Re: L2TP VPN / pf

2014-02-27 Thread Paul B. Henson 
 From: YASUOKA Masahiko
 Sent: Wednesday, February 26, 2014 8:46 PM

 set skip on pppx0 needs to be improved because npppd may use pppx1,
 pppx2 ...

Once I've got things working, I'm probably going to want to have more
explicit rules rather than skipping; if I understand correctly I can just
use the generic interface group pppx rather than a specific instance so it
won't matter which one a given VPN connection is using.

   sysctl net.pipex.enable=1

Hmm, yeah, that... I had updated my /etc/sysctl.conf with that change, but
the system had not been rebooted since I did that; and it does appear I
forgot to run it by hand 8-/. I could have sworn I manually tweaked it when
I updated the config, but when I double checked, it was not set, so clearly
I did not sigh. After enabling that setting, I can ping the client from
the server and vice versa, yay! It looks like ospfd isn't propagating the
route for the VPN addresses, so I can't talk to anything past the router,
presumably I need to update that config next.

  For this rule pass quick proto { esp, ah } from any to any, does it
really
  need to be any to any with no interface defined?
 
 I think it is required only from/to the listening address of L2TP.

Cool. Now that it's somewhat working I will go back and clean that up.

 In L2TP/IPsec, transport mode IPsec is used instead of tunnel mode.
 This means enc(4) is not used.  And de-capsulated L2TP packets are
 received on the same interface which receives IPsec packet.

Hmm, that's not what I'm seeing. On the regular WAN interface (em1), when a
connection is established, I see some initial isakmp packets, and after
that, the only packets on that interface are the esp protocol:

12:23:29.614487 host-134-71-203-161.allocated.csupomona.edu.isakmp 
bart.pbhware.com.isak
mp: isakmp v1.0 exchange ID_PROT
cookie: 3d028e2c298bc357- msgid:  len: 500
12:23:29.614490 host-134-71-203-161.allocated.csupomona.edu.isakmp 
bart.pbhware.com.isak
mp: isakmp v1.0 exchange ID_PROT
cookie: 3d028e2c298bc357- msgid:  len: 500
[...]
mp: isakmp v1.0 exchange QUICK_MODE encrypted
cookie: 3d028e2c298bc357-d01b5baa5e938551 msgid: 080e9e87 len: 60
12:23:30.696974 host-134-71-203-161.allocated.csupomona.edu.isakmp 
bart.pbhware.com.isak
mp: isakmp v1.0 exchange QUICK_MODE encrypted
cookie: 3d028e2c298bc357-d01b5baa5e938551 msgid: 080e9e87 len: 60
12:23:30.697094 esp host-134-71-203-161.allocated.csupomona.edu 
bart.pbhware.com spi 0x9
81e7ad1 seq 1 len 116
12:23:30.697096 esp host-134-71-203-161.allocated.csupomona.edu 
bart.pbhware.com spi 0x9
81e7ad1 seq 1 len 116

And on the enc0 interface, I do see traffic, in particular what appears to
be the l2tp communication:

12:23:31.599555 (authentic,confidential): SPI 0x981e7ad1:
host-134-71-203-161.allocated.cs
upomona.edu.63807  bart.pbhware.com.l2tp: l2tp:[TLS](0/0)Ns=0,Nr=0
*MSGTYPE(SCCRQ) *PROTO
_VER(1.0) *FRAMING_CAP(AS) *HOST_NAME(Dogbert) *ASSND_TUN_ID(15)
*RECV_WIN_SIZE(4) [|l2tp]
12:23:31.599714 (authentic,confidential): SPI 0x0173ea42:
bart.pbhware.com.l2tp  host-134
-71-203-161.allocated.csupomona.edu.63807: l2tp:[TLS](15/0)Ns=0,Nr=1
*MSGTYPE(SCCRP) *PROT
O_VER(1.0) *FRAMING_CAP(S) *HOST_NAME(bart.pbhware.com) *ASSND_TUN_ID(1)
FIRM_VER(1282) |.
..[|l2tp]
12:23:31.622116 (authentic,confidential): SPI 0x981e7ad1:
host-134-71-203-161.allocated.cs
upomona.edu.63807  bart.pbhware.com.l2tp: l2tp:[TLS](1/0)Ns=1,Nr=1
*MSGTYPE(SCCCN) [|l2tp
]
12:23:31.622181 (authentic,confidential): SPI 0x0173ea42:
bart.pbhware.com.l2tp  host-134
-71-203-161.allocated.csupomona.edu.63807: l2tp:[TLS](15/0)Ns=1,Nr=2
ZLB[|l2tp]
12:23:31.624720 (authentic,confidential): SPI 0x981e7ad1:
host-134-71-203-161.allocated.cs
upomona.edu.63807  bart.pbhware.com.l2tp: l2tp:[TLS](1/0)Ns=2,Nr=1
*MSGTYPE(ICRQ) *ASSND_
SESS_ID(4051) *CALL_SER_NUM(1) [|l2tp]

