ipsec outgoing address translation question

2013-09-16 Thread Christoph Leser
Hello,

With ipsecctl I can configure outgoing address translation in ipsec.conf like
this:

 ike esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24 peer 10.10.20.1



Is there an equivalent syntax for isakmpd.conf? ( Due to problems with NAT-T I 
need to use isakmpd.conf and cannot use ipsec.conf for the moment )

Thanks



Re: ipsec outgoing address translation question

2013-09-16 Thread mxb
It is possible to achieve this via pf.conf.
Sorry, no example, as this was done long time ago and for testing only.

On 16 sep 2013, at 12:55, Christoph Leser le...@sup-logistik.de wrote:

 Hello,
 
 with ipsecctl  I can configure outgoing address translation in ipsec.conf 
 like this:
 
 ike esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24  peer 
 10.10.20.1
 
 
 
 Is there an equivalent syntax for isakmpd.conf? ( Due to problems with NAT-T 
 I need to use isakmpd.conf and cannot use ipsec.conf for the moment )
 
 Thanks



Re: ipsec outgoing address translation question

2013-09-16 Thread Christian Weisgerber
Christoph Leser le...@sup-logistik.de wrote:

 with ipsecctl  I can configure outgoing address translation in
 ipsec.conf like this:
 
  ike esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24 
 peer 10.10.20.1
 
 Is there an equivalent syntax for isakmpd.conf?

All that ipsecctl does with ike rules is to translate them into a
piece of isakmpd.conf-style configuration and pass it to isakmpd's
FIFO control socket.  Use ipsecctl -n -v to inspect or capture
and re-use that output.

C set [Phase 1]:10.10.20.1=peer-10.10.20.1 force
C set [peer-10.10.20.1]:Phase=1 force
C set [peer-10.10.20.1]:Address=10.10.20.1 force
C set [peer-10.10.20.1]:Configuration=phase1-peer-10.10.20.1 force
C set [phase1-peer-10.10.20.1]:EXCHANGE_TYPE=ID_PROT force
C add [phase1-peer-10.10.20.1]:Transforms=phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024 force
C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:HASH_ALGORITHM=SHA force
C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:KEY_LENGTH=128,128:256 force
C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:Life=LIFE_MAIN_MODE force
C set [from-10.10.10.1-to-192.168.2.0/24]:Phase=2 force
C set [from-10.10.10.1-to-192.168.2.0/24]:ISAKMP-peer=peer-10.10.20.1 force
C set [from-10.10.10.1-to-192.168.2.0/24]:Configuration=phase2-from-10.10.10.1-to-192.168.2.0/24 force
C set [from-10.10.10.1-to-192.168.2.0/24]:Local-ID=from-10.10.10.1 force
C set [from-10.10.10.1-to-192.168.2.0/24]:NAT-ID=nat-192.168.1.0/24 force
C set [from-10.10.10.1-to-192.168.2.0/24]:Remote-ID=to-192.168.2.0/24 force
C set [phase2-from-10.10.10.1-to-192.168.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force
C set [phase2-from-10.10.10.1-to-192.168.2.0/24]:Suites=phase2-suite-from-10.10.10.1-to-192.168.2.0/24 force
C set [phase2-suite-from-10.10.10.1-to-192.168.2.0/24]:Protocols=phase2-protocol-from-10.10.10.1-to-192.168.2.0/24 force
C set [phase2-protocol-from-10.10.10.1-to-192.168.2.0/24]:PROTOCOL_ID=IPSEC_ESP force
C set [phase2-protocol-from-10.10.10.1-to-192.168.2.0/24]:Transforms=phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL force
C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
C set [from-10.10.10.1]:ID-type=IPV4_ADDR force
C set [from-10.10.10.1]:Address=10.10.10.1 force
C set [nat-192.168.1.0/24]:ID-type=IPV4_ADDR_SUBNET force
C set [nat-192.168.1.0/24]:Network=192.168.1.0 force
C set [nat-192.168.1.0/24]:Netmask=255.255.255.0 force
C set [to-192.168.2.0/24]:ID-type=IPV4_ADDR_SUBNET force
C set [to-192.168.2.0/24]:Network=192.168.2.0 force
C set [to-192.168.2.0/24]:Netmask=255.255.255.0 force
C add [Phase 2]:Connections=from-10.10.10.1-to-192.168.2.0/24

-- 
Christian naddy Weisgerber  na...@mips.inka.de



Re: ipsec outgoing address translation question

2013-09-16 Thread Christoph Leser
Great hint, you saved me a lot of time.

