0 proto udp from 192.168.3.2 to 192.168.3.1 \
port {500, 4500}
pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \
port {500, 4500}

pass  in on sk0 proto esp from 192.168.3.2 to 192.168.3.1
pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2

pass  in on sk0 from 10.0.2.0/24 to 10.0.1.0/24 \
keep state (if-bound)
pass out on sk0 from 10.0.1.0/24 to 10.0.2.0/24 \
keep state (if-bound)


Index: sbin/ipsecctl/ipsec.conf.5
===
RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v
retrieving revision 1.151
diff -u -p -r1.151 ipsec.conf.5
--- sbin/ipsecctl/ipsec.conf.5  9 Dec 2015 21:41:50 -   1.151
+++ sbin/ipsecctl/ipsec.conf.5  27 May 2016 11:07:55 -
@@ -493,20 +493,12 @@ Match traffic of phase 2 SAs using the
 keyword.
 .El
 .Pp
-If the filtering rules specify to block everything by default,
-the following rule
-would ensure that IPsec traffic never hits the packet filtering engine,
-and is therefore passed:
-.Bd -literal -offset indent
-set skip on enc0
-.Ed
-.Pp
 In the following example, all traffic is blocked by default.
 IPsec-related traffic from gateways {192.168.3.1, 192.168.3.2} and
 networks {10.0.1.0/24, 10.0.2.0/24} is permitted.
 .Bd -literal -offset indent
 block on sk0
-block on enc0
+set skip on enc0
 
 pass  in on sk0 proto udp from 192.168.3.2 to 192.168.3.1 \e
port {500, 4500}
@@ -516,13 +508,9 @@ pass out on sk0 proto udp from 192.168.3
 pass  in on sk0 proto esp from 192.168.3.2 to 192.168.3.1
 pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2
 
-pass  in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \e
-   keep state (if-bound)
-pass out on enc0 proto ipencap from 192.168.3.1 to 192.168.3.2 \e
-   keep state (if-bound)
-pass  in on enc0 from 10.0.2.0/24 to 10.0.1.0/24 \e
+pass  in on sk0 from 10.0.2.0/24 to 10.0.1.0/24 \e
keep state (if-bound)
-pass out on enc0 from 10.0.1.0/24 to 10.0.2.0/24 \e
+pass out on sk0 from 10.0.1.0/24 to 10.0.2.0/24 \e
keep state (if-bound)
 .Ed
 .Pp

Re: Flaw in ipsec.conf(5)?

2016-05-27 Thread Bruno Flueckiger 
On Thu, May 26, 2016 at 08:41:49AM +0100, Jason McIntyre wrote:
> On Tue, May 24, 2016 at 10:53:16AM +0200, Bruno Flueckiger wrote:
> > Hi,
> > 
> > I've tested IPsec connections in my lab. The setup looks like this:
> > 
> > [cli] <-- vlan10 --> [gw1] <> [inet] <> [gw2] <-- vlan20 --> [srv]
> >   IPsec=
> 
> i think you should provide more details of your setup first. for
> example, ipsec.conf(5) shows pf rules for ipencap but you only provide a
> small snippet of your pf.conf. no vlan details. none of your tcpdump
> output that leads you to this conclusion. no routing details.
> 
> then keep your fingers crossed. i think most people run for the hills
> when they see ipsec mail.
> 
> jmc
> 

The network config looks like this:

vlan10: [cli] .11 <- 10.19.1.0/24 -> .1  [gw1]
vlan20: [gw2] .1  <- 10.81.1.0/24 -> .11 [srv]

The simulated internet between the gateways is one OpenBSD box which
forwards packets between the two subnets 10.0.19.0/24 and 10.0.81.0/24:

[gw1] .2 <- 10.0.19.0/24 -> .1 [inet] .1 <- 10.0.81.0/24 -> .2 [gw2]

There are no vlans defined for the two subnets between the gateways and
the [inet] box.  All machines are running OpenBSD 5.9-release on a
VMware ESXi 5.5. All network adapters are vmx, each adapter is connected
to a vSphere standard switch. There is one vSphere switch for each
subnet. None of the switches have physical nics assigned.