For the purpose of writing pf rules, I'd like to understand exactly what
interfaces the packets are traversing. It looks like initially there are
isakmp packets from the remote client to the server on the external WAN
interface, followed by encapsulated esp packets. At that point, it looks
like the packets are flowing through the enc0 interface, from the remote
client to the l2tp server. Once that tunnel is established, it looks like
the tunneled packets flow through the pppx0 interface. So from a firewall
perspective, I think I just need a minimal set of rules on the WAN interface
and the enc0 interface to allow the l2tp tunnel to get established, and then
restrict the actual VPN traffic on the pppx interfaces.

Thanks much for helping point out my obvious mistake with pipex :). I wish I
would have thought to double check that yesterday when I was beating my head
against the wall trying to figure out why it wasn't working...

Re: L2TP VPN / pf

2014-02-27 Thread YASUOKA Masahiko 
On Thu, 27 Feb 2014 13:51:10 -0800
Paul B. Henson hen...@acm.org wrote:
 From: YASUOKA Masahiko
 Sent: Wednesday, February 26, 2014 8:46 PM
   sysctl net.pipex.enable=1
 
 Hmm, yeah, that... I had updated my /etc/sysctl.conf with that change, but
 the system had not been rebooted since I did that; and it does appear I
 forgot to run it by hand 8-/. I could have sworn I manually tweaked it when
 I updated the config, but when I double checked, it was not set, so clearly
 I did not sigh. After enabling that setting, I can ping the client from
 the server and vice versa, yay! It looks like ospfd isn't propagating the
 route for the VPN addresses, so I can't talk to anything past the router,
 presumably I need to update that config next.

I'm glad to hear that.

 In L2TP/IPsec, transport mode IPsec is used instead of tunnel mode.
 This means enc(4) is not used.  And de-capsulated L2TP packets are
 received on the same interface which receives IPsec packet.
 
 Hmm, that's not what I'm seeing. On the regular WAN interface (em1), when a
 connection is established, I see some initial isakmp packets, and after
 that, the only packets on that interface are the esp protocol:

You're right.  I was confused, sorry.

 For the purpose of writing pf rules, I'd like to understand exactly what
 interfaces the packets are traversing. It looks like initially there are
 isakmp packets from the remote client to the server on the external WAN
 interface, followed by encapsulated esp packets. At that point, it looks
 like the packets are flowing through the enc0 interface, from the remote
 client to the l2tp server. Once that tunnel is established, it looks like
 the tunneled packets flow through the pppx0 interface.

Exactly.

 Thanks much for helping point out my obvious mistake with pipex :). I wish I
 would have thought to double check that yesterday when I was beating my head
 against the wall trying to figure out why it wasn't working...

Not at all.  I'll fix npppd to warn in the log when the pipex sysctl
is not set.

--yasuoka

Re: L2TP VPN / pf

2014-02-27 Thread Paul B. Henson 
 From: YASUOKA Masahiko
 Sent: Thursday, February 27, 2014 5:44 PM
  In L2TP/IPsec, transport mode IPsec is used instead of tunnel mode.
  This means enc(4) is not used.  And de-capsulated L2TP packets are
  received on the same interface which receives IPsec packet.
 
  Hmm, that's not what I'm seeing. On the regular WAN interface (em1),
  when a
  connection is established, I see some initial isakmp packets, and after
  that, the only packets on that interface are the esp protocol:
 
 You're right.  I was confused, sorry.

