Re: OpenBSD IPSec setup

2017-06-30 Thread Rupert Gallagher
Oh no, he really wanted to know why you are not using openvpn instead. I'd say 
because I can transfer at 1GBps with ipsec, without the bugs of openvpn...
Sent from ProtonMail Mobile

On Fri, Jun 30, 2017 at 9:20 PM, Rupert Gallagher  wrote:

> I think he wanted to know why you are still using ipsec/IKEv1
> (/etc/ipsec.conf) instead of ipsec/IKEv2 (/etc/iked.conf).
> Sent from ProtonMail Mobile
>
> On Thu, Jun 29, 2017 at 12:59 PM, Marko Cupać wrote:
>
> > On Thu, 29 Jun 2017 12:32:01 +0200 Luescher Claude wrote:
> >
> > > Why are you using ipsec in the 21st century:
> >
> > Because it is in OpenBSD base. Because, at least on OpenBSD, it
> > integrates great with the rest of networking ecosystem (carp,
> > sasync, ospf, pf etc.) Because it pays my bills for more than a
> > decade now. Because my users are satisfied. Because my employers are
> > satisfied. Because I haven't encountered anything better for
> > site-to-site VPNs so far (I also use both OpenVPN and npppd for my
> > road warriors' needs).
> >
> > I could go on.
> > --
> > Before enlightenment - chop wood, draw water.
> > After enlightenment - chop wood, draw water.
> >
> > Marko Cupać
> > https://www.mimar.rs/

Re: OpenBSD IPSec setup

2017-06-30 Thread Rupert Gallagher
I think he wanted to know why you are still using ipsec/IKEv1 (/etc/ipsec.conf) 
instead of ipsec/IKEv2 (/etc/iked.conf).
Sent from ProtonMail Mobile

On Thu, Jun 29, 2017 at 12:59 PM, Marko Cupać  wrote:

> On Thu, 29 Jun 2017 12:32:01 +0200 Luescher Claude wrote:
>
> > Why are you using ipsec in the 21st century:
>
> Because it is in OpenBSD base. Because, at least on OpenBSD, it
> integrates great with the rest of networking ecosystem (carp,
> sasync, ospf, pf etc.) Because it pays my bills for more than a
> decade now. Because my users are satisfied. Because my employers are
> satisfied. Because I haven't encountered anything better for
> site-to-site VPNs so far (I also use both OpenVPN and npppd for my
> road warriors' needs).
>
> I could go on.
> --
> Before enlightenment - chop wood, draw water.
> After enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/

Re: OpenBSD IPSec setup

2017-06-29 Thread Jasper Siepkes
I know I'm venturing off topic but I can't resist.

I'll go for OpenBSD with IPSec any day. Only last week OpenVPN had a security
fallout:

https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243

One of these exploits even has a high probability of being remotely exploitable.


-Jasper

> On 29 June 2017 at 12:59, Marko Cupać wrote:
> 
> On Thu, 29 Jun 2017 12:32:01 +0200
> Luescher Claude  wrote:
> 
> > Why are you using ipsec in the 21st century:
> 
> Because it is in OpenBSD base. Because, at least on OpenBSD, it
> integrates great with the rest of networking ecosystem (carp, sasync,
> ospf, pf etc.) Because it pays my bills for more than a decade
> now. Because my users are satisfied. Because my employers are
> satisfied. Because I haven't encountered anything better for
> site-to-site VPNs so far (I also use both OpenVPN and npppd for my road
> warriors' needs).
> 
> I could go on.
> -- 
> Before enlightenment - chop wood, draw water.
> After enlightenment - chop wood, draw water.
> 
> Marko Cupać
> https://www.mimar.rs/




Re: OpenBSD IPSec setup

2017-06-29 Thread Marko Cupać
On Thu, 29 Jun 2017 12:32:01 +0200
Luescher Claude  wrote:

> Why are you using ipsec in the 21st century:

Because it is in OpenBSD base. Because, at least on OpenBSD, it
integrates great with the rest of networking ecosystem (carp, sasync,
ospf, pf etc.) Because it pays my bills for more than a decade
now. Because my users are satisfied. Because my employers are
satisfied. Because I haven't encountered anything better for
site-to-site VPNs so far (I also use both OpenVPN and npppd for my road
warriors' needs).

I could go on.
-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: OpenBSD IPSec setup

2017-06-29 Thread Daniel Gracia
My two-cents:

* IPsec hardware crypto is supported out of the box on a lot more platforms
than OpenVPN, so IPsec tends to be noticeably faster; e.g., a UBNT
EdgeRouter Lite will give me about 20Mbps over OpenVPN vs almost 1Gbps
(line rate) over IPsec.
* IPsec code in OpenBSD is audited, OpenVPN is a port.

Regards!


2017-06-29 12:32 GMT+02:00 Luescher Claude :

> Why are you using ipsec in the 21st century:
>
> https://serverfault.com/questions/202917/openvpn-vs-ipsec-pros-and-cons-what-to-use
>
> I see no pros here just cons unless you need to setup a vpn with some
> crappy old device which should be just switched out with an obsd box anyway
> :)
>
>
> On 2017-06-29 11:29, Liviu Daia wrote:
>
>> On 29 June 2017, Liviu Daia  wrote:
>> [...]
>>
>>> On the server:
>>>
>>> # iked -d
>>> ikev2_recv: IKE_SA_INIT request from initiator 89.136.163.27:500 to
>>> x.y.z.t:500 policy 'sb1' id 0, 510 bytes
>>> ikev2_msg_send: IKE_SA_INIT response from x.y.z.t:500 to
>>> 89.136.163.27:500 msgid 0, 471 bytes
>>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to
>>> x.y.z.t:500 policy 'sb1' id 1, 1520 bytes
>>> ikev2_msg_send: IKE_AUTH response from x.y.z.t:500 to 89.136.163.27:500
>>> msgid 1, 1440 bytes
>>> sa_state: VALID -> ESTABLISHED from 89.136.163.27:500 to x.y.z.t:500
>>> policy 'sb1'
>>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to
>>> x.y.z.t:500 policy 'sb1' id 2, 1520 bytes
>>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to
>>> x.y.z.t:500 policy 'sb1' id 2, 1520 bytes
>>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to
>>> x.y.z.t:500 policy 'sb1' id 2, 1520 bytes
>>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to
>>> x.y.z.t:500 policy 'sb1' id 2, 1520 bytes
>>>
>>> On the home router:
>>>
>>> # iked -d
>>> set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/x.y.z.t
>>> ikev2_msg_send: IKE_SA_INIT request from 89.136.163.27:500 to
>>> x.y.z.t:500 msgid 0, 510 bytes
>>> ikev2_recv: IKE_SA_INIT response from responder x.y.z.t:500 to
>>> 89.136.163.27:500 policy 'home' id 0, 471 bytes
>>> ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500
>>> msgid 1, 1520 bytes
>>> ikev2_recv: IKE_AUTH response from responder x.y.z.t:500 to
>>> 89.136.163.27:500 policy 'home' id 1, 1440 bytes
>>> ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
>>> ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500
>>> msgid 2, 1520 bytes
>>>
>>> The warning about pubkey doesn't go away if I copy the server's
>>> certificate to /etc/iked/pubkeys/ipv4/x.y.z.t, nor if I install it in
>>> /etc/iked/certs.  And then there's this, which doesn't look normal:
>>>
>>> ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
>>>
>> [...]
>>
>> Ok this post sent me on the right course:
>>
>> http://www.going-flying.com/blog/mikrotik-openbsd-ikev2.html
>>
>> Here's what I did:
>>
>> cd /etc/ssl/vpn/private
>> openssl rsa -in x.y.z.t.key -pubout -out ~/x.y.z.t
>> ... copy ~/x.y.z.t to /etc/iked/pubkeys/ipv4 on the home router.
>>
>> After that the VPN works, I can send packets from a machine at home
>> and I'm seeing them on enc0 on the remote server:
>>
>> # tcpdump -n -i enc0
>>
>> tcpdump: listening on enc0, link-type ENC
>> 05:14:04.103254 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2
>> > 10.0.0.102: icmp: echo request (encap)
>> 05:14:05.134106 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2
>> > 10.0.0.102: icmp: echo request (encap)
>> 05:14:06.137831 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2
>> > 10.0.0.102: icmp: echo request (encap)
>> ...
>>
>> However, I'm now running into what seems to be a firewall problem,
>> and I'm getting no answer.  I do have "pass quick inet proto esp" on both
>> VPN ends.  Any idea where / how to fix this?
>>
>> Also, IPs aren't assigned automatically to the VPN ends.  I can
>> add them to hostname.enc0, but is this the right thing to do?  I tried
>> adding a line
>>
>> config address 10.0.0.102
>>
>> to /etc/iked.conf, but that's rejected as a syntax error.  A clue stick
>> again please?
>>
>> Regards,
>>
>> Liviu Daia
>>
>
>


Re: OpenBSD IPSec setup

2017-06-29 Thread Philipp Buehler

On 29.06.2017 12:32, Luescher Claude wrote:

> Why are you using ipsec in the 21st century:
>
> https://serverfault.com/questions/202917/openvpn-vs-ipsec-pros-and-cons-what-to-use


just a week after four CVEs (incl RCE) in openvpn? Great.

--
pb



Re: OpenBSD IPSec setup

2017-06-29 Thread Luescher Claude

Why are you using ipsec in the 21st century:

https://serverfault.com/questions/202917/openvpn-vs-ipsec-pros-and-cons-what-to-use

I see no pros here just cons unless you need to setup a vpn with some 
crappy old device which should be just switched out with an obsd box 
anyway :)


On 2017-06-29 11:29, Liviu Daia wrote:

On 29 June 2017, Liviu Daia  wrote:
[...]

On the server:

# iked -d
ikev2_recv: IKE_SA_INIT request from initiator 89.136.163.27:500 to 
x.y.z.t:500 policy 'sb1' id 0, 510 bytes
ikev2_msg_send: IKE_SA_INIT response from x.y.z.t:500 to 
89.136.163.27:500 msgid 0, 471 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to 
x.y.z.t:500 policy 'sb1' id 1, 1520 bytes
ikev2_msg_send: IKE_AUTH response from x.y.z.t:500 to 
89.136.163.27:500 msgid 1, 1440 bytes
sa_state: VALID -> ESTABLISHED from 89.136.163.27:500 to x.y.z.t:500 
policy 'sb1'
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to 
x.y.z.t:500 policy 'sb1' id 2, 1520 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to 
x.y.z.t:500 policy 'sb1' id 2, 1520 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to 
x.y.z.t:500 policy 'sb1' id 2, 1520 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to 
x.y.z.t:500 policy 'sb1' id 2, 1520 bytes


On the home router:

# iked -d
set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/x.y.z.t
ikev2_msg_send: IKE_SA_INIT request from 89.136.163.27:500 to 
x.y.z.t:500 msgid 0, 510 bytes
ikev2_recv: IKE_SA_INIT response from responder x.y.z.t:500 to 
89.136.163.27:500 policy 'home' id 0, 471 bytes
ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 
msgid 1, 1520 bytes
ikev2_recv: IKE_AUTH response from responder x.y.z.t:500 to 
89.136.163.27:500 policy 'home' id 1, 1440 bytes

ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 
msgid 2, 1520 bytes


The warning about pubkey doesn't go away if I copy the server's
certificate to /etc/iked/pubkeys/ipv4/x.y.z.t, nor if I install it in
/etc/iked/certs.  And then there's this, which doesn't look normal:

ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG

[...]

Ok this post sent me on the right course:

http://www.going-flying.com/blog/mikrotik-openbsd-ikev2.html

Here's what I did:

cd /etc/ssl/vpn/private
openssl rsa -in x.y.z.t.key -pubout -out ~/x.y.z.t
... copy ~/x.y.z.t to /etc/iked/pubkeys/ipv4 on the home router.


After that the VPN works, I can send packets from a machine at home
and I'm seeing them on enc0 on the remote server:

# tcpdump -n -i enc0

tcpdump: listening on enc0, link-type ENC
05:14:04.103254 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2
> 10.0.0.102: icmp: echo request (encap)
05:14:05.134106 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2
> 10.0.0.102: icmp: echo request (encap)
05:14:06.137831 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2
> 10.0.0.102: icmp: echo request (encap)
...

However, I'm now running into what seems to be a firewall problem,
and I'm getting no answer.  I do have "pass quick inet proto esp" on both
VPN ends.  Any idea where / how to fix this?

Also, IPs aren't assigned automatically to the VPN ends.  I can
add them to hostname.enc0, but is this the right thing to do?  I tried
adding a line

config address 10.0.0.102

to /etc/iked.conf, but that's rejected as a syntax error.  A clue stick
again please?

Regards,

Liviu Daia




Re: OpenBSD IPSec setup

2017-06-29 Thread Liviu Daia
On 29 June 2017, Liviu Daia  wrote:
[...]
> On the server:
> 
> # iked -d
> ikev2_recv: IKE_SA_INIT request from initiator 89.136.163.27:500 to 
> x.y.z.t:500 policy 'sb1' id 0, 510 bytes
> ikev2_msg_send: IKE_SA_INIT response from x.y.z.t:500 to 89.136.163.27:500 
> msgid 0, 471 bytes
> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 
> policy 'sb1' id 1, 1520 bytes
> ikev2_msg_send: IKE_AUTH response from x.y.z.t:500 to 89.136.163.27:500 msgid 
> 1, 1440 bytes
> sa_state: VALID -> ESTABLISHED from 89.136.163.27:500 to x.y.z.t:500 policy 
> 'sb1'
> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 
> policy 'sb1' id 2, 1520 bytes
> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 
> policy 'sb1' id 2, 1520 bytes
> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 
> policy 'sb1' id 2, 1520 bytes
> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 
> policy 'sb1' id 2, 1520 bytes
> 
> On the home router:
> 
> # iked -d
> set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/x.y.z.t
> ikev2_msg_send: IKE_SA_INIT request from 89.136.163.27:500 to x.y.z.t:500 
> msgid 0, 510 bytes
> ikev2_recv: IKE_SA_INIT response from responder x.y.z.t:500 to 
> 89.136.163.27:500 policy 'home' id 0, 471 bytes
> ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 msgid 
> 1, 1520 bytes
> ikev2_recv: IKE_AUTH response from responder x.y.z.t:500 to 89.136.163.27:500 
> policy 'home' id 1, 1440 bytes
> ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
> ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 msgid 
> 2, 1520 bytes
> 
> The warning about pubkey doesn't go away if I copy the server's
> certificate to /etc/iked/pubkeys/ipv4/x.y.z.t, nor if I install it in
> /etc/iked/certs.  And then there's this, which doesn't look normal:
> 
> ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
[...]

Ok this post sent me on the right course:

http://www.going-flying.com/blog/mikrotik-openbsd-ikev2.html

Here's what I did:

cd /etc/ssl/vpn/private
openssl rsa -in x.y.z.t.key -pubout -out ~/x.y.z.t
... copy ~/x.y.z.t to /etc/iked/pubkeys/ipv4 on the home router.

After that the VPN works, I can send packets from a machine at home
and I'm seeing them on enc0 on the remote server:

# tcpdump -n -i enc0

tcpdump: listening on enc0, link-type ENC
05:14:04.103254 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2 > 
10.0.0.102: icmp: echo request (encap)
05:14:05.134106 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2 > 
10.0.0.102: icmp: echo request (encap)
05:14:06.137831 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2 > 
10.0.0.102: icmp: echo request (encap)
...

However, I'm now running into what seems to be a firewall problem,
and I'm getting no answer.  I do have "pass quick inet proto esp" on both
VPN ends.  Any idea where / how to fix this?

Also, IPs aren't assigned automatically to the VPN ends.  I can
add them to hostname.enc0, but is this the right thing to do?  I tried
adding a line

config address 10.0.0.102

to /etc/iked.conf, but that's rejected as a syntax error.  A clue stick
again please?

Regards,

Liviu Daia
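Reading the two `iked -d` logs side by side is what points at the problem in this thread: the server reaches ESTABLISHED while the router rejects the IKE_AUTH response and keeps retransmitting msgid 2. The following is an added example, not code from any post here; it parses the (abridged) debug lines quoted above and reports the inconsistencies between the two ends.

```python
"""Added `iked -d` triage example for this thread (not code from any post)."""
import re
from collections import Counter
# Lines taken (abridged) from the server-side `iked -d` output quoted above.
SERVER_LOG = """\
ikev2_recv: IKE_SA_INIT request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 0, 510 bytes
ikev2_msg_send: IKE_SA_INIT response from x.y.z.t:500 to 89.136.163.27:500 msgid 0, 471 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 1, 1520 bytes
ikev2_msg_send: IKE_AUTH response from x.y.z.t:500 to 89.136.163.27:500 msgid 1, 1440 bytes
sa_state: VALID -> ESTABLISHED from 89.136.163.27:500 to x.y.z.t:500 policy 'sb1'
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 2, 1520 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 2, 1520 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 2, 1520 bytes
"""
# Lines taken from the home-router `iked -d` output quoted above.
ROUTER_LOG = """\
set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/x.y.z.t
ikev2_msg_send: IKE_SA_INIT request from 89.136.163.27:500 to x.y.z.t:500 msgid 0, 510 bytes
ikev2_recv: IKE_SA_INIT response from responder x.y.z.t:500 to 89.136.163.27:500 policy 'home' id 0, 471 bytes
ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 msgid 1, 1520 bytes
ikev2_recv: IKE_AUTH response from responder x.y.z.t:500 to 89.136.163.27:500 policy 'home' id 1, 1440 bytes
ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 msgid 2, 1520 bytes
"""

# One IKE message line: direction, exchange type, request/response, message id.
MSG_RE = re.compile(r"^(?P<func>ikev2_recv|ikev2_msg_send): (?P<exch>IKE_\w+) "
                    r"(?P<kind>request|response) .*? (?:msgid|id) (?P<id>\d+), \d+ bytes$")
PUBKEY_RE = re.compile(r"could not find pubkey for (?P<path>\S+)")
AUTH_RE = re.compile(r"unexpected auth method (?P<got>\w+), was expecting (?P<want>\w+)")

def parse(log):
    """Return (messages, established, warnings) for one side's `iked -d` output."""
    messages, warnings, established = [], [], False
    for line in log.splitlines():
        m = MSG_RE.match(line)
        if m:
            messages.append({"dir": "rx" if m["func"] == "ikev2_recv" else "tx",
                             "exch": m["exch"], "kind": m["kind"], "id": int(m["id"])})
        elif line.startswith("sa_state:") and "-> ESTABLISHED" in line:
            established = True
        else:
            for rx in (PUBKEY_RE, AUTH_RE):
                w = rx.search(line)
                if w:
                    warnings.append(w.groupdict())
    return messages, established, warnings

def repeated_requests(messages):
    """{(exchange, msgid): count} for request ids logged more than once: the peer retransmits."""
    c = Counter((m["exch"], m["id"]) for m in messages if m["kind"] == "request")
    return {k: n for k, n in c.items() if n > 1}

def diagnose(server_log, router_log):
    """Cross-check both ends' logs and return the findings as strings."""
    s_msgs, s_est, s_warn = parse(server_log)
    r_msgs, r_est, r_warn = parse(router_log)
    findings = []
    for w in r_warn + s_warn:
        if "path" in w:
            findings.append("missing peer pubkey: " + w["path"])
        else:
            findings.append("auth method mismatch: peer sent %s, local policy expects %s"
                            % (w["got"], w["want"]))
    if s_est and not r_est:  # responder believes the SA is up, initiator does not
        findings.append("one-sided SA: responder reached ESTABLISHED, initiator did not")
    for (exch, mid), n in repeated_requests(s_msgs).items():
        findings.append("%s msgid %d logged %d times: initiator is retransmitting" % (exch, mid, n))
    return findings
```

Run `diagnose(SERVER_LOG, ROUTER_LOG)` to get the four findings; on a working tunnel both ends report ESTABLISHED and no request id repeats.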



Re: OpenBSD IPSec setup

2017-06-29 Thread Liviu Daia
On 28 June 2017, Rupert Gallagher  wrote:
> You need a server-signed certificate.

Ok, let me redo this from scratch:

(1) On the server:

ikectl ca vpn create
ikectl ca vpn install
ikectl ca vpn certificate x.y.z.t create
ikectl ca vpn certificate x.y.z.t install
ikectl ca vpn certificate 10.0.0.1 create
ikectl ca vpn certificate 10.0.0.1 export

... copy 10.0.0.1.tgz to the home router

(2) On the home router:

tar -C /etc/iked -xzpf 10.0.0.1.tgz

Nothing seems to have changed:

On the server:

# iked -d
ikev2_recv: IKE_SA_INIT request from initiator 89.136.163.27:500 to x.y.z.t:500 
policy 'sb1' id 0, 510 bytes
ikev2_msg_send: IKE_SA_INIT response from x.y.z.t:500 to 89.136.163.27:500 
msgid 0, 471 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 
policy 'sb1' id 1, 1520 bytes
ikev2_msg_send: IKE_AUTH response from x.y.z.t:500 to 89.136.163.27:500 msgid 
1, 1440 bytes
sa_state: VALID -> ESTABLISHED from 89.136.163.27:500 to x.y.z.t:500 policy 
'sb1'
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 
policy 'sb1' id 2, 1520 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 
policy 'sb1' id 2, 1520 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 
policy 'sb1' id 2, 1520 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 
policy 'sb1' id 2, 1520 bytes

On the home router:

# iked -d
set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/x.y.z.t
ikev2_msg_send: IKE_SA_INIT request from 89.136.163.27:500 to x.y.z.t:500 msgid 
0, 510 bytes
ikev2_recv: IKE_SA_INIT response from responder x.y.z.t:500 to 
89.136.163.27:500 policy 'home' id 0, 471 bytes
ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 msgid 1, 
1520 bytes
ikev2_recv: IKE_AUTH response from responder x.y.z.t:500 to 89.136.163.27:500 
policy 'home' id 1, 1440 bytes
ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 msgid 2, 
1520 bytes

The warning about pubkey doesn't go away if I copy the server's
certificate to /etc/iked/pubkeys/ipv4/x.y.z.t, nor if I install it in
/etc/iked/certs.  And then there's this, which doesn't look normal:

ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG

I'm using 6.1 release on the server, and the current snapshot on the
home router:

OpenBSD sb1.x.net 6.1 GENERIC#10 amd64
OpenBSD router.x.net 6.1 GENERIC.MP#44 amd64

Regards,

Liviu Daia



Re: OpenBSD IPSec setup

2017-06-28 Thread Rupert Gallagher
You need a server-signed certificate.
Sent from ProtonMail Mobile

On Wed, Jun 28, 2017 at 11:18 AM, Liviu Daia  wrote:

> I'm trying to create a VPN between my home network (sitting behind
> an OpenBSD router), and a remote server (also an OpenBSD machine).
> After reading many man pages and searching previous posts, I'm still
> thoroughly confused. What I have so far:
>
> (1) On the remote server:
>
>   - fixed IP, let's call it x.y.z.t
>
>   - pf.conf:
>
> set skip on { lo, enc }
> pass in quick on egress inet proto udp to any port { isakmp, ipsec-nat-t }
>
>   - iked.conf:
>
> ikev2 "sb1" passive esp from 10.0.0.102 to 10.0.0.1 local x.y.z.t peer any srcid x.y.z.t
>
> (2) On the home router:
>
>   - the internal network is 192.168.7.0/24, the external IP is dynamic
>
>   - pf.conf:
>
> set skip on { lo, enc }
> pass in quick on egress inet proto udp to any port { isakmp, ipsec-nat-t }
> match out on enc inet to 10.0.0.102 nat-to 10.0.0.1
> match out on egress inet from !(egress:network) nat-to (egress:0)
>
>   - iked.conf:
>
> ikev2 "home" active esp from 10.0.0.1 (192.168.7.0/24) to 10.0.0.102 local egress peer x.y.z.t srcid 10.0.0.1
>
> Anyone, a clue stick please?
>
> Regards,
>
> Liviu Daia

Re: OpenBSD IPSec setup

2017-06-28 Thread Liviu Daia
On 28 June 2017, Philipp Buehler wrote:
> On 28.06.2017 11:18, Liviu Daia wrote:
> > 
> > set skip on { lo, enc }
> > pass  in quick on egress inet proto udp to any port { isakmp,
> > ipsec-nat-t }
> 
> needs (on both) a 'pass quick inet proto esp', too

I added that, and still no dice.

Logs on the server:

# iked -d
ikev2_recv: IKE_SA_INIT request from initiator 89.136.163.27:500 to x.y.z.t:500 
policy 'sb1' id 0, 510 bytes
ikev2_msg_send: IKE_SA_INIT response from x.y.z.t:500 to 89.136.163.27:500 
msgid 0, 471 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 
policy 'sb1' id 1, 1520 bytes
ikev2_msg_send: IKE_AUTH response from x.y.z.t:500 to 89.136.163.27:500 msgid 
1, 1440 bytes
sa_state: VALID -> ESTABLISHED from 89.136.163.27:500 to x.y.z.t:500 policy 
'sb1'
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 
policy 'sb1' id 2, 1520 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 
policy 'sb1' id 2, 1520 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 
policy 'sb1' id 2, 1520 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 
policy 'sb1' id 2, 1520 bytes
ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 
policy 'sb1' id 2, 1520 bytes

Logs on the home router:

# iked -d
set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/x.y.z.t
ikev2_msg_send: IKE_SA_INIT request from 89.136.163.27:500 to x.y.z.t:500 msgid 
0, 510 bytes
ikev2_recv: IKE_SA_INIT response from responder x.y.z.t:500 to 
89.136.163.27:500 policy 'home' id 0, 471 bytes
ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 msgid 1, 
1520 bytes
ikev2_recv: IKE_AUTH response from responder x.y.z.t:500 to 89.136.163.27:500 
policy 'home' id 1, 1440 bytes
ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 msgid 2, 
1520 bytes

Regards,

Liviu Daia



Re: OpenBSD IPSec setup

2017-06-28 Thread Philipp Buehler

On 28.06.2017 11:18, Liviu Daia wrote:

> set skip on { lo, enc }
> pass  in quick on egress inet proto udp to any port { isakmp,
> ipsec-nat-t }


needs (on both) a 'pass quick inet proto esp', too


--
pb



OpenBSD IPSec setup

2017-06-28 Thread Liviu Daia
I'm trying to create a VPN between my home network (sitting behind
an OpenBSD router), and a remote server (also an OpenBSD machine).
After reading many man pages and searching previous posts, I'm still
thoroughly confused.  What I have so far:

(1) On the remote server:

  - fixed IP, let's call it x.y.z.t

  - pf.conf:

set skip on { lo, enc }
pass  in quick on egress inet proto udp to any port { isakmp, 
ipsec-nat-t }

  - iked.conf:

ikev2 "sb1" passive esp \
from 10.0.0.102 to 10.0.0.1 \
local x.y.z.t peer any \
srcid x.y.z.t

(2) On the home router:

  - the internal network is 192.168.7.0/24, the external IP is dynamic

  - pf.conf:

set skip on { lo, enc }
pass  in quick on egress inet proto udp to any port { isakmp, 
ipsec-nat-t }
match out on enc inet to 10.0.0.102 nat-to 10.0.0.1
match out on egress inet from !(egress:network) nat-to (egress:0)

  - iked.conf:

ikev2 "home" active esp \
from 10.0.0.1 (192.168.7.0/24) to 10.0.0.102 \
local egress peer x.y.z.t \
srcid 10.0.0.1

Anyone, a clue stick please?

Regards,

Liviu Daia