iked vs. isakmpd + carp

2012-10-19 Thread Jim Miller
Two part question:

1. Anyone had any success getting iked and carp working on OpenBSD 5.1
(amd64)?   We can get it working with isakmpd.  The issue seems to be
that iked wants to send out packets as the physical interface IP instead
of the carp IP.  iked documentation alludes to the fact that it should work.

2. I can't get isakmpd to use groups above modp1024 when using aes-256
or aes in main.  Is there a catch I'm not aware of?

Works:
gwA = 1.1.1.1
gwB = 2.2.2.2
ike active esp from 192.168.1.1 to 172.16.1.1 \
local $gwA peer $gwB \
main auth hmac-sha1 enc aes-256 group modp1024 \
quick auth hmac-sha1 enc aes-256 \
psk foobar

Does not work:
gwA = 1.1.1.1
gwB = 2.2.2.2
ike active esp from 192.168.1.1 to 172.16.1.1 \
local $gwA peer $gwB \
main auth hmac-sha1 enc aes-256 group modp2048 \
quick auth hmac-sha1 enc aes-256 \
psk foobar

The error message isakmpd spits out on one side says
MALFORMED_PAYLOAD and on the other NO_PROPOSAL_CHOSEN.   I can provide more
details if needed.  Just odd it works with only a change to the group field.

thanks
Jim



Re: iked vs. isakmpd + carp

2012-10-19 Thread Tyler Morgan

On 10/19/2012 1:16 AM, Jim Miller wrote:

> Two part question:
>
> 1. Anyone had any success getting iked and carp working on OpenBSD 5.1
> (amd64)?   We can get it working with isakmpd.  The issue seems to be
> that iked wants to send out packets as the physical interface IP instead
> of the carp IP.  iked documentation alludes to the fact that it should work.


In my experience under 5.1 isakmpd wants to use the IP from the real 
physical interface instead of the virtual carp interface too, so I have 
to use the local x.x.x.x command in ipsec.conf, where x.x.x.x = my 
carp IP -- this forces it onto the carp IP and all is well.


iked.conf(5) has a similar local command. Does it not work?

and keep in mind the caveat:

iked is not yet finished and is missing some important security features.
It should not yet be used in production networks. -- iked(8)



Re: iked vs. isakmpd + carp

2012-10-19 Thread Reyk Floeter
Hi,

On Fri, Oct 19, 2012 at 8:10 PM, Tyler Morgan tyl...@tradetech.net wrote:
> On 10/19/2012 1:16 AM, Jim Miller wrote:
>
> > Two part question:
> >
> > 1. Anyone had any success getting iked and carp working on OpenBSD 5.1
> > (amd64)?   We can get it working with isakmpd.  The issue seems to be
> > that iked wants to send out packets as the physical interface IP instead
> > of the carp IP.  iked documentation alludes to the fact that it should
> > work.


thanks for reporting, I can reproduce the problem.


> In my experience under 5.1 isakmpd wants to use the IP from the real
> physical interface instead of the virtual carp interface too, so I have to
> use the local x.x.x.x command in ipsec.conf, where x.x.x.x = my carp IP --
> this forces it onto the carp IP and all is well.
>
> iked.conf(5) has a similar local command. Does it not work?


It does not work. You can see that iked is setting the carp address
correctly but the address on the wire is the primary one. Fail. The
code doesn't bind() to the IP used in the local command and the
kernel uses the primary address for the related route.

btw. you can also specify local carp0 instead of the IP address and
it will pick the interface's first address.

> and keep in mind the caveat:
>
> iked is not yet finished and is missing some important security features.
> It should not yet be used in production networks. -- iked(8)


Yeah, but we're working on it. I actually added this comment before
mikeb@ added support for SA expiration, lifetimes and retransmits. So
iked is still not ready, but the situation is much better now ;-)

reyk
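The mechanism Reyk describes above (no bind() to the configured address, so the kernel picks the route's primary address as source) can be shown on any host. The following is an added demonstration, not iked code: it connects a UDP socket to a peer with and without a prior bind() and reports the source address the kernel chose. It is a constructed loopback setup in which 127.0.0.2 stands in for the carp address and 127.0.0.1 for the primary one; Linux lets you bind any 127/8 address, on OpenBSD you would first add 127.0.0.2 to lo0.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Connect a UDP socket to `peer`, optionally binding it to `local_ip` first,
 * and return the source address the kernel actually selected (static buffer),
 * or NULL if the socket could not be set up (e.g. no network in a sandbox). */
const char *source_for_peer(const char *peer, const char *local_ip)
{
    static char out[INET_ADDRSTRLEN];
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return NULL;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    if (local_ip != NULL) {
        /* The missing step the thread points at: bind() to the configured
         * (carp) address so packets leave with that source. Port 0 = any. */
        if (inet_pton(AF_INET, local_ip, &sin.sin_addr) != 1 ||
            bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
            close(fd);
            return NULL;
        }
    }
    /* Without a bind(), connect() leaves source selection to the kernel,
     * which takes the primary address of the interface the route uses. */
    sin.sin_port = htons(500);  /* IKE port; any port would do for the demo */
    if (inet_pton(AF_INET, peer, &sin.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0 ||
        getsockname(fd, (struct sockaddr *)&sin, &len) < 0) {
        close(fd);
        return NULL;
    }
    close(fd);
    return inet_ntop(AF_INET, &sin.sin_addr, out, sizeof(out));
}

int main(void)
{
    /* Constructed demo values: 127.0.0.2 = "carp", 127.0.0.1 = "primary". */
    const char *s = source_for_peer("127.0.0.1", NULL);
    printf("unbound:            source %s\n", s ? s : "n/a");
    s = source_for_peer("127.0.0.1", "127.0.0.2");
    printf("bound to 127.0.0.2: source %s\n", s ? s : "n/a");
    return 0;
}
```

The first line shows the kernel's own choice (the primary loopback address), the second shows the bound address winning, which is the behaviour a `local` address needs from the daemon.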



Re: iked vs. isakmpd + carp

2012-10-19 Thread mxb
I think this can be fixed by:

shell# cat /etc/isakmpd/isakmpd.conf
[General]
Listen-on=  1.2.3.4

I run this setup in prod. It works. In my case 1.2.3.4 is a CARP:ed IP.

//mxb

On 19 okt 2012, at 20:10, Tyler Morgan tyl...@tradetech.net wrote:

> isakmpd wants to use the IP from the real physical interface



Re: iked vs. isakmpd + carp

2012-10-19 Thread Jim Miller
Thanks Reyk.

I'll stick with isakmpd for now but would like to switch to iked when it's
ready.

BTW.  Any known issues with isakmpd and groups larger than modp1024?  I
still can't get isakmpd to use anything larger than that.

-Jim

On 10/19/12 3:35 PM, Reyk Floeter wrote:
> Hi,
>
> On Fri, Oct 19, 2012 at 8:10 PM, Tyler Morgan tyl...@tradetech.net wrote:
> > On 10/19/2012 1:16 AM, Jim Miller wrote:
> > > Two part question:
> > >
> > > 1. Anyone had any success getting iked and carp working on OpenBSD 5.1
> > > (amd64)?   We can get it working with isakmpd.  The issue seems to be
> > > that iked wants to send out packets as the physical interface IP instead
> > > of the carp IP.  iked documentation alludes to the fact that it should
> > > work.
> thanks for reporting, I can reproduce the problem.
>
> > In my experience under 5.1 isakmpd wants to use the IP from the real
> > physical interface instead of the virtual carp interface too, so I have to
> > use the local x.x.x.x command in ipsec.conf, where x.x.x.x = my carp IP --
> > this forces it onto the carp IP and all is well.
> >
> > iked.conf(5) has a similar local command. Does it not work?
>
> It does not work. You can see that iked is setting the carp address
> correctly but the address on the wire is the primary one. Fail. The
> code doesn't bind() to the IP used in the local command and the
> kernel uses the primary address for the related route.
>
> btw. you can also specify local carp0 instead of the IP address and
> it will pick the interface's first address.
>
> > and keep in mind the caveat:
> >
> > iked is not yet finished and is missing some important security features.
> > It should not yet be used in production networks. -- iked(8)
>
> Yeah, but we're working on it. I actually added this comment before
> mikeb@ added support for SA expiration, lifetimes and retransmits. So
> iked is still not ready, but the situation is much better now ;-)
>
> reyk