When I shut down the VPN client, it does look like there are some
non-encapsulated packets coming from the client to the l2tp port on the WAN
interface:

17:52:50.434908 esp bart.pbhware.com 
host-134-71-203-251.allocated.csupomona.edu spi 0x0
d875c54 seq 23 len 68
17:52:50.512023 host-134-71-203-251.allocated.csupomona.edu.isakmp 
bart.pbhware.com.isak
mp: isakmp v1.0 exchange INFO encrypted
cookie: 5eaec242bc98f28f-83a0e65155bcbcf8 msgid: c52320cb len: 76
17:52:50.512028 host-134-71-203-251.allocated.csupomona.edu.isakmp 
bart.pbhware.com.isakmp: isakmp v1.0 exchange INFO encrypted
cookie: 5eaec242bc98f28f-83a0e65155bcbcf8 msgid: c52320cb len: 76
17:52:50.512030 host-134-71-203-251.allocated.csupomona.edu.isakmp 
bart.pbhware.com.isak
mp: isakmp v1.0 exchange INFO encrypted
cookie: 5eaec242bc98f28f-83a0e65155bcbcf8 msgid: 64cf721d len: 92
17:52:50.512032 host-134-71-203-251.allocated.csupomona.edu.isakmp 
bart.pbhware.com.isakmp: isakmp v1.0 exchange INFO encrypted
cookie: 5eaec242bc98f28f-83a0e65155bcbcf8 msgid: 64cf721d len: 92
17:52:50.961996 host-134-71-203-251.allocated.csupomona.edu.62139 
bart.pbhware.com.l2tp:
 l2tp:[TLS](6/24262)Ns=4,Nr=2 *MSGTYPE(CDN) *ASSND_SESS_ID(4330)
*RESULT_CODE(768/0 ) [|l2tp]
17:52:50.962000 host-134-71-203-251.allocated.csupomona.edu.62139 
bart.pbhware.com.l2tp: l2tp:[TLS](6/24262)Ns=4,Nr=2 *MSGTYPE(CDN)
*ASSND_SESS_ID(4330) *RESULT_CODE(768/0 ) [|l2

They result in warnings from npppd though:

2014-02-27 17:52:50:INFO: l2tpd Received from=134.71.203.251:62139: bad
control message: tunnelId=6 is not found.  mestype=CDN
2014-02-27 17:52:52:INFO: l2tpd Received from=134.71.203.251:62139: bad
control message: tunnelId=6 is not found.  mestype=CDN

So they're clearly not important. The client I'm testing right now is an
iPhone, maybe it's a bug on that side.

 Not at all.  I'll fix npppd to warn in the log when the pipex sysctl
 is not set.

Yeah, that's a great idea. I was running in debug mode, and it logged:

2014-02-27 17:37:44:NOTICE: ppp id=0 layer=base Using pipex=yes

If there would have been a warning right next to it that pipex was disabled
that would've been quite helpful in pointing out the forgotten step.

L2TP VPN / pf

2014-02-26 Thread Paul B. Henson 
I'm trying to get a L2TP VPN working using npppd; I think I'm most of the
way there but packets just aren't quite flowing. I'm not sure why, but I
think I might be missing something or misunderstanding something with pf.

I've got ipsec=YES and isakmpd_flags=-K in rc.conf.local,  and
/etc/ipsec.conf configured as:

-
ike passive esp transport \
proto udp from 96.251.22.154 to any port 1701 \
psk somesekretkeyhere
-

My /etc/npppd/npppd.conf is:

-
authentication LOCAL type local {
users-file /etc/npppd/npppd-users
}

tunnel L2TP_ipv4 protocol l2tp {
listen on 96.251.22.154
}

ipcp IPCP {
pool-address 10.128.120.2-10.128.120.254
dns-servers 10.128.0.4
}

interface pppx0 address 10.128.120.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0
-

I currently have the following in pf.conf:

-
pass quick proto { esp, ah } from any to any
pass in quick on em1 proto udp from any to 96.251.22.154 port {500, 4500,
1701} keep state
set skip on enc0
set skip on pppx0
-

