2008/5/13 Jonathan <[EMAIL PROTECTED]>:
> On Tue, May 13, 2008 at 5:41 PM, Lord Sporkton <[EMAIL PROTECTED]> wrote:
>> I am trying to set up an IPsec link between my home network (private IP
>>  network behind a dynamic public IP) and my colo server (single public static IP).
>>  I was a bit unclear on how to set up a tunnel between a static and a dynamic IP.
>>
>>  interesting traffic:
>>  208.70.72.13 -> 10.0.0.0/16
>>
>>
>>  My SAD seems to set up OK; however, afterward I get no flows and cannot pass
>>  data. I've checked the logs and ipsecctl -m, but see nothing of use.
>>
>>  Below is the data I believe relevant; if anything else is requested I will
>>  do my best to post it back in a timely fashion.
>>  Thank you
>>
>>
>>  colo server:
>>
>>  # uname -a
>>  OpenBSD angie.sporkton.com 4.3 GENERIC#846 i386
>>  # cat /etc/ipsec.conf
>>
>>  ike passive from 208.70.72.13 to 10.0.0.0/16 \
>>         aggressive auth hmac-sha1 enc 3des group modp1024       \
>>         quick auth hmac-sha1 enc 3des \
>>         srcid "angie.sporkton.com" dstid "fire.sporkton.com" \
>>         psk "password"
>>  # ipsecctl -sa
>>  FLOWS:
>>  No flows
>>
>>  SAD:
>>  esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
>>  esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
>>  #
>>
>>  ipsecctl -m output:
>>
>>  sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
>>         address_src: 67.159.171.204
>>         address_dst: 208.70.72.13
>>         spirange: min 0x00000100 max 0xffffffff
>>  sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
>>         sa: spi 0x581ea1f0 auth none enc none
>>                 state mature replay 0 flags 0
>>         address_src: 67.159.171.204
>>         address_dst: 208.70.72.13
>>  sadb_add: satype esp vers 2 len 50 seq 10 pid 7557
>>         sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
>>                 state mature replay 16 flags 4
>>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>         address_src: 208.70.72.13
>>         address_dst: 67.159.171.204
>>         key_auth: bits 160: e7ee5eafe49c95cafc506ba1ba6c174a584e4859
>>         key_encrypt: bits 192: 65c174f84e389d2022ffbf9c1f152348d7b7f708ef757014
>>         identity_src: type fqdn id 0: angie.sporkton.com
>>         identity_dst: type fqdn id 0: fire.sporkton.com
>>         src_mask: 255.255.255.255
>>         dst_mask: 255.255.0.0
>>         protocol: proto 0 flags 0
>>         flow_type: type unknown direction out
>>         src_flow: 208.70.72.13
>>         dst_flow: 10.0.0.0
>>  sadb_add: satype esp vers 2 len 42 seq 10 pid 7557
>>         sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
>>                 state mature replay 16 flags 4
>>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>         address_src: 208.70.72.13
>>         address_dst: 67.159.171.204
>>         identity_src: type fqdn id 0: angie.sporkton.com
>>         identity_dst: type fqdn id 0: fire.sporkton.com
>>         src_mask: 255.255.255.255
>>         dst_mask: 255.255.0.0
>>         protocol: proto 0 flags 0
>>         flow_type: type unknown direction out
>>         src_flow: 208.70.72.13
>>         dst_flow: 10.0.0.0
>>  sadb_update: satype esp vers 2 len 50 seq 11 pid 7557
>>         sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
>>                 state mature replay 16 flags 4
>>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>         address_src: 67.159.171.204
>>         address_dst: 208.70.72.13
>>         key_auth: bits 160: c2beffabe156d0dbaca586e730694a4ff3cc4ef5
>>         key_encrypt: bits 192: 496cd320b35638d36dd8f899b8ce76c150840092db466715
>>         identity_src: type fqdn id 0: fire.sporkton.com
>>         identity_dst: type fqdn id 0: angie.sporkton.com
>>         src_mask: 255.255.0.0
>>         dst_mask: 255.255.255.255
>>         protocol: proto 0 flags 0
>>         flow_type: type unknown direction in
>>         src_flow: 10.0.0.0
>>         dst_flow: 208.70.72.13
>>  sadb_update: satype esp vers 2 len 42 seq 11 pid 7557
>>         sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
>>                 state mature replay 16 flags 4
>>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>         address_src: 67.159.171.204
>>         address_dst: 208.70.72.13
>>         identity_src: type fqdn id 0: fire.sporkton.com
>>         identity_dst: type fqdn id 0: angie.sporkton.com
>>         src_mask: 255.255.0.0
>>         dst_mask: 255.255.255.255
>>         protocol: proto 0 flags 0
>>         flow_type: type unknown direction in
>>         src_flow: 10.0.0.0
>>         dst_flow: 208.70.72.13
>>
>>
>>
>>  Home firewall:
>>
>>  # uname -a
>>  OpenBSD fire.sporkton.com 4.3 GENERIC#698 i386
>>  # cat /etc/ipsec.conf
>>  ike from 10.0.0.0/16 to 208.70.72.13 peer 208.70.72.13 \
>>         aggressive auth hmac-sha1 enc 3des group modp1024 \
>>         quick auth hmac-sha1 enc 3des \
>>         srcid "fire.sporkton.com" dstid "angie.sporkton.com" \
>>         psk "password"
>>  # ipsecctl -sa
>>  FLOWS:
>>  No flows
>>
>>  SAD:
>>  esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
>>  esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
>>  #
>>
>>
>>  ipsecctl -m output:
>>  sadb_getspi: satype esp vers 2 len 10 seq 4 pid 27351
>>         address_src: 208.70.72.13
>>         address_dst: 67.159.171.204
>>         spirange: min 0x00000100 max 0xffffffff
>>  sadb_getspi: satype esp vers 2 len 10 seq 4 pid 27351
>>         sa: spi 0xeac5bef2 auth none enc none
>>                 state mature replay 0 flags 0
>>         address_src: 208.70.72.13
>>         address_dst: 67.159.171.204
>>  sadb_add: satype esp vers 2 len 50 seq 5 pid 27351
>>         sa: spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
>>                 state mature replay 16 flags 4
>>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>         address_src: 67.159.171.204
>>         address_dst: 208.70.72.13
>>         key_auth: bits 160: 3e8df0ca567d73038ec1ef434032c7edc40ae308
>>         key_encrypt: bits 192: 94acef899197f1bdfc762d296e5e0dfca1ccedb854823e57
>>         identity_src: type fqdn id 0: fire.sporkton.com
>>         identity_dst: type fqdn id 0: angie.sporkton.com
>>         src_mask: 255.255.0.0
>>         dst_mask: 255.255.255.255
>>         protocol: proto 0 flags 0
>>         flow_type: type unknown direction out
>>         src_flow: 10.0.0.0
>>         dst_flow: 208.70.72.13
>>  sadb_add: satype esp vers 2 len 42 seq 5 pid 27351
>>         sa: spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
>>                 state mature replay 16 flags 4
>>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>         address_src: 67.159.171.204
>>         address_dst: 208.70.72.13
>>         identity_src: type fqdn id 0: fire.sporkton.com
>>         identity_dst: type fqdn id 0: angie.sporkton.com
>>         src_mask: 255.255.0.0
>>         dst_mask: 255.255.255.255
>>         protocol: proto 0 flags 0
>>         flow_type: type unknown direction out
>>         src_flow: 10.0.0.0
>>         dst_flow: 208.70.72.13
>>  sadb_update: satype esp vers 2 len 50 seq 6 pid 27351
>>         sa: spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
>>                 state mature replay 16 flags 4
>>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>         address_src: 208.70.72.13
>>         address_dst: 67.159.171.204
>>         key_auth: bits 160: 1e2e1137f4421ee9d84c50bbd3b03aedb12938ac
>>         key_encrypt: bits 192: a9eeb920e58b7603ae697d692407bbbdd60c39b65bc57bfe
>>         identity_src: type fqdn id 0: angie.sporkton.com
>>         identity_dst: type fqdn id 0: fire.sporkton.com
>>         src_mask: 255.255.255.255
>>         dst_mask: 255.255.0.0
>>         protocol: proto 0 flags 0
>>         flow_type: type unknown direction in
>>         src_flow: 208.70.72.13
>>         dst_flow: 10.0.0.0
>>  sadb_update: satype esp vers 2 len 42 seq 6 pid 27351
>>         sa: spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
>>                 state mature replay 16 flags 4
>>         lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>         lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>         address_src: 208.70.72.13
>>         address_dst: 67.159.171.204
>>         identity_src: type fqdn id 0: angie.sporkton.com
>>         identity_dst: type fqdn id 0: fire.sporkton.com
>>         src_mask: 255.255.255.255
>>         dst_mask: 255.255.0.0
>>         protocol: proto 0 flags 0
>>         flow_type: type unknown direction in
>>         src_flow: 208.70.72.13
>>         dst_flow: 10.0.0.0
>
> I would recommend taking a look at if you haven't already:
> http://www.securityfocus.com/infocus/1859
>
> Jonathan
>
>

I have indeed seen this document; however, I do not think it helps me
much, as I am using somewhat of an "off" configuration. I have never
seen a dynamic subnet to a static host; I've only seen static subnet to
static subnet and dynamic host to static host. As one side is
dynamic, I'm not really sure how to use the public keys; that's why I'm
using the PSK (I will look into that, though).

thank you

-- 
-Lawrence
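As an added example (editor's addition, not part of the thread and not taken from the OpenBSD documentation), here are the two ipsec.conf files from the post written in the usual dynamic-network-to-static-host pattern: the static colo host is the passive side with `peer any`, so it accepts the IKE exchange from whatever address the home firewall has today and identifies that peer by its FQDN ID rather than its IP; the home firewall is the active side, which always knows the static peer address. The addresses, networks and IDs are the ones from the post; the second pair shows the same tunnel with public keys, which is the answer to the "how do I use public keys with a dynamic side" question, since isakmpd looks a peer's key up by ID in /etc/isakmpd/pubkeys/fqdn/, not by address. The PSK value is a placeholder. Whether any of this is what fixes the missing flows in this particular setup is not something the thread establishes.

```conf
# Colo server (static 208.70.72.13): passive, "peer any" ties the rule to a
# remote whose address is not known in advance; the remote is then matched
# on its FQDN ID (dstid), not on the IP it happens to arrive from.
ike passive esp from 208.70.72.13 to 10.0.0.0/16 peer any \
        aggressive auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des \
        srcid "angie.sporkton.com" dstid "fire.sporkton.com" \
        psk "a long random secret, not a dictionary word"

# Home firewall (dynamic public IP, 10.0.0.0/16 behind it): the active
# side, which always knows the static peer address.
ike esp from 10.0.0.0/16 to 208.70.72.13 peer 208.70.72.13 \
        aggressive auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des \
        srcid "fire.sporkton.com" dstid "angie.sporkton.com" \
        psk "a long random secret, not a dictionary word"

# The same pair with public keys instead of a PSK.  Nothing here depends on
# the home side's address: isakmpd looks the peer's key up by FQDN ID in
# /etc/isakmpd/pubkeys/fqdn/<dstid>.  Each host's own key pair is
# /etc/isakmpd/private/local.key and /etc/isakmpd/local.pub (generated at
# boot if absent); copy each host's local.pub to the other host under the
# pubkeys/fqdn/ name given below.  Main mode (the default when "aggressive"
# is omitted) works once the key is selected by ID, and keeps the ID
# payloads encrypted.
#
# colo server: /etc/isakmpd/pubkeys/fqdn/fire.sporkton.com  <- home's local.pub
ike passive esp from 208.70.72.13 to 10.0.0.0/16 peer any \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des \
        srcid "angie.sporkton.com" dstid "fire.sporkton.com"

# home firewall: /etc/isakmpd/pubkeys/fqdn/angie.sporkton.com  <- colo's local.pub
ike esp from 10.0.0.0/16 to 208.70.72.13 peer 208.70.72.13 \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des \
        srcid "fire.sporkton.com" dstid "angie.sporkton.com"
```

Check either file with `ipsecctl -n -f /etc/ipsec.conf` before loading it, and confirm the result with `ipsecctl -sa` (the FLOWS section should no longer be empty). Two caveats worth keeping in mind with the configuration as posted: in IKEv1, aggressive mode with a PSK lets anyone who can capture the exchange run an offline guessing attack against the PSK, so if the PSK variant stays in use the secret should be long and random rather than a word like "password", and `ipsecctl -m` prints the negotiated SA keys in the clear (the key_auth and key_encrypt lines in the output above), so that output should be treated as sensitive and the SAs rekeyed once it has been pasted anywhere public.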