Thanks a lot

Christoph

 -Original Message-
 From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf
 of Christian Weisgerber
 Sent: Monday, 16 September 2013 16:42
 To: misc@openbsd.org
 Subject: Re: ipsec outgoing address translation question
 
 Christoph Leser le...@sup-logistik.de wrote:
 
  with ipsecctl  I can configure outgoing address translation in
  ipsec.conf like this:
 
   ike esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24
  peer 10.10.20.1
 
  Is there an equivalent syntax for isakmpd.conf?
 
 All that ipsecctl does with ike rules is to translate them into a piece of
 isakmpd.conf-style configuration and pass it to isakmpd's FIFO control
 socket.  Use ipsecctl -n -v to inspect or capture and re-use that output.
 
 C set [Phase 1]:10.10.20.1=peer-10.10.20.1 force
 C set [peer-10.10.20.1]:Phase=1 force
 C set [peer-10.10.20.1]:Address=10.10.20.1 force
 C set [peer-10.10.20.1]:Configuration=phase1-peer-10.10.20.1 force
 C set [phase1-peer-10.10.20.1]:EXCHANGE_TYPE=ID_PROT force
 C add [phase1-peer-10.10.20.1]:Transforms=phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024 force
 C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
 C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:HASH_ALGORITHM=SHA force
 C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
 C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:KEY_LENGTH=128,128:256 force
 C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
 C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:Life=LIFE_MAIN_MODE force
 C set [from-10.10.10.1-to-192.168.2.0/24]:Phase=2 force
 C set [from-10.10.10.1-to-192.168.2.0/24]:ISAKMP-peer=peer-10.10.20.1 force
 C set [from-10.10.10.1-to-192.168.2.0/24]:Configuration=phase2-from-10.10.10.1-to-192.168.2.0/24 force
 C set [from-10.10.10.1-to-192.168.2.0/24]:Local-ID=from-10.10.10.1 force
 C set [from-10.10.10.1-to-192.168.2.0/24]:NAT-ID=nat-192.168.1.0/24 force
 C set [from-10.10.10.1-to-192.168.2.0/24]:Remote-ID=to-192.168.2.0/24 force
 C set [phase2-from-10.10.10.1-to-192.168.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force
 C set [phase2-from-10.10.10.1-to-192.168.2.0/24]:Suites=phase2-suite-from-10.10.10.1-to-192.168.2.0/24 force
 C set [phase2-suite-from-10.10.10.1-to-192.168.2.0/24]:Protocols=phase2-protocol-from-10.10.10.1-to-192.168.2.0/24 force
 C set [phase2-protocol-from-10.10.10.1-to-192.168.2.0/24]:PROTOCOL_ID=IPSEC_ESP force
 C set [phase2-protocol-from-10.10.10.1-to-192.168.2.0/24]:Transforms=phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL force
 C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
 C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
 C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
 C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
 C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
 C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
 C set [from-10.10.10.1]:ID-type=IPV4_ADDR force
 C set [from-10.10.10.1]:Address=10.10.10.1 force
 C set [nat-192.168.1.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [nat-192.168.1.0/24]:Network=192.168.1.0 force
 C set [nat-192.168.1.0/24]:Netmask=255.255.255.0 force
 C set [to-192.168.2.0/24]:ID-type=IPV4_ADDR_SUBNET force
 C set [to-192.168.2.0/24]:Network=192.168.2.0 force
 C set [to-192.168.2.0/24]:Netmask=255.255.255.0 force
 C add [Phase 2]:Connections=from-10.10.10.1-to-192.168.2.0/24
 
 --
 Christian naddy Weisgerber  na...@mips.inka.de