I'm pretty sure I have the ipsec/npppd pieces correct, as I am successfully
able to connect to the VPN:

-
2014-02-26 15:35:01:NOTICE: l2tpd ctrl=2 logtype=Started RecvSCCRQ
from=134.71.203.230:644
68/udp tunnel_id=2/6 protocol=1.0 winsize=4 hostname=Dogbert vendor=(no
vendorname) firm=0
000
2014-02-26 15:35:01:INFO: l2tpd ctrl=2 SendSCCRP
2014-02-26 15:35:01:INFO: l2tpd ctrl=2 RecvSCCN
2014-02-26 15:35:01:INFO: l2tpd ctrl=2 SendZLB
2014-02-26 15:35:01:INFO: l2tpd ctrl=2 call=21438 RecvICRQ session_id=3388
2014-02-26 15:35:01:INFO: l2tpd ctrl=2 call=21438 SendICRP session_id=21438
2014-02-26 15:35:01:INFO: l2tpd ctrl=2 call=21438 RecvICCN session_id=3388
calling_number=
 tx_conn_speed=100 framing=async
2014-02-26 15:35:01:NOTICE: l2tpd ctrl=2 call=21438 logtype=PPPBind ppp=1
2014-02-26 15:35:01:INFO: ppp id=1 layer=base logtype=Started
tunnel=L2TP_ipv4(134.71.203.
230:64468)
2014-02-26 15:35:01:INFO: l2tpd ctrl=2 call=21438 SendZLB
2014-02-26 15:35:04:INFO: ppp id=1 layer=lcp logtype=Opened mru=1360/1360
auth=MS-CHAP-V2 
magic=c638067d/52525adf
2014-02-26 15:35:04:INFO: ppp id=1 layer=chap proto=mschap_v2
logtype=Success username=he
nson realm=LOCAL
2014-02-26 15:35:04:INFO: ppp id=1 layer=ipcp IP Address peer=0.0.0.0
our=10.128.120.160.
2014-02-26 15:35:04:INFO: ppp id=1 layer=base unhandled protocol ipv6cp,
32855(8057)
2014-02-26 15:35:04:INFO: ppp id=1 layer=base unhandled protocol acsp,
3(8235)
2014-02-26 15:35:04:INFO: ppp id=1 layer=ccp CCP is stopped
2014-02-26 15:35:04:INFO: ppp id=1 layer=ipcp logtype=Opened
ip=10.128.120.160 assignType=
dynamic
2014-02-26 15:35:04:NOTICE: ppp id=1 layer=base logtype=TUNNELSTART
user=henson duration
=4sec layer2=L2TP_ipv4 layer2from=134.71.203.230:64468 auth=MS-CHAP-V2
ip=10.128.120.160 
iface=pppx0
2014-02-26 15:35:04:NOTICE: ppp id=1 layer=base Using pipex=yes
-

However, from the VPN client I cannot ping 10.128.120.1, the server
endpoint, and from the server I cannot ping 10.128.120.160, the client
endpoint. When I try to ping the client, I can see traffic on the ethernet
interface:

16:07:56.431711 esp bart.pbhware.com 
host-134-71-203-230.allocated.csupomona.edu spi 0x04e9efec seq 32 len 148
(DF)
16:07:57.441732 esp bart.pbhware.com 
host-134-71-203-230.allocated.csupomona.edu spi 0x04e9efec seq 33 len 148
(DF)
16:07:58.451762 esp bart.pbhware.com 
host-134-71-203-230.allocated.csupomona.edu spi 0x04e9efec seq 34 len 148
(DF)

And on the enc0 interface:

16:07:52.391543 (authentic,confidential): SPI 0x04e9efec:
bart.pbhware.com.l2tp  host-134-71-203-230.allocated.csupomona.edu.51118:
l2tp:[LS](8/3432)Ns=21,Nr=65535[hdlc|][|l2tp]
16:07:53.401575 (authentic,confidential): SPI 0x04e9efec:
bart.pbhware.com.l2tp  host-134-71-203-230.allocated.csupomona.edu.51118:
l2tp:[LS](8/3432)Ns=22,Nr=65535[hdlc|][|l2tp]

