Re: l2tp / ipsec follow up
On 2014-07-28 08:43, John wrote:
On Sun, Jul 27, 2014 at 02:07:34PM -0400, Gordon Turner wrote:
On 2014-07-27 10:16, John wrote:
On Sat, Jul 26, 2014 at 05:34:56PM -0400, Gordon Turner wrote:
On 2014-07-23 20:30, Gordon Turner wrote:
Does your gateway at 192.168.2.1 know how to reach 10.0.0.0/24? Does it
have a route telling it to use 192.168.2.140 to reach 10.0.0.0/24?
I don't have any other routes setup, I guess I am struggling with
where
should I add them?
If I understand your network topology correctly, you need to add a
route
to 10.0.0.0/24 on the gateway device 192.168.2.1 otherwise return
traffic from 192.168.2.0/24 to 10.0.0.0/24 is probably taking some
other
path or getting dropped.
So on the gateway which is 192.168.2.1:
/sbin/route add 10.0.0.0/24 192.168.2.140
That, eventually, did the the trick.
That was one of the first things I tried, but the route (for some
reason) wasn't used immediately. I rebooted the OpenVPN and restarted
the gateway router and then things were working! Yay!
I will eventually move the VPN end point to the new gateway / router,
but for now it is nice to have them decoupled.
I did have 2 more questions that someone might be able to help with:
Does `framed-ip-address` in `npppd-users` assign an ip address to the
user when authenticated? That was my expectation, but when I provide an
ip from the `pool-address` range, the value is not used. Another value
from the pool is used instead.
```
jtest:\
:password=SEEKRIT:\
:framed-ip-address=10.0.0.2:
```
With regards to adding extra rules to pf.conf for the VPN traffic, if I
am relying on l2tp and ipsec for authentication, and I trust those
connecting completely (ie me) is there any risk NOT not adding
additional filtering rules?
To put a different way, I want to have VPN clients treated as if they
were on the private network natively. I am only forwarding TCP 500,
4500 to the VPN endpoint which is listening for them.
```
set skip on pppx0
pass in quick on egress proto udp from any to any port {500, 4500} keep
state
pass on enc0 from any to any keep state (if-bound)
```
Thanks!
Gord.
Re: l2tp / ipsec follow up
I suggested to re-configure your cable modem as a bridge, so your OpenBSD-box gets public IP and not private (as you have it now). On old days then I had a cable modem, I done exactly like this. This WILL make your life easier. Trust me. As you dont really have any control of OS(Linux) inside your cable modem. Nor services (ex. dhcpd) running inside. And then you get connection problems, youll look for a problem and will end up in resetting/rebooting several devices(modem, openbsd-box). //mxb On 27 jul 2014, at 22:58, Gordon Turner tur...@ftn.net wrote: The OpenBSD ip (192.168.2.232) is statically assigned by the dhcp server.
Re: l2tp / ipsec follow up
On 2014-07-27 08:06, Stefan Sieg wrote:
On 26.07.2014 17:34, Gordon Turner wrote:
But any attempt to reach the 192.168.2.0/24 network fails.
did you set the route on your clients accordingly, so that they know
how to reach that network?
After connecting the VPN, I tried adding different routes on the client:
/sbin/route add 192.168.2.0/24 10.0.0.186
and when that didn't work I rebooted, connected the VPN and tried:
/sbin/route add 192.168.2.0/24 10.0.0.1
I admit that I have never needed to add routes before so I am starting
from scratch here.
I also check the 'Send all traffic over VPN connection', but if I
understand things correctly, the traffic gets to 10.0.0.1 and has no
where to go.
pass in quick on egress proto udp from any to any port {500, 4500,
1701} keep state
You don't need to forward l2tp on your router, it is encapsulated in
ipsec.
pass quick proto { esp, ah } from any to any
As long as NAT is involved you dont need ESP in your pf.conf, it is
encapsulated in UDP. You dont need AH.
