Re: l2ip + ipsec question
21.07.2020 11:43, Stuart Henderson writes:
> most endpoints cope with slightly less terrible crypto, you can try
> something like
>
> ike passive esp transport \
>     proto udp from my.external.ip to any port 1701 \
>     main auth "hmac-sha1" enc "aes-256" group modp2048 \
>     quick auth "hmac-sha2-256" enc "aes-256" \
>     psk "0s5jTDcMziOVw3DXZqaGOVlEZyoe8I9c"
>
> (psk generated randomly from "openssl rand -base64 (length)", use
> something complex if you can copy-and-paste to the other devices)

Yep, modp2048 works, thanks!

>> 2) ipsec.conf man, says that "esp" is default. But if I omit this
>> option, it stops working with error like: PAYLOAD_MALFORMED.
>>
>> 3) and the most difficult for me to understand: Why do all howtos use
>> this fragment:
>>
>> proto udp from my.ga.te.ip to any port 1701 ??
>>
>> the ipsec.conf man says: from src [port sport] [(srcnat)] to dst [port
>> dport]
>>
>> so, this line declares a tunnel, where our gate uses any port, and our
>> expected remote client uses port 1701?? why does this even work?
>>
>> Thank you in advance for help!
>
> It relies on the fact that l2tp uses a fixed source port, iirc you can
> use "from my.gate.ip port 1701 to any port 1701" if you want.
>
> btw I strongly recommend avoiding l2tp+ipsec if you have another choice.
> Plain ipsec (ikev1 or ikev2) or other protocols like wireguard/openvpn
> cope better if you end up on a natted network.

i'm sorry but i still do not understand.

I have fired up tcpdump on enc0 and this is what I see there:

12:20:01.791795 (authentic,confidential): SPI 0x0e3e51b6: 212.233.112.12.l2tp > mx.kasakoff.net.59516: l2tp:[LS](14/9936)Ns=13,Nr=65535[hdlc|][|l2tp]
12:20:01.894911 (authentic,confidential): SPI 0x0e3e51b6: 212.233.112.12.l2tp > mx.kasakoff.net.59516: l2tp:[LS](14/9936)Ns=14,Nr=65535[hdlc|][|l2tp]
12:20:05.066256 (authentic,confidential): SPI 0xd5815d86: mx.kasakoff.net.59516 > 212.233.112.12.l2tp: l2tp:[L](83/7415)[hdlc|][|l2tp]
12:20:06.073233 (authentic,confidential): SPI 0xd5815d86: mx.kasakoff.net.59516 > 212.233.112.12.l2tp: l2tp:[L](83/7415)[hdlc|][|l2tp]

Here, 212.233.112.12 is my gateway ip, and mx.kasakoff.net is the client.

As I can see, the client side does not use port 1701. But either "from 212.233.112.12 port l2tp to any" or "from 212.233.112.12 to any port l2tp" works! I can't fully understand why.
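As an added example (not code from this thread or from OpenBSD), a small Python checker for the "from src [port sport] to dst [port dport]" selector grammar quoted above, run over the enc0 packets posted here and over the ICMP line from the "enc and IPSec question" thread further down; 203.0.113.5 is a constructed stand-in for mx.kasakoff.net, which tcpdump printed by name. It only evaluates the selector as written in ipsec.conf, so compare its verdict with the flows isakmpd actually installed (ipsecctl -sf) before drawing conclusions.

```python
import ipaddress
import re

# Parser for the ipsec.conf(5) "from src [port sport] to dst [port dport]" clause,
# plus a selector check in both directions (ipsecctl -sf lists an in and an out flow).
FLOW_RE = re.compile(
    r"from\s+(?P<src>\S+)(?:\s+port\s+(?P<sport>\S+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<dport>\S+))?")
NAMED_PORTS = {"l2tp": 1701}  # service name used on the page instead of 1701

def _net(tok):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def _port(tok):
    return None if tok in (None, "any") else NAMED_PORTS.get(tok) or int(tok)

def parse_flow(text):
    """Selector dict; None means 'any' for that field."""
    m = FLOW_RE.search(text)
    if not m:
        raise ValueError("no from/to clause in %r" % text)
    return {"src": _net(m["src"]), "sport": _port(m["sport"]),
            "dst": _net(m["dst"]), "dport": _port(m["dport"])}

def _covers(net, port, addr, pkt_port):
    return ((net is None or ipaddress.ip_address(addr) in net)
            and (port is None or port == pkt_port))

def matches(flow, src, sport, dst, dport):
    """'out' if the packet fits the flow as written, 'in' for the mirrored reply flow."""
    if _covers(flow["src"], flow["sport"], src, sport) and \
       _covers(flow["dst"], flow["dport"], dst, dport):
        return "out"
    if _covers(flow["dst"], flow["dport"], src, sport) and \
       _covers(flow["src"], flow["sport"], dst, dport):
        return "in"
    return None

def check_flow(flow_text, packets):
    flow = parse_flow(flow_text)
    return [matches(flow, *p) for p in packets]

# Constructed from kasak's enc0 capture; 203.0.113.5 stands in for
# mx.kasakoff.net. Port 0 means "no port" (ICMP) for the packets below.
L2TP_PACKETS = [("212.233.112.12", 1701, "203.0.113.5", 59516),   # gateway -> client
                ("203.0.113.5", 59516, "212.233.112.12", 1701)]   # client -> gateway
# Constructed from the enc0 line in the "enc and IPSec question" thread below.
VPN_FLOW = "ike active esp from 192.168.36.0/24 to 10.128.203.0/24 peer 161.144.27.32"
LAN_PACKET = ("192.168.36.254", 0, "10.128.203.1", 0)  # what the ping sent
NAT_PACKET = ("219.10.10.1", 0, "10.128.203.1", 0)     # inner header seen on enc0
```

With "from 212.233.112.12 port l2tp to any" both captured packets match (out, then in), while "from 212.233.112.12 to any port l2tp" covers neither because the client's port is 59516; for the second thread, the inner packet with the gateway's address as source no longer falls inside the 192.168.36.0/24 selector, which is what a NAT applied before encapsulation looks like.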
Re: l2ip + ipsec question
On 2020-07-20, kasak wrote:
> Hello misc.
> Recently, i needed to setup l2tp-ipsec for some ip phones to reach my
> network.
>
> so, the l2tp part is not trouble at all with npppd, but, the ipsec part
> is harder to understand.
>
> after reading ipsec and ipsec.conf man,
>
> i tried to add just one line:
>
> ike passive from my.ga.te.ip to any psk "mykey"
>
> but this didn't work.
>
> after some googling, i have found this line:
>
> ike passive esp transport \
>     proto udp from 1.2.3.4 to any port 1701 \
>     main auth "hmac-sha1" enc "3des" group modp1024 \
>     quick auth "hmac-sha1" enc "aes" \
>     psk "password"
>
> it was found on undeadly.org

most endpoints cope with slightly less terrible crypto, you can try
something like

ike passive esp transport \
    proto udp from my.external.ip to any port 1701 \
    main auth "hmac-sha1" enc "aes-256" group modp2048 \
    quick auth "hmac-sha2-256" enc "aes-256" \
    psk "0s5jTDcMziOVw3DXZqaGOVlEZyoe8I9c"

(psk generated randomly from "openssl rand -base64 (length)", use
something complex if you can copy-and-paste to the other devices)

> I need help to understand how it even works.
>
> 1) why does somebody use "transport" here and somebody use "tunnel"? I
> myself tried "transport" and it works. then, what is the difference for
> l2tp?

"tunnel" adds an extra header to the packet carrying src/dest addresses
so ipsec can directly protect packets from other machines.

"transport" doesn't have the extra header so ipsec can only carry
packets from endpoint to endpoint - but this reduces overheads and
increases max usable packet size.

the "endpoint-endpoint" traffic can itself be a tunnel as is the case
with l2tp. the usual setup for l2tp+ipsec has transport mode to reduce
overheads. (both ends need to be set the same way).

> 2) ipsec.conf man, says that "esp" is default. But if I omit this
> option, it stops working with error like: PAYLOAD_MALFORMED.
>
> 3) and the most difficult for me to understand: Why do all howtos use
> this fragment:
>
> proto udp from my.ga.te.ip to any port 1701 ??
>
> the ipsec.conf man says: from src [port sport] [(srcnat)] to dst [port
> dport]
>
> so, this line declares a tunnel, where our gate uses any port, and our
> expected remote client uses port 1701?? why does this even work?
>
> Thank you in advance for help!

It relies on the fact that l2tp uses a fixed source port, iirc you can
use "from my.gate.ip port 1701 to any port 1701" if you want.

btw I strongly recommend avoiding l2tp+ipsec if you have another choice.
Plain ipsec (ikev1 or ikev2) or other protocols like wireguard/openvpn
cope better if you end up on a natted network.
l2ip + ipsec question
Hello misc.

Recently, i needed to setup l2tp-ipsec for some ip phones to reach my network.

so, the l2tp part is not trouble at all with npppd, but, the ipsec part is harder to understand.

after reading ipsec and ipsec.conf man, i tried to add just one line:

ike passive from my.ga.te.ip to any psk "mykey"

but this didn't work.

after some googling, i have found this line:

ike passive esp transport \
    proto udp from 1.2.3.4 to any port 1701 \
    main auth "hmac-sha1" enc "3des" group modp1024 \
    quick auth "hmac-sha1" enc "aes" \
    psk "password"

it was found on undeadly.org

I need help to understand how it even works.

1) why does somebody use "transport" here and somebody use "tunnel"? I myself tried "transport" and it works. then, what is the difference for l2tp?

2) ipsec.conf man, says that "esp" is default. But if I omit this option, it stops working with error like: PAYLOAD_MALFORMED.

3) and the most difficult for me to understand: Why do all howtos use this fragment:

proto udp from my.ga.te.ip to any port 1701 ??

the ipsec.conf man says: from src [port sport] [(srcnat)] to dst [port dport]

so, this line declares a tunnel, where our gate uses any port, and our expected remote client uses port 1701?? why does this even work?

Thank you in advance for help!
enc and IPSec question
Hello,

I configured an IPSec tunnel with ipsecctl and ipsec.conf. The default interface of the gateway is 219.17.10.1. The other gateway runs Checkpoint.

Here is a part of my ipsec.conf :

ike active esp from 192.168.36.0/24 to 10.128.203.0/24 \
    peer 161.144.27.32 \
    main auth hmac-md5 enc 3des group grp2 \
    quick auth hmac-md5 enc 3des group none \
    psk x

Last friday, I ran a ping every 5 seconds, from 192.168.36.254 to 10.128.203.1. Ping was not replying, but tcpdump on enc0 was ok.

This morning, I looked at the enc0 interface :

# tcpdump -envps 1500 -i enc0 -l
10:35:15.920320 (authentic,confidential): SPI 0xa63e5fd1: 219.10.10.1 > 161.144.27.32: 219.10.10.1 > 10.128.203.1: icmp: echo request (id:b4e2 seq:47649) (ttl 63, id 34775, len 84) (ttl 64, id 30353, len 104, bad cksum 0!)

Why has the source address of the ping become the internet address of the gateway ?

Part of my pf.conf :

int_if = sis0
ext_if = sis2
ext_addr = 219.10.10.1
maint_net = 192.168.36.0/24
ipsec_vpn_addr=161.144.27.32
ipsec_remote_lan_net=10.128.203.0/24

block in all

# Some other traffic than the IPsec one can reach the internet.
nat on $ext_if from $maint_net to any -> $ext_addr

# Traffic from internal network to the internet
pass in on $int_if inet from $maint_net to any keep state

# IPsec traffic from the other VPN gateway
pass in on $ext_if proto udp from $ipsec_vpn_addr port = isakmp \
    to $ext_addr port {isakmp, ipsec-nat-t}
pass in on $int_if inet from $maint_net to $ipsec_remote_lan_net keep state
pass in on enc0 from $ipsec_remote_lan_net to $maint_net keep state (if-bound)
pass out on enc0 from $maint_net to $ipsec_remote_lan_net keep state (if-bound)

Thanks for your help.
An ipsec question
I've got some basic tunneling working using ipsec, and I'm trying to make it a bit more robust.

Here's what works:

Machine A:
ike esp from 192.168.1.0/24 to 192.168.9.0/24 peer XX.92.176.37
ike esp from XX.92.176.33 to 192.168.9.0/24 peer XX.92.176.37
ike esp from XX.92.176.33 to XX.92.176.37

Machine B:
ike esp from 192.168.9.0/24 to 192.168.1.0/24 peer XX.92.176.33
ike esp from 192.168.9.0/24 to 192.168.8.0/24 peer XX.92.176.33
ike esp from XX.92.176.37 to XX.92.176.33

Now both machines are in active mode, which seems a bit of an issue, and machine B has a dynamic IP (with fixed name), so I changed these to:

Machine A:
ike passive esp from 192.168.1.0/24 to 192.168.9.0/24 peer XX.92.176.37
ike passive esp from XX.92.176.33 to 192.168.9.0/24 peer XX.92.176.37
ike passive esp from XX.92.176.33 to XX.92.176.37

Machine B:
ike dynamic esp from 192.168.9.0/24 to 192.168.1.0/24 peer XX.92.176.33
ike dynamic esp from 192.168.9.0/24 to 192.168.8.0/24 peer XX.92.176.33
ike dynamic esp from XX.92.176.37 to XX.92.176.33

But now machine A can't ping the interface to the internal net on B.
B CAN ping the internal interface on A.

The problem seems to be lack of a route on A.

A's routes:

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
XX.92.176.37/32    0     XX.92.176.33/32    0     0     XX.92.176.37/esp/use/in
XX.92.176.33/32    0     XX.92.176.37/32    0     0     XX.92.176.37/esp/require/out
XX.92.176.37/32    0     192.168.1/24       0     0     XX.92.176.37/esp/use/in
192.168.1/24       0     XX.92.176.37/32    0     0     XX.92.176.37/esp/require/out
192.168.9/24       0     192.168.1/24       0     0     XX.92.176.37/esp/use/in
192.168.1/24       0     192.168.9/24       0     0     XX.92.176.37/esp/require/out
XX.92.176.35/32    0     XX.92.176.33/32    0     0     XX.92.176.35/esp/use/in
XX.92.176.33/32    0     XX.92.176.35/32    0     0     XX.92.176.35/esp/require/out
XX.92.176.35/32    0     192.168.1/24       0     0     XX.92.176.35/esp/use/in
192.168.1/24       0     XX.92.176.35/32    0     0     XX.92.176.35/esp/require/out
192.168.8/24       0     192.168.1/24       0     0     XX.92.176.35/esp/use/in
192.168.1/24       0     192.168.8/24       0     0     XX.92.176.35/esp/require/out

And B's routes:

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
XX.92.176.33/32    0     XX.92.176.37/32    0     0     XX.92.176.33/esp/use/in
XX.92.176.37/32    0     XX.92.176.33/32    0     0     XX.92.176.33/esp/require/out
192.168.1/24       0     XX.92.176.37/32    0     0     XX.92.176.33/esp/use/in
XX.92.176.37/32    0     192.168.1/24       0     0     XX.92.176.33/esp/require/out
192.168.1/24       0     192.168.9/24       0     0     XX.92.176.33/esp/use/in
192.168.9/24       0     192.168.1/24       0     0     XX.92.176.33/esp/require/ou

What am I doing wrong here?

-- 
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: ipsec question
yes, you can. You need to encrypt traffic from/to your laptop to 0.0.0.0/0. So instead of using your gw address, use 0.0.0.0/0.

HJ.

On Thu, Dec 01, 2005 at 08:00:38AM +0100, raff wrote:
> Hi,
> I have wireless connection between my machine and router/gateway.
> I can set up ipsec connection between them if i'm connecting directly
> to gw machine, but is it possible to encrypt traffic between those when
> i'm connecting to internet via gw ?
>
> host--gw--internet
>  |      |
>  '---|---'
>    ipsec
>
> thanks in advance.
ipsec question
Hi,
I have wireless connection between my machine and router/gateway.
I can set up ipsec connection between them if i'm connecting directly to gw machine, but is it possible to encrypt traffic between those when i'm connecting to internet via gw ?

host--gw--internet
 |      |
 '---|---'
   ipsec

thanks in advance.