On Tue, May 13, 2008 at 5:41 PM, Lord Sporkton <[EMAIL PROTECTED]> wrote:
> I am trying to set up an IPsec link between my home network (private IP
>  network behind a dynamic public IP) and my colo server (single public
>  static IP). I was a bit unclear on how to set up a tunnel between a
>  static and a dynamic IP.
>
>  interesting traffic:
>  208.70.72.13 -> 10.0.0.0/16
>
>
>  My SAD seems to set up OK, however afterward I get no flows and cannot pass
>  data. I've checked the logs and ipsecctl -m, but see nothing of use.
>
>  Below is the data I believe relevant; if anything else is requested I will
>  do my best to post it back in a timely fashion.
>  Thank you
>
>
>  colo server:
>
>  # uname -a
>  OpenBSD angie.sporkton.com 4.3 GENERIC#846 i386
>  # cat /etc/ipsec.conf
>
>  ike passive from 208.70.72.13 to 10.0.0.0/16 \
>         aggressive auth hmac-sha1 enc 3des group modp1024       \
>         quick auth hmac-sha1 enc 3des \
>         srcid "angie.sporkton.com" dstid "fire.sporkton.com" \
>         psk "password"
>  # ipsecctl -sa
>  FLOWS:
>  No flows
>
>  SAD:
>  esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth
>  hmac-sha1 enc 3des-cbc
>  esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth
>  hmac-sha1 enc 3des-cbc
>  #
>
>  ipsecctl -m output:
>
>  sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
>         address_src: 67.159.171.204
>         address_dst: 208.70.72.13
>         spirange: min 0x00000100 max 0xffffffff
>  sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
>         sa: spi 0x581ea1f0 auth none enc none
>                 state mature replay 0 flags 0
>         address_src: 67.159.171.204
>         address_dst: 208.70.72.13
>  sadb_add: satype esp vers 2 len 50 seq 10 pid 7557
>         sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
>                 state mature replay 16 flags 4
>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>         address_src: 208.70.72.13
>         address_dst: 67.159.171.204
>         key_auth: bits 160: e7ee5eafe49c95cafc506ba1ba6c174a584e4859
>         key_encrypt: bits 192: 65c174f84e389d2022ffbf9c1f152348d7b7f708ef757014
>         identity_src: type fqdn id 0: angie.sporkton.com
>         identity_dst: type fqdn id 0: fire.sporkton.com
>         src_mask: 255.255.255.255
>         dst_mask: 255.255.0.0
>         protocol: proto 0 flags 0
>         flow_type: type unknown direction out
>         src_flow: 208.70.72.13
>         dst_flow: 10.0.0.0
>  sadb_add: satype esp vers 2 len 42 seq 10 pid 7557
>         sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
>                 state mature replay 16 flags 4
>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>         address_src: 208.70.72.13
>         address_dst: 67.159.171.204
>         identity_src: type fqdn id 0: angie.sporkton.com
>         identity_dst: type fqdn id 0: fire.sporkton.com
>         src_mask: 255.255.255.255
>         dst_mask: 255.255.0.0
>         protocol: proto 0 flags 0
>         flow_type: type unknown direction out
>         src_flow: 208.70.72.13
>         dst_flow: 10.0.0.0
>  sadb_update: satype esp vers 2 len 50 seq 11 pid 7557
>         sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
>                 state mature replay 16 flags 4
>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>         address_src: 67.159.171.204
>         address_dst: 208.70.72.13
>         key_auth: bits 160: c2beffabe156d0dbaca586e730694a4ff3cc4ef5
>         key_encrypt: bits 192: 496cd320b35638d36dd8f899b8ce76c150840092db466715
>         identity_src: type fqdn id 0: fire.sporkton.com
>         identity_dst: type fqdn id 0: angie.sporkton.com
>         src_mask: 255.255.0.0
>         dst_mask: 255.255.255.255
>         protocol: proto 0 flags 0
>         flow_type: type unknown direction in
>         src_flow: 10.0.0.0
>         dst_flow: 208.70.72.13
>  sadb_update: satype esp vers 2 len 42 seq 11 pid 7557
>         sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
>                 state mature replay 16 flags 4
>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>         address_src: 67.159.171.204
>         address_dst: 208.70.72.13
>         identity_src: type fqdn id 0: fire.sporkton.com
>         identity_dst: type fqdn id 0: angie.sporkton.com
>         src_mask: 255.255.0.0
>         dst_mask: 255.255.255.255
>         protocol: proto 0 flags 0
>         flow_type: type unknown direction in
>         src_flow: 10.0.0.0
>         dst_flow: 208.70.72.13
>
>
>
>  Home firewall:
>
>  # uname -a
>  OpenBSD fire.sporkton.com 4.3 GENERIC#698 i386
>  # cat /etc/ipsec.conf
>  ike from 10.0.0.0/16 to 208.70.72.13 peer 208.70.72.13 \
>         aggressive auth hmac-sha1 enc 3des group modp1024 \
>         quick auth hmac-sha1 enc 3des \
>         srcid "fire.sporkton.com" dstid "angie.sporkton.com" \
>         psk "password"
>  # ipsecctl -sa
>  FLOWS:
>  No flows
>
>  SAD:
>  esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth
>  hmac-sha1 enc 3des-cbc
>  esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth
>  hmac-sha1 enc 3des-cbc
>  #
>
>
>  ipsecctl -m output:
>  sadb_getspi: satype esp vers 2 len 10 seq 4 pid 27351
>         address_src: 208.70.72.13
>         address_dst: 67.159.171.204
>         spirange: min 0x00000100 max 0xffffffff
>  sadb_getspi: satype esp vers 2 len 10 seq 4 pid 27351
>         sa: spi 0xeac5bef2 auth none enc none
>                 state mature replay 0 flags 0
>         address_src: 208.70.72.13
>         address_dst: 67.159.171.204
>  sadb_add: satype esp vers 2 len 50 seq 5 pid 27351
>         sa: spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
>                 state mature replay 16 flags 4
>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>         address_src: 67.159.171.204
>         address_dst: 208.70.72.13
>         key_auth: bits 160: 3e8df0ca567d73038ec1ef434032c7edc40ae308
>         key_encrypt: bits 192: 94acef899197f1bdfc762d296e5e0dfca1ccedb854823e57
>         identity_src: type fqdn id 0: fire.sporkton.com
>         identity_dst: type fqdn id 0: angie.sporkton.com
>         src_mask: 255.255.0.0
>         dst_mask: 255.255.255.255
>         protocol: proto 0 flags 0
>         flow_type: type unknown direction out
>         src_flow: 10.0.0.0
>         dst_flow: 208.70.72.13
>  sadb_add: satype esp vers 2 len 42 seq 5 pid 27351
>         sa: spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
>                 state mature replay 16 flags 4
>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>         address_src: 67.159.171.204
>         address_dst: 208.70.72.13
>         identity_src: type fqdn id 0: fire.sporkton.com
>         identity_dst: type fqdn id 0: angie.sporkton.com
>         src_mask: 255.255.0.0
>         dst_mask: 255.255.255.255
>         protocol: proto 0 flags 0
>         flow_type: type unknown direction out
>         src_flow: 10.0.0.0
>         dst_flow: 208.70.72.13
>  sadb_update: satype esp vers 2 len 50 seq 6 pid 27351
>         sa: spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
>                 state mature replay 16 flags 4
>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>         address_src: 208.70.72.13
>         address_dst: 67.159.171.204
>         key_auth: bits 160: 1e2e1137f4421ee9d84c50bbd3b03aedb12938ac
>         key_encrypt: bits 192: a9eeb920e58b7603ae697d692407bbbdd60c39b65bc57bfe
>         identity_src: type fqdn id 0: angie.sporkton.com
>         identity_dst: type fqdn id 0: fire.sporkton.com
>         src_mask: 255.255.255.255
>         dst_mask: 255.255.0.0
>         protocol: proto 0 flags 0
>         flow_type: type unknown direction in
>         src_flow: 208.70.72.13
>         dst_flow: 10.0.0.0
>  sadb_update: satype esp vers 2 len 42 seq 6 pid 27351
>         sa: spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
>                 state mature replay 16 flags 4
>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>         address_src: 208.70.72.13
>         address_dst: 67.159.171.204
>         identity_src: type fqdn id 0: angie.sporkton.com
>         identity_dst: type fqdn id 0: fire.sporkton.com
>         src_mask: 255.255.255.255
>         dst_mask: 255.255.0.0
>         protocol: proto 0 flags 0
>         flow_type: type unknown direction in
>         src_flow: 208.70.72.13
>         dst_flow: 10.0.0.0

I would recommend taking a look at this, if you haven't already:
http://www.securityfocus.com/infocus/1859

Jonathan
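A small diagnostic for the kind of `ipsecctl -m` dumps pasted above, added here as an example and not part of the thread: it parses the PF_KEY records into dicts, reduces the `src_flow`/`dst_flow`/mask fields to CIDR pairs, and checks that a flow one peer installs outbound shows up inbound on the other. The dumps embedded below are constructed excerpts in the format of the quoted output, trimmed to the flow fields.

```python
import re
# Constructed excerpts in the shape of the `ipsecctl -m` dumps quoted above,
# trimmed to the flow fields (the real records also carry SPIs, keys, lifetimes).
COLO_DUMP = """\
sadb_add: satype esp vers 2 len 42 seq 10 pid 7557
        src_mask: 255.255.255.255
        dst_mask: 255.255.0.0
        flow_type: type unknown direction out
        src_flow: 208.70.72.13
        dst_flow: 10.0.0.0
"""
HOME_DUMP = """\
sadb_update: satype esp vers 2 len 42 seq 6 pid 27351
        src_mask: 255.255.255.255
        dst_mask: 255.255.0.0
        flow_type: type unknown direction in
        src_flow: 208.70.72.13
        dst_flow: 10.0.0.0
"""

def parse_sadb(text):
    """One dict per 'sadb_<op>:' header; indented 'key: value' lines attach to it."""
    msgs = []
    for line in text.splitlines():
        hdr = re.match(r"^(sadb_\w+):", line)
        if hdr:
            msgs.append({"op": hdr.group(1)})
        elif msgs and (kv := re.match(r"^\s+(\w+): (.*)$", line)):
            msgs[-1][kv.group(1)] = kv.group(2).strip()
    return msgs

def prefix_len(mask):
    """Dotted-quad netmask -> prefix length, e.g. 255.255.0.0 -> 16."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))

def flows(msgs):
    """{(src_cidr, dst_cidr): direction} for every record that carries a flow."""
    table = {}
    for m in msgs:
        if "src_flow" in m:
            key = (f"{m['src_flow']}/{prefix_len(m['src_mask'])}",
                   f"{m['dst_flow']}/{prefix_len(m['dst_mask'])}")
            table[key] = m["flow_type"].split()[-1]   # "in" or "out"
    return table

def unmirrored(ours, theirs):
    """Flows we install 'out' must appear 'in' on the peer (and vice versa);
    return the (src, dst, direction) triples that have no counterpart."""
    return [(s, d, dirn) for (s, d), dirn in ours.items()
            if theirs.get((s, d)) != ("in" if dirn == "out" else "out")]
```

Run `unmirrored(flows(parse_sadb(COLO_DUMP)), flows(parse_sadb(HOME_DUMP)))` on the full dumps from both peers; an empty result means the negotiated flows agree on both sides, so a "No flows" symptom has to be looked for elsewhere than in mismatched selectors.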
