Re: OpenBSD IPSec setup
Oh no, he really wanted to know why you are not using openvpn instead. I'd say because I can transfer at 1GBps with ipsec, without the bugs of openvpn... Sent from ProtonMail Mobile On Fri, Jun 30, 2017 at 9:20 PM, Rupert Gallagher wrote: > I think he wanted to know why you are still using ipsec/IKEv1 > (/etc/ipsec.conf) instead of ipsec/IKEv2 (/etc/iked.conf). Sent from > ProtonMail Mobile On Thu, Jun 29, 2017 at 12:59 PM, Marko Cupać wrote: > On > Thu, 29 Jun 2017 12:32:01 +0200 Luescher Claude wrote: > Why are you using > ipsec in the 21th century: Because it is in OpenBSD base. Because, at least > on OpenBSD, it integrates great with the rest of networking ecosystem (carp, > sasync, ospf, pf etc.) Because it pays my bills for more than a decade now. > Because my users are satisfied. Because my employers are satisfied. Because I > haven't encountered anything better for site-to-site VPNs so far (I also use > both OpenVPN and npppd for my road warriors' needs). I could go on. -- Before > enlightenment - chop wood, draw water. After enlightenment - chop wood, draw > water. Marko Cupać https://www.mimar.rs/ @tango.lu>@mimar.rs>
Re: OpenBSD IPSec setup
I think he wanted to know why you are still using ipsec/IKEv1 (/etc/ipsec.conf) instead of ipsec/IKEv2 (/etc/iked.conf). Sent from ProtonMail Mobile On Thu, Jun 29, 2017 at 12:59 PM, Marko Cupać wrote: > On Thu, 29 Jun 2017 12:32:01 +0200 Luescher Claude wrote: > Why are you using > ipsec in the 21th century: Because it is in OpenBSD base. Because, at least > on OpenBSD, it integrates great with the rest of networking ecosystem (carp, > sasync, ospf, pf etc.) Because it pays my bills for more than a decade now. > Because my users are satisfied. Because my employers are satisfied. Because I > haven't encountered anything better for site-to-site VPNs so far (I also use > both OpenVPN and npppd for my road warriors' needs). I could go on. -- Before > enlightenment - chop wood, draw water. After enlightenment - chop wood, draw > water. Marko Cupać https://www.mimar.rs/ @tango.lu>
Re: OpenBSD IPSec setup
I know I'm venturing of topic but I can't resist. I'll go for OpenBSD with IPSec any day. Only last week OpenVPN had a security fallout: https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243 One of these exploits even has a high probability of being remotely exploitable. -Jasper > Op 29 juni 2017 om 12:59 schreef Marko Cupać : > > On Thu, 29 Jun 2017 12:32:01 +0200 > Luescher Claude wrote: > > > Why are you using ipsec in the 21th century: > > Because it is in OpenBSD base. Because, at least on OpenBSD, it > integrates great with the rest of networking ecosystem (carp, sasync, > ospf, pf etc.) Because it pays my bills for more than a decade > now. Because my users are satisfied. Because my employers are > satisfied. Because I haven't encountered anything better for > site-to-site VPNs so far (I also use both OpenVPN and npppd for my road > warriors' needs). > > I could go on. > -- > Before enlightenment - chop wood, draw water. > After enlightenment - chop wood, draw water. > > Marko Cupać > https://www.mimar.rs/ >
Re: OpenBSD IPSec setup
On Thu, 29 Jun 2017 12:32:01 +0200 Luescher Claude wrote: > Why are you using ipsec in the 21th century: Because it is in OpenBSD base. Because, at least on OpenBSD, it integrates great with the rest of networking ecosystem (carp, sasync, ospf, pf etc.) Because it pays my bills for more than a decade now. Because my users are satisfied. Because my employers are satisfied. Because I haven't encountered anything better for site-to-site VPNs so far (I also use both OpenVPN and npppd for my road warriors' needs). I could go on. -- Before enlightenment - chop wood, draw water. After enlightenment - chop wood, draw water. Marko Cupać https://www.mimar.rs/
Re: OpenBSD IPSec setup
