Re: ipsec via iked

2015-11-04 Thread trondd
> I did read the puffysecurity website

Did you?  I struggled with this for a while, too, and found the
puffysecurity example, when followed, works.

>
> For example, the laptop is connected to internet through a network
> 192.168.100.0/24 (ip 192.168.100.37)
>
> The working configuration is (now using a CA, no more PSK):
>
> On the gateway :
> distantnet="192.168.100.0/24"
> ikev2 "qcvpn" passive ipcomp esp \
> from 192.168.0.0/24 to $distantnet \
> peer any \
> srcid ets.qualitycenter.fr
>

> I've tried other configurations like this:
>
> On the gateway :
> distantnet="192.168.33.0/24"
> ikev2 "qcvpn" passive ipcomp esp \
> from 192.168.0.0/24 to $distantnet \
> peer any \
> srcid ets.qualitycenter.fr \
> config address 192.168.33.2 \
> config name-server 192.168.0.190
>

Why do you keep configuring a specific network if that is not what you
want to do?  Did you try 0.0.0.0/0?

> I got the flows from peer 196.207.241.154 to 192.168.33.0 in both directions
> and SAD ok (same as in the working configuration but 192.168.100 is replaced
> by 192.168.33, which looks fine to me), but I'm not able to get access to
> any distant computer. The laptop pf is as simple as possible:
> pass in
> match out on enc0 nat-to 192.168.33.2
>

I don't think you're supposed to NAT on the enc0 interface.  That's a
special internal interface.  If you're going out to the internet you have
to NAT on the egress interface.  Why are you doing NAT on the laptop at
all, actually?  If you're trying to get the laptop to talk over the VPN
tunnel, that's what iked does, you only need to allow VPN ports and
protocols through the laptop firewall.

I can't get to my working config from where I am now, if I remember, I'll
send it along this evening.

Tim.
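A minimal road-warrior pair along the lines Tim suggests (no fixed remote /24 on the gateway, no nat-to on enc0), added here as an illustration and not anything posted in this thread. Names and addresses are taken from Sébastien's configs, 203.0.113.1 is a documentation placeholder for the company gateway, and it is assumed that `request address any` on the laptop is how the client accepts the address the gateway hands out.

```conf
# --- gateway: /etc/iked.conf (added example, not from the thread) ---
# Accept any peer; iked narrows "to 0.0.0.0/0" down to the single address
# it assigns from the pool, so the gateway never needs to know which
# network the laptop is currently on.
ikev2 "qcvpn" passive ipcomp esp \
	from 192.168.0.0/24 to 0.0.0.0/0 \
	peer any \
	srcid ets.qualitycenter.fr \
	config address 192.168.33.0/24 \
	config name-server 192.168.0.190

# --- laptop: /etc/iked.conf ---
# 203.0.113.1 is a placeholder for the gateway's public address.
ikev2 "qcvpn" active esp \
	from 0.0.0.0/0 to 192.168.0.0/24 \
	peer 203.0.113.1 \
	srcid boutxy \
	request address any

# --- laptop: /etc/pf.conf ---
# Only IKE, NAT-T and ESP from the gateway need to reach iked; traffic to
# 192.168.0.0/24 is carried by the flows iked installs, so nothing is
# translated on enc0.
set skip on lo
block in
pass in on egress proto udp from 203.0.113.1 to port { isakmp, ipsec-nat-t }
pass in on egress proto esp from 203.0.113.1
pass in on enc0 from 192.168.0.0/24 keep state (if-bound)
pass out
```

After loading both sides, `ikectl show sa` on the gateway and `ipsecctl -sa` on the laptop should show the flow from the assigned 192.168.33.x address to 192.168.0.0/24 rather than from the laptop's local network.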



Re: ipsec via iked

2015-11-04 Thread Sébastien Morand
> While not an endorsed FAQ or man page from the project, this:
> http://puffysecurity.com/wiki/openikedoffshore.html should give you a
> few tips on how to achieve this.  The man page (iked.conf) and the
> references for pf within it should be enough to work it out.  But from my
> observations of your ikev2 configs, you are making it a little more complex
> than it needs to.
>
Hi,

I did read the puffysecurity website, man pages and all the docs I have
found here and there, still the same problem. Here is a simpler example:

I'm able to make it work, but the gateway configuration has to know the
laptop network.

For example, the laptop is connected to the internet through the network
192.168.100.0/24 (ip 192.168.100.37).

The working configuration is (now using a CA, no more PSK):

On the gateway:
distantnet="192.168.100.0/24"
ikev2 "qcvpn" passive ipcomp esp \
from 192.168.0.0/24 to $distantnet \
peer any \
srcid ets.qualitycenter.fr

On the laptop (xxx.xxx.xxx.xxx is my real company external IP):
localip=egress
ikev2 "qcvpn" active esp \
from $localip to 192.168.0.0/24 \
peer xxx.xxx.xxx.xxx \
srcid boutxy

That's working (I can ping 192.168.0.190 for instance, or get ssh access), but
the gateway knows I'm using a 192.168.100.0/24 network, which is not really
acceptable.

I've tried other configurations like this:

On the gateway:
distantnet="192.168.33.0/24"
ikev2 "qcvpn" passive ipcomp esp \
from 192.168.0.0/24 to $distantnet \
peer any \
srcid ets.qualitycenter.fr \
config address 192.168.33.2 \
config name-server 192.168.0.190

On the laptop:
localip="192.168.33.2 (192.168.100.37)"
ikev2 "qcvpn" active esp \
from $localip to 192.168.0.0/24 \
peer xxx.xxx.xxx.xxx \
srcid boutxy

I got the flows from peer 196.207.241.154 to 192.168.33.0 in both directions
and SAD ok (same as in the working configuration but 192.168.100 is replaced
by 192.168.33, which looks fine to me), but I'm not able to get access to
any distant computer. The laptop pf is as simple as possible:
pass in
match out on enc0 nat-to 192.168.33.2
pass out

On the gateway the same:
pass in quick on enc0
pass out quick on enc0

Any idea?

Regards,
Sebastien



ipsec via iked

2015-11-02 Thread Sébastien Morand
Hi,

I set up an ipsec VPN via iked.

On the server:

distantnet="192.168.100.0/24"
ikev2 passive ipcomp esp \
from 192.168.0.0/24 to $distantnet \
from 192.168.1.0/24 to $distantnet \
from 192.168.2.0/24 to $distantnet \
from 192.168.4.0/24 to $distantnet \
from 192.168.10.0/24 to $distantnet \
from 192.168.20.0/24 to $distantnet \
from 192.168.21.0/24 to $distantnet \
from 192.168.24.0/24 to $distantnet \
peer any \
psk "my-preshared-key"

On my laptop:
ikev2 ipcomp esp \
from egress to 192.168.0.0/24 \
from egress to 192.168.1.0/24 \
from egress to 192.168.2.0/24 \
from egress to 192.168.4.0/24 \
from egress to 192.168.10.0/24 \
from egress to 192.168.20.0/24 \
from egress to 192.168.24.0/24 \
peer entrepriseexternalip \
psk "my-preshared-key"

The point is that the server has to know my home network (192.168.100.0/24).
How do I make it work wherever my laptop is?

I tried with config address options but can't make it work.

Thanks in advance,
Sebastien



Re: ipsec via iked

2015-11-02 Thread Jason Tubnor
On 3 November 2015 at 03:14, Sébastien Morand wrote:

> Hi,
>
> I set up an ipsec VPN via iked.
>
>
> The point is that the server has to know my home network (192.168.100.0/24).
> How do I make it work wherever my laptop is?
>
> I tried with config address options but can't make it work.
>

While not an endorsed FAQ or man page from the project, this:
http://puffysecurity.com/wiki/openikedoffshore.html should give you a few
tips on how to achieve this.  The man page (iked.conf) and the references
for pf within it should be enough to work it out.  But from my observations
of your ikev2 configs, you are making it a little more complex than it
needs to be.

Cheers.