Re: Listen-on parameter in iked.conf

2018-04-17 Thread Stuart Henderson
On 2018/04/17 12:54, Stefan Sperling wrote:
> On Mon, Apr 16, 2018 at 07:05:12AM +, Stuart Henderson wrote:
> > On 2018-04-15, mabi  wrote:
> > > I just moved from isakmpd to iked and could not find the parameter name 
> > > in iked.conf in order to tell iked on which IP it should listen. With 
> > > isakmpd.conf I would use the following:
> > >
> > > [General]
> > > Listen-on=  123.123.123.123
> > >
> > > Is there any equivalent with iked?
> > 
> > There is not, but the main place this is needed is for setting the
> > "from" address for outgoing packets. isakmpd uses the "default" address
> > for this, which is often wrong on a multihomed system so it's necessary
> > to bind to a particular address to fix this. iked (at least in the
> > last few releases) uses the address from "local" in the config instead,
> > so binding isn't needed in most cases.
> > 
> 
> I have run into this exact isakmpd problem in several situations.
> IPsec didn't work reliably, and it turns out that IKE traffic
> was using the wrong source IP.
> 
> This is a nasty pitfall for people who want to set up IKEv1 with carp(4).
> I think we should document this better. The diff below scatters some
> hints across relevant man pages.
> 
> OK?

Yes, OK. (Unless anyone has a "sendfromto" diff for isakmpd sitting in
a tree somewhere.. :-)



Re: Listen-on parameter in iked.conf

2018-04-17 Thread Stefan Sperling
On Mon, Apr 16, 2018 at 07:05:12AM +, Stuart Henderson wrote:
> On 2018-04-15, mabi  wrote:
> > I just moved from isakmpd to iked and could not find the parameter name in 
> > iked.conf in order to tell iked on which IP it should listen. With 
> > isakmpd.conf I would use the following:
> >
> > [General]
> > Listen-on=  123.123.123.123
> >
> > Is there any equivalent with iked?
> 
> There is not, but the main place this is needed is for setting the
> "from" address for outgoing packets. isakmpd uses the "default" address
> for this, which is often wrong on a multihomed system so it's necessary
> to bind to a particular address to fix this. iked (at least in the
> last few releases) uses the address from "local" in the config instead,
> so binding isn't needed in most cases.
> 

I have run into this exact isakmpd problem in several situations.
IPsec didn't work reliably, and it turns out that IKE traffic
was using the wrong source IP.

This is a nasty pitfall for people who want to set up IKEv1 with carp(4).
I think we should document this better. The diff below scatters some
hints across relevant man pages.

OK?

Index: ipsecctl/ipsec.conf.5
===
RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v
retrieving revision 1.154
diff -u -p -r1.154 ipsec.conf.5
--- ipsecctl/ipsec.conf.5   23 Nov 2017 20:49:38 -  1.154
+++ ipsecctl/ipsec.conf.5   17 Apr 2018 10:43:32 -
@@ -288,7 +288,16 @@ The
 .Ic local
 parameter specifies the address or FQDN of the local endpoint.
 Unless we are multi-homed or have aliases,
-this option is generally not needed.
+this parameter is generally not needed.
+This parameter does not affect the set of IP addresses
+.Xr isakmpd 8
+will listen on and send packets from.
+The
+.Em Listen-on
+directive in
+.Xr isakmpd.conf 5
+should additionally be used to ensure that the local endpoint will
+send IKE messages with an appropriate source IP address.
 .Pp
 The
 .Ic peer
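Review bot: the added sentence "The Listen-on directive in isakmpd.conf(5) should additionally be used ..." reads as an unconditional recommendation, while the sentence just above it says the local parameter is only needed on multi-homed or aliased hosts; tie the new advice to that same case, e.g. "On multi-homed hosts, the Listen-on directive in isakmpd.conf(5) should additionally be used ...", so single-homed users are not led to pin isakmpd to one address for no reason. A short "because isakmpd otherwise sends IKE messages from the default address" would also tell the reader what the directive protects against, which is the point of this diff.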
Index: isakmpd/isakmpd.8
===
RCS file: /cvs/src/sbin/isakmpd/isakmpd.8,v
retrieving revision 1.119
diff -u -p -r1.119 isakmpd.8
--- isakmpd/isakmpd.8   23 Nov 2017 20:49:38 -  1.119
+++ isakmpd/isakmpd.8   17 Apr 2018 10:24:05 -
@@ -806,8 +806,17 @@ It is not possible to change the interfa
 .Nm
 listens on without a restart.
 .Pp
-For redundant setups,
+For redundant setups with
+.Xr carp 4
+and
+.Xr sasyncd 8 ,
 .Xr sasyncd 8
 must be manually restarted every time
 .Nm
-is restarted.
+is restarted, and
+.Xr isakmpd.conf 5
+must explicitly configure
+.Nm
+to listen on the virtual IP address of each
+.Xr carp 4
+interface.
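Review bot: the new clause "must explicitly configure isakmpd to listen on the virtual IP address of each carp(4) interface" does not say how; name the directive, e.g. "must list the virtual IP address of each carp(4) interface in the Listen-on directive of isakmpd.conf(5)", so the reader lands on the right entry. Separately, "For redundant setups with carp(4) and sasyncd(8), sasyncd(8) must be manually restarted" names sasyncd(8) twice back to back; "For redundant setups with carp(4), sasyncd(8) must be manually restarted" says the same thing.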
Index: isakmpd/isakmpd.conf.5
===
RCS file: /cvs/src/sbin/isakmpd/isakmpd.conf.5,v
retrieving revision 1.134
diff -u -p -r1.134 isakmpd.conf.5
--- isakmpd/isakmpd.conf.5  27 Oct 2017 08:29:32 -  1.134
+++ isakmpd/isakmpd.conf.5  17 Apr 2018 10:49:39 -
@@ -221,6 +221,9 @@ This list is used as a filter for the se
 configured provides.
 This means that we won't see if an address given here does not exist
 on this host, and thus no error is given for that case.
+On multi-homed systems, this parameter can be used to enforce the
+use of particular source IP addresses in packets sent by
+.Xr isakmpd 8 .
 .It Em Loglevel
 A list of the form
 .Ar class Ns = Ns Ar level ,
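Review bot: the sentence added under Listen-on covers multi-homed hosts but not the carp(4) case, even though the isakmpd.8 hunk in this same diff sends readers here for exactly that; add a clause such as "including the virtual IP addresses of carp(4) interfaces in redundant setups" with an .Xr carp 4 so the two pages agree. Since the unchanged context above notes that a mistyped address here produces no error, a hint to verify the bound sockets with netstat(1) after a restart would also fit this entry.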



Re: Listen-on parameter in iked.conf

2018-04-16 Thread mabi
On April 16, 2018 9:05 AM, Stuart Henderson  wrote:

> There is not, but the main place this is needed is for setting the
> "from" address for outgoing packets. isakmpd uses the "default" address
> for this, which is often wrong on a multihomed system so it's necessary
> to bind to a particular address to fix this. iked (at least in the
> last few releases) uses the address from "local" in the config instead,
> so binding isn't needed in most cases.

I see, so as long as I use the "local" parameter in iked.conf with the local IP 
address which I use for my site-2-site VPN I am telling iked to listen only 
on that IP address. Here would be my generic example for a site-2-site VPN 
between two OpenBSD firewalls:

ikev2 passive esp \
from $local_network to $remote_network local $local_ip peer $remote_ip \
srcid $local_ip

I was also wondering, in the case of a site-2-site VPN, should one side be in 
active mode and the other one in passive mode? Or what is usually used for 
site-2-site VPNs?
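The thread's practical point, for both the iked.conf example above and the man page diff earlier in the thread, is that iked takes its source address from "local" while isakmpd only does so if the same address is also listed in Listen-on. The script below is an added example, not code from the thread or from OpenBSD: it cross-checks an ipsec.conf(5) against an isakmpd.conf(5) and reports every "local" endpoint that isakmpd is not told to listen on, which is the misconfiguration the man page diff is warning about. The file names, function names and all addresses are assumptions, and the two configurations are constructed sample input.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD: a lint that checks
# whether every "local" endpoint in ipsec.conf(5) also appears in the
# Listen-on list of isakmpd.conf(5). This is the pairing the man page diff
# recommends for multi-homed / carp(4) hosts, because isakmpd(8) otherwise
# sends IKEv1 from its default address. iked(8) needs no such check: it takes
# the source address from "local" in iked.conf(5) and has no Listen-on.
# File names, function names and all addresses below are assumptions.

# listen_on_addrs FILE: print each address named by Listen-on in [General].
listen_on_addrs() {
    awk -F= '
        /^[ \t]*#/ { next }                     # skip comment lines
        /^[ \t]*\[/ { sect = $0; gsub(/[][ \t]/, "", sect) }   # "[General]" -> General
        sect == "General" && $1 ~ /^[ \t]*Listen-on[ \t]*$/ {
            n = split($2, a, /[, \t]+/)         # comma or blank separated list
            for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
        }' "$1"
}

# local_addrs FILE: print the argument of every "local" keyword in ipsec.conf.
local_addrs() {
    awk '
        /^[ \t]*#/ { next }
        { for (i = 1; i < NF; i++) if ($i == "local") print $(i + 1) }' "$1"
}

# missing_listen_on IPSEC_CONF ISAKMPD_CONF: print each local endpoint that
# isakmpd is not told to listen on. Exit status 0 when none is missing.
missing_listen_on() {
    rc=0
    for addr in $(local_addrs "$1"); do
        if ! listen_on_addrs "$2" | grep -qxF "$addr"; then
            printf '%s\n' "$addr"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configuration for a multi-homed firewall (not real data).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ipsec.conf" <<'EOF'
# two IKEv1 site-to-site tunnels, each bound to a different local address
ike esp from 10.0.1.0/24 to 10.0.2.0/24 local 203.0.113.10 peer 198.51.100.1
ike esp from 10.0.1.0/24 to 10.0.3.0/24 local 192.0.2.10 peer 198.51.100.2
EOF
cat > "$SAMPLE_DIR/isakmpd.conf" <<'EOF'
# only one of the two local endpoints made it into Listen-on
[General]
Listen-on=  203.0.113.10
EOF

if missing_listen_on "$SAMPLE_DIR/ipsec.conf" "$SAMPLE_DIR/isakmpd.conf" > "$SAMPLE_DIR/missing"; then
    echo "every local endpoint is covered by Listen-on"
else
    echo "not in Listen-on; isakmpd may send IKE from the wrong source address:"
    cat "$SAMPLE_DIR/missing"
fi
rm -rf "$SAMPLE_DIR"
```

Run it against the real /etc/ipsec.conf and /etc/isakmpd.conf on an isakmpd host; on a carp(4) pair the addresses it reports are typically the virtual IPs that were never added to Listen-on. The check only reads the configuration files, so it says nothing about which addresses actually exist on the host; as the isakmpd.conf(5) context in the diff notes, isakmpd itself is silent about a Listen-on entry that matches no interface.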







Re: Listen-on parameter in iked.conf

2018-04-16 Thread Stuart Henderson
On 2018-04-15, mabi  wrote:
> I just moved from isakmpd to iked and could not find the parameter name in 
> iked.conf in order to tell iked on which IP it should listen. With 
> isakmpd.conf I would use the following:
>
> [General]
> Listen-on=  123.123.123.123
>
> Is there any equivalent with iked?

There is not, but the main place this is needed is for setting the
"from" address for outgoing packets. isakmpd uses the "default" address
for this, which is often wrong on a multihomed system so it's necessary
to bind to a particular address to fix this. iked (at least in the
last few releases) uses the address from "local" in the config instead,
so binding isn't needed in most cases.