This is the ipsec.conf on [gw1]:

local_ip="10.0.19.2"
remote_ip="10.0.81.2"
local_net="10.19.1.0/24"
remote_net="10.81.1.0/24"
ike esp from $local_ip to $remote_ip
ike esp from $local_ip to $remote_net
ike esp from $local_net to $remote_net

This is the pf.conf on [gw1] in the version that blocks ipsec traffic on
interface enc0:

wan_if="vmx0"
local_net="10.19.1.0/24"
remote_ip="10.0.81.2"
remote_net="10.81.1.0/24"
icmp_types="{ echoreq unreach }"
ike_ports="{ isakmp ipsec-nat-t }"

set block-policy return
set skip on lo

match in all scrub (no-df random-id reassemble tcp)

block log all
pass in from (self)
pass out on $wan_if from (self) to any keep state

pass inet proto icmp all icmp-type $icmp_types keep state

pass in on vlan10 inet proto tcp from $local_net to vlan10 port ssh \
keep state (if-bound)

# Allow traffic for IPsec tunnel setup
pass in  on $wan_if proto udp from $remote_ip to $wan_if \
port $ike_ports
pass out on $wan_if proto udp from $wan_ifto $remote_ip \
port $ike_ports

# Allow esp packets between tunnel endpoints
pass in  on $wan_if proto esp from $remote_ip to $wan_if \
keep state (if-bound)
pass out on $wan_if proto esp from $wan_ifto $remote_ip \
keep state (if-bound)

# Allow encapsulated IP packets
pass in  on enc0 proto ipencap from $remote_ip to $wan_if \
keep state (if-bound)
pass out on enc0 proto ipencap from $wan_ifto $remote_ip \
keep state (if-bound)

# Allow traffic between the subnets
pass in  on vlan10 from $local_net  to $remote_net keep state
pass out on enc0   from $local_net  to $remote_net keep state (if-bound)
pass in  on enc0   from $remote_net to $local_net  keep state (if-bound)
pass out on vlan10 from $remote_net to $local_net  keep state

I run tcpdump -nettti pflog0 on [gw1]. Then I try to connect from [cli]
to [srv] by running ssh 10.81.1.11. This is the output from tcpdump when
using the above pf.conf on [gw1]:

tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
May 27 08:27:04.754155 rule 1/(match) block out on enc0: esp 10.0.19.2 >
10.0.81.2 spi 0x621d35d7 seq 8 len 120
May 27 08:27:10.743030 rule 1/(match) block out on enc0: esp 10.0.19.2 >
10.0.81.2 spi 0x621d35d7 seq 9 len 120
May 27 08:27:22.739668 rule 1/(match) block out on enc0: esp 10.0.19.2 >
10.0.81.2 spi 0x621d35d7 seq 10 len 120
May 27 08:27:46.732233 rule 1/(match) block out on enc0: esp 10.0.19.2 >
10.0.81.2 spi 0x621d35d7 seq 11 len 120

This made me include the interface enc0 in the two rules for esp
packets. After this the connection works as expected. That made me write
the patch.

If something is unclear in my description of even more details are
needed I'm happy to provide those.

Cheers,
Bruno

Re: Flaw in ipsec.conf(5)?

2016-05-26 Thread Jason McIntyre 
On Tue, May 24, 2016 at 10:53:16AM +0200, Bruno Flueckiger wrote:
> Hi,
> 
> I've tested IPsec connections in my lab. The setup looks like this:
> 
> [cli] <-- vlan10 --> [gw1] <> [inet] <> [gw2] <-- vlan20 --> [srv]
>   IPsec=
> 
> During the testing I think I've found a flaw in ipsec.conf(5). According
> to the man page the esp packets need to be passed on interface sk0:
> 
> block on sk0
> block on enc0
>  
> pass  in on sk0 proto udp from 192.168.3.2 to 192.168.3.1 \
>   port {500, 4500}
> pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \
>   port {500, 4500}
>  
> pass  in on sk0 proto esp from 192.168.3.2 to 192.168.3.1
> pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2
>  
> My test setup didn't allow communication between [cli] and [srv]. Checking
> the reason on [gw1] using tcpdump -nettti pflog0 shows that esp packets
> are blocked by pf on enc0. So I included the interface enc0 in the pass
> rules for esp packets. After this the connections work as expected.
> 
> As a result of my tests I've created the diff below for ipsec.conf(5). Is
> this ok or did I miss something?
> 

i think you should provide more details of your setup first. for
example, ipsec.conf(5) shows pf rules for ipencap but you only provide a
small snippet of your pf.conf. no vlan details. none of your tcpdump
output that leads you to this conclusion. no routing details.