Thanks for that, I have updated my pf.conf to:
```
set skip on pppx0
pass in quick on egress proto udp from any to any port {500, 4500} keep
state
pass on enc0 from any to any keep state (if-bound)
```
Looking for some help with finishing this last piece, I am no longer
sure if it a pf issue, it might be a default route problem.
tcpdump and pfs log option are very usefull to see whats going on.
$ sudo tcpdump -ni pppx0
tcpdump: listening on pppx0, link-type LOOP
12:41:04.014922 10.0.0.75.54342 8.8.8.8.53: 39507+ SRV?
_ldap._tcp.mythum.lan. (39)
12:41:05.783767 10.0.0.75.55149 8.8.8.8.53: 37421+ A?
p01-streams.icloud.com. (40)
12:41:06.982890 10.0.0.75.54342 8.8.8.8.53: 39507+ SRV?
_ldap._tcp.mythum.lan. (39)
12:41:08.454573 10.0.0.75.53042 8.8.8.8.53: 57936+ A?
p21-calendars.icloud.com. (42)
12:41:09.464456 10.0.0.75.53042 8.8.8.8.53: 57936+ A?
p21-calendars.icloud.com. (42)
12:41:12.493838 10.0.0.75.53042 8.8.8.8.53: 57936+ A?
p21-calendars.icloud.com. (42)
12:41:13.513972 10.0.0.75.53042 8.8.8.8.53: 57936+ A?
p21-calendars.icloud.com. (42)
12:41:14.444208 10.0.0.75.51500 8.8.8.8.53: 52450+ SRV?
_kerberos._udp.MYTHUM.LAN. (43)
12:41:14.892284 10.0.0.75.55149 8.8.8.8.53: 37421+ A?
p01-streams.icloud.com. (40)
12:41:15.474692 10.0.0.75.51500 8.8.8.8.53: 52450+ SRV?
_kerberos._udp.MYTHUM.LAN. (43)
12:41:16.103557 10.0.0.75.54342 8.8.8.8.53: 39507+ SRV?
_ldap._tcp.mythum.lan. (39)
tcpdump: WARNING: compensating for unaligned libpcap packets
12:41:16.574507 10.0.0.75.53042 8.8.8.8.53: 57936+ A?
p21-calendars.icloud.com. (42)
12:41:18.493783 10.0.0.75.51500 8.8.8.8.53: 52450+ SRV?
_kerberos._udp.MYTHUM.LAN. (43)
12:41:19.365219 10.0.0.75.49404 8.8.8.8.53: 56240+ A?
12-courier.push.apple.com. (43)
12:41:19.574170 10.0.0.75.51500 8.8.8.8.53: 52450+ SRV?
_kerberos._udp.MYTHUM.LAN. (43)
12:41:20.372149 10.0.0.75.49404 8.8.8.8.53: 56240+ A?
12-courier.push.apple.com. (43)
12:41:22.664149 10.0.0.75.51500 8.8.8.8.53: 52450+ SRV?
_kerberos._udp.MYTHUM.LAN. (43)
12:41:23.451963 10.0.0.75.49404 8.8.8.8.53: 56240+ A?
12-courier.push.apple.com. (43)
12:41:24.453283 10.0.0.75 192.168.2.225: icmp: echo request
12:41:24.461780 10.0.0.75.49404 8.8.8.8.53: 56240+ A?
12-courier.push.apple.com. (43)
12:41:24.461833 10.0.0.75.64324 8.8.8.8.53: 32547+ SRV?
_kerberos._tcp.MYTHUM.LAN. (43)
12:41:25.453901 10.0.0.75 192.168.2.225: icmp: echo request
12:41:25.542776 10.0.0.75.64324 8.8.8.8.53: 32547+ SRV?
_kerberos._tcp.MYTHUM.LAN. (43)
12:41:25.592847 10.0.0.75.53042 8.8.8.8.53: 57936+ A?
p21-calendars.icloud.com. (42)
12:41:26.453321 10.0.0.75 192.168.2.225: icmp: echo request
12:41:27.453650 10.0.0.75 192.168.2.225: icmp: echo request
12:41:27.532806 10.0.0.75.49404 8.8.8.8.53: 56240+ A?
