Re: IKED and encapsulated peers

2015-10-06 Thread Raf Czlonka
On Mon, Oct 05, 2015 at 07:52:28PM BST, Jason Tubnor wrote:
> On 5 October 2015 at 22:00, Jason Tubnor  wrote:
> 
> >
> > Solved!
> >
> >
> > I have attached a man 5 iked.conf patch that clears up an example used in
> > the man page.
> >
> 
> The gz diff was stripped by demime, here is the flat text patch file.
> 
> Cheers,
> 
> Jason.
> 
> [demime 1.01d removed an attachment of type application/octet-stream which 
> had a name of iked.conf.5.patch]
> 

Jason,

The only OpenBSD mailing list which permits attachments is ports@[0].
On all the other ones demime strips *any* kind of attachments from
emails sent there.

It is customary to include patches or config files in-line.

Regards,

Raf

[0] http://www.openbsd.org/mail.html



Re: IKED and encapsulated peers

2015-10-05 Thread Jason Tubnor
On 5 October 2015 at 22:00, Jason Tubnor  wrote:

>
> Solved!
>
>
> I have attached a man 5 iked.conf patch that clears up an example used in
> the man page.
>

The gz diff was stripped by demime, here is the flat text patch file.

Cheers,

Jason.

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of iked.conf.5.patch]



Re: IKED and encapsulated peers

2015-10-05 Thread Jason Tubnor
On 3 October 2015 at 14:40, Jason Tubnor  wrote:

> Hi,
>
> Based on man 5 iked.conf the following should set up technically 4 flows
> (reversing and setting active on the corresponding peer):
>
>
>
Solved!

Main gateway:

# cat /etc/iked.conf
ikev2 esp from 192.168.232.128 to 192.168.232.129 \
from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.129 psk "HelloWorld"

# ipsecctl -sa
FLOWS:
flow esp in from 192.168.232.129 to 192.168.232.128 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type use
flow esp out from 192.168.232.128 to 192.168.232.129 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type require
flow esp in from 192.168.72.0/24 to 192.168.1.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type use
flow esp out from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0x01d084c7 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0xf055afa1 auth hmac-sha2-256 enc aes-256



Remote gateway (that initiates connection):

# cat /etc/iked.conf
ikev2 active esp from 192.168.232.129 to 192.168.232.128 \
from 192.168.72.0/24 to 192.168.1.0/24 peer 192.168.232.128 psk "HelloWorld"

# ipsecctl -sa
FLOWS:
flow esp in from 192.168.232.128 to 192.168.232.129 peer 192.168.232.128 srcid FQDN/rovpn.local dstid FQDN/hovpn.local type use
flow esp out from 192.168.232.129 to 192.168.232.128 peer 192.168.232.128 srcid FQDN/rovpn.local dstid FQDN/hovpn.local type require
flow esp in from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.128 srcid FQDN/rovpn.local dstid FQDN/hovpn.local type use
flow esp out from 192.168.72.0/24 to 192.168.1.0/24 peer 192.168.232.128 srcid FQDN/rovpn.local dstid FQDN/hovpn.local type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0x01d084c7 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0xf055afa1 auth hmac-sha2-256 enc aes-256

--

I have attached a man 5 iked.conf patch that clears up an example used in
the man page.


Cheers,

Jason.

[demime 1.01d removed an attachment of type application/x-gzip which had a name 
of iked.conf.5.patch.gz]
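Added example (not from the thread and not OpenBSD code): a small Python checker that parses `ipsecctl -sa` output like the listings above and verifies that one ikev2 rule with two from/to pairs produced, for each pair, an outbound `require` flow and an inbound flow via the peer, plus the catch-all deny flow and an SA in each direction. The sample output is copied from the main gateway above; the function names and the checks are my own.

```python
import re

# Sample `ipsecctl -sa` output, copied from the main gateway listing in the thread above.
SAMPLE = """\
FLOWS:
flow esp in from 192.168.232.129 to 192.168.232.128 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type use
flow esp out from 192.168.232.128 to 192.168.232.129 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type require
flow esp in from 192.168.72.0/24 to 192.168.1.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type use
flow esp out from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type require
flow esp out from ::/0 to ::/0 type deny
SAD:
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0x01d084c7 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0xf055afa1 auth hmac-sha2-256 enc aes-256
"""

FLOW_RE = re.compile(r"^flow esp (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+)"
                     r"(?: peer (?P<peer>\S+))?(?: srcid \S+ dstid \S+)? type (?P<type>\w+)$")
SA_RE = re.compile(r"^esp tunnel from (?P<src>\S+) to (?P<dst>\S+) spi (?P<spi>0x[0-9a-f]+)")

def parse_ipsecctl(text):
    """Split `ipsecctl -sa` output into a list of flow dicts and a list of SA dicts."""
    flows, sas, section = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if line in ("FLOWS:", "SAD:"):
            section = line
        elif section == "FLOWS:" and (m := FLOW_RE.match(line)):
            flows.append(m.groupdict())
        elif section == "SAD:" and (m := SA_RE.match(line)):
            sas.append(m.groupdict())
    return flows, sas

def check_rule(flows, sas, selectors, peer):
    """For each (local, remote) pair of one ikev2 rule expect an outbound 'require' flow and an
    inbound flow via `peer`, a catch-all deny flow, and an SA each way. Returns problems (empty = OK)."""
    problems = []
    for local, remote in selectors:
        out = [f for f in flows if (f["dir"], f["src"], f["dst"], f["peer"]) == ("out", local, remote, peer)]
        inb = [f for f in flows if (f["dir"], f["src"], f["dst"], f["peer"]) == ("in", remote, local, peer)]
        if not out:
            problems.append(f"no outbound flow {local} -> {remote}")
        elif out[0]["type"] != "require":  # with 'use', traffic could leave unprotected while no SA is up
            problems.append(f"outbound flow {local} -> {remote} is type {out[0]['type']}, not require")
        if not inb:
            problems.append(f"no inbound flow {remote} -> {local}")
    if not any(f["type"] == "deny" for f in flows):
        problems.append("no catch-all deny flow")
    if not (any(s["dst"] == peer for s in sas) and any(s["src"] == peer for s in sas)):
        problems.append(f"missing SA to or from {peer}")
    return problems
```

Running it against the earlier, incomplete flow list from the 2015-10-04 message (only the subnet pair present) reports the two missing gateway-to-gateway flows.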



Re: IKED and encapsulated peers

2015-10-04 Thread Jason Tubnor
On 3 October 2015 at 14:40, Jason Tubnor  wrote:

> Hi,
>
>
> Here are the ipsecctl flows:
>
>
>
Sorry, I copied in the flows from the wrong server (testing all different
ways trying to get things to work).  Here is the ipsecctl to match the
iked.conf listed:

# ipsecctl -sa
FLOWS:
flow esp in from 192.168.72.0/24 to 192.168.1.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type use
flow esp out from 192.168.1.0/24 to 192.168.72.0/24 peer 192.168.232.129 srcid FQDN/hovpn.local dstid FQDN/rovpn.local type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0x1d3ef308 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0x22b8b189 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.128 to 192.168.232.129 spi 0xb8b060e1 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.232.129 to 192.168.232.128 spi 0xbda3e596 auth hmac-sha2-256 enc aes-256

Cheers,

Jason