My two-cents: * IPsec hardware crypto is supported for a lot more platforms than OpenVPN out of the box, so IPsec uses to be noticeably faster. i.e, and UBNT Edgerouter Lite will give me about 20Mbps over OpenVPN vs almost 1Gbps (line rate) over IPsec. * IPsec code in OpenBSD is audited, OpenVPN is a port. Regards! 2017-06-29 12:32 GMT+02:00 Luescher Claude : > Why are you using ipsec in the 21th century: > > https://serverfault.com/questions/202917/openvpn-vs-ipsec- > pros-and-cons-what-to-use > > I see no pros here just cons unless you need to setup a vpn with some > crappy old device which should be just switched out with an obsd box anyway > :) > > > On 2017-06-29 11:29, Liviu Daia wrote: > >> On 29 June 2017, Liviu Daia wrote: >> [...] >> >>> On the server: >>> >>> # iked -d >>> ikev2_recv: IKE_SA_INIT request from initiator 89.136.163.27:500 to >>> x.y.z.t:500 policy 'sb1' id 0, 510 bytes >>> ikev2_msg_send: IKE_SA_INIT response from x.y.z.t:500 to >>> 89.136.163.27:500 msgid 0, 471 bytes >>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to >>> x.y.z.t:500 policy 'sb1' id 1, 1520 bytes >>> ikev2_msg_send: IKE_AUTH response from x.y.z.t:500 to 89.136.163.27:500 >>> msgid 1, 1440 bytes >>> sa_state: VALID -> ESTABLISHED from 89.136.163.27:500 to x.y.z.t:500 >>> policy 'sb1' >>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to >>> x.y.z.t:500 policy 'sb1' id 2, 1520 bytes >>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to >>> x.y.z.t:500 policy 'sb1' id 2, 1520 bytes >>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to >>> x.y.z.t:500 policy 'sb1' id 2, 1520 bytes >>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to >>> x.y.z.t:500 policy 'sb1' id 2, 1520 bytes >>> >>> On the home router: >>> >>> # iked -d >>> set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/x.y.z.t >>> ikev2_msg_send: IKE_SA_INIT request from 89.136.163.27:500 to >>> x.y.z.t:500 msgid 0, 510 bytes >>> ikev2_recv: IKE_SA_INIT response from responder x.y.z.t:500 to >>> 89.136.163.27:500 policy 'home' id 0, 471 bytes >>> ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 >>> msgid 1, 1520 bytes >>> ikev2_recv: IKE_AUTH response from responder x.y.z.t:500 to >>> 89.136.163.27:500 policy 'home' id 1, 1440 bytes >>> ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG >>> ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 >>> msgid 2, 1520 bytes >>> >>> The warning about pubkey doesn't go away if I copy the server's >>> certificate to /etc/iked/pubkeys/ipv4/x.y.z.t, nor if I install it in >>> /etc/iked/certs. And then there's this, which doesn't look normal: >>> >>> ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG >>> >> [...] >> >> Ok this post sent me on the right course: >> >> http://www.going-flying.com/blog/mikrotik-openbsd-ikev2.html >> >> Here's what I did: >> >> cd /etc/ssl/vpn/private >> openssl rsa -in x.y.z.t.key -pubout -out ~/x.y.z.t >> ... copy ~/x.y.z.t to /etc/iked/pubkeys/ipv4 on the home router. >> >> After that the VPN works, I can send packets from a machine at home >> and I'm seeing them on enc0 on the remote server: >> >> # tcpdump -n -i enc0 >> >> tcpdump: listening on enc0, link-type ENC >> 05:14:04.103254 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2 >> > 10.0.0.102: icmp: echo request (encap) >> 05:14:05.134106 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2 >> > 10.0.0.102: icmp: echo request (encap) >> 05:14:06.137831 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2 >> > 10.0.0.102: icmp: echo request (encap) >> ... >> >> However, I'm now running into what seems to be a firewall problem, >> an I'm getting no answer. I do have "pass quick inet proto esp" on both >> VPN ends. Any idea where / how to fix this? >> >> Also, IPs aren't assigned automatically to the VPN ends. I can >> add them to hostname.enc0, but is this the right thing to do? I tried >> adding a line >> >> config address 10.0.0.102 >> >> to /etc/iked.conf, but that's rejected as a syntax error. A clue stick >> again please? >> >> Regards, >> >> Liviu Daia >> > >
Re: OpenBSD IPSec setup
Am 29.06.2017 12:32 schrieb Luescher Claude: Why are you using ipsec in the 21th century: https://serverfault.com/questions/202917/openvpn-vs-ipsec-pros-and-cons-what-to-use just a week after four CVEs (incl RCE) in openvpn? Great. -- pb
Re: OpenBSD IPSec setup