12-courier.push.apple.com. (43)
12:41:28.463647 10.0.0.75 192.168.2.225: icmp: echo request
12:41:28.663012 10.0.0.75.64324 8.8.8.8.53: 32547+ SRV?
_kerberos._tcp.MYTHUM.LAN. (43)
12:41:29.723006 10.0.0.75.64324 8.8.8.8.53: 32547+ SRV?
_kerberos._tcp.MYTHUM.LAN. (43)
$ sudo tcpdump -ni enc0
tcpdump: listening on enc0, link-type ENC
12:42:13.722514 (authentic,confidential): SPI 0xc4ae1209:
24.114.54.8.65247 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:14.092443 (authentic,confidential): SPI 0xc4ae1209:
24.114.54.8.65247 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:14.742843 (authentic,confidential): SPI 0xc4ae1209:
24.114.54.8.65247 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:15.163667 (authentic,confidential): SPI 0xc4ae1209:
24.114.54.8.65247 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:17.752480 (authentic,confidential): SPI 0xc4ae1209:
24.114.54.8.65247 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:18.212499 (authentic,confidential): SPI 0xc4ae1209:
24.114.54.8.65247 192.168.2.232.1701: l2tp:[L](3/2779)[hdlc|][|l2tp]
12:42:18.321068 (authentic,confidential): SPI 0xc4ae1209:
Re: l2tp / ipsec follow up
On 2014-07-27 18:04, Stefan Sieg wrote: On 27.07.2014 13:46, Gordon Turner wrote: On 2014-07-27 08:06, Stefan Sieg wrote: On 26.07.2014 17:34, Gordon Turner wrote: and you need a route to 10.0.0.0/24 for the hosts in your 192.168.2.0/24 network. Without that route your hosts in your LAN have no idea how to reach 10.0.0.0/24. This is needed because your VPN is not terminated on your default gateway. If the address of your OpenBSD box is assigned by dhcp, then you should change that to static and use this as the gateway to 10.0.0.0/24. The OpenBSD ip (192.168.2.232) is statically assigned by the dhcp server. I added a static route to my router / firewall: Destination: 10.0.0.0 Gateway: 192.168.2.232 Subnet Mask: 255.255.255.0 But testing with an iOS device that doesn't seem to be enough. Do I have to add routing on the OpenBSD box? If this is your whole config then actually everything is allowed, you might want to change that ... the pf faq is really good. Yeah, definitely, once I get the routing sorted. Gord
Re: l2tp / ipsec follow up
On 2014-07-23 20:30, Gordon Turner wrote:
Hey all,
Based on the feedback from Daniel and others, I have successfully
connected to my OpenBSD instance running behind my router / firewall
from an iOS and OSX client on the Internet. (Updated instructions
below.)
The one issue that I have is that requests to the local private
network are being lost. My Packet Filter kung fu is a little rusty,
the only entries in the pf.conf at the moment are:
Looking for some help with finishing this last piece, I am no longer
sure if it a pf issue, it might be a default route problem.
From a client connecting successfully, I can ping the 10.0.0.1 end point
on the OpenBSD box.
But any attempt to reach the 192.168.2.0/24 network fails.
The routing table looks like:
```
$ netstat -rn -f inet
Routing tables
Internet:
DestinationGatewayFlags Refs Use Mtu Prio
Iface
default192.168.2.1UGS3 99 - 8
vio0
10.0.0.89 10.0.0.1 UH 00 - 4
pppx0
127/8 127.0.0.1 UGRS 00 33144 8
lo0
127.0.0.1 127.0.0.1 UH 10 33144 4
lo0
192.168.2/24 link#1 UC 20 - 4
vio0
192.168.2.100:25:9c:28:2d:4b UHLc 1 159 - 4
vio0
192.168.2.140 7c:d1:c3:e9:68:e9 UHLc 1 228 - 4
vio0
224/4 127.0.0.1 URS00 33144 8
lo0
```
What route should I be adding, if any, to successfully reach the
192.168.2.0/24 network (and the the Internet?) from the VPN client?
Thanks!
Gord.
