Re: OpenBSD as an IKEv2 IPsec client with L/P authent

2018-02-23 Thread csszep
Hi!

So the OpenBSD kernel catches UDP-encapsulated ESP packets by default:

netstat -s

esp:
4288 input ESP packets
0 output ESP packets
0 packets from unsupported protocol families
0 packets shorter than header shows
0 packets dropped due to policy
4281 packets for which no TDB was found


I disabled it, and Strongswan works!

openbsdvm1# sysctl net.inet.esp.enable=0
net.inet.esp.enable: 1 -> 0
openbsdvm1# sysctl net.inet.esp.udpencap=0
net.inet.esp.udpencap: 1 -> 0


Thx
Csszep


2018-02-23 10:29 GMT+01:00 csszep :

> Hi!
>
> I tried to compile strongswan with the "kernel-libipsec" plugin for the same
> reason
>
> https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
>
> The *kernel-libipsec* plugin provides an IPsec backend that works
> entirely in userland, using TUN devices
>
> My experience is that there is some work to be done to use it, but my C fu
> isn't strong enough to finish.
>
> I made a simple patch for the tun handling:
>
> --- src/libstrongswan/networking/tun_device.c.orig  Fri Feb 23
> 10:10:34 2018
> +++ src/libstrongswan/networking/tun_device.c   Fri Feb 23 10:43:38 2018
> @@ -62,6 +62,10 @@
>  #include 
>  #include 
>  #include 
> +#elif __OpenBSD__
> +#include 
> +#include 
> +#include 
>  #else
>  #include 
>  #endif
> @@ -338,6 +342,12 @@
> uint32_t proto = htonl(AF_INET);
> packet = chunk_cata("cc", chunk_from_thing(proto), packet);
>  #endif
> +#ifdef __OpenBSD__
> +/* OpenBSD tun expect the packets to be prepended by a 32-bit
> protocol number
> + * instead of parsing the packet again, we assume IPv4 for now */
> +uint32_t proto = htonl(AF_INET);
> +packet = chunk_cata("cc", chunk_from_thing(proto), packet);
> +#endif
> s = write(this->tunfd, packet.ptr, packet.len);
> if (s < 0)
> {
> @@ -374,6 +384,10 @@
>  #ifdef __APPLE__
> /* UTUN's prepend packets with a 32-bit protocol number */
> data = chunk_skip(data, sizeof(uint32_t));
> +#endif
> +#ifdef __OpenBSD__
> +/* OpenBSD tun prepend packets with a 32-bit protocol number */
> +data = chunk_skip(data, sizeof(uint32_t));
>  #endif
> *packet = chunk_clone(data);
> return TRUE;
>
>
> I compile Strongswan 5.6.2 with the following options:
>
> CC=clang ./configure --disable-kernel-netlink --enable-kernel-pfroute \
>     --enable-kernel-libipsec --disable-scripts --enable-eap-mschapv2 \
>     --enable-md4 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
>     --enable-eap-radius --enable-eap-identity --enable-aesni --enable-gcm
> make
> make install
>
> openbsdvm1# ipsec start
> Starting strongSwan 5.6.2 IPsec [starter]...
> no netkey IPsec stack detected
> no KLIPS IPsec stack detected
> no known IPsec stack detected, ignoring!
>
>
> I'm using an EAP-MSCHAPv2 client config with virtual IP address request, and
> the IKE part is working out of the box:
>
> conn vpn.csszep.net
>     left=192.168.56.11
>     leftsourceip=%config
>     leftauth=eap
>     eap_identity=carol
>     right=vpn.csszep.net
>     rightauth=pubkey
>     #rightid=@vpn.csszep.net
>     rightid="C=HU O=Strongswan CN=vpn.csszep.net"
>     rightsubnet=192.0.2.0/24
>     auto=add
>
>
> openbsdvm1# ipsec up vpn.csszep.net
> initiating IKE_SA vpn.csszep.net[1] to 192.168.56.16
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 192.168.56.11[500] to 192.168.56.16[500] (748 bytes)
> received packet: from 192.168.56.16[500] to 192.168.56.11[500] (38 bytes)
> parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> peer didn't accept DH group CURVE_25519, it requested MODP_3072
> initiating IKE_SA vpn.csszep.net[1] to 192.168.56.16
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 192.168.56.11[500] to 192.168.56.16[500] (1100 bytes)
> received packet: from 192.168.56.16[500] to 192.168.56.11[500] (592 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> faking NAT situation to enforce UDP encapsulation
> sending cert request for "C=HU O=Strongswan CN=Strongswan CA"
> establishing CHILD_SA vpn.csszep.net{1}
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR
> DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY)
> N(MSG_ID_SYN_SUP) ]
> sending packet: from 192.168.56.11[4500] to 192.168.56.16[4500] (384 bytes)
> received packet: from 192.168.56.16[4500] to 192.168.56.11[4500] (1184
> bytes)
> parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> received end entity cert "C=HU O=Strongswan CN=vpn.csszep.net"
>   using certificate "C=HU O=Strongswan CN=vpn.csszep.net"
>   using trusted ca certificate "C=HU O=Strongswan CN=Strongswan CA"
> checking certificate status of "C=HU 
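Added example, not from the post above: a small sh helper that turns the check
csszep did by hand into something repeatable. It reads the two sysctls and the
esp: counter from `netstat -s` before and after an `ipsec up`, so a growing
"packets for which no TDB was found" count while udpencap is enabled points at
the kernel intercepting the ESP-in-UDP, not at strongSwan. The parsing and
verdict functions take text, so they also run against the constructed sample
embedded below; only `live_check` needs the OpenBSD box. The conn name and the
sample counter values are my own.

```sh
#!/bin/sh
# Added example (not from the original post): confirm that the OpenBSD
# kernel is not intercepting the UDP-encapsulated ESP that a userland
# (kernel-libipsec) strongSwan has to receive itself. Parsing works on
# text so it can be run against saved `netstat -s` output as well.

# Print the "packets for which no TDB was found" counter from the esp:
# section of netstat -s output read on stdin (prints nothing if absent).
esp_no_tdb_count() {
    awk '
        /^[a-z0-9]+:[[:space:]]*$/ { in_esp = ($1 == "esp:"); next }
        in_esp && /packets for which no TDB was found/ { print $1; exit }
    '
}

# True when the kernel will claim ESP-in-UDP (the udpencap port) itself.
kernel_claims_udpencap() {
    # $1 = net.inet.esp.enable, $2 = net.inet.esp.udpencap (0 or 1)
    [ "$1" = 1 ] && [ "$2" = 1 ]
}

# Verdict from two counter samples taken around a connection attempt.
# Returns 0 = packets reach userland, 1 = kernel is eating them,
# 2 = kernel could eat them but no orphan ESP has arrived yet.
esp_verdict() {
    # $1 enable, $2 udpencap, $3 no-TDB count before, $4 no-TDB count after
    if kernel_claims_udpencap "$1" "$2"; then
        if [ "$4" -gt "$3" ]; then
            echo "kernel consumed $(($4 - $3)) ESP packets with no TDB;" \
                 "set net.inet.esp.udpencap=0 and net.inet.esp.enable=0"
            return 1
        fi
        echo "kernel udpencap is on but no orphan ESP has been seen yet"
        return 2
    fi
    echo "kernel ESP/udpencap disabled: ESP-in-UDP reaches strongSwan"
    return 0
}

# Constructed samples modelled on the counters quoted in the post.
SAMPLE_BEFORE='ip:
        1200 total packets received
esp:
        4200 input ESP packets
        0 output ESP packets
        4193 packets for which no TDB was found
ah:
        0 input AH packets'
SAMPLE_AFTER='esp:
        4288 input ESP packets
        0 output ESP packets
        4281 packets for which no TDB was found'

# Live run on an OpenBSD host: sample, bring the conn up, sample again.
# Usage: sh esp_check.sh live <conn-name>   (the ipsec(8) conn to test)
live_check() {
    enable=$(sysctl -n net.inet.esp.enable)
    udpencap=$(sysctl -n net.inet.esp.udpencap)
    before=$(netstat -s -p esp | esp_no_tdb_count)
    ipsec up "$1" >/dev/null 2>&1
    sleep 3
    after=$(netstat -s -p esp | esp_no_tdb_count)
    esp_verdict "$enable" "$udpencap" "${before:-0}" "${after:-0}"
}

case "${1:-}" in
    live) live_check "${2:?conn name required}" ;;
esac
```

Run it as `sh esp_check.sh live vpn.csszep.net` right after starting charon; if
the verdict is 1, apply the two sysctls from the post and add them to
/etc/sysctl.conf so they survive a reboot.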

Re: OpenBSD as an IKEv2 IPsec client with L/P authent

2018-02-23 Thread csszep
Hi!

I tried to compile strongswan with the "kernel-libipsec" plugin for the same
reason

https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec

The *kernel-libipsec* plugin provides an IPsec backend that works entirely
in userland, using TUN devices

My experience is that there is some work to be done to use it, but my C fu
isn't strong enough to finish.

I made a simple patch for the tun handling:

--- src/libstrongswan/networking/tun_device.c.orig  Fri Feb 23 10:10:34
2018
+++ src/libstrongswan/networking/tun_device.c   Fri Feb 23 10:43:38 2018
@@ -62,6 +62,10 @@
 #include 
 #include 
 #include 
+#elif __OpenBSD__
+#include 
+#include 
+#include 
 #else
 #include 
 #endif
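Review bot: `#elif __OpenBSD__` tests the value of a macro that is undefined on every other platform, which silently evaluates to 0 and trips -Wundef; use `#elif defined(__OpenBSD__)`, matching the `#ifdef __OpenBSD__` form the next two hunks use. The three added `#include` lines have also lost their header names in this copy of the patch, so they cannot be checked here; please resend with the targets intact.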
@@ -338,6 +342,12 @@
uint32_t proto = htonl(AF_INET);
packet = chunk_cata("cc", chunk_from_thing(proto), packet);
 #endif
+#ifdef __OpenBSD__
+/* OpenBSD tun expect the packets to be prepended by a 32-bit
protocol number
+ * instead of parsing the packet again, we assume IPv4 for now */
+uint32_t proto = htonl(AF_INET);
+packet = chunk_cata("cc", chunk_from_thing(proto), packet);
+#endif
s = write(this->tunfd, packet.ptr, packet.len);
if (s < 0)
{
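Review bot: the comment admits it, but hard-coding `htonl(AF_INET)` means every IPv6 packet written to the tun is handed to the kernel labelled as IPv4 and dropped or misparsed; the family is cheap to derive from the version nibble, e.g. `uint32_t proto = htonl((packet.ptr[0] >> 4) == 6 ? AF_INET6 : AF_INET);`, guarded by a `packet.len > 0` check. The new block is also a verbatim copy of the `__APPLE__` block whose `#endif` sits directly above it; merging them under `#if defined(__APPLE__) || defined(__OpenBSD__)` keeps the two in step and avoids the duplicated `proto` declaration.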
@@ -374,6 +384,10 @@
 #ifdef __APPLE__
/* UTUN's prepend packets with a 32-bit protocol number */
data = chunk_skip(data, sizeof(uint32_t));
+#endif
+#ifdef __OpenBSD__
+/* OpenBSD tun prepend packets with a 32-bit protocol number */
+data = chunk_skip(data, sizeof(uint32_t));
 #endif
*packet = chunk_clone(data);
return TRUE;
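Review bot: the 32-bit family word is skipped but never inspected, so whatever frame the kernel hands over on the tun is passed up as an IP packet; read it with `uint32_t proto; memcpy(&proto, data.ptr, sizeof(proto));` before the `chunk_skip` (after checking `data.len >= sizeof(uint32_t)`) and drop frames whose `ntohl(proto)` is neither `AF_INET` nor `AF_INET6`. As in the write path, this duplicates the `__APPLE__` block immediately above; one `#if defined(__APPLE__) || defined(__OpenBSD__)` would serve both.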


I compile Strongswan 5.6.2 with the following options:

CC=clang ./configure --disable-kernel-netlink --enable-kernel-pfroute \
    --enable-kernel-libipsec --disable-scripts --enable-eap-mschapv2 \
    --enable-md4 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
    --enable-eap-radius --enable-eap-identity --enable-aesni --enable-gcm
make
make install

openbsdvm1# ipsec start
Starting strongSwan 5.6.2 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!


I'm using an EAP-MSCHAPv2 client config with virtual IP address request, and
the IKE part is working out of the box:

conn vpn.csszep.net
    left=192.168.56.11
    leftsourceip=%config
    leftauth=eap
    eap_identity=carol
    right=vpn.csszep.net
    rightauth=pubkey
    #rightid=@vpn.csszep.net
    rightid="C=HU O=Strongswan CN=vpn.csszep.net"
    rightsubnet=192.0.2.0/24
    auto=add


openbsdvm1# ipsec up vpn.csszep.net
initiating IKE_SA vpn.csszep.net[1] to 192.168.56.16
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.56.11[500] to 192.168.56.16[500] (748 bytes)
received packet: from 192.168.56.16[500] to 192.168.56.11[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group CURVE_25519, it requested MODP_3072
initiating IKE_SA vpn.csszep.net[1] to 192.168.56.16
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.56.11[500] to 192.168.56.16[500] (1100 bytes)
received packet: from 192.168.56.16[500] to 192.168.56.11[500] (592 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
faking NAT situation to enforce UDP encapsulation
sending cert request for "C=HU O=Strongswan CN=Strongswan CA"
establishing CHILD_SA vpn.csszep.net{1}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR
DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY)
N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.56.11[4500] to 192.168.56.16[4500] (384 bytes)
received packet: from 192.168.56.16[4500] to 192.168.56.11[4500] (1184
bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
received end entity cert "C=HU O=Strongswan CN=vpn.csszep.net"
  using certificate "C=HU O=Strongswan CN=vpn.csszep.net"
  using trusted ca certificate "C=HU O=Strongswan CN=Strongswan CA"
checking certificate status of "C=HU O=Strongswan CN=vpn.csszep.net"
certificate status is not available
  reached self-signed root ca with a path length of 0
authentication of 'C=HU O=Strongswan CN=vpn.csszep.net' with
RSA_EMSA_PKCS1_SHA2_256 successful
server requested EAP_IDENTITY (id 0x00), sending 'carol'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 192.168.56.11[4500] to 192.168.56.16[4500] (80 bytes)
received packet: from 192.168.56.16[4500] to 192.168.56.11[4500] (112 bytes)
parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
server requested EAP_MSCHAPV2 authentication (id 0x42)
generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
sending packet: from 192.168.56.11[4500] to 192.168.56.16[4500] (144 bytes)
received packet: from 192.168.56.16[4500] to 192.168.56.11[4500] (144 bytes)
parsed IKE_AUTH response 3 [ 

Re: OpenBSD as an IKEv2 IPsec client with L/P authent

2018-02-22 Thread Martijn van Duren

On 02/22/18 09:51, Joel Carnat wrote:
> Hi,
> 
> On 22/02/2018 09:35, Stuart Henderson wrote:
> > On 2018-02-22, Igor V. Gubenko  wrote:
> > > I am far from an expert; having issues myself at the moment, but maybe
> > > if we get all of the iked experimenters together, we can figure it out
> > > :)
> > 
> > This definitely isn't going to work, iked only supports username/password
> > authentication as a responder, not initiator.
> 
> Is there any software that enables openbsd to be an ipsec initiator
> using user/pass ?
> 
> Thanks.

Maybe not as native a solution as you'd like, but I have one environment
where I have to log in with username/password over ikev2. For this I have
a VM with Alpine Linux+strongswan through which I route the VPN-destined
traffic.




Re: OpenBSD as an IKEv2 IPsec client with L/P authent

2018-02-22 Thread Stuart Henderson
On 2018/02/22 09:51, Joel Carnat wrote:
> Hi,
> 
> On 22/02/2018 09:35, Stuart Henderson wrote:
> > On 2018-02-22, Igor V. Gubenko  wrote:
> > > I am far from an expert; having issues myself at the moment, but maybe
> > > if we get all of the iked experimenters together, we can figure it out
> > > :)
> > 
> > This definitely isn't going to work, iked only supports username/password
> > authentication as a responder, not initiator.
> 
> Is there any software that enables openbsd to be an ipsec initiator using
> user/pass ?

Not for IKEv2. OpenBSD iked as client supports psk but not EAP for
user/password. AFAIK no other implementations have been ported.

By far the simplest way which doesn't rely on psk, if the other side
supports it, is to use iked with public keys (without using x509 pki)
- just copy local.pub from one side to the appropriate subdirectory of
pubkeys/ on the other.

It *may* be possible for IKEv1 with xauth using vpnc, but it's old
all-userland software, not using the standard OpenBSD IPsec stack, the
port (and probably upstream software) are not really maintained.
No modern crypto.
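Added example, not from Stuart's message and not iked's own code: a sh helper
for the "copy local.pub to the right pubkeys/ subdirectory" step. With no psk
or eap keyword in the policy, iked(8) authenticates with public keys and opens
/etc/iked/pubkeys/<type>/<id>, where <type> is the identity type from
iked.conf(5) (ipv4, ipv6, fqdn, ufqdn) and <id> the identity string; that is
exactly the path in Joel's `set_policy: could not find pubkey for
/etc/iked/pubkeys/ipv4/78.192.10.15` line. The IKED_PUBKEYS override, the
policy name "home" and the reuse of Joel's addresses are my assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): install a peer's iked(8) local.pub
# under /etc/iked/pubkeys/<type>/<id>, the layout iked searches when a
# policy has no psk/eap and falls back to public-key authentication.

: "${IKED_PUBKEYS:=/etc/iked/pubkeys}"   # overridable for testing

# Identity type for an IKEv2 id, named as iked names the subdirectories.
pubkey_subdir() {
    case "$1" in
        *@*) echo ufqdn ;;              # user@host form
        *:*) echo ipv6 ;;               # IPv6 literal
        *)
            if printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
            then echo ipv4
            else echo fqdn
            fi ;;
    esac
}

# Path iked will try for a given peer id (compare the error in the thread).
pubkey_path() {
    echo "$IKED_PUBKEYS/$(pubkey_subdir "$1")/$1"
}

# Install a local.pub copied from the peer (PEM) under that path.
# It is the public half, so 0644 is fine; prints the installed path.
install_peer_pubkey() {
    src=$1 id=$2
    dst=$(pubkey_path "$id")
    mkdir -p "$(dirname "$dst")" &&
    cp "$src" "$dst" && chmod 0644 "$dst" &&
    echo "$dst"
}

# Matching policy for Joel's setup (addresses from the thread, policy name
# my own): no psk/eap, so iked uses the key files above. srcid/dstid are
# the ids the files are named after on each side: the peer must hold this
# host's local.pub as pubkeys/ipv4/108.61.176.54.
print_iked_conf() {
    cat <<'EOF'
ikev2 "home" active esp \
        from egress to 192.168.0.0/24 \
        peer 78.192.10.15 \
        srcid 108.61.176.54 dstid 78.192.10.15
EOF
}
```

The same helper is run on the peer with the roles swapped; both sides need the
other's key in place before `iked -dv` will get past IKE_SA_INIT with
public-key authentication.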



Re: OpenBSD as an IKEv2 IPsec client with L/P authent

2018-02-22 Thread Joel Carnat

Hi,

On 22/02/2018 09:35, Stuart Henderson wrote:
> On 2018-02-22, Igor V. Gubenko  wrote:
> > I am far from an expert; having issues myself at the moment, but maybe
> > if we get all of the iked experimenters together, we can figure it out
> > :)
> 
> This definitely isn't going to work, iked only supports username/password
> authentication as a responder, not initiator.


Is there any software that enables openbsd to be an ipsec initiator 
using user/pass ?


Thanks.



Re: OpenBSD as an IKEv2 IPsec client with L/P authent

2018-02-22 Thread Stuart Henderson
On 2018-02-22, Igor V. Gubenko  wrote:
> I am far from an expert; having issues myself at the moment, but maybe
> if we get all of the iked experimenters together, we can figure it out
>:) 

This definitely isn't going to work, iked only supports username/password
authentication as a responder, not initiator.




Re: OpenBSD as an IKEv2 IPsec client with L/P authent

2018-02-21 Thread Igor V. Gubenko
I am far from an expert; having issues myself at the moment, but maybe
if we get all of the iked experimenters together, we can figure it out
:) 

First, try "-dvv" ... an extra "v" might give more info. 

Next, from the existing trace it looks like your endpoint responds,
which is good, but your OpenBSD side doesn't seem to like it. 

My (uneducated) guess is that you should see what encryption pairs for
both phases are configured on the endpoint, and try to explicitly
specify them in your configuration. 

Also make sure that you are not firewalling ESP, et al. Check the docs
on what to allow in PF. "tcpdump" the egress interface (and/or pflog0)
to check whether you have anything going to /dev/null.

---
Igor V. Gubenko 

System Engineer 

On 2018-02-15 09:14, Joel Carnat wrote:

> Hi,
> 
> My FTTH home-box provides IKEv2 server support.
> I connected my iPhone, via 3G, to it. I can now access my internal home-LAN. 
> So I know it works.
> 
> I want to do the same with an OpenBSD server hosted in "the Cloud" ; in 
> transport mode as far as I understood the docs.
> I've struggled with ipsec.conf(5), ipsecctl(8) and iked(8) for a couple of 
> hours now but I can't connect OpenBSD to the box.
> 
> The home-box is using IKEv2 and User/Password authentication mode.
> The OpenBSD machine is 6.2/amd64.
> 
> I have configured iked.conf(5) like this:
> ikev2 active esp \
> from egress to 192.168.0.0/24 \
> peer 78.192.10.15
> 
> And running iked(8) goes:
> # iked -dv
> set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/78.192.10.15
> ikev2 "policy1" active esp inet from 108.61.176.54 to 192.168.0.0/24 local 
> any peer 78.192.10.15 ikesa enc aes-256,aes-192,aes-128,3des prf 
> hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group 
> modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth 
> hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 rfc7427
> ikev2_msg_send: IKE_SA_INIT request from 0.0.0.0:500 to 78.192.10.15:500 
> msgid 0, 510 bytes
> ikev2_recv: IKE_SA_INIT response from responder 78.192.10.15:500 to 
> 108.61.176.54:500 policy 'policy1' id 0, 456 bytes
> 
> And that's all :(
> 
> Is there a way to use l/p authent with iked(8)?
> Or am I just not using the right software? In which case, what would the 
> proper tool be?
> 
> Thanks for help.


OpenBSD as an IKEv2 IPsec client with L/P authent

2018-02-15 Thread Joel Carnat

Hi,

My FTTH home-box provides IKEv2 server support.
I connected my iPhone, via 3G, to it. I can now access my internal 
home-LAN. So I know it works.


I want to do the same with an OpenBSD server hosted in "the Cloud" ; in 
transport mode as far as I understood the docs.
I've struggled with ipsec.conf(5), ipsecctl(8) and iked(8) for a couple 
of hours now but I can't connect OpenBSD to the box.


The home-box is using IKEv2 and User/Password authentication mode.
The OpenBSD machine is 6.2/amd64.

I have configured iked.conf(5) like this:
ikev2 active esp \
from egress to 192.168.0.0/24 \
peer 78.192.10.15

And running iked(8) goes:
# iked -dv
set_policy: could not find pubkey for 
/etc/iked/pubkeys/ipv4/78.192.10.15
ikev2 "policy1" active esp inet from 108.61.176.54 to 192.168.0.0/24 
local any peer 78.192.10.15 ikesa enc aes-256,aes-192,aes-128,3des prf 
hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group 
modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth 
hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 rfc7427
ikev2_msg_send: IKE_SA_INIT request from 0.0.0.0:500 to 78.192.10.15:500 
msgid 0, 510 bytes
ikev2_recv: IKE_SA_INIT response from responder 78.192.10.15:500 to 
108.61.176.54:500 policy 'policy1' id 0, 456 bytes


And that's all :(

Is there a way to use l/p authent with iked(8)?
Or am I just not using the right software? In which case, what would the 
proper tool be?


Thanks for help.