Re: ipsec vpn unexpected flow
On 2010/11/27 23:47, Andrea Parazzini wrote:
> On Fri, 26 Nov 2010 12:58:09 +0000 (UTC), Stuart Henderson s...@spacehopper.org wrote:
> > isakmpd.policy(5), and have some aspirin ready for the inevitable headache.
>
> Stuart is right. I tried to play with isakmpd.policy and it's rather complicated.
> Reading the manuals again I noticed the -a option of isakmpd. So my new configuration could be the following:
>
> /etc/rc.conf.local
>
> ipsec=YES
> isakmpd_flags="-a -K -v"
>
> /etc/ipsec.conf
>
> ike active esp tunnel \
>         from 10.1.0.0/16 to 192.168.90.0/24 \
>         local A.B.C.D peer W.X.Y.Z \
>         main auth hmac-sha1 enc 3des group modp1024 \
>         quick auth hmac-sha1 enc 3des group modp1024 \
>         psk PRESHAREDKEY
>
> flow esp from 0.0.0.0/0 to 192.168.90.0/24 \
>         local A.B.C.D peer W.X.Y.Z
>
> Might it work? What do you think?

Hmm, yes it might do. If you test and find out, please let misc@ know :)
Re: ipsec vpn unexpected flow
On Thu, 11/25/10, Andrea Parazzini a.parazz...@sirtisistemi.net wrote:
> [...]
> As you can see there is a flow that is not configured on our box. It is probably configured on the remote peer. Is this normal behavior? How can I protect myself from an incorrect configuration on the remote peer?

On Fri, 26 Nov 2010 12:58:09 +0000 (UTC), Stuart Henderson s...@spacehopper.org wrote:
> isakmpd.policy(5), and have some aspirin ready for the inevitable headache.

Stuart is right. I tried to play with isakmpd.policy and it's rather complicated.
Reading the manuals again I noticed the -a option of isakmpd. So my new configuration could be the following:

/etc/rc.conf.local

ipsec=YES
isakmpd_flags="-a -K -v"

/etc/ipsec.conf

ike active esp tunnel \
        from 10.1.0.0/16 to 192.168.90.0/24 \
        local A.B.C.D peer W.X.Y.Z \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des group modp1024 \
        psk PRESHAREDKEY

flow esp from 0.0.0.0/0 to 192.168.90.0/24 \
        local A.B.C.D peer W.X.Y.Z

Might it work? What do you think?

Thanks.
Regards,
Andrea
Re: ipsec vpn unexpected flow
On Fri, 26 Nov 2010 10:32:59 +0330, Bahador NazariFard bahador.nazarif...@gmail.com wrote:
> On Fri, Nov 26, 2010 at 8:50 AM, Andrea Parazzini a.parazz...@sirtisistemi.net wrote:
> > Hi,
> > from 10.1.0.0/16 is the network id that I would negotiate with the remote peer. (0.0.0.0/0) is our real network, we have a lot of networks behind this box. We perform NAT on traffic leaving through the VPN tunnel.
> >
> > 192.168.71/24   0     10.1/16         0     0      W.X.Y.Z/esp/use/in
> > 10.1/16         0     192.168.71/24   0     0      W.X.Y.Z/esp/require/out
> >
> > Why this flow? I would like only the flows defined in the configuration files.
> > [...]
>
> please read the ipsec.conf manual page again, especially the OUTGOING NETWORK ADDRESS TRANSLATION section. 10.1.0.0/16 (0.0.0.0/0) means you want to NAT anything from 10.1.0.0/16 to 0.0.0.0/0! I think this is so strange. I cannot understand your configuration rule. Are you sure your traffic really passes through your IPSec tunnel?

Yes, the traffic passes through the tunnel. The vpn works fine. If I understand the manual, 10.1.0.0/16 (0.0.0.0/0) means that I can perform NAT on traffic leaving through the VPN tunnel to 10.1.0.0/16 addresses.

Thanks.
Andrea
Re: ipsec vpn unexpected flow
On 2010-11-25, Andrea Parazzini a.parazz...@sirtisistemi.net wrote:
> As you can see there is a flow that is not configured on our box. It is probably configured on the remote peer. Is this normal behavior?

Yes. This is especially fun when you end up accidentally routing all traffic from a 100mb-connected site down an ADSL link by getting a flow for 0.0.0.0/0 added...

> How can I protect myself from an incorrect configuration on the remote peer?

isakmpd.policy(5), and have some aspirin ready for the inevitable headache.
Re: ipsec vpn unexpected flow
On Fri, 26 Nov 2010 12:58:09 +0000 (UTC), Stuart Henderson s...@spacehopper.org wrote:
> On 2010-11-25, Andrea Parazzini a.parazz...@sirtisistemi.net wrote:
> > As you can see there is a flow that is not configured on our box. It is probably configured on the remote peer. Is this normal behavior?
>
> Yes. This is especially fun when you end up accidentally routing all traffic from a 100mb-connected site down an ADSL link by getting a flow for 0.0.0.0/0 added...
>
> > How can I protect myself from an incorrect configuration on the remote peer?
>
> isakmpd.policy(5), and have some aspirin ready for the inevitable headache.

Thank you for your reply. Now I have to study the manual.

Regards,
Andrea
ipsec vpn unexpected flow
Hi,
we have a vpn connection with a customer. The remote peer is not under our management. Our box is an OpenBSD 4.7 i386.
We have configured the vpn as follows:

/etc/rc.conf.local

ipsec=YES
isakmpd_flags="-K -v"

/etc/ipsec.conf

ike active esp tunnel \
        from 10.1.0.0/16 (0.0.0.0/0) to 192.168.90.0/24 \
        local A.B.C.D peer W.X.Y.Z \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des group modp1024 \
        psk PRESHAREDKEY

The vpn works fine, but there is a strange thing. With netstat -nrf encap I see something like:

Source          Port  Destination     Port  Proto  SA
192.168.71/24   0     10.1/16         0     0      W.X.Y.Z/esp/use/in
10.1/16         0     192.168.71/24   0     0      W.X.Y.Z/esp/require/out
192.168.90/24   0     default         0     0      W.X.Y.Z/esp/use/in
default         0     192.168.90/24   0     0      W.X.Y.Z/esp/require/out

As you can see there is a flow that is not configured on our box. It is probably configured on the remote peer. Is this normal behavior? How can I protect myself from an incorrect configuration on the remote peer?

Thanks.
Regards,
Andrea
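A check for the situation described in this message, as an added example that is not from the thread: it compares the flows the kernel currently holds (the netstat -nrf encap output) against an allowlist of the flows our own ipsec.conf should produce, and reports any flow that was negotiated on top of them by the remote peer. Both the allowlist and the sample netstat output below are constructed from the thread's values; on a live box the real netstat -nrf encap output is fed in instead.

```shell
#!/bin/sh
# Added example, not from the thread: report encap flows that are not in the
# set our own ipsec.conf is expected to install. Assumes OpenBSD's
# "netstat -nrf encap" column layout: Source Port Destination Port Proto SA.

# Allowlist (constructed): "source destination" pairs that the ike line
# "from 10.1.0.0/16 (0.0.0.0/0) to 192.168.90.0/24" should produce locally.
EXPECTED_FLOWS='default 192.168.90/24
192.168.90/24 default'

# Constructed sample of "netstat -nrf encap" output, shaped like the thread's.
SAMPLE_ENCAP='Routing tables

Encap:
Source          Port  Destination     Port  Proto  SA
192.168.71/24   0     10.1/16         0     0      W.X.Y.Z/esp/use/in
10.1/16         0     192.168.71/24   0     0      W.X.Y.Z/esp/require/out
192.168.90/24   0     default         0     0      W.X.Y.Z/esp/use/in
default         0     192.168.90/24   0     0      W.X.Y.Z/esp/require/out'

# unexpected_flows ALLOWLIST ENCAP_OUTPUT
# Prints "source destination sa" for every flow whose source/destination pair
# is not allowlisted; exit status is 1 if any were found, 0 otherwise.
unexpected_flows() {
    {
        printf '%s\n' "$1" | sed 's/^/EXPECT /'   # tag allowlist lines
        printf '%s\n' "$2"
    } | awk '
        $1 == "EXPECT"            { ok[$2 " " $3] = 1; next }
        $1 == "Source" || NF < 6  { next }        # header and non-flow lines
        {
            key = $1 " " $3                       # source and destination
            if (!(key in ok)) { print key " " $6; bad++ }
        }
        END { exit (bad ? 1 : 0) }'
}

# Stand-alone run against the constructed sample; on a live box use
#   unexpected_flows "$EXPECTED_FLOWS" "$(netstat -nrf encap)"
unexpected_flows "$EXPECTED_FLOWS" "$SAMPLE_ENCAP" || echo "unexpected flows found"
```

Run from cron, a non-zero exit (or non-empty output) is the signal that the peer has pushed a flow, such as the 0.0.0.0/0 case, that our side never configured.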
Re: ipsec vpn unexpected flow
1. what is the (0.0.0.0/0) good for?
2. how are you inspecting traffic in the tunnel?
3. is nat allowed in the tunnel?
4. you may have let in more networks than you realize

-damon

--- On Thu, 11/25/10, Andrea Parazzini a.parazz...@sirtisistemi.net wrote:
> From: Andrea Parazzini a.parazz...@sirtisistemi.net
> Subject: ipsec vpn unexpected flow
> To: misc@openbsd.org
> Date: Thursday, November 25, 2010, 2:40 PM
>
> [...]
> As you can see there is a flow that is not configured on our box. It is probably configured on the remote peer. Is this normal behavior? How can I protect myself from an incorrect configuration on the remote peer?
>
> Thanks.
> Regards,
> Andrea
Re: ipsec vpn unexpected flow
Hi,
from 10.1.0.0/16 is the network id that I would negotiate with the remote peer. (0.0.0.0/0) is our real network, we have a lot of networks behind this box. We perform NAT on traffic leaving through the VPN tunnel.

192.168.71/24   0     10.1/16         0     0      W.X.Y.Z/esp/use/in
10.1/16         0     192.168.71/24   0     0      W.X.Y.Z/esp/require/out

Why this flow? I would like only the flows defined in the configuration files.

Thanks
Andrea

On Thu, 25 Nov 2010 13:39:33 -0800 (PST), Damon Schlosser damons...@yahoo.com wrote:
> 1. what is the (0.0.0.0/0) good for?
> 2. how are you inspecting traffic in the tunnel?
> 3. is nat allowed in the tunnel?
> 4. you may have let in more networks than you realize
>
> -damon
>
> --- On Thu, 11/25/10, Andrea Parazzini a.parazz...@sirtisistemi.net wrote:
> > From: Andrea Parazzini a.parazz...@sirtisistemi.net
> > Subject: ipsec vpn unexpected flow
> > To: misc@openbsd.org
> > Date: Thursday, November 25, 2010, 2:40 PM
> >
> > [...]
Re: ipsec vpn unexpected flow
On Fri, Nov 26, 2010 at 8:50 AM, Andrea Parazzini a.parazz...@sirtisistemi.net wrote:
> Hi,
> from 10.1.0.0/16 is the network id that I would negotiate with the remote peer. (0.0.0.0/0) is our real network, we have a lot of networks behind this box. We perform NAT on traffic leaving through the VPN tunnel.
>
> 192.168.71/24   0     10.1/16         0     0      W.X.Y.Z/esp/use/in
> 10.1/16         0     192.168.71/24   0     0      W.X.Y.Z/esp/require/out
>
> Why this flow? I would like only the flows defined in the configuration files.
>
> Thanks
> Andrea
>
> On Thu, 25 Nov 2010 13:39:33 -0800 (PST), Damon Schlosser damons...@yahoo.com wrote:
> > 1. what is the (0.0.0.0/0) good for?
> > 2. how are you inspecting traffic in the tunnel?
> > 3. is nat allowed in the tunnel?
> > 4. you may have let in more networks than you realize
> >
> > -damon
> >
> > [...]

please read the ipsec.conf manual page again, especially the OUTGOING NETWORK ADDRESS TRANSLATION section. 10.1.0.0/16 (0.0.0.0/0) means you want to NAT anything from 10.1.0.0/16 to 0.0.0.0/0! I think this is so strange. I cannot understand your configuration rule. Are you sure your traffic really passes through your IPSec tunnel?

--
Gula_Gula =;=; BNF