Current configuration details, slightly updated
--
VPN OpenBSD L2TP-IPSEC
==
Description
---
- Using OpenBSD 5.5 as an VPN end point for iOS 7.0 and OSX 10.9
clients.
- Support for iOS, preferably native VPN client
- Support for OSX, preferably native VPN client
- VPN endpoint running on an internal server.
- Forwarding appropriate ports from a router.
- Use npppd, IPsec and Packet Filter (pf).
NAT and Port Forwarding
---
- The VPN end point is behind a NATed firewall and the following ports
are forwarded:
UDP 500 - Internet Key Exchange (IKE)
UDP 1701 - L2TP traffic
UDP 4500 - IPSec Network Address Translation (NAT-T)
npppd Setup
---
- npppd is a Point-to-Point Protocol (PPP) and tunneling daemon capable
of L2TP, PPTP, and PPPoE.
- Reference:
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/npppd.8
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/npppd.conf.5
- NOTE:
Private network is 192.168.2.0/24 (192.168.2.0-192.168.2.254)
DNS server / router / fire wall is 192.168.2.1
VPN network is 10.0.0.0/24 (10.0.0.2-10.0.0.254)
VPN network gateway to private network is 10.0.0.1
Using local file authentication
- Example npppd.conf file, `/etc/npppd/npppd.conf`:
```
authentication LOCAL type local {
users-file /etc/npppd/npppd-users
}
tunnel L2TP_ipv4 protocol l2tp {
listen on 0.0.0.0
}
ipcp IPCP {
pool-address 10.0.0.2-10.0.0.254
#dns-servers 8.8.8.8
dns-servers 192.168.2.1
}
interface pppx0 address 10.0.0.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0
```
- NOTE:
The `pool-address` values should be a block of addresses in a
different subnet of the internal network.
The `dns-servers 8.8.8.8` is Google's public dns, local local DNS
servers should be used if available.
- Example npppd-users file, `/etc/npppd/npppd-users`:
```
jtest: \
:password=SEEKRIT: \
:framed-ip-address=10.0.0.100:
```
- NOTE:
Replace `SEEKRIT` with your password.
The `framed-ip-address` value, if used, should be in the
`pool-address` block from `/etc/npppd/npppd.conf`.
IPsec Setup
---
- IPsec is a pair of protocols, Encapsulating Security Payload (ESP) and
Authentication Header (AH), which provide security services for IP
datagrams.
- Reference:
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/ipsec.4
- Example ipsec.conf file, `/etc/ipsec.conf`:
```
public_ip = XXX.XXX.XXX.XXX
ike passive esp transport \
proto udp from $public_ip to any port 1701 \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes \
psk SEEKRIT
```
- NOTE:
Replace XXX.XXX.XXX.XXX with external public ip on the Internet.
Replace SEEKRIT with your password.
Packet Filter Setup
---
- Packet Filter is OpenBSD's system for filtering TCP/IP traffic and
doing Network Address Translation.
- Reference:
http://www.openbsd.org/faq/pf/
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/pf.4
- Example pf.conf file, `/etc/pf.conf`:
```
set skip on pppx0
pass quick proto { esp, ah } from any to any
pass in quick on egress proto udp from any to any port {500, 4500, 1701}
keep state
pass on enc0 from any to any
l2tp / ipsec follow up
Hey all,
Based on the feedback from Daniel and others, I have successfully
connected to my OpenBSD instance running behind my router / firewall
from an iOS and OSX client on the Internet. (Updated instructions
below.)
The one issue that I have is that requests to the local private network
are being lost. My Packet Filter kung fu is a little rusty, the only
entries in the pf.conf at the moment are:
```
pass quick proto { esp, ah } from any to any
pass in quick on egress proto udp from any to any port {500, 4500, 1701}
keep state
pass on enc0 from any to any keep state (if-bound)
```
I am not sure what device to 'passs in' on at the end of the l2tp /
ipsec to enable nat'ing and accessing internal network resources.
(There was feedback that `pool-address 10.0.0.1-10.0.0.100` and
`:framed-ip-address=10.0.0.10:` had to be a different network then the
private internal network.)
The router / firewall has a working dhcp server running.