Why are you using ipsec in the 21th century: https://serverfault.com/questions/202917/openvpn-vs-ipsec-pros-and-cons-what-to-use I see no pros here just cons unless you need to setup a vpn with some crappy old device which should be just switched out with an obsd box anyway :) On 2017-06-29 11:29, Liviu Daia wrote: On 29 June 2017, Liviu Daia wrote: [...] On the server: # iked -d ikev2_recv: IKE_SA_INIT request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 0, 510 bytes ikev2_msg_send: IKE_SA_INIT response from x.y.z.t:500 to 89.136.163.27:500 msgid 0, 471 bytes ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 1, 1520 bytes ikev2_msg_send: IKE_AUTH response from x.y.z.t:500 to 89.136.163.27:500 msgid 1, 1440 bytes sa_state: VALID -> ESTABLISHED from 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 2, 1520 bytes ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 2, 1520 bytes ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 2, 1520 bytes ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 2, 1520 bytes On the home router: # iked -d set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/x.y.z.t ikev2_msg_send: IKE_SA_INIT request from 89.136.163.27:500 to x.y.z.t:500 msgid 0, 510 bytes ikev2_recv: IKE_SA_INIT response from responder x.y.z.t:500 to 89.136.163.27:500 policy 'home' id 0, 471 bytes ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 msgid 1, 1520 bytes ikev2_recv: IKE_AUTH response from responder x.y.z.t:500 to 89.136.163.27:500 policy 'home' id 1, 1440 bytes ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 msgid 2, 1520 bytes The warning about pubkey doesn't go away if I copy the server's certificate to /etc/iked/pubkeys/ipv4/x.y.z.t, nor if I install it in /etc/iked/certs. And then there's this, which doesn't look normal: ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG [...] Ok this post sent me on the right course: http://www.going-flying.com/blog/mikrotik-openbsd-ikev2.html Here's what I did: cd /etc/ssl/vpn/private openssl rsa -in x.y.z.t.key -pubout -out ~/x.y.z.t ... copy ~/x.y.z.t to /etc/iked/pubkeys/ipv4 on the home router. After that the VPN works, I can send packets from a machine at home and I'm seeing them on enc0 on the remote server: # tcpdump -n -i enc0 tcpdump: listening on enc0, link-type ENC 05:14:04.103254 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2 > 10.0.0.102: icmp: echo request (encap) 05:14:05.134106 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2 > 10.0.0.102: icmp: echo request (encap) 05:14:06.137831 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2 > 10.0.0.102: icmp: echo request (encap) ... However, I'm now running into what seems to be a firewall problem, an I'm getting no answer. I do have "pass quick inet proto esp" on both VPN ends. Any idea where / how to fix this? Also, IPs aren't assigned automatically to the VPN ends. I can add them to hostname.enc0, but is this the right thing to do? I tried adding a line config address 10.0.0.102 to /etc/iked.conf, but that's rejected as a syntax error. A clue stick again please? Regards, Liviu Daia
Re: OpenBSD IPSec setup
On 29 June 2017, Liviu Daia wrote: [...] > On the server: > > # iked -d > ikev2_recv: IKE_SA_INIT request from initiator 89.136.163.27:500 to > x.y.z.t:500 policy 'sb1' id 0, 510 bytes > ikev2_msg_send: IKE_SA_INIT response from x.y.z.t:500 to 89.136.163.27:500 > msgid 0, 471 bytes > ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 > policy 'sb1' id 1, 1520 bytes > ikev2_msg_send: IKE_AUTH response from x.y.z.t:500 to 89.136.163.27:500 msgid > 1, 1440 bytes > sa_state: VALID -> ESTABLISHED from 89.136.163.27:500 to x.y.z.t:500 policy > 'sb1' > ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 > policy 'sb1' id 2, 1520 bytes > ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 > policy 'sb1' id 2, 1520 bytes > ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 > policy 'sb1' id 2, 1520 bytes > ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 > policy 'sb1' id 2, 1520 bytes > > On the home router: > > # iked -d > set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/x.y.z.t > ikev2_msg_send: IKE_SA_INIT request from 89.136.163.27:500 to x.y.z.t:500 > msgid 