Conversely, when I try to ping the server from the client:

16:09:42.857872 esp host-134-71-203-230.allocated.csupomona.edu 
bart.pbhware.com spi 0x506039f8 seq 96 len 148
16:09:42.857875 esp host-134-71-203-230.allocated.csupomona.edu 
bart.pbhware.com spi 0x506039f8 seq 96 len 148
16:09:43.855422 esp host-134-71-203-230.allocated.csupomona.edu 
bart.pbhware.com spi 0x506039f8 seq 97 len 148

16:09:43.855454 (authentic,confidential): SPI 0x506039f8:
host-134-71-203-230.allocated.csupomona.edu.51118  bart.pbhware.com.l2tp:
l2tp:[L](1/12490)[hdlc|][|l2tp]
16:09:44.855469 (authentic,confidential): SPI 0x506039f8:
host-134-71-203-230.allocated.csupomona.edu.51118  bart.pbhware.com.l2tp:
l2tp:[L](1/12490)[hdlc|][|l2tp]
16:09:45.855498 (authentic,confidential): SPI 0x506039f8:
host-134-71-203-230.allocated.csupomona.edu.51118  bart.pbhware.com.l2tp:
l2tp:[L](1/12490)[hdlc|][|l2tp]

Ideally, I would like to completely disable pf at this point to confirm that
is the problem, but unfortunately it is a production router and I can't
really do that 8-/.

Am I missing something in either the ipsec, npppd, or pf

Re: L2TP VPN / pf

2014-02-26 Thread YASUOKA Masahiko 
Hi,

On Wed, 26 Feb 2014 16:32:34 -0800
Paul B. Henson hen...@acm.org wrote:
 I currently have the following in pf.conf:
 
 -
 pass quick proto { esp, ah } from any to any
 pass in quick on em1 proto udp from any to 96.251.22.154 port {500, 4500,
 1701} keep state
 set skip on enc0
 set skip on pppx0
 -

set skip on pppx0 needs to be improved because npppd may use pppx1,
or pppx2 ...

 I'm pretty sure I have the ipsec/npppd pieces correct, as I am successfully
 able to connect to the VPN:
 
 -
 2014-02-26 15:35:01:NOTICE: l2tpd ctrl=2 logtype=Started RecvSCCRQ
 from=134.71.203.230:644
(snip)
 2014-02-26 15:35:04:NOTICE: ppp id=1 layer=base logtype=TUNNELSTART
 user=henson duration
 =4sec layer2=L2TP_ipv4 layer2from=134.71.203.230:64468 auth=MS-CHAP-V2
 ip=10.128.120.160 
 iface=pppx0

L2TP/IPsec seems to be established successfully.  This means your
ipsec.conf, npppd.conf and pf.conf are ok.

 However, from the VPN client I cannot ping 10.128.120.1, the server
 endpoint, and from the server I cannot ping 10.128.120.160, the client
 endpoint. When I try to ping the client, I can see traffic on the ethernet
 interface:
(snip)
 Am I missing something in either the ipsec, npppd, or pf configuration?

Did you do

  sysctl net.pipex.enable=1

?  This is required to pass packets through the VPN tunnel.

 For this rule pass quick proto { esp, ah } from any to any, does it really
 need to be any to any with no interface defined?

I think it is required only from/to the listening address of L2TP.

 Wouldn't all of the ipsec traffic be on the WAN interface to/from
 the WAN IP? While I think this piece is working, I'd rather have the
 rule exactly match what is needed than be extra generic.
 
 Regarding this rule pass in quick on em1 proto udp from any to
 96.251.22.154 port {500, 4500, 1701} keep state, it looks like the
 connection to the l2tp port is over the ipsec tunnel and hence via enc0, not
 em1? So it doesn't seem 1701 needs to be allowed in on this rule, I removed
 it and it continued to work, at least as far as successfully connecting but
 not passing traffic over the VPN link sigh.

In L2TP/IPsec, transport mode IPsec is used instead of tunnel mode.
This means enc(4) is not used.  And de-capsulated L2TP packets are
received on the same interface which receives IPsec packet.

--yasuoka