Re: IPSEC/ISAKMPD routing question

2011-01-10 Thread Martin Pelikan
2011/1/10, Christoph Leser le...@sup-logistik.de:
 Hello,

 I have an IPSEC VPNs in Tunnelmode, configured in ipsec.conf with a line
 like:

 ike active esp tunnel from my_internal_net to his_internal_net peer
 his_gateway_address main_mode_parameters quick_mode_parameters
 preshared_key

 My isakmpd.policy file is

 # cat /etc/isakmpd/isakmpd.policy
 Keynote-version: 2
 Authorizer: "POLICY"
 Conditions: app_domain == "IPsec policy" &&
 esp_present == "yes" &&
 esp_enc_alg != "null" -> "true";


 Every thing works fine.

 But today, one of the remote_gateways was replaced by a misconfigured
 new one, leading to the following phase-2 packet:

 13:29:01.098526 remote_gateway_ip.500 > my_gateway_ip.500: [udp sum
 ok] isakmp v1.0 exchange QUICK_MODE
 cookie: 70de03ee348066c9-76aabe706bed52c2 msgid: 301c68c8 len: 300
 payload: HASH len: 24
 payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
 payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP
 spisz: 4 xforms: 1 SPI: 0xcb2d2b94
 payload: TRANSFORM len: 32
 transform: 1 ID: AES
 attribute LIFE_TYPE = SECONDS
 attribute LIFE_DURATION = 28800
 attribute ENCAPSULATION_MODE = TUNNEL
 attribute KEY_LENGTH = 128
 attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
 attribute GROUP_DESCRIPTION = 2
 payload: NONCE len: 20
 payload: KEY_EXCH len: 132
 payload: ID len: 16 type: IPV4_ADDR_SUBNET = 0.0.0.0/0.0.0.0
 payload: ID len: 16 type: IPV4_ADDR_SUBNET = 0.0.0.0/0.0.0.0
 [ttl 0] (id 1, len 328)


 Please note that both ID parameters in this packet are 0.0.0.0.

 This led to a routing entry (made by isakmpd, I suppose):
 # netstat -rn | grep his_ip
 default  0  default  0  0  remote_gateway_ip/esp/use/in
 default  0  default  0  0  remote_gateway_ip/esp/require/out

 This route virtually disconnected my gateway from the external and from
 the internal network, no ping to any address was successful.

 I would like to ask:

 1. Is it true that isakmpd is supposed to accept any ID parameter (of
 type IPV4_ADDR_SUBNET) in quick mode and set up a corresponding route,
 even when it is the 'default' route?

 2. What would I have to change to only accept those remote network Ids
 that are configured in ipsec.conf?

 Thanks




--
Martin Pelikán, Steadynet
E-mail: martin.peli...@gmail.com, gpg key 0x7176E4C9
Tel: +420 724 818 573
Jabber: sztor...@jabber.cz
web: http://cap.potazmo.cz/



Re: IPSEC/ISAKMPD routing question

2011-01-10 Thread Martin Pelikan
2011/1/10, Christoph Leser le...@sup-logistik.de:

 I would like to ask:

 1. Is it true that isakmpd is supposed to accept any ID parameter (of
 type IPV4_ADDR_SUBNET) in quick mode and set up a corresponding route,
 even when it is the 'default' route?

Yes, some people want all their traffic through an encrypted tunnel. I
used to bring IPv6 to places where people were ignoring it -- exactly
this way.

You might want to specify it in your policy file, like:
remote_filter != "000.000.000.000-255.255.255.255"
or
remote_filter_type != "IPv4 subnet"

 2. What would I have to change to only accept those remote network Ids
 that are configured in ipsec.conf?

The above, or more specific.

Sorry for the previous empty reply, I'll finally try to learn how to
use an email client.

-- 
Martin Pelikan
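
As an added example (not from either poster), the default policy quoted at the top of the thread is shown beside a tightened one that only returns "true" when the quick-mode remote ID falls inside the remote network configured in ipsec.conf. The network 10.1.2.0/24 stands in for his_internal_net and is a placeholder; the string comparisons on remote_filter_addr_lower/upper rely on isakmpd presenting those bounds as zero-padded dotted quads, so a 0.0.0.0/0 ID from a misconfigured peer no longer matches.

```conf
# --- Weak: the stock /etc/isakmpd/isakmpd.policy ---
# Any remote ID is accepted as long as ESP with a real cipher is proposed,
# so a peer sending IPV4_ADDR_SUBNET 0.0.0.0/0.0.0.0 gets a default-route
# flow installed.
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
    esp_present == "yes" &&
    esp_enc_alg != "null" -> "true";

# --- Tightened: only accept remote subnets inside his_internal_net ---
# 10.1.2.0/24 is a placeholder for the network named in ipsec.conf.
# Bounds are compared as zero-padded strings, so 000.000.000.000-
# 255.255.255.255 (what 0.0.0.0/0 becomes) fails the range test.
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
    esp_present == "yes" &&
    esp_enc_alg != "null" &&
    remote_filter_type == "IPv4 subnet" &&
    remote_filter_addr_lower >= "010.001.002.000" &&
    remote_filter_addr_upper <= "010.001.002.255" -> "true";
```

Only one of the two blocks belongs in the live file; after editing, reload isakmpd and confirm with netstat -rn that the Encap table contains flows for the configured network only.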