Hi guys,

I just overcame some configuration issues with pf and ipsecctl and I'd
like to share my experience with these tools.

Firstly, I played with pf and a new feature named 'urpf'. It simplifies
antispoofing configurations a lot, but be aware that it can cause you
trouble.
After enabling urpf with the following line at the beginning of my
ruleset:

        block in quick on ! enc0 from urpf-failed

I was unable to telnet to my email gateway. I was systematically getting a
"Connection reset". Nothing was found in tcpdump -ni pflog0, and the
mail service was working perfectly locally.
After some research I found that urpf was the cause of my troubles. It
sends back a RST on urpf-failed instead of dropping packets (default
behavior) and filtered my rdr. I don't know if it's a bug, but the packet
should not have been blocked according to the documentation.
The workaround was to add the "pass" keyword to the rdr rules, in order
to bypass the block from urpf-failed. I also added the log keyword to
the antispoofing rule, so that I can diagnose it faster next time :-)
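For reference, here is what the resulting ruleset fragment looks like when both workarounds are applied. This is an added example, not the poster's own pf.conf; the macro names and addresses ($ext_if, $mailgw, the SMTP port) are assumptions chosen for illustration.

```pf
# Added example, not the original ruleset. Macro values are assumed.
ext_if = "fxp0"          # assumed external interface
mailgw = "172.16.1.25"   # assumed internal mail gateway

# Antispoofing on every interface except enc0, now with "log" so that
# anything it rejects shows up in: tcpdump -ni pflog0
block in log quick on ! enc0 from urpf-failed

# Inbound SMTP redirected to the internal gateway. With "pass", packets
# matching the translation rule are passed without consulting the filter
# rules, so the urpf-failed block above can no longer catch them.
rdr pass on $ext_if proto tcp from any to $ext_if port smtp \
        -> $mailgw port smtp
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and keep in mind that `rdr pass` skips all filter rules for the matching packets, so the rdr rule itself should be as specific as possible.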

The second big problem was the IPSEC negotiation between another OpenBSD box
and a Cisco PIX.
Here is my small setup:
192.168.4.0/24_-_PIX_-_(random lan)_-_OpenBSD_-_172.16.[123].0/24
             [10.10.2.253]          [10.10.3.253]

I inserted the following in my ipsec.conf:

ike esp from 172.16.1.0/24 to 192.168.4.0/24 peer 10.10.2.253 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes \
        psk "openbsd"
flow esp from 172.16.1.0/24 to 192.168.4.0/24 peer 10.10.2.253

The negotiation never happened from the OpenBSD to the PIX. But a ping
from the 192.168.4.0 network created the tunnel.
ipsecctl -nf reported no error; everything seemed to be OK.

With the network tech. (the one who configured the PIX), we saw that
OpenBSD is trying to negotiate the tunnel with 3des!!

Reviewing the man pages many times, I finally figured out that I had missed the
keyword "group none" for the quick phase negotiation. Then I changed the
configuration to something more correct:

ike dynamic esp tunnel \
        from 172.16.1.0/24 to 192.168.4.0/24 peer 10.10.2.253 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes group none \
        psk "openbsd"
flow esp from 172.16.1.0/24 to 192.168.4.0/24 peer 10.10.2.253

The tunnel has worked fine since that moment :-)

A happy user,

Claer
