Re: isakmpd gateway-to-gateway VPN woes...

2007-03-23 Thread Boris Golberg
Hello Jack,

Thursday, March 22, 2007, 6:49:14 PM, you wrote:

JB> ... having some trouble getting a LAN-to-LAN VPN working ...

JB>10.0.0.2/24 --- 10.0.0.1/24
JB> L1 F1   F2 L2
JB> 10.4.14.1 --- 10.4.12.1/22 10.2.12.1/22 --- 10.2.14.1

JB> L1,L2 - laptops
JB> F1,F2 - Soekris net4801 firewalls

JB> What works:

JB> L1-F1 lan communication
JB> L2-F2 lan communication
JB> F1-F2 lan communication
JB> F1-F2 IPSec communication (evidenced by F1 running "ping 10.0.0.1" and
JB> seeing only esp packets in tcpdump)

JB> What doesn't work:

JB> F1-L2 gateway'd VPN
JB> F2-L1 gateway'd VPN
JB> L1-L2 gateway-to-gateway'd VPN

  Sorry if I miss something, but I don't see you trying to test the
Network-to-Network VPN you are talking about. Does it work from an internal
computer in one network to an internal computer in another?
  Gateway-to-Gateway doesn't (and shouldn't, I think) work "out of the box"
with the Network-to-Network VPN. Adding manual routes helped me to solve it.
Something like "route add 10.2.12.0/22 10.4.14.1" on the F1 and "route add
10.4.12.0/22 10.2.14.1" on the F2. Your numbers are a bit confusing, but it's
a "route add  ".

-- 
Best regards,
 Boris  mailto:[EMAIL PROTECTED]



Re: isakmpd gateway-to-gateway VPN woes...

2007-03-22 Thread Dag Richards

Do your firewalls forward ip 4?

sysctl net.inet.ip.forwarding=1


Jack Bates wrote:


isakmpd gateway-to-gateway VPN woes...

2007-03-22 Thread Jack Bates
If you can help, please feel free to CC: me directly:
[EMAIL PROTECTED]

My partner-in-crime and I are having some trouble getting a LAN-to-LAN VPN
working with OpenBSD-4.0-stable isakmpd.  Both firewalls have a relatively
unaltered install.  Both firewalls still have pf, ipsec and isakmpd_flags
"unset" in rc.conf (we are configuring and starting manually - is this a
problem?).  We have followed the directions from the "Zero to IPSec on 4
minutes" webpage.  I hope that this error report is thorough.

Here is a picture of the configuration:

   10.0.0.2/24 --- 10.0.0.1/24
L1 F1   F2 L2
10.4.14.1 --- 10.4.12.1/22 10.2.12.1/22 --- 10.2.14.1

L1,L2 - laptops
F1,F2 - Soekris net4801 firewalls

What works:

L1-F1 lan communication
L2-F2 lan communication
F1-F2 lan communication
F1-F2 IPSec communication (evidenced by F1 running "ping 10.0.0.1" and
seeing only esp packets in tcpdump)

What doesn't work:

F1-L2 gateway'd VPN
F2-L1 gateway'd VPN
L1-L2 gateway-to-gateway'd VPN

What is interesting is that the routing tables have a section named
"Encap:" that seem to contain valid routes for the flows that do not work
above, but when attempting to use "ping" on addresses on a broken flow we
get "No route to host".  This has got to be something simple. Thanks in
advance for your help.

Here are the pf.conf files from both firewalls:

###
F1: pf.conf
###

# jack
ext_if="sis0"
int_if="sis1"
set skip on { lo $int_if enc0 }
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass quick on $ext_if from 10.0.0.1
pass out keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state

###
F2: pf.conf
###

# sabino
ext_if="sis0"
int_if="sis1"
set skip on { lo $int_if enc0 }
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass quick on $ext_if from 10.0.0.2
pass out keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state

##
F1: ipsec.conf
##

# jack to sabino
sabino_ext = "10.0.0.1"
sabino_int = "10.2.12.0/22"
jack_ext   = "10.0.0.2"
jack_int   = "10.4.12.0/22"
ike esp from $jack_int to $sabino_int peer $sabino_ext
ike esp from $jack_ext to $sabino_int peer $sabino_ext
ike esp from $jack_ext to $sabino_ext

##
F2: ipsec.conf
##

# sabino to jack
sabino_ext="10.0.0.1"
sabino_int="10.2.12.0/22"
jack_ext="10.0.0.2"
jack_int="10.4.12.0/22"
ike passive esp from $sabino_int to $jack_int peer $jack_ext
ike passive esp from $sabino_ext to $jack_int peer $jack_ext
ike passive esp from $sabino_ext to $jack_ext

###
F1: What isakmpd says after running ipsecctl -f /etc/ipsec.conf
###

# isakmpd -K -d -v
164953.991350 Default isakmpd: phase 1 done: initiator id 0a02:
10.0.0.2, responder id 0a01: 10.0.0.1, src: 10.0.0.2 dst: 10.0.0.1
164955.074708 Default isakmpd: quick mode done: src: 10.0.0.2 dst: 10.0.0.1
164955.283055 Default isakmpd: quick mode done: src: 10.0.0.2 dst: 10.0.0.1
164955.652188 Default isakmpd: quick mode done: src: 10.0.0.2 dst: 10.0.0.1
165058.199701 Default isakmpd: shutting down...
165058.219397 Default isakmpd: exit

###
F2: What isakmpd says after running ipsecctl -f /etc/ipsec.conf
###

# isakmpd -K -d -v
171251.878157 Default isakmpd: phase 1 done: initiator id 0a02:
10.0.0.2, responder id 0a01: 10.0.0.1, src: 10.0.0.1 dst: 10.0.0.2
171253.351373 Default isakmpd: quick mode done: src: 10.0.0.1 dst: 10.0.0.2
171253.557425 Default isakmpd: quick mode done: src: 10.0.0.1 dst: 10.0.0.2
171253.566780 Default isakmpd: quick mode done: src: 10.0.0.1 dst: 10.0.0.2
171356.739110 Default isakmpd: shutting down...
171356.741411 Default isakmpd: exit

##
F1: routing table after isakmpd negotiates tunnels
##

# ipsecctl -f /etc/ipsec.conf
# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags   Refs    Use    Mtu  Interface
10.0.0/24          link#1             UC         1      0      -  sis0
10.0.0.1           00:00:24:c8:1d:60  UHLc       2    125      -  sis0
10.4.12/22         link#2             UC         1      0      -  sis1
10.4.14.1          00:e0:00:c2:6e:2c  UHLc       4    644      -  sis1
10.4.16/22         link#3             UC         0      0      -  sis2
127/8              127.0.0.1          UGRS       0      0  33224  lo0
127.0.0.1          127.0.0.1          UH         1      4  33224  lo0
224/4              127.0.0.1          URS        0      0  33224  lo0

Internet6:
...abbreviated - irrelevant...

Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
10.0.0.1/320 10.0.0.2
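A check for the symptom in this thread, added here as an example and not code from the thread or from OpenBSD: it expands the macros in F1's ipsec.conf, reads the "Internet:" section of netstat -rn, and lists the flows whose destination has no ordinary route, which is the "No route to host" case that Boris's manual routes address. The two sample inputs are constructed from the posted configs; the sysctl check in Dag's reply is a separate precondition not covered here.

```python
import ipaddress
import re
# Constructed sample: F1's ipsec.conf as posted in the thread.
IPSEC_CONF = """\
sabino_ext = "10.0.0.1"
sabino_int = "10.2.12.0/22"
jack_ext   = "10.0.0.2"
jack_int   = "10.4.12.0/22"
ike esp from $jack_int to $sabino_int peer $sabino_ext
ike esp from $jack_ext to $sabino_int peer $sabino_ext
ike esp from $jack_ext to $sabino_ext
"""

# Constructed sample: F1's "Internet:" routes from netstat -rn, header removed.
NETSTAT_RN = """\
10.0.0/24          link#1             UC         1      0      -  sis0
10.0.0.1           00:00:24:c8:1d:60  UHLc       2    125      -  sis0
10.4.12/22         link#2             UC         1      0      -  sis1
10.4.14.1          00:e0:00:c2:6e:2c  UHLc       4    644      -  sis1
"""

def parse_flows(conf):
    """(src, dst) networks of every ike flow line, with $macros expanded."""
    macros, flows = {}, []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r'(\w+)\s*=\s*"([^"]*)"', line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        m = re.search(r"from\s+(\S+)\s+to\s+(\S+)", line)
        if m:
            src, dst = (macros.get(x.lstrip("$"), x) for x in m.groups())
            flows.append((ipaddress.ip_network(src), ipaddress.ip_network(dst)))
    return flows

def parse_dest(dest):
    """netstat -rn destination ('10.4.12/22', '10.0.0.1', 'default') -> network."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = (addr.split(".") + ["0"] * 4)[:4]   # netstat drops trailing zero octets
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"))

def unroutable_flows(conf, netstat):
    """Flows whose destination no plain route covers: the Encap (SPD) entries only
    select IPsec for packets the routing table can already send, so these fail."""
    routes = [parse_dest(l.split()[0]) for l in netstat.splitlines() if l.strip()]
    return [(str(s), str(d)) for s, d in parse_flows(conf)
            if not any(d.subnet_of(r) for r in routes)]
```

Adding a regular route for 10.2.12.0/22 on F1 (as Boris suggests) empties the list; the host-to-host flow between the two external addresses is already covered by the 10.0.0/24 connected route, which matches what the poster sees working.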