0, 510 bytes > ikev2_recv: IKE_SA_INIT response from responder x.y.z.t:500 to > 89.136.163.27:500 policy 'home' id 0, 471 bytes > ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 msgid > 1, 1520 bytes > ikev2_recv: IKE_AUTH response from responder x.y.z.t:500 to 89.136.163.27:500 > policy 'home' id 1, 1440 bytes > ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG > ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 msgid > 2, 1520 bytes > > The warning about pubkey doesn't go away if I copy the server's > certificate to /etc/iked/pubkeys/ipv4/x.y.z.t, nor if I install it in > /etc/iked/certs. And then there's this, which doesn't look normal: > > ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG [...] Ok this post sent me on the right course: http://www.going-flying.com/blog/mikrotik-openbsd-ikev2.html Here's what I did: cd /etc/ssl/vpn/private openssl rsa -in x.y.z.t.key -pubout -out ~/x.y.z.t ... copy ~/x.y.z.t to /etc/iked/pubkeys/ipv4 on the home router. After that the VPN works, I can send packets from a machine at home and I'm seeing them on enc0 on the remote server: # tcpdump -n -i enc0 tcpdump: listening on enc0, link-type ENC 05:14:04.103254 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2 > 10.0.0.102: icmp: echo request (encap) 05:14:05.134106 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2 > 10.0.0.102: icmp: echo request (encap) 05:14:06.137831 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2 > 10.0.0.102: icmp: echo request (encap) ... However, I'm now running into what seems to be a firewall problem, an I'm getting no answer. I do have "pass quick inet proto esp" on both VPN ends. Any idea where / how to fix this? Also, IPs aren't assigned automatically to the VPN ends. I can add them to hostname.enc0, but is this the right thing to do? I tried adding a line config address 10.0.0.102 to /etc/iked.conf, but that's rejected as a syntax error. A clue stick again please? Regards, Liviu Daia
Re: OpenBSD IPSec setup
On 28 June 2017, Rupert Gallagher wrote: > You need a server-signed certificate. Ok, let me redo this from scratch: (1) On the server: ikectl ca vpn create ikectl ca vpn install ikectl ca vpn certificate x.y.z.t create ikectl ca vpn certificate x.y.z.t install ikectl ca vpn certificate 10.0.0.1 create ikectl ca vpn certificate 10.0.0.1 export ... copy 10.0.0.1.tgz to the home router (2) On the home router: tar -C /etc/iked -xzpf 10.0.0.1.tgz Nothing seems to have changed: On the server: # iked -d ikev2_recv: IKE_SA_INIT request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 0, 510 bytes ikev2_msg_send: IKE_SA_INIT response from x.y.z.t:500 to 89.136.163.27:500 msgid 0, 471 bytes ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 1, 1520 bytes ikev2_msg_send: IKE_AUTH response from x.y.z.t:500 to 89.136.163.27:500 msgid 1, 1440 bytes sa_state: VALID -> ESTABLISHED from 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 2, 1520 bytes ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 2, 1520 bytes ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 2, 1520 bytes ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 2, 1520 bytes On the home router: # iked -d set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/x.y.z.t ikev2_msg_send: IKE_SA_INIT request from 89.136.163.27:500 to x.y.z.t:500 msgid 0, 510 bytes ikev2_recv: IKE_SA_INIT response from responder x.y.z.t:500 to 89.136.163.27:500 policy 'home' id 0, 471 bytes ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 msgid 1, 1520 bytes ikev2_recv: IKE_AUTH response from responder x.y.z.t:500 to 89.136.163.27:500 policy 'home' id 1, 1440 bytes ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 msgid 2, 1520 bytes The warning about pubkey doesn't go away if I copy the server's certificate to /etc/iked/pubkeys/ipv4/x.y.z.t, nor if I install it in /etc/iked/certs. And then there's this, which doesn't look normal: ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG I'm using 6.1 release on the server, and the current snapshot on the home router: OpenBSD sb1.x.net 6.1 GENERIC#10 amd64 OpenBSD router.x.net 6.1 GENERIC.MP#44 amd64 Regards, Liviu Daia