then keep your fingers crossed. i think most people run for the hills
when they see ipsec mail.

jmc

> Cheers,
> Bruno
> 
> Index: sbin/ipsecctl/ipsec.conf.5
> ===
> RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v
> retrieving revision 1.151
> diff -u -p -r1.151 ipsec.conf.5
> --- sbin/ipsecctl/ipsec.conf.59 Dec 2015 21:41:50 -   1.151
> +++ sbin/ipsecctl/ipsec.conf.524 May 2016 08:24:49 -
> @@ -513,8 +513,8 @@ pass  in on sk0 proto udp from 192.168.3
>  pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \e
>   port {500, 4500}
>  
> -pass  in on sk0 proto esp from 192.168.3.2 to 192.168.3.1
> -pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2
> +pass  in on {sk0 enc0} proto esp from 192.168.3.2 to 192.168.3.1
> +pass out on {sk0 enc0} proto esp from 192.168.3.1 to 192.168.3.2
>  
>  pass  in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \e
>   keep state (if-bound)

Re: Flaw in ipsec.conf(5)?

2016-05-24 Thread Philipp Buehler 

Am 24.05.2016 10:53 schrieb Bruno Flueckiger:

As a result of my tests I've created the diff below for ipsec.conf(5). 
Is

this ok or did I miss something?



You missed the 'set skip on enc0' a bit up.

--
pb

Flaw in ipsec.conf(5)?

2016-05-24 Thread Bruno Flueckiger 
Hi,

I've tested IPsec connections in my lab. The setup looks like this:

[cli] <-- vlan10 --> [gw1] <> [inet] <> [gw2] <-- vlan20 --> [srv]
  IPsec=

During the testing I think I've found a flaw in ipsec.conf(5). According
to the man page the esp packets need to be passed on interface sk0:

block on sk0
block on enc0
 
pass  in on sk0 proto udp from 192.168.3.2 to 192.168.3.1 \
port {500, 4500}
pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \
port {500, 4500}
 
pass  in on sk0 proto esp from 192.168.3.2 to 192.168.3.1
pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2
 
My test setup didn't allow communication between [cli] and [srv]. Checking
the reason on [gw1] using tcpdump -nettti pflog0 shows that esp packets
are blocked by pf on enc0. So I included the interface enc0 in the pass
rules for esp packets. After this the connections work as expected.

As a result of my tests I've created the diff below for ipsec.conf(5). Is
this ok or did I miss something?

Cheers,
Bruno

Index: sbin/ipsecctl/ipsec.conf.5
===
RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v
retrieving revision 1.151
diff -u -p -r1.151 ipsec.conf.5
--- sbin/ipsecctl/ipsec.conf.5  9 Dec 2015 21:41:50 -   1.151
+++ sbin/ipsecctl/ipsec.conf.5  24 May 2016 08:24:49 -
@@ -513,8 +513,8 @@ pass  in on sk0 proto udp from 192.168.3
 pass out on sk0 proto udp from 192.168.3.1 to 192.168.3.2 \e
port {500, 4500}
 
-pass  in on sk0 proto esp from 192.168.3.2 to 192.168.3.1
-pass out on sk0 proto esp from 192.168.3.1 to 192.168.3.2
+pass  in on {sk0 enc0} proto esp from 192.168.3.2 to 192.168.3.1
+pass out on {sk0 enc0} proto esp from 192.168.3.1 to 192.168.3.2
 
 pass  in on enc0 proto ipencap from 192.168.3.2 to 192.168.3.1 \e
keep state (if-bound)