Hans-Joerg Hoexer wrote:
> what ipsec software is running on the clients? What does your
> ipsec.conf on the firewall look like?
>
> On Sat, Sep 02, 2006 at 04:01:51PM -0400, Axton Grams wrote:
>> Hoping someone can point me in the right direction to get isakmpd working.
>>
>> The scenario:
>> - the router drops all traffic directed to it from the dmz net
>> - the router drops all traffic destined for the lan from the dmz
>> - the router drops all traffic destined for the dmz from the lan
>> - vlan1 (dmz) has linux hosts
>> - vlan2 (lan) has windows and linux hosts, for the purpose of this
>>   exercise, I am using a windows host
>>
>> The goals:
>> - create a way by which hosts in the lan can connect to the dmz network
>>   using ipsec/isakmpd
>> - starting off with simple auth, shared secret passphrase
>>
>> Some background Info:
>>
>> My network is as follows:
>> (trunking is next on my list, but for now, I have separate interfaces on
>> the router for each vlan)
>>
>>                    |
>>            Internet (dynamic ip)
>>                    |1.1.1.2
>>        +------------------------+
>>        |   router/fw/isakmpd    |
>>        +------------------------+
>>   10.180.16.1 |            |10.107.208.1
>>       dmz     |            |    lan
>>       +--------+            +--------+
>>       |                              |
>>       +-----------------------------+
>>       |           switch            |
>>       |   vlan1     |     vlan2     |
>>       +-----------------------------+
>>          |                  |
>>          |                  |
>>   +---------------+  +-------------------+
>>   |  www server   |  |  workstation 1    +
>>   | 10.180.16.250 |  |  10.107.208.20    +
>>   +---------------+  +-------------------+
>>
>> - OpenBSD Router:
>>   - relevant ifconfig
>>     ** internet
>>     hme0:
>>         flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
>>         mtu 1500
>>         lladdr xxx
>>         groups: egress
>>         media: Ethernet 100baseTX full-duplex
>>         status: active
>>         inet6 xxx%hme0 prefixlen 64 scopeid 0x2
>>         inet 1.1.1.2 netmask 0xffffe000 broadcast 1.1.1.255
>>     ** lan
>>     hme1:
>>         flags=8363<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,MULTICAST>
>>         mtu 1500
>>         lladdr 08:00:20:ca:7d:c5
>>         media: Ethernet 100baseTX
>>         status: active
>>         inet 10.107.208.1 netmask 0xffffff00 broadcast 10.107.208.255
>>         inet6 fe80::a00:20ff:feca:7dc5%hme1 prefixlen 64 scopeid 0x3
>>     ** dmz
>>     hme2:
>>         flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
>>         mtu 1500
>>         lladdr 08:00:20:ca:7d:c6
>>         media: Ethernet autoselect (100baseTX full-duplex)
>>         status: active
>>         inet 10.180.16.1 netmask 0xffffff00 broadcast 10.180.16.255
>>         inet6 fe80::a00:20ff:feca:7dc6%hme2 prefixlen 64 scopeid 0x4
>>
>
I see the SA established on both machines when I generate traffic from
the lan machine to the dmz machine:

# ipsecctl -s all
FLOWS:
flow esp in from 10.107.208.20 to 10.180.0.0/16 peer 10.107.208.20
flow esp out from 10.180.0.0/16 to 10.107.208.20 peer 10.107.208.20

SADB:
esp tunnel from 10.107.208.1 to 10.107.208.20 spi 0x6a1e4b88 enc 3des-cbc auth hmac-sha1
esp tunnel from 10.107.208.20 to 10.107.208.1 spi 0x2f9e0f0b enc 3des-cbc auth hmac-sha1

C:\Program Files\Support Tools>ipseccmd show sas

Main Mode SAs
------------------------------
Main Mode SA #1:
  From 10.107.208.20
  To   10.107.208.1
  Policy Id : {F692F46D-7E01-4929-9DA3-AAEFD79B7A97}
  Offer Used : 3DES SHA1 DH Group 2
  Quickmode limit : 0, Lifetime 0Kbytes/28800seconds
  Auth Used : Preshared Key
  Initiator cookie 4d9a6c5aa8ea5bf1
  Responder cookie ef0f72aba9f15fc8
  Source UDP Encap port : 500  Dest UDP Encap port: 500

Quick Mode SAs
------------------------------
Quick Mode SA #1:
  Filter Id : {22A8F939-89C3-4978-9F9A-BEA0B46B4163}
  Tunnel Filter
    From 10.107.208.20
    To   subnet 10.180.16.0 mask 255.255.0.0
    Protocol : 0  Src Port : 0  Des Port : 0
    Direction : Outbound
    Tunnel From 10.107.208.20
    Tunnel To   10.107.208.1
  Policy Id : {F7161316-2A79-495C-8FB8-DC7662246113}
  Offer Used :
    Algo #1 : Encryption 3DES SHA1 (24bytes/0rounds) (20secbytes/0secrounds)
    MySpi 1780370312  PeerSpi 798887691
  PFS : False, Lifetime 100000Kbytes/3600seconds
  Initiator cookie 4d9a6c5aa8ea5bf1
  Responder cookie ef0f72aba9f15fc8

The command completed successfully.

The ipsec settings are configured using the following:

ipseccmd.exe -u
ipseccmd.exe -f 0=10.180.16.0/255.255.255.0 -n ESP[3DES,SHA] -t 10.107.208.1 -a PRESHARE:"sharedsecret" -1s 3DES-SHA-2
ipseccmd.exe -f 10.180.16.0/255.255.255.0=0 -n ESP[3DES,SHA] -t 10.107.208.20 -a PRESHARE:"sharedsecret" -1s 3DES-SHA-2

For some reason though, traffic from the lan machine to the dmz machine
is going into a black hole. pflog0 shows no dropped packets, nothing odd
in messages.

C:\WINDOWS>ping 10.180.16.250

Pinging 10.180.16.250 with 32 bytes of data:

Negotiating IP Security.
Request timed out.
Request timed out.
Request timed out.

These are the stats from the client side. You can see the outgoing
traffic, but no returning traffic:

IKE Statistics
------------------------------
Main Modes                28
Quick Modes               44
Soft SAs                  1
Authentication Failures   0
Active Acquire            1
Active Receive            0
Acquire fail              0
Receive fail              11
Send fail                 0
Acquire Heap size         2
Receive Heap size         2
Negotiation Failures      7
Invalid Cookies Rcvd      0
Total Acquire             17
TotalGetSpi               45
TotalKeyAdd               45
TotalKeyUpdate            45
GetSpiFail                0
KeyAddFail                0
KeyUpdateFail             0
IsadbListSize             1
ConnListSize              1

IPSec Statistics
------------------------------
Active Assoc                  1
Pending Key                   0
Key Adds                      45
Key Deletes                   44
ReKeys                        6
Active Tunnels                1
Bad SPI Pkts                  0
Pkts not Decrypted            0
Pkts not Authenticated        0
Pkts with Replay Detection    0
Confidential Bytes Sent       27,642
Confidential Bytes Received   0
Authenticated Bytes Sent      33,144
Authenticated Bytes Received  0
Offloaded Bytes Sent          0
Offloaded Bytes Received      0
Bytes Sent In Tunnels         7,700
Bytes Received In Tunnels     0
Transport Bytes Sent          23,778
Transport Bytes Received      0

Packet capture on the dmz host shows no packets entering the network
interface. Packet capture on the router dmz iface shows no traffic
either. These are all the packets that get generated, even after
attempting ping, ssh, etc. to the dmz host.
# tcpdump -nvv -r /var/run/isakmpd.pcap
tcpdump: WARNING: snaplen raised from 96 to 65536
tcpdump: WARNING: compensating for unaligned libpcap packets
01:43:27.783751 10.107.208.20.500 > 10.107.208.1.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 0daf9b6a2eb9dfe5->0000000000000000 msgid: 00000000 len: 148
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
                payload: TRANSFORM len: 36
                    transform: 1 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00007080
        payload: VENDOR len: 24
        payload: VENDOR len: 20
        payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02) [ttl 0] (id 1, len 176)
01:43:27.792156 10.107.208.1.500 > 10.107.208.20.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 0daf9b6a2eb9dfe5->d530537930e4e5f4 msgid: 00000000 len: 164
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
                payload: TRANSFORM len: 36
                    transform: 1 ID: ISAKMP
                        attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                        attribute HASH_ALGORITHM = SHA
                        attribute GROUP_DESCRIPTION = MODP_1024
                        attribute AUTHENTICATION_METHOD = PRE_SHARED
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 00007080
        payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
        payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 192)
01:43:27.835181 10.107.208.20.500 > 10.107.208.1.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 0daf9b6a2eb9dfe5->d530537930e4e5f4 msgid: 00000000 len: 232
        payload: KEY_EXCH len: 132
        payload: NONCE len: 24
        payload: NAT-D-DRAFT len: 24
        payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 260)
01:43:27.930881 10.107.208.1.500 > 10.107.208.20.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 0daf9b6a2eb9dfe5->d530537930e4e5f4 msgid: 00000000 len: 232
        payload: KEY_EXCH len: 132
        payload: NONCE len: 24
        payload: NAT-D-DRAFT len: 24
        payload: NAT-D-DRAFT len: 24 [ttl 0] (id 1, len 260)
01:43:28.037826 10.107.208.20.500 > 10.107.208.1.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 0daf9b6a2eb9dfe5->d530537930e4e5f4 msgid: 00000000 len: 68
        payload: ID len: 12 type: IPV4_ADDR = 10.107.208.20
        payload: HASH len: 24 [ttl 0] (id 1, len 96)
01:43:28.040117 10.107.208.1.500 > 10.107.208.20.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: 0daf9b6a2eb9dfe5->d530537930e4e5f4 msgid: 00000000 len: 92
        payload: ID len: 12 type: IPV4_ADDR = 10.107.208.1
        payload: HASH len: 24
        payload: NOTIFICATION len: 28 notification: INITIAL CONTACT (0daf9b6a2eb9dfe5->d530537930e4e5f4) [ttl 0] (id 1, len 120)
01:43:28.053501 10.107.208.20.500 > 10.107.208.1.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 0daf9b6a2eb9dfe5->d530537930e4e5f4 msgid: af7e14b1 len: 148
        payload: HASH len: 24
        payload: SA len: 40 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 28 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xc5f7c202
                payload: TRANSFORM len: 16
                    transform: 1 ID: 3DES
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
        payload: NONCE len: 24
        payload: ID len: 12 type: IPV4_ADDR = 10.107.208.20
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.180.0.0/255.255.0.0 [ttl 0] (id 1, len 176)
01:43:28.060752 10.107.208.1.500 > 10.107.208.20.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 0daf9b6a2eb9dfe5->d530537930e4e5f4 msgid: af7e14b1 len: 144
        payload: HASH len: 24
        payload: SA len: 40 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 28 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x8329971e
                payload: TRANSFORM len: 16
                    transform: 1 ID: 3DES
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
        payload: NONCE len: 24
        payload: ID len: 12 type: IPV4_ADDR = 10.107.208.20
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.180.0.0/255.255.0.0 [ttl 0] (id 1, len 172)
01:43:28.072797 10.107.208.20.500 > 10.107.208.1.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 0daf9b6a2eb9dfe5->d530537930e4e5f4 msgid: af7e14b1 len: 52
        payload: HASH len: 24 [ttl 0] (id 1, len 80)

The console output for isakmpd is:

# isakmpd -d -4 -L -DA=20
021603.047035 Default log_debug_cmd: log level changed from 0 to 20 for class 0 [priv]
021603.048645 Default log_debug_cmd: log level changed from 0 to 20 for class 1 [priv]
021603.049299 Default log_debug_cmd: log level changed from 0 to 20 for class 2 [priv]
021603.049707 Default log_debug_cmd: log level changed from 0 to 20 for class 3 [priv]
021603.050203 Default log_debug_cmd: log level changed from 0 to 20 for class 4 [priv]
021603.050589 Default log_debug_cmd: log level changed from 0 to 20 for class 5 [priv]
021603.051084 Default log_debug_cmd: log level changed from 0 to 20 for class 6 [priv]
021603.051449 Default log_debug_cmd: log level changed from 0 to 20 for class 7 [priv]
021603.051917 Default log_debug_cmd: log level changed from 0 to 20 for class 8 [priv]
021603.052290 Default log_debug_cmd: log level changed from 0 to 20 for class 9 [priv]
021603.052773 Default log_debug_cmd: log level changed from 0 to 20 for class 10 [priv]
021603.062411 Misc 10 monitor_init: privileges dropped for child process
021603.713971 Misc 20 udp_make: transport 0x4ff9a200 socket 7 ip 10.107.208.1 port 500
021603.715768 Misc 20 udp_encap_make: transport 0x4ff9a280 socket 8 ip 10.107.208.1 port 4500
021603.719217 Default log_packet_init: starting IKE packet capture to file "/var/run/isakmpd.pcap"
021606.421447 Timr 10 timer_add_event: event exchange_free_aux(0x46012c00) added last, expiration in 120s
021606.422516 Exch 10 exchange_setup_p1: 0x46012c00 client Default-main-mode policy responder phase 1 doi 1 exchange 2 step 0
021606.423070 Exch 10 exchange_setup_p1: icookie 1645bfaf23ed4dcc rcookie da96438bc626181a
021606.423655 Exch 10 exchange_setup_p1: msgid 00000000
021606.424328 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected
021606.425220 Negt 20 ike_phase_1_validate_prop: success
021606.425726 Misc 20 ipsec_decode_transform: transform 1 chosen
021606.426131 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
021606.426201 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
021606.426249 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
021606.427345 Timr 10 timer_add_event: event message_send_expire(0x46716e00) added before exchange_free_aux(0x46012c00), expiration in 7s
021606.469008 Mesg 20 message_free: freeing 0x46716e00
021606.469614 Timr 10 timer_remove_event: removing event message_send_expire(0x46716e00)
021606.470301 Mesg 20 message_free: freeing 0x46716a00
021606.554761 Timr 10 timer_add_event: event message_send_expire(0x46716a00) added before exchange_free_aux(0x46012c00), expiration in 7s
021606.662615 Mesg 20 message_free: freeing 0x46716a00
021606.663388 Timr 10 timer_remove_event: removing event message_send_expire(0x46716a00)
021606.664671 Mesg 20 message_free: freeing 0x46716f00
021606.666208 Exch 10 exchange_finalize: 0x46012c00 client Default-main-mode policy responder phase 1 doi 1 exchange 2 step 6
021606.666776 Exch 10 exchange_finalize: icookie 1645bfaf23ed4dcc rcookie da96438bc626181a
021606.667430 Exch 10 exchange_finalize: msgid 00000000
021606.667967 Exch 10 exchange_finalize: phase 1 done: initiator id 0a6bd014: 10.107.208.20, responder id 0a6bd001: 10.107.208.1, src: 10.107.208.1 dst: 10.107.208.20
021606.668701 Timr 10 timer_add_event: event sa_soft_expire(0x46012e00) added last, expiration in 26928s
021606.669153 Timr 10 timer_add_event: event sa_hard_expire(0x46012e00) added last, expiration in 28800s
021606.670682 Timr 10 timer_add_event: event exchange_free_aux(0x46013000) added before sa_soft_expire(0x46012e00), expiration in 120s
021606.671255 Exch 10 exchange_setup_p2: 0x46013000 <unnamed> <no policy> policy responder phase 2 doi 1 exchange 32 step 0
021606.671857 Exch 10 exchange_setup_p2: icookie 1645bfaf23ed4dcc rcookie da96438bc626181a
021606.672258 Exch 10 exchange_setup_p2: msgid d714ff5c sa_list
021606.674172 Misc 20 ipsec_decode_transform: transform 1 chosen
021606.676392 Timr 10 timer_add_event: event message_send_expire(0x46717400) added before exchange_free_aux(0x46012c00), expiration in 7s
021606.679284 Mesg 20 message_free: freeing 0x46717400
021606.679907 Timr 10 timer_remove_event: removing event message_send_expire(0x46717400)
021606.681151 Mesg 20 message_free: freeing 0x46716b00
021606.681760 Exch 10 exchange_finalize: 0x46013000 client-netB <no policy> policy responder phase 2 doi 1 exchange 32 step 2
021606.682584 Exch 10 exchange_finalize: icookie 1645bfaf23ed4dcc rcookie da96438bc626181a
021606.682999 Exch 10 exchange_finalize: msgid d714ff5c sa_list 0x46013200
021606.683713 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.107.208.20 SPI 0xdfa6bce4
021606.684802 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.107.208.1 SPI 0xbdb0f4ce
021606.686333 Timr 10 timer_remove_event: removing event exchange_free_aux(0x46013000)
021606.686943 Mesg 20 message_free: freeing 0x46717500

Really lost as to what I am missing at this point. Any insight is greatly appreciated.
For reference, these are the isakmpd.conf and policy files:

# cat isakmpd.conf |grep -v '#'
[General]
Listen-On=              10.107.208.1

[Phase 1]
Default=                client

[Phase 2]
Passive-connections=    client-netB

[client]
Phase=                  1
Transport=              udp
Configuration=          Default-main-mode
Authentication=         sharedsecret

[client-netB]
Phase=                  2
ISAKMP-peer=            client
Configuration=          Default-quick-mode
Local-ID=               netB
Remote-ID=              client

[client]
ID-type=                IPV4_ADDR
Address=                10.107.208.20

[netB]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.180.16.0
Netmask=                255.255.255.0

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             AES-SHA,3DES-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-AES-SHA-PFS-SUITE,QM-ESP-3DES-SHA-PFS-SUITE

# cat isakmpd.policy |grep -v '#'
Keynote-version: 2
Authorizer: "POLICY"
Conditions: esp_present == "yes" && esp_enc_alg != "null" -> "true";

Thanks,
Axton Grams
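One check that the output quoted in this thread makes possible mechanically is whether the flows the kernel actually installed agree with the Phase 2 selectors the configuration describes: the FLOWS block from `ipsecctl -s all` shows 10.180.0.0/16 (matching the IPV4_ADDR_SUBNET the Windows client proposed in Quick Mode), while the [netB] section of isakmpd.conf describes 10.180.16.0/24. The Python script below is an added example and not part of the original thread or of OpenBSD's own tooling. It embeds the ipsecctl output and the relevant isakmpd.conf sections exactly as quoted above (constructed sample input), parses both, and reports flows whose local-side network differs from any configured Phase 2 network, plus any peer that lacks an ESP SA in one direction. The `local_gateway` argument is the router's lan address 10.107.208.1 from the thread; whether the mismatch it reports explains the black hole is not something the script can decide.

```python
import configparser
import ipaddress
import re

# Constructed sample input: the FLOWS/SADB block of `ipsecctl -s all`
# exactly as quoted in the message above.
IPSECCTL_OUTPUT = """\
FLOWS:
flow esp in from 10.107.208.20 to 10.180.0.0/16 peer 10.107.208.20
flow esp out from 10.180.0.0/16 to 10.107.208.20 peer 10.107.208.20

SADB:
esp tunnel from 10.107.208.1 to 10.107.208.20 spi 0x6a1e4b88 enc 3des-cbc auth hmac-sha1
esp tunnel from 10.107.208.20 to 10.107.208.1 spi 0x2f9e0f0b enc 3des-cbc auth hmac-sha1
"""

# Constructed sample input: the Phase 2 and ID sections of the isakmpd.conf
# quoted above (the Phase 1 and transform sections play no part in this check).
ISAKMPD_CONF = """\
[Phase 2]
Passive-connections=    client-netB

[client-netB]
Phase=                  2
ISAKMP-peer=            client
Configuration=          Default-quick-mode
Local-ID=               netB
Remote-ID=              client

[client]
ID-type=                IPV4_ADDR
Address=                10.107.208.20

[netB]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.180.16.0
Netmask=                255.255.255.0
"""

FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+) peer (\S+)")
SA_RE = re.compile(r"^esp tunnel from (\S+) to (\S+) spi (0x[0-9a-f]+)")


def configured_networks(conf_text):
    """Map each Phase 2 connection to the network named by its Local-ID section."""
    # isakmpd.conf may reuse a section name (the full file above has two [client]
    # sections), so disable strict duplicate checking; keep key case as written.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_string(conf_text)
    nets = {}
    for name in cp.sections():
        if cp.get(name, "Phase", fallback="").strip() != "2":
            continue
        local_id = cp.get(name, "Local-ID", fallback="").strip()
        id_type = cp.get(local_id, "ID-type", fallback="").strip()
        if id_type == "IPV4_ADDR_SUBNET":
            net = cp.get(local_id, "Network").strip()
            mask = cp.get(local_id, "Netmask").strip()
            nets[name] = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        elif id_type == "IPV4_ADDR":
            nets[name] = ipaddress.ip_network(cp.get(local_id, "Address").strip() + "/32")
    return nets


def negotiated_flows(ipsecctl_text):
    """Return (direction, local_network, peer) for each line of the FLOWS block.

    For an 'in' flow the local side is the destination; for 'out' it is the source."""
    flows = []
    for line in ipsecctl_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            direction, src, dst, peer = m.groups()
            local = dst if direction == "in" else src
            flows.append((direction, ipaddress.ip_network(local, strict=False), peer))
    return flows


def sa_pairs(ipsecctl_text):
    """Return the set of (src, dst) endpoint pairs that have an ESP SA in the SADB block."""
    pairs = set()
    for line in ipsecctl_text.splitlines():
        m = SA_RE.match(line.strip())
        if m:
            pairs.add((m.group(1), m.group(2)))
    return pairs


def check(conf_text, ipsecctl_text, local_gateway):
    """Cross-check installed flows and SAs against the configured Phase 2 selectors."""
    configured = configured_networks(conf_text)
    flows = negotiated_flows(ipsecctl_text)
    findings = []
    for direction, local_net, peer in flows:
        if local_net in configured.values():
            continue  # exact match with a configured selector: nothing to report
        overlap = False
        for name, net in configured.items():
            if net.subnet_of(local_net):
                overlap = True
                findings.append(f"{direction} flow for {local_net} is broader than [{name}] {net}")
            elif local_net.subnet_of(net):
                overlap = True
                findings.append(f"{direction} flow for {local_net} is narrower than [{name}] {net}")
        if not overlap:
            findings.append(f"{direction} flow for {local_net} matches no configured Phase 2 network")
    # Every peer that has a flow should also have an ESP SA in each direction.
    sas = sa_pairs(ipsecctl_text)
    for peer in sorted({peer for _, _, peer in flows}):
        for pair in ((local_gateway, peer), (peer, local_gateway)):
            if pair not in sas:
                findings.append(f"no ESP SA from {pair[0]} to {pair[1]}")
    return findings


if __name__ == "__main__":
    # 10.107.208.1 is the router's lan-side address from the thread.
    for finding in check(ISAKMPD_CONF, IPSECCTL_OUTPUT, "10.107.208.1"):
        print(finding)
```

Run against the quoted data it reports, for both the in and the out flow, that 10.180.0.0/16 is broader than [client-netB] 10.180.16.0/24, and nothing about the SADB, since an SA exists in each direction. On a live router the two constants would be replaced by the output of `ipsecctl -s all` and the contents of /etc/isakmpd/isakmpd.conf; the parser only understands the FLOWS and SADB line formats shown in the thread and the IPV4_ADDR / IPV4_ADDR_SUBNET ID types, which is all the quoted configuration uses.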