Hans-Joerg Hoexer wrote:
> what ipsec software is running on the clients?  What does your
> ipsec.conf on the firewall look like?
> 
> On Sat, Sep 02, 2006 at 04:01:51PM -0400, Axton Grams wrote:
>> Hoping someone can point me in the right direction to get isakmpd working.
>>
>> The scenario:
>> - the router drops all traffic directed to it from the dmz net
>> - the router drops all traffic destined for the lan from the dmz
>> - the router drops all traffic destined for the dmz from the lan
>> - vlan1 (dmz) has linux hosts
>> - vlan2 (lan) has windows and linux hosts, for the purpose of this
>> exercise, I am using a windows host
>>
>> The goals:
>> - create a way by which hosts in the lan can connect to the dmz network
>> using ipsec/isakmpd
>> - starting off with simple auth, shared secret passphrase
>>
>> Some background Info:
>>
>> My network is as follows:
>> (trunking is next on my list, but for now, I have separate interfaces on
>> the router for each vlan)
>>
>>                     |
>>                 Internet (dynamic ip)
>>                     |1.1.1.2
>>        +------------------------+
>>        |   router/fw/isakmpd    |
>>        +------------------------+
>>     10.180.16.1 |     |10.107.208.1
>>            dmz  |     |  lan
>>        +--------+     +--------+
>>        |                       |
>>     +-----------------------------+
>>     |           switch            |
>>     |  vlan1       |      vlan2   |
>>     +-----------------------------+
>>            |            |
>>            |            |
>> +---------------+ +-------------------+
>> | www server    | |   workstation 1   +
>> | 10.180.16.250 | |   10.107.208.20   +
>> +---------------+ +-------------------+
>>
>> - OpenBSD Router:
>> - relevant ifconfig
>> ** internet
>> hme0:
>> flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
>> mtu 1500
>>         lladdr xxx
>>         groups: egress
>>         media: Ethernet 100baseTX full-duplex
>>         status: active
>>         inet6 xxx%hme0 prefixlen 64 scopeid 0x2
>>         inet 1.1.1.2 netmask 0xffffe000 broadcast 1.1.1.255
>> ** lan
>> hme1:
>> flags=8363<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,MULTICAST>
>> mtu 1500
>>         lladdr 08:00:20:ca:7d:c5
>>         media: Ethernet 100baseTX
>>         status: active
>>         inet 10.107.208.1 netmask 0xffffff00 broadcast 10.107.208.255
>>         inet6 fe80::a00:20ff:feca:7dc5%hme1 prefixlen 64 scopeid 0x3
>> ** dmz
>> hme2:
>> flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
>> mtu 1500
>>         lladdr 08:00:20:ca:7d:c6
>>         media: Ethernet autoselect (100baseTX full-duplex)
>>         status: active
>>         inet 10.180.16.1 netmask 0xffffff00 broadcast 10.180.16.255
>>         inet6 fe80::a00:20ff:feca:7dc6%hme2 prefixlen 64 scopeid 0x4
>>
> 

I see the SA established on both machines when I generate traffic from
the lan machine to the dmz machine:

# ipsecctl -s all
FLOWS:
flow esp in from 10.107.208.20 to 10.180.0.0/16 peer 10.107.208.20
flow esp out from 10.180.0.0/16 to 10.107.208.20 peer 10.107.208.20

SADB:
esp tunnel from 10.107.208.1 to 10.107.208.20 spi 0x6a1e4b88 enc
3des-cbc auth hmac-sha1
esp tunnel from 10.107.208.20 to 10.107.208.1 spi 0x2f9e0f0b enc
3des-cbc auth hmac-sha1

C:\Program Files\Support Tools>ipseccmd show sas

Main Mode SAs
------------------------------

Main Mode SA #1:
 From 10.107.208.20
  To  10.107.208.1
 Policy Id : {F692F46D-7E01-4929-9DA3-AAEFD79B7A97}
 Offer Used :
        3DES SHA1  DH Group 2
        Quickmode limit : 0, Lifetime 0Kbytes/28800seconds
 Auth Used : Preshared Key
 Initiator cookie 4d9a6c5aa8ea5bf1
 Responder cookie ef0f72aba9f15fc8
 Source UDP Encap port : 500  Dest UDP Encap port: 500

Quick Mode SAs
------------------------------

Quick Mode SA #1:
 Filter Id : {22A8F939-89C3-4978-9F9A-BEA0B46B4163}
  Tunnel Filter
  From 10.107.208.20
   To  subnet 10.180.0.0 mask 255.255.0.0
  Protocol : 0  Src Port : 0  Des Port : 0
  Direction : Outbound
  Tunnel From 10.107.208.20
  Tunnel  To  10.107.208.1
 Policy Id : {F7161316-2A79-495C-8FB8-DC7662246113}
 Offer Used :
        Algo #1 : Encryption 3DES SHA1 (24bytes/0rounds)
(20secbytes/0secrounds)
                  MySpi 1780370312 PeerSpi 798887691
        PFS : False, Lifetime 100000Kbytes/3600seconds
 Initiator cookie 4d9a6c5aa8ea5bf1
 Responder cookie ef0f72aba9f15fc8

The command completed successfully.

The ipsec settings are configured using the following:
ipseccmd.exe -u
ipseccmd.exe -f 0=10.180.16.0/255.255.255.0 -n ESP[3DES,SHA] -t
10.107.208.1 -a PRESHARE:"sharedsecret" -1s 3DES-SHA-2
ipseccmd.exe -f 10.180.16.0/255.255.255.0=0 -n ESP[3DES,SHA] -t
10.107.208.20 -a PRESHARE:"sharedsecret" -1s 3DES-SHA-2


For some reason though, traffic from the lan machine to the dmz machine
is going into a black hole.  pflog0 shows no dropped packets, nothing
odd in messages.

C:\WINDOWS>ping 10.180.16.250

Pinging 10.180.16.250 with 32 bytes of data:

Negotiating IP Security.
Request timed out.
Request timed out.
Request timed out.

These are the stats from the client side.  You can see the outgoing
traffic, but no returning traffic:

IKE Statistics
------------------------------
 Main Modes 28
 Quick Modes 44
 Soft SAs 1
 Authentication Failures 0
 Active Acquire 1
 Active Receive 0
 Acquire fail 0
 Receive fail 11
 Send fail 0
 Acquire Heap size 2
 Receive Heap size 2
 Negotiation Failures 7
 Invalid Cookies Rcvd 0
 Total Acquire 17
 TotalGetSpi 45
 TotalKeyAdd 45
 TotalKeyUpdate 45
 GetSpiFail 0
 KeyAddFail 0
 KeyUpdateFail 0
 IsadbListSize 1
 ConnListSize 1


IPSec Statistics
------------------------------
 Active Assoc 1
 Pending Key 0
 Key Adds 45
 Key Deletes 44
 ReKeys 6
 Active Tunnels 1
 Bad SPI Pkts 0
 Pkts not Decrypted 0
 Pkts not Authenticated 0
 Pkts with Replay Detection 0
 Confidential Bytes Sent 27,642
 Confidential Bytes Received 0
 Authenticated Bytes Sent 33,144
 Authenticated Bytes Received 0
 Offloaded Bytes Sent 0
 Offloaded Bytes Received 0
 Bytes Sent In Tunnels 7,700
 Bytes Received In Tunnels 0
 Transport Bytes Sent 23,778
 Transport Bytes Received 0

Packet capture on the dmz host shows no packets entering the network
interface.  Packet capture on the router dmz iface shows no traffic either.

These are all the packets that get generated, even after attempting
ping, ssh, etc. to the dmz host.

# tcpdump -nvv -r /var/run/isakmpd.pcap
tcpdump: WARNING: snaplen raised from 96 to 65536
tcpdump: WARNING: compensating for unaligned libpcap packets
01:43:27.783751 10.107.208.20.500 > 10.107.208.1.500:  [udp sum ok]
isakmp v1.0 exchange ID_PROT
        cookie: 0daf9b6a2eb9dfe5->0000000000000000 msgid: 00000000 len: 148
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0
xforms: 1
                payload: TRANSFORM len: 36
                    transform: 1 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00007080
        payload: VENDOR len: 24
        payload: VENDOR len: 20
        payload: VENDOR len: 20 (supports v2 NAT-T,
draft-ietf-ipsec-nat-t-ike-02) [ttl 0] (id 1, len 176)
01:43:27.792156 10.107.208.1.500 > 10.107.208.20.500:  [udp sum ok]
isakmp v1.0 exchange ID_PROT
        cookie: 0daf9b6a2eb9dfe5->d530537930e4e5f4 msgid: 00000000 len: 164
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0
xforms: 1
                payload: TRANSFORM len: 36
                    transform: 1 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00007080
        payload: VENDOR len: 20 (supports v2 NAT-T,
draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 (supports v3 NAT-T,
draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
        payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 192)
01:43:27.835181 10.107.208.20.500 > 10.107.208.1.500:  [udp sum ok]
isakmp v1.0 exchange ID_PROT
        cookie: 0daf9b6a2eb9dfe5->d530537930e4e5f4 msgid: 00000000 len: 232
        payload: KEY_EXCH len: 132
        payload: NONCE len: 24
        payload: NAT-D-DRAFT len: 24
        payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 260)
01:43:27.930881 10.107.208.1.500 > 10.107.208.20.500:  [udp sum ok]
isakmp v1.0 exchange ID_PROT
        cookie: 0daf9b6a2eb9dfe5->d530537930e4e5f4 msgid: 00000000 len: 232
        payload: KEY_EXCH len: 132
        payload: NONCE len: 24
        payload: NAT-D-DRAFT len: 24
        payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 260)
01:43:28.037826 10.107.208.20.500 > 10.107.208.1.500:  [udp sum ok]
isakmp v1.0 exchange ID_PROT
        cookie: 0daf9b6a2eb9dfe5->d530537930e4e5f4 msgid: 00000000 len: 68
        payload: ID len: 12 type: IPV4_ADDR = 10.107.208.20
        payload: HASH len: 24 [ttl 0] (id 1, len 96)
01:43:28.040117 10.107.208.1.500 > 10.107.208.20.500:  [udp sum ok]
isakmp v1.0 exchange ID_PROT
        cookie: 0daf9b6a2eb9dfe5->d530537930e4e5f4 msgid: 00000000 len: 92
        payload: ID len: 12 type: IPV4_ADDR = 10.107.208.1
        payload: HASH len: 24
        payload: NOTIFICATION len: 28
            notification: INITIAL CONTACT
(0daf9b6a2eb9dfe5->d530537930e4e5f4) [ttl 0] (id 1, len 120)
01:43:28.053501 10.107.208.20.500 > 10.107.208.1.500:  [udp sum ok]
isakmp v1.0 exchange QUICK_MODE
        cookie: 0daf9b6a2eb9dfe5->d530537930e4e5f4 msgid: af7e14b1 len: 148
        payload: HASH len: 24
        payload: SA len: 40 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 28 proposal: 1 proto: IPSEC_ESP
spisz: 4 xforms: 1 SPI: 0xc5f7c202
                payload: TRANSFORM len: 16
                    transform: 1 ID: 3DES
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
        payload: NONCE len: 24
        payload: ID len: 12 type: IPV4_ADDR = 10.107.208.20
        payload: ID len: 16 type: IPV4_ADDR_SUBNET =
10.180.0.0/255.255.0.0 [ttl 0] (id 1, len 176)
01:43:28.060752 10.107.208.1.500 > 10.107.208.20.500:  [udp sum ok]
isakmp v1.0 exchange QUICK_MODE
        cookie: 0daf9b6a2eb9dfe5->d530537930e4e5f4 msgid: af7e14b1 len: 144
        payload: HASH len: 24
        payload: SA len: 40 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 28 proposal: 1 proto: IPSEC_ESP
spisz: 4 xforms: 1 SPI: 0x8329971e
                payload: TRANSFORM len: 16
                    transform: 1 ID: 3DES
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
        payload: NONCE len: 24
        payload: ID len: 12 type: IPV4_ADDR = 10.107.208.20
        payload: ID len: 16 type: IPV4_ADDR_SUBNET =
10.180.0.0/255.255.0.0 [ttl 0] (id 1, len 172)
01:43:28.072797 10.107.208.20.500 > 10.107.208.1.500:  [udp sum ok]
isakmp v1.0 exchange QUICK_MODE
        cookie: 0daf9b6a2eb9dfe5->d530537930e4e5f4 msgid: af7e14b1 len: 52
        payload: HASH len: 24 [ttl 0] (id 1, len 80)


The console output for isakmpd is:
# isakmpd -d -4 -L -DA=20
021603.047035 Default log_debug_cmd: log level changed from 0 to 20 for
class 0 [priv]
021603.048645 Default log_debug_cmd: log level changed from 0 to 20 for
class 1 [priv]
021603.049299 Default log_debug_cmd: log level changed from 0 to 20 for
class 2 [priv]
021603.049707 Default log_debug_cmd: log level changed from 0 to 20 for
class 3 [priv]
021603.050203 Default log_debug_cmd: log level changed from 0 to 20 for
class 4 [priv]
021603.050589 Default log_debug_cmd: log level changed from 0 to 20 for
class 5 [priv]
021603.051084 Default log_debug_cmd: log level changed from 0 to 20 for
class 6 [priv]
021603.051449 Default log_debug_cmd: log level changed from 0 to 20 for
class 7 [priv]
021603.051917 Default log_debug_cmd: log level changed from 0 to 20 for
class 8 [priv]
021603.052290 Default log_debug_cmd: log level changed from 0 to 20 for
class 9 [priv]
021603.052773 Default log_debug_cmd: log level changed from 0 to 20 for
class 10 [priv]
021603.062411 Misc 10 monitor_init: privileges dropped for child process
021603.713971 Misc 20 udp_make: transport 0x4ff9a200 socket 7 ip
10.107.208.1 port 500
021603.715768 Misc 20 udp_encap_make: transport 0x4ff9a280 socket 8 ip
10.107.208.1 port 4500
021603.719217 Default log_packet_init: starting IKE packet capture to
file "/var/run/isakmpd.pcap"
021606.421447 Timr 10 timer_add_event: event
exchange_free_aux(0x46012c00) added last, expiration in 120s
021606.422516 Exch 10 exchange_setup_p1: 0x46012c00 client
Default-main-mode policy responder phase 1 doi 1 exchange 2 step 0
021606.423070 Exch 10 exchange_setup_p1: icookie 1645bfaf23ed4dcc
rcookie da96438bc626181a
021606.423655 Exch 10 exchange_setup_p1: msgid 00000000
021606.424328 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer
detected
021606.425220 Negt 20 ike_phase_1_validate_prop: success
021606.425726 Misc 20 ipsec_decode_transform: transform 1 chosen
021606.426131 Exch 10 exchange_handle_leftover_payloads: unexpected
payload VENDOR
021606.426201 Exch 10 exchange_handle_leftover_payloads: unexpected
payload VENDOR
021606.426249 Exch 10 exchange_handle_leftover_payloads: unexpected
payload VENDOR
021606.427345 Timr 10 timer_add_event: event
message_send_expire(0x46716e00) added before
exchange_free_aux(0x46012c00), expiration in 7s
021606.469008 Mesg 20 message_free: freeing 0x46716e00
021606.469614 Timr 10 timer_remove_event: removing event
message_send_expire(0x46716e00)
021606.470301 Mesg 20 message_free: freeing 0x46716a00
021606.554761 Timr 10 timer_add_event: event
message_send_expire(0x46716a00) added before
exchange_free_aux(0x46012c00), expiration in 7s
021606.662615 Mesg 20 message_free: freeing 0x46716a00
021606.663388 Timr 10 timer_remove_event: removing event
message_send_expire(0x46716a00)
021606.664671 Mesg 20 message_free: freeing 0x46716f00
021606.666208 Exch 10 exchange_finalize: 0x46012c00 client
Default-main-mode policy responder phase 1 doi 1 exchange 2 step 6
021606.666776 Exch 10 exchange_finalize: icookie 1645bfaf23ed4dcc
rcookie da96438bc626181a
021606.667430 Exch 10 exchange_finalize: msgid 00000000
021606.667967 Exch 10 exchange_finalize: phase 1 done: initiator id
0a6bd014: 10.107.208.20, responder id 0a6bd001: 10.107.208.1, src:
10.107.208.1 dst: 10.107.208.20
021606.668701 Timr 10 timer_add_event: event sa_soft_expire(0x46012e00)
added last, expiration in 26928s
021606.669153 Timr 10 timer_add_event: event sa_hard_expire(0x46012e00)
added last, expiration in 28800s
021606.670682 Timr 10 timer_add_event: event
exchange_free_aux(0x46013000) added before sa_soft_expire(0x46012e00),
expiration in 120s
021606.671255 Exch 10 exchange_setup_p2: 0x46013000 <unnamed> <no
policy> policy responder phase 2 doi 1 exchange 32 step 0
021606.671857 Exch 10 exchange_setup_p2: icookie 1645bfaf23ed4dcc
rcookie da96438bc626181a
021606.672258 Exch 10 exchange_setup_p2: msgid d714ff5c sa_list
021606.674172 Misc 20 ipsec_decode_transform: transform 1 chosen
021606.676392 Timr 10 timer_add_event: event
message_send_expire(0x46717400) added before
exchange_free_aux(0x46012c00), expiration in 7s
021606.679284 Mesg 20 message_free: freeing 0x46717400
021606.679907 Timr 10 timer_remove_event: removing event
message_send_expire(0x46717400)
021606.681151 Mesg 20 message_free: freeing 0x46716b00
021606.681760 Exch 10 exchange_finalize: 0x46013000 client-netB <no
policy> policy responder phase 2 doi 1 exchange 32 step 2
021606.682584 Exch 10 exchange_finalize: icookie 1645bfaf23ed4dcc
rcookie da96438bc626181a
021606.682999 Exch 10 exchange_finalize: msgid d714ff5c sa_list 0x46013200
021606.683713 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.107.208.20 SPI
0xdfa6bce4
021606.684802 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.107.208.1 SPI
0xbdb0f4ce
021606.686333 Timr 10 timer_remove_event: removing event
exchange_free_aux(0x46013000)
021606.686943 Mesg 20 message_free: freeing 0x46717500


Really lost as to what I am missing at this point.  Any insight is
greatly appreciated.

For reference, these are the isakmpd.conf and policy files:

# cat isakmpd.conf |grep -v '#'
[General]
Listen-On= 10.107.208.1

[Phase 1]
Default= client

[Phase 2]
Passive-connections= client-netB

[client]
Phase= 1
Transport= udp
Configuration= Default-main-mode
Authentication= sharedsecret

[client-netB]
Phase= 2
ISAKMP-peer= client
Configuration= Default-quick-mode
Local-ID= netB
Remote-ID= client

[client]
ID-type= IPV4_ADDR
Address= 10.107.208.20

[netB]
ID-type= IPV4_ADDR_SUBNET
Network= 10.180.16.0
Netmask= 255.255.255.0

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= AES-SHA,3DES-SHA

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE,QM-ESP-3DES-SHA-PFS-SUITE


# cat isakmpd.policy |grep -v '#'
Keynote-version: 2
Authorizer: "POLICY"
Conditions: esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";


Thanks,
Axton Grams
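One check a reader working through a thread like this would want is a side-by-side comparison of what isakmpd.conf declares for the Phase 2 connection and what actually got installed in the kernel: in the posted output the [netB] section configures 10.180.16.0/255.255.255.0, while the `ipsecctl -s all` flows carry 10.180.0.0/16 (the selector the Windows client proposed). The script below is an added example, not code from the thread or from the isakmpd project. It parses the relevant isakmpd.conf sections and the ipsecctl FLOWS lines (both embedded here as constructed samples copied from the thread), resolves Local-ID/Remote-ID to networks, and reports every flow whose selectors differ from the configured ones. Its config reader is deliberately minimal and assumes that a repeated section name (the thread has two [client] blocks) should be merged into one mapping; the function and variable names are this example's own.

```python
"""Cross-check the selectors isakmpd negotiated (from `ipsecctl -s all`)
against the networks configured in isakmpd.conf for one Phase 2 connection.
Added example; the two sample inputs below are constructed from the thread."""
import ipaddress
import re

# Constructed sample: the Phase 2 and ID sections of isakmpd.conf from the thread.
ISAKMPD_CONF = """\
[client-netB]
Phase= 2
ISAKMP-peer= client
Configuration= Default-quick-mode
Local-ID= netB
Remote-ID= client

[client]
ID-type= IPV4_ADDR
Address= 10.107.208.20

[netB]
ID-type= IPV4_ADDR_SUBNET
Network= 10.180.16.0
Netmask= 255.255.255.0
"""

# Constructed sample: the FLOWS section of `ipsecctl -s all` from the thread.
IPSECCTL_FLOWS = """\
FLOWS:
flow esp in from 10.107.208.20 to 10.180.0.0/16 peer 10.107.208.20
flow esp out from 10.180.0.0/16 to 10.107.208.20 peer 10.107.208.20
"""

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
KV_RE = re.compile(r"^([^=#]+?)\s*=\s*(.*?)\s*$")
FLOW_RE = re.compile(r"^flow\s+(\w+)\s+(in|out)\s+from\s+(\S+)\s+to\s+(\S+)\s+peer\s+(\S+)")


def parse_isakmpd_conf(text):
    """Minimal reader for [Section] headers with Key= value lines.
    Repeated section names are merged (an assumption of this helper)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return sections


def id_to_network(section):
    """Turn an isakmpd ID section (IPV4_ADDR or IPV4_ADDR_SUBNET) into a network."""
    kind = section.get("ID-type")
    if kind == "IPV4_ADDR":
        return ipaddress.ip_network(section["Address"] + "/32")
    if kind == "IPV4_ADDR_SUBNET":
        return ipaddress.ip_network("%s/%s" % (section["Network"], section["Netmask"]), strict=False)
    raise ValueError("unsupported ID-type: %r" % kind)


def parse_flows(text):
    """Extract (direction, src, dst, peer) from ipsecctl flow lines; bare hosts become /32."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            _proto, direction, src, dst, peer = m.groups()
            flows.append((direction,
                          ipaddress.ip_network(src, strict=False),
                          ipaddress.ip_network(dst, strict=False),
                          ipaddress.ip_address(peer)))
    return flows


def check_phase2_selectors(conf, flows, connection):
    """Compare each flow's local/remote selector with the connection's
    Local-ID/Remote-ID networks. Returns a list of human-readable findings."""
    conn = conf[connection]
    local_net = id_to_network(conf[conn["Local-ID"]])
    remote_net = id_to_network(conf[conn["Remote-ID"]])
    findings = []
    for direction, src, dst, _peer in flows:
        # Inbound: local side is the destination; outbound: local side is the source.
        local, remote = (dst, src) if direction == "in" else (src, dst)
        if remote != remote_net:
            findings.append("flow %s: remote selector %s differs from configured %s"
                            % (direction, remote, remote_net))
        if local != local_net:
            findings.append("flow %s: local selector %s differs from configured %s [%s]"
                            % (direction, local, local_net, conn["Local-ID"]))
    return findings


if __name__ == "__main__":
    conf = parse_isakmpd_conf(ISAKMPD_CONF)
    for finding in check_phase2_selectors(conf, parse_flows(IPSECCTL_FLOWS), "client-netB"):
        print(finding)
```

Run against the samples it reports both flows, because their local selector is 10.180.0.0/16 while [netB] configures 10.180.16.0/24. On a live router the same functions can be fed `isakmpd.conf` read from disk and the captured output of `ipsecctl -s all`; an empty findings list means the kernel flows match what the configuration intended, which narrows the remaining search to filtering and routing rather than negotiation.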
