Re: IKED and encapsulated peers

2015-10-06 Thread Raf Czlonka
On Mon, Oct 05, 2015 at 07:52:28PM BST, Jason Tubnor wrote:
> On 5 October 2015 at 22:00, Jason Tubnor  wrote:
> 
> >
> > Solved!
> >
> >
> > I have attached a man 5 iked.conf patch that clears up an example used in
> > the man page.
> >
> 
> The gz diff was stripped by demime, here is the flat text patch file.
> 
> Cheers,
> 
> Jason.
> 
> [demime 1.01d removed an attachment of type application/octet-stream which 
> had a name of iked.conf.5.patch]
> 

Jason,

The only OpenBSD mailing list which permits attachments is ports@[0].
On all the other ones demime strips *any* kind of attachments from
emails sent there.

It is customary to include patches or config files in-line.

Regards,

Raf

[0] http://www.openbsd.org/mail.html



Re: IKED and encapsulated peers

2015-10-05 Thread Jason Tubnor
On 5 October 2015 at 22:00, Jason Tubnor  wrote:

>
> Solved!
>
>
> I have attached a man 5 iked.conf patch that clears up an example used in
> the man page.
>

The gz diff was stripped by demime, here is the flat text patch file.

Cheers,

Jason.

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of iked.conf.5.patch]



Re: IKED and encapsulated peers

2015-10-05 Thread Jason Tubnor
On 3 October 2015 at 14:40, Jason Tubnor  wrote:

> Hi,
>
> > Based on man 5 iked.conf the following should technically set up 4 flows
> > (reversing and setting active on the corresponding peer):
>
>
>
Solved!

Main gateway:

# cat /etc/iked.conf
ikev2 esp from 192.168.232.128 to 192.168.232.129 \
    from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.129 psk "HelloWorld"

# ipsecctl -sa
FLOWS:
flow esp in from 192.168.232.129 to 192.168.232.128 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type use
flow esp out from 192.168.232.128 to 192.168.232.129 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type require
flow esp in from 192.168.72.0/24 to 192.168.1.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type use
flow esp out from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0x01d084c7 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0xf055afa1 auth hmac-sha2-256 enc aes-256



Remote gateway (that initiates connection):

# cat /etc/iked.conf
ikev2 active esp from 192.168.232.129 to 192.168.232.128 \
    from 192.168.72.0/24 to 192.168.1.0/24 peer 192.168.232.128 psk "HelloWorld"

# ipsecctl -sa
FLOWS:
flow esp in from 192.168.232.128 to 192.168.232.129 peer 192.168.232.128 srcid FQDN/rovpn.local dstid FQDN/hovpn.local type use
flow esp out from 192.168.232.129 to 192.168.232.128 peer 192.168.232.128 srcid FQDN/rovpn.local dstid FQDN/hovpn.local type require
flow esp in from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.128 srcid FQDN/rovpn.local dstid FQDN/hovpn.local type use
flow esp out from 192.168.72.0/24 to 192.168.1.0/24 peer 192.168.232.128 srcid FQDN/rovpn.local dstid FQDN/hovpn.local type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0x01d084c7 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0xf055afa1 auth hmac-sha2-256 enc aes-256

--

I have attached a man 5 iked.conf patch that clears up an example used in
the man page.


Cheers,

Jason.

[demime 1.01d removed an attachment of type application/x-gzip which had a name 
of iked.conf.5.patch.gz]
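The solved listing above is easy to eyeball once, but the same two conditions are worth checking by script after every iked.conf change: each selector pair from the configuration has both an inbound and an outbound ESP flow, and each gateway direction carries exactly one SA. The script below is an added example, not code from this thread or from OpenBSD. It parses the FLOWS and SAD sections as ipsecctl -sa prints them (rejoining the line wrapping a mail client introduces, so it can be fed the listings in this thread verbatim) and reports deviations. The two sample listings and the EXPECTED selector pairs are constructed from the outputs and iked.conf shown in this thread; the function names are the example's own. Run against the earlier two-rule listing from this thread it reports the symptom of Jason's original message, namely no gateway-to-gateway flows and two SAs per direction.

```python
"""Sanity-check ipsecctl -sa output against the selector pairs in iked.conf.

Added example, not from the thread or from OpenBSD. Sample listings below are
constructed from the thread's own output, mail-client line wrapping included.
"""
import re
from collections import Counter

# One flow record after unwrapping, e.g.
# "flow esp in from A to B peer P srcid ... dstid ... type use"
FLOW_RE = re.compile(
    r"^flow esp (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: peer (?P<peer>\S+))?.*\btype (?P<type>\w+)$"
)
# One SA record, e.g. "esp tunnel from A to B spi 0x... auth ... enc ..."
SA_RE = re.compile(
    r"^esp tunnel from (?P<src>\S+) to (?P<dst>\S+) spi (?P<spi>0x[0-9a-f]+)"
)


def unwrap(text):
    """Rejoin records a mail client wrapped: only a flow, an SA or a section
    header starts a new record; any other line is glued to the previous one."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("flow ", "esp ", "FLOWS:", "SAD:")):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def parse_ipsecctl(text):
    """Return (flows, sas) as lists of dicts keyed by the regex group names."""
    flows, sas = [], []
    for rec in unwrap(text):
        m = FLOW_RE.match(rec)
        if m:
            flows.append(m.groupdict())
            continue
        m = SA_RE.match(rec)
        if m:
            sas.append(m.groupdict())
    return flows, sas


def check(text, expected_pairs):
    """expected_pairs: (local, remote) selector pairs from iked.conf.
    Returns a list of findings; an empty list means the state is healthy."""
    flows, sas = parse_ipsecctl(text)
    have = {(f["dir"], f["src"], f["dst"]) for f in flows if f["type"] != "deny"}
    findings = []
    for local, remote in expected_pairs:
        if ("out", local, remote) not in have:
            findings.append(f"missing outbound flow {local} -> {remote}")
        if ("in", remote, local) not in have:
            findings.append(f"missing inbound flow {remote} -> {local}")
    # One child SA per direction is the healthy state; the original report
    # showed two per direction (four SAD lines) for a single tunnel.
    per_direction = Counter((s["src"], s["dst"]) for s in sas)
    for (src, dst), n in sorted(per_direction.items()):
        if n > 1:
            findings.append(f"{n} SAs for {src} -> {dst}, expected 1")
    if not sas:
        findings.append("no SAs installed")
    return findings


# Selector pairs from the main gateway's iked.conf in the solved post.
EXPECTED = [
    ("192.168.232.128", "192.168.232.129"),  # gateway-to-gateway traffic
    ("192.168.1.0/24", "192.168.72.0/24"),   # site-to-site traffic
]

# Constructed from the solved listing: both flow pairs, one SA per direction.
WORKING = """\
FLOWS:
flow esp in from 192.168.232.129 to 192.168.232.128 peer 192.168.232.129
srcid FQDN/hovpn.local dstid FQDN/rovpn.local type use
flow esp out from 192.168.232.128 to 192.168.232.129 peer 192.168.232.129
srcid FQDN/hovpn.local dstid FQDN/rovpn.local type require
flow esp in from 192.168.72.0/24 to 192.168.1.0/24 peer 192.168.232.129
srcid FQDN/hovpn.local dstid FQDN/rovpn.local type use
flow esp out from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.129
srcid FQDN/hovpn.local dstid FQDN/rovpn.local type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0x01d084c7 auth
hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0xf055afa1 auth
hmac-sha2-256 enc aes-256
"""

# Constructed from the earlier two-rule listing: gateway flows absent, four SAs.
BROKEN = """\
FLOWS:
flow esp in from 192.168.72.0/24 to 192.168.1.0/24 peer 192.168.232.129
srcid FQDN/hovpn.local dstid FQDN/rovpn.local type use
flow esp out from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.129
srcid FQDN/hovpn.local dstid FQDN/rovpn.local type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0x1d3ef308 auth
hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0x22b8b189 auth
hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0xb8b060e1 auth
hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0xbda3e596 auth
hmac-sha2-256 enc aes-256
"""

if __name__ == "__main__":
    for name, listing in (("working", WORKING), ("broken", BROKEN)):
        print(name, check(listing, EXPECTED) or ["ok"])
```

On a live gateway the listing would come from the output of ipsecctl -sa rather than the constructed strings, and EXPECTED would be maintained alongside iked.conf; a non-empty result after iked has been reloaded is the cue to look at the flow rules before chasing pf or routing.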



Re: IKED and encapsulated peers

2015-10-04 Thread Jason Tubnor
On 3 October 2015 at 14:40, Jason Tubnor  wrote:

> Hi,
>
>
> Here are the ipsecctl flows:
>
>
>
Sorry, I copied in the flows from the wrong server (testing all different
ways trying to get things to work).  Here is the ipsecctl to match the
iked.conf listed:

# ipsecctl -sa
FLOWS:
flow esp in from 192.168.72.0/24 to 192.168.1.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type use
flow esp out from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0x1d3ef308 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0x22b8b189 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0xb8b060e1 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0xbda3e596 auth hmac-sha2-256 enc aes-256

Cheers,

Jason



IKED and encapsulated peers

2015-10-02 Thread Jason Tubnor
Hi,

Based on man 5 iked.conf the following should technically set up 4 flows
(reversing and setting active on the corresponding peer):

/etc/iked.conf

ikev2 esp from 192.168.232.128 to 192.168.232.129 psk "HelloWorld"
ikev2 esp from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.129 psk "HelloWorld"

The site to site flow (2nd rule) works as intended over the encapsulated
interface. However, the 1st rule will not encapsulate the ICMP traffic when
pinging from the opposite peer (peer 192.168.232.129 used below):

# ping 192.168.232.128
PING 192.168.232.128 (192.168.232.128): 56 data bytes
Oct 03 14:21:13.493860 rule 3/(match) block in on em0: 192.168.232.128 > 192.168.232.129: icmp: echo reply

Here are the ipsecctl flows:

# ipsecctl -sa
FLOWS:
flow esp in from 192.168.72.0/24 to 192.168.111.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type use
flow esp out from 192.168.111.0/24 to 192.168.72.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0x09a48897 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0x55ef5dfe auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0x99bd11bb auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0xf5e4357a auth hmac-sha2-256 enc aes-256

*Note: If I don't have the 1st IKED rule, then the SAD looks correct (only
2 lines, not 4, and it still works for the above FLOWS).

I'm sort of at a loss with this. Now I don't mind if those 192.168.232.x
interfaces are encapsulated at the end of the day, as all critical traffic
will go over the internal network flows, though for monitoring I'd rather the
end point gateway tests remained encapsulated. Any pointers on where to
look will be greatly appreciated; I've been through the man pages and mailing
lists many times trying to work out where I am potentially going wrong.

Thanks in advance.

Jason.

dmesg

OpenBSD 5.7 (GENERIC.MP) #881: Sun Mar  8 11:04:17 MDT 2015
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 520028160 (495MB)
avail mem = 502321152 (479MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (364 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 07/31/2013
bios0: VMware, Inc. VMware Virtual Platform
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3) S3F0(S3)
S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3) S10F(S3) S11F(S3)
S12F(S3) S13F(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-3630QM CPU @ 2.40GHz, 2394.21 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,SSSE3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 65MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM) i7-3630QM CPU @ 2.40GHz, 2393.62 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,SSSE3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins
acpimcfg0 at acpi0 addr 0xf000, bus 0-127
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpibat0 at acpi0: BAT1 not present
acpibat1 at acpi0: BAT2 not present
acpiac0 at acpi0: AC unit online
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: LID_
vmt0 at mainbus0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
pci1 at ppb0 bus 1
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel
0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  ATAPI
5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x08: SMBus
disabled
"VMware VMCI" rev 0x10 at pci0 dev 7 function 7 not configured
vga1 at pci0 dev 15 function 0 "VMware SVGA II" rev 0x00