Re: vpn difficulties
On Tue, Dec 05, 2006 at 07:48:26AM -0600, Ryan Corder wrote:
> On Tue, 2006-12-05 at 12:06 +0900, Mathieu Sauve-Frankel wrote:
> > > now, I got the tunnel setup just fine using just ipsec.conf. I was just
> > > curious if there was a quick and simple way to test traffic through the
> > > tunnel since it is just a host to host configuration.
> >
> > I'm curious to know why you don't think ping is a good tool to test this
> > with? run ping and run tcpdump. if tcpdump shows esp packets well you can
> > assume the tunnel is working. If the tunnel shows icmp packets your tunnel
> > probably doesn't work.
>
> I never said that ping wasn't a good test... if I could use ping I would.
> However, in the setup where I have two machines, A and B that have addresses
> 192.168.2.5 and 192.168.2.6 respectively and an IPSec tunnel setup as so:
>
> A - ike esp from 192.168.2.5 to 192.168.2.6
> B - ike esp from 192.168.2.6 to 192.168.2.5
>
> trying to ping the other's address doesn't go out via the enc0 interface, but
> the regular bge0 default interface. or am I completely wrong on this one?

I presume you are correct, but ping *should* use the enc0 interface.

Joachim
Re: vpn difficulties
On Tue, 2006-12-05 at 12:06 +0900, Mathieu Sauve-Frankel wrote:
> > now, I got the tunnel setup just fine using just ipsec.conf. I was just
> > curious if there was a quick and simple way to test traffic through the
> > tunnel since it is just a host to host configuration.
>
> I'm curious to know why you don't think ping is a good tool to test this
> with? run ping and run tcpdump. if tcpdump shows esp packets well you can
> assume the tunnel is working. If the tunnel shows icmp packets your tunnel
> probably doesn't work.

I never said that ping wasn't a good test... if I could use ping I would.
However, in the setup where I have two machines, A and B that have addresses
192.168.2.5 and 192.168.2.6 respectively and an IPSec tunnel setup as so:

A - ike esp from 192.168.2.5 to 192.168.2.6
B - ike esp from 192.168.2.6 to 192.168.2.5

trying to ping the other's address doesn't go out via the enc0 interface, but
the regular bge0 default interface. or am I completely wrong on this one?

TIA,
ryanc
--
Ryan Corder [EMAIL PROTECTED]
Systems Engineer, NovaSys Health LLC.
501-219- ext. 646
Re: vpn difficulties
On 12/5/06, Ryan Corder [EMAIL PROTECTED] wrote:
> I never said that ping wasn't a good test... if I could use ping I would.
> However, in the setup where I have two machines, A and B that have addresses
> 192.168.2.5 and 192.168.2.6 respectively and an IPSec tunnel setup as so:
>
> A - ike esp from 192.168.2.5 to 192.168.2.6
> B - ike esp from 192.168.2.6 to 192.168.2.5
>
> trying to ping the other's address doesn't go out via the enc0 interface, but
> the regular bge0 default interface.

As Mathieu suggested, when you ping the other host and run a tcpdump on your
bge0 interface, do you see ESP or ICMP traffic?

-Martin
--
Suburbia is where the developer bulldozes out the trees, then names the
streets after them. --Bill Vaughan
Re: vpn difficulties
On Sat, 2006-12-02 at 21:33 +0900, Mathieu Sauve-Frankel wrote:
> > output of '/sbin/isakmpd -SKvd' gives no output on either host.
>
> Don't use -S. It should ONLY be used when running two ipsec gateways in
> failover mode with carp and sasyncd.

if anyone knows, what is a good way to test a host 2 host VPN? Since I'm not
routing two different networks across the VPN, there is nothing easy to test
like pinging a host on the other end of the tunnel.

TIA.
ryanc
--
Ryan Corder [EMAIL PROTECTED]
Systems Engineer, NovaSys Health LLC.
501-219- ext. 646
Re: vpn difficulties
Original message
Date: Mon, 04 Dec 2006 10:38:07 -0600
From: Ryan Corder [EMAIL PROTECTED]
Subject: Re: vpn difficulties
Cc: misc@openbsd.org

> On Sat, 2006-12-02 at 21:33 +0900, Mathieu Sauve-Frankel wrote:
> > > output of '/sbin/isakmpd -SKvd' gives no output on either host.
> >
> > Don't use -S. It should ONLY be used when running two ipsec gateways in
> > failover mode with carp and sasyncd.
>
> if anyone knows, what is a good way to test a host 2 host VPN? Since I'm not
> routing two different networks across the VPN, there is nothing easy to test
> like pinging a host on the other end of the tunnel.

this is easy enough to setup using isakmpd.conf files, but i don't know how to
do it with ipsec.conf yet. a rosetta stone for such translations would be nice.

i recommend you google for an isakmpd.conf based setup that tunnels from one
computer to another. if you can't find one, i can send a link later today.

cheers,
jake

> TIA.
> ryanc
> --
> Ryan Corder [EMAIL PROTECTED]
> Systems Engineer, NovaSys Health LLC.
> 501-219- ext. 646
Re: vpn difficulties
On 12/4/06, Jacob Yocom-Piatt [EMAIL PROTECTED] wrote:
> > if anyone knows, what is a good way to test a host 2 host VPN? Since I'm
> > not routing two different networks across the VPN, there is nothing easy
> > to test like pinging a host on the other end of the tunnel.
>
> this is easy enough to setup using isakmpd.conf files, but i don't know how
> to do it with ipsec.conf yet. a rosetta stone for such translations would be
> nice.

Isn't the first example from the following excerpt of the 'ipsec.conf' man
page exactly this (i.e. a host 2 host VPN)?

    # First between the gateway machines 192.168.3.1 and 192.168.3.2
    # Second between the networks 10.1.1.0/24 and 10.1.2.0/24
    ike esp from 192.168.3.1 to 192.168.3.2
    ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2

-Martin
--
Suburbia is where the developer bulldozes out the trees, then names the
streets after them. --Bill Vaughan
Re: vpn difficulties
Original message
Date: Mon, 4 Dec 2006 17:16:51 -0500
From: Martin Gignac [EMAIL PROTECTED]
Subject: Re: vpn difficulties
To: misc@openbsd.org

> On 12/4/06, Jacob Yocom-Piatt [EMAIL PROTECTED] wrote:
> > > if anyone knows, what is a good way to test a host 2 host VPN? Since I'm
> > > not routing two different networks across the VPN, there is nothing easy
> > > to test like pinging a host on the other end of the tunnel.
> >
> > this is easy enough to setup using isakmpd.conf files, but i don't know
> > how to do it with ipsec.conf yet. a rosetta stone for such translations
> > would be nice.
>
> Isn't the first example from the following excerpt of the 'ipsec.conf' man
> page exactly this (i.e. a host 2 host VPN)?
>
>     # First between the gateway machines 192.168.3.1 and 192.168.3.2
>     # Second between the networks 10.1.1.0/24 and 10.1.2.0/24
>     ike esp from 192.168.3.1 to 192.168.3.2
>     ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2

for simple configs this is sufficient. however, when experimenting with winxp
to openbsd ipsec, i was not able to figure out how to convert from the below
isakmpd.conf (from
http://72.14.203.104/search?q=cache:gspcrTnrOq8J:www.openbsd.cz/~pruzicka/vpn.html+ipsec+windows+xp+openbsdhl=engl=usct=clnkcd=4client=firefox-a ):

    [General]
    Retransmits = 5
    Exchange-max-time = 120
    Listen-on = 10.0.0.1

    [Phase 1]
    Default = ISAKMP-clients

    [Phase 2]
    Passive-Connections = IPSec-clients

    [ISAKMP-clients]
    Phase = 1
    Transport = udp
    Configuration = win-main-mode
    Authentication = shared_secret_password

    [IPsec-clients]
    Phase = 2
    Configuration = win-quick-mode
    Local-ID = default-route
    Remote-ID = dummy-remote

    [default-route]
    ID-type = IPV4_ADDR_SUBNET
    Network = 0.0.0.0
    Netmask = 0.0.0.0

    [dummy-remote]
    ID-type = IPV4_ADDR
    Address = 0.0.0.0

    [win-main-mode]
    DOI = IPSEC
    EXCHANGE_TYPE = ID_PROT
    Transforms = 3DES-SHA-GRP2

    [win-quick-mode]
    DOI = IPSEC
    EXCHANGE_TYPE = QUICK_MODE
    Suites = QM-ESP-3DES-SHA-SUITE

to an ipsec.conf entry. i tried a number of variations on the suggested entry
in http://marc.theaimsgroup.com/?l=openbsd-miscm=116318344106832w=2 to no
avail.

cheers,
jake

> -Martin
> --
> Suburbia is where the developer bulldozes out the trees, then names the
> streets after them. --Bill Vaughan
Re: vpn difficulties
On Mon, Dec 04, 2006 at 02:26:21PM -0600, Jacob Yocom-Piatt wrote:
> this is easy enough to setup using isakmpd.conf files, but i don't know how
> to do it with ipsec.conf yet. a rosetta stone for such translations would be
> nice.

ipsecctl -nvf /etc/ipsec.conf

will show you all of the FIFO commands that ipsecctl will write to
/var/run/isakmpd.fifo. you can also get a dump of isakmpd's config state by
running

pkill -USR1 isakmpd

and looking at /var/run/isakmpd.report

--
Mathieu Sauve-Frankel
Re: vpn difficulties
> openbsd ipsec, i was not able to figure out how to convert from the below
> isakmpd.conf (from
> http://72.14.203.104/search?q=cache:gspcrTnrOq8J:www.openbsd.cz/~pruzicka/vpn.html+ipsec+windows+xp+openbsdhl=engl=usct=clnkcd=4client=firefox-a ):

try this. You probably want to try this on 4.0's ipsecctl or up.

    ike passive esp from any to any main auth hmac-sha1 enc 3des-cbc \
        quick auth hmac-sha1 enc 3des-cbc group modp1024 \
        psk sharedsecret

--
Mathieu Sauve-Frankel
Re: vpn difficulties
>     ike passive esp from any to any main auth hmac-sha1 enc 3des-cbc \
>         quick auth hmac-sha1 enc 3des-cbc group modp1024 \
>         psk sharedsecret

actually, this is more what you're looking for

    ike passive esp from any to 0.0.0.0 main auth hmac-sha1 enc 3des-cbc \
        quick auth hmac-sha1 enc 3des-cbc group modp1024 \
        psk sharedsecret

--
Mathieu Sauve-Frankel
Re: vpn difficulties
On Mon, 2006-12-04 at 14:26 -0600, Jacob Yocom-Piatt wrote:
> this is easy enough to setup using isakmpd.conf files, but i don't know how
> to do it with ipsec.conf yet. a rosetta stone for such translations would be
> nice.
>
> i recommend you google for an isakmpd.conf based setup that tunnels from one
> computer to another. if you can't find one, i can send a link later today.

now, I got the tunnel setup just fine using just ipsec.conf. I was just
curious if there was a quick and simple way to test traffic through the
tunnel since it is just a host to host configuration.

--
Ryan Corder [EMAIL PROTECTED]
Systems Engineer, NovaSys Health LLC.
501-219- ext. 646
Re: vpn difficulties
> now, I got the tunnel setup just fine using just ipsec.conf. I was just
> curious if there was a quick and simple way to test traffic through the
> tunnel since it is just a host to host configuration.

I'm curious to know why you don't think ping is a good tool to test this
with? run ping and run tcpdump. if tcpdump shows esp packets well you can
assume the tunnel is working. If the tunnel shows icmp packets your tunnel
probably doesn't work.

--
Mathieu Sauve-Frankel
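An added example, not from any message in this thread, that turns the ping-plus-tcpdump check above (and Martin's "ESP or ICMP on bge0?" question) into a small sh function: it reads a saved tcpdump capture and reports whether packets to the peer left as ESP or as cleartext ICMP. The interface bge0 and the addresses 192.168.2.5/192.168.2.6 are taken from Ryan's setup; the sample capture lines are constructed and only approximate OpenBSD tcpdump's output format.

```shell
#!/bin/sh
# Decide from tcpdump output whether pings to the peer were encapsulated.
# Assumed workflow on host A (192.168.2.5) with peer B (192.168.2.6):
#   ping -c 5 192.168.2.6 &
#   tcpdump -n -i bge0 -c 20 host 192.168.2.6 > /tmp/cap.txt
#   tunnel_check 192.168.2.6 < /tmp/cap.txt
# Prints one line: VERDICT esp=N icmp=N (always exits 0).
tunnel_check() {
    peer="$1"
    esp=0
    icmp=0
    while IFS= read -r line; do
        # only packets that involve the peer matter; ignore ARP, other hosts
        case "$line" in
            *"$peer"*) ;;
            *) continue ;;
        esac
        case "$line" in
            *" esp "*)  esp=$((esp + 1)) ;;    # encapsulated: the SA is in use
            *" icmp"*)  icmp=$((icmp + 1)) ;;  # cleartext echo: bypassed IPsec
        esac
    done
    if [ "$icmp" -gt 0 ]; then
        verdict=CLEARTEXT     # flows not matched; re-check ipsec.conf from/to
    elif [ "$esp" -gt 0 ]; then
        verdict=TUNNEL_OK
    else
        verdict=NO_TRAFFIC    # nothing captured: wrong interface or no ping
    fi
    printf '%s esp=%d icmp=%d\n' "$verdict" "$esp" "$icmp"
}

# Constructed sample captures (format approximates OpenBSD tcpdump output).
SAMPLE_OK='13:02:11.001 esp 192.168.2.5 > 192.168.2.6 spi 0x0a1b2c3d seq 1 len 100
13:02:11.004 esp 192.168.2.6 > 192.168.2.5 spi 0x4d3c2b1a seq 1 len 100
13:02:11.010 arp who-has 192.168.2.1 tell 192.168.2.5'

SAMPLE_BAD='13:05:40.001 192.168.2.5 > 192.168.2.6: icmp: echo request
13:05:40.003 192.168.2.6 > 192.168.2.5: icmp: echo reply'

printf '%s\n' "$SAMPLE_OK"  | tunnel_check 192.168.2.6   # TUNNEL_OK esp=2 icmp=0
printf '%s\n' "$SAMPLE_BAD" | tunnel_check 192.168.2.6   # CLEARTEXT esp=0 icmp=2
```

Capturing on enc0 instead shows the decrypted payload, so ICMP there is expected; the cleartext-vs-ESP distinction only makes sense on the physical interface.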
Re: vpn difficulties
> output of '/sbin/isakmpd -SKvd' gives no output on either host.

Don't use -S. It should ONLY be used when running two ipsec gateways in
failover mode with carp and sasyncd.

--
Mathieu Sauve-Frankel