Re: OpenBSD IPSec setup
You need a server-signed certificate. Sent from ProtonMail Mobile On Wed, Jun 28, 2017 at 11:18 AM, Liviu Daia wrote: > I'm trying to create a VPN between my home network (sitting behind an OpenBSD > router), and a remote server (also an OpenBSD machine). After reading many > man pages and searching previous posts, I'm still thoroughly confused. What I > have so far: (1) On the remote server: - fixed IP, let's call it x.y.z.t - > pf.conf: set skip on { lo, enc } pass in quick on egress inet proto udp to > any port { isakmp, ipsec-nat-t } - iked.conf: ikev2 "sb1" passive esp from > 10.0.0.102 to 10.0.0.1 local x.y.z.t peer any srcid x.y.z.t (2) On the home > router: - the internal network is 192.168.7.0/24, the external IP is dynamic > - pf.conf: set skip on { lo, enc } pass in quick on egress inet proto udp to > any port { isakmp, ipsec-nat-t } match out on enc inet to 10.0.0.102 nat-to > 10.0.0.1 match out on egress inet from !(egress:network) nat-to (egress:0) - > iked.conf: ikev2 "home" active esp from 10.0.0.1 (192.168.7.0/24) to > 10.0.0.102 local egress peer x.y.z.t srcid 10.0.0.1 Anyone, a clue stick > please? Regards, Liviu Daia
Re: OpenBSD IPSec setup
On 28 June 2017, Philipp Buehler wrote: > Am 28.06.2017 11:18 schrieb Liviu Daia: > > > > set skip on { lo, enc } > > pass in quick on egress inet proto udp to any port { isakmp, > > ipsec-nat-t } > > needs (on both) a 'pass quick inet proto esp', too I addded that, and still no dice. Logs on the server: # iked -d ikev2_recv: IKE_SA_INIT request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 0, 510 bytes ikev2_msg_send: IKE_SA_INIT response from x.y.z.t:500 to 89.136.163.27:500 msgid 0, 471 bytes ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 1, 1520 bytes ikev2_msg_send: IKE_AUTH response from x.y.z.t:500 to 89.136.163.27:500 msgid 1, 1440 bytes sa_state: VALID -> ESTABLISHED from 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 2, 1520 bytes ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 2, 1520 bytes ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 2, 1520 bytes ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 2, 1520 bytes ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to x.y.z.t:500 policy 'sb1' id 2, 1520 bytes Logs on the home router: # iked -d set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/x.y.z.t ikev2_msg_send: IKE_SA_INIT request from 89.136.163.27:500 to x.y.z.t:500 msgid 0, 510 bytes ikev2_recv: IKE_SA_INIT response from responder x.y.z.t:500 to 89.136.163.27:500 policy 'home' id 0, 471 bytes ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 msgid 1, 1520 bytes ikev2_recv: IKE_AUTH response from responder x.y.z.t:500 to 89.136.163.27:500 policy 'home' id 1, 1440 bytes ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500 msgid 2, 1520 bytes Regards, Liviu Daia
Re: OpenBSD IPSec setup
Am 28.06.2017 11:18 schrieb Liviu Daia: set skip on { lo, enc } pass in quick on egress inet proto udp to any port { isakmp, ipsec-nat-t } needs (on both) a 'pass quick inet proto esp', too -- pb
OpenBSD IPSec setup
I'm trying to create a VPN between my home network (sitting behind an OpenBSD router), and a remote server (also an OpenBSD machine). After reading many man pages and searching previous posts, I'm still thoroughly confused. What I have so far: (1) On the remote server: - fixed IP, let's call it x.y.z.t - pf.conf: set skip on { lo, enc } pass in quick on egress inet proto udp to any port { isakmp, ipsec-nat-t } - iked.conf: ikev2 "sb1" passive esp \ from 10.0.0.102 to 10.0.0.1 \ local x.y.z.t peer any \ srcid x.y.z.t (2) On the home router: - the internal network is 192.168.7.0/24, the external IP is dynamic - pf.conf: set skip on { lo, enc } pass in quick on egress inet proto udp to any port { isakmp, ipsec-nat-t } match out on enc inet to 10.0.0.102 nat-to 10.0.0.1 match out on egress inet from !(egress:network) nat-to (egress:0) - iked.conf: ikev2 "home" active esp \ from 10.0.0.1 (192.168.7.0/24) to 10.0.0.102 \ local egress peer x.y.z.t \ srcid 10.0.0.1 Anyone, a clue stick please? Regards, Liviu Daia