```
ifconfig -a
lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 33144
priority: 0
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet 127.0.0.1 netmask 0xff00
vio0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
lladdr 52:54:00:9b:3b:bc
priority: 0
groups: egress
media: Ethernet autoselect
status: active
inet6 fe80::5054:ff:fe9b:3bbc%vio0 prefixlen 64 scopeid 0x1
inet 192.168.2.232 netmask 0xff00 broadcast 192.168.2.255
enc0: flags=0
priority: 0
groups: enc
status: active
pflog0: flags=141UP,RUNNING,PROMISC mtu 33144
priority: 0
groups: pflog
pppx0: flags=8051UP,POINTOPOINT,RUNNING,MULTICAST mtu 1360
description: gturner
priority: 0
groups: pppx
inet 192.168.2.1 -- 10.0.0.97 netmask 0x
```
Again, any pointers appreciated.
Gord.
VPN OpenBSD L2TP-IPSEC (mostly working-ish)
===
Requirements
---
- Using OpenBSD 5.5 as an VPN end point for iOS 7.0 and OSX 10.9
clients.
- Support for iOS, preferably native VPN client
- Support for OSX, preferably native VPN client
- VPN endpoint running on an internal server.
- Forwarding appropriate ports from a router.
Description
---
- Use npppd, IPsec and Packet Filter (pf).
- Configuration files `/etc/npppd/npppd.conf`,
`/etc/npppd/npppd-users`, `/etc/ipsec.conf` and `/etc/pf.conf`.
- Reference:
http://www.slideshare.net/GiovanniBechis/npppd-easy-vpn-with-openbsd
http://undeadly.org/cgi?action=articlesid=20120427125048
http://comments.gmane.org/gmane.os.openbsd.misc/209636
http://stackoverflow.com/questions/14967962/openbsd-ipsec-vpn-not-routing-traffic
http://www.packetmischief.ca/openbsd-ipsec-tunnel-guide/
- Claims to have it working, on internet facing machine:
https://www.mail-archive.com/misc@openbsd.org/msg125930.html
- Reference for supported protocols and authentication methods fo iOS:
http://support.apple.com/kb/HT1288
npppd Setup
---
- npppd is a Point-to-Point Protocol (PPP) and tunneling daemon capable
of L2TP, PPTP, and PPPoE.
- Reference:
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/npppd.8?manpath=OpenBSD-currentsec=8query=npppd
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/npppd.conf.5?manpath=OpenBSD-currentsec=5query=npppd.conf
- NOTE: Private network is 192.168.2.x.
- NOTE: Using local file authentication.
- Example npppd.conf file, `/etc/npppd/npppd.conf`:
```
authentication LOCAL type local {
users-file /etc/npppd/npppd-users
}
tunnel L2TP_ipv4 protocol l2tp {
listen on 0.0.0.0
}
ipcp IPCP {
pool-address 10.0.0.1-10.0.0.100
dns-servers 8.8.8.8
}
interface pppx0 address 192.168.2.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0
```
- NOTE: `pool-address` valus should be a block of addresses in the same
subnet of the internal network.
- NOTE: `dns-servers 8.8.8.8` is Google's public dns, local local DNS
servers should be used if available.
- Example npppd-users file, `/etc/npppd/npppd-users`:
```
jtest: \
:password=SEEKRIT:\
:framed-ip-address=10.0.0.10:
```
- NOTE: Replace `SEEKRIT` with your password.
- NOTE: The `framed-ip-address` value should be in the `pool-address`
block from `/etc/npppd/npppd.conf`.
IPsec Setup
---
- IPsec is a pair of protocols, Encapsulating Security Payload (ESP) and
Authentication Header (AH), which provide security services for IP
datagrams.
- Reference:
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man4/ipsec.4?manpath=OpenBSD-currentquery=ipsec
- NOTE: Private network is 192.168.2.x.
- Example ipsec.conf file, `/etc/ipsec.conf`:
```
public_ip = 192.168.2.2
ike passive esp transport \
proto udp from $public_ip to any port 1701 \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes \
psk SEEKRIT
```
- NOTE:
