On Thu, May 15 2008 at 09:09, Lord Sporkton wrote: > 2008/5/14 Lord Sporkton <[EMAIL PROTECTED]>: > > 2008/5/14 scott learmonth <[EMAIL PROTECTED]>: > >>> On Tue, May 13, 2008 at 5:41 PM, Lord Sporkton <[EMAIL PROTECTED]> > >>> wrote: > >>>> I am trying to set up a ipsec link between my home network(private ip > >>>> network behind dynamic public ip) > >>>> and my colo server(single public static ip). I was a bit unclear on > >>>> how to set up a tunnel between a static > >>>> and dynamic ip > >>>> > >>>> interesting traffic: > >>>> 208.70.72.13 -> 10.0.0.0/16 > >>>> > >>>> > >>>> My sad seems to set up ok, however afterward i get no flows and can not > >>>> pass > >>>> data, ive checked out logs, and ipsecctl -m, but see nothing of use. > >>>> > >>>> Below is data i believe relevant, if anything else is requested i will > >>>> do my best to post it back in a timely fashion > >>>> thank you > >>>> > >>>> > >>>> colo server: > >>>> > >>>> # uname -a > >>>> OpenBSD angie.sporkton.com 4.3 GENERIC#846 i386 > >>>> # cat /etc/ipsec.conf > >>>> > >>>> ike passive from 208.70.72.13 to 10.0.0.0/16 \ > >>>> aggressive auth hmac-sha1 enc 3des group modp1024 \ > >>>> quick auth hmac-sha1 enc 3des \ > >>>> srcid "angie.sporkton.com" dstid "fire.sporkton.com" \ > >>>> psk "password" > >>>> # ipsecctl -sa > >>>> FLOWS: > >>>> No flows > >>>> > >>>> SAD: > >>>> esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth > >>>> hmac-sha1 enc 3des-cbc > >>>> esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth > >>>> hmac-sha1 enc 3des-cbc > >>>> # > >>>> > >>>> ipsecctl -m output: > >>>> > >>>> sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557 > >>>> address_src: 67.159.171.204 > >>>> address_dst: 208.70.72.13 > >>>> spirange: min 0x00000100 max 0xffffffff > >>>> sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557 > >>>> sa: spi 0x581ea1f0 auth none enc none > >>>> state mature replay 0 flags 0 > >>>> address_src: 67.159.171.204 > >>>> address_dst: 208.70.72.13 > >>>> sadb_add: satype esp vers 2 len 50 seq 10 pid 7557 > >>>> sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc > >>>> state mature replay 16 flags 4 > >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0 > >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0 > >>>> address_src: 208.70.72.13 > >>>> address_dst: 67.159.171.204 > >>>> key_auth: bits 160: e7ee5eafe49c95cafc506ba1ba6c174a584e4859 > >>>> key_encrypt: bits 192: > >>>> 65c174f84e389d2022ffbf9c1f152348d7b7f708ef757014 > >>>> identity_src: type fqdn id 0: angie.sporkton.com > >>>> identity_dst: type fqdn id 0: fire.sporkton.com > >>>> src_mask: 255.255.255.255 > >>>> dst_mask: 255.255.0.0 > >>>> protocol: proto 0 flags 0 > >>>> flow_type: type unknown direction out > >>>> src_flow: 208.70.72.13 > >>>> dst_flow: 10.0.0.0 > >>>> sadb_add: satype esp vers 2 len 42 seq 10 pid 7557 > >>>> sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc > >>>> state mature replay 16 flags 4 > >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0 > >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0 > >>>> address_src: 208.70.72.13 > >>>> address_dst: 67.159.171.204 > >>>> identity_src: type fqdn id 0: angie.sporkton.com > >>>> identity_dst: type fqdn id 0: fire.sporkton.com > >>>> src_mask: 255.255.255.255 > >>>> dst_mask: 255.255.0.0 > >>>> protocol: proto 0 flags 0 > >>>> flow_type: type unknown direction out > >>>> src_flow: 208.70.72.13 > >>>> dst_flow: 10.0.0.0 > >>>> sadb_update: satype esp vers 2 len 50 seq 11 pid 7557 > >>>> sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc > >>>> state mature replay 16 flags 4 > >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0 > >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0 > >>>> address_src: 67.159.171.204 > >>>> address_dst: 208.70.72.13 > >>>> key_auth: bits 160: c2beffabe156d0dbaca586e730694a4ff3cc4ef5 > >>>> key_encrypt: bits 192: > >>>> 496cd320b35638d36dd8f899b8ce76c150840092db466715 > >>>> identity_src: type fqdn id 0: fire.sporkton.com > >>>> identity_dst: type fqdn id 0: angie.sporkton.com > >>>> src_mask: 255.255.0.0 > >>>> dst_mask: 255.255.255.255 > >>>> protocol: proto 0 flags 0 > >>>> flow_type: type unknown direction in > >>>> src_flow: 10.0.0.0 > >>>> dst_flow: 208.70.72.13 > >>>> sadb_update: satype esp vers 2 len 42 seq 11 pid 7557 > >>>> sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc > >>>> state mature replay 16 flags 4 > >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0 > >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0 > >>>> address_src: 67.159.171.204 > >>>> address_dst: 208.70.72.13 > >>>> identity_src: type fqdn id 0: fire.sporkton.com > >>>> identity_dst: type fqdn id 0: angie.sporkton.com > >>>> src_mask: 255.255.0.0 > >>>> dst_mask: 255.255.255.255 > >>>> protocol: proto 0 flags 0 > >>>> flow_type: type unknown direction in > >>>> src_flow: 10.0.0.0 > >>>> dst_flow: 208.70.72.13 > >>>> > >>>> > >>>> > >>>> Home firewall: > >>>> > >>>> # uname -a > >>>> OpenBSD fire.sporkton.com 4.3 GENERIC#698 i386 > >>>> # cat /etc/ipsec.conf > >>>> ike from 10.0.0.0/16 to 208.70.72.13 peer 208.70.72.13 \ > >>>> aggressive auth hmac-sha1 enc 3des group modp1024 \ > >>>> quick auth hmac-sha1 enc 3des \ > >>>> srcid "fire.sporkton.com" dstid "angie.sporkton.com" \ > >>>> psk "password" > >>>> # ipsecctl -sa > >>>> FLOWS: > >>>> No flows > >>>> > >>>> SAD: > >>>> esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth > >>>> hmac-sha1 enc 3des-cbc > >>>> esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth > >>>> hmac-sha1 enc 3des-cbc > >>>> # > >>>> > >>>> > >>>> ipsecctl -m output: > >>>> sadb_getspi: satype esp vers 2 len 10 seq 4 pid 27351 > >>>> address_src: 208.70.72.13 > >>>> address_dst: 67.159.171.204 > >>>> spirange: min 0x00000100 max 0xffffffff > >>>> sadb_getspi: satype esp vers 2 len 10 seq 4 pid 27351 > >>>> sa: spi 0xeac5bef2 auth none enc none > >>>> state mature replay 0 flags 0 > >>>> address_src: 208.70.72.13 > >>>> address_dst: 67.159.171.204 > >>>> sadb_add: satype esp vers 2 len 50 seq 5 pid 27351 > >>>> sa: spi 0x26974f0d auth hmac-sha1 enc 3des-cbc > >>>> state mature replay 16 flags 4 > >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0 > >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0 > >>>> address_src: 67.159.171.204 > >>>> address_dst: 208.70.72.13 > >>>> key_auth: bits 160: 3e8df0ca567d73038ec1ef434032c7edc40ae308 > >>>> key_encrypt: bits 192: > >>>> 94acef899197f1bdfc762d296e5e0dfca1ccedb854823e57 > >>>> identity_src: type fqdn id 0: fire.sporkton.com > >>>> identity_dst: type fqdn id 0: angie.sporkton.com > >>>> src_mask: 255.255.0.0 > >>>> dst_mask: 255.255.255.255 > >>>> protocol: proto 0 flags 0 > >>>> flow_type: type unknown direction out > >>>> src_flow: 10.0.0.0 > >>>> dst_flow: 208.70.72.13 > >>>> sadb_add: satype esp vers 2 len 42 seq 5 pid 27351 > >>>> sa: spi 0x26974f0d auth hmac-sha1 enc 3des-cbc > >>>> state mature replay 16 flags 4 > >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0 > >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0 > >>>> address_src: 67.159.171.204 > >>>> address_dst: 208.70.72.13 > >>>> identity_src: type fqdn id 0: fire.sporkton.com > >>>> identity_dst: type fqdn id 0: angie.sporkton.com > >>>> src_mask: 255.255.0.0 > >>>> dst_mask: 255.255.255.255 > >>>> protocol: proto 0 flags 0 > >>>> flow_type: type unknown direction out > >>>> src_flow: 10.0.0.0 > >>>> dst_flow: 208.70.72.13 > >>>> sadb_update: satype esp vers 2 len 50 seq 6 pid 27351 > >>>> sa: spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc > >>>> state mature replay 16 flags 4 > >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0 > >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0 > >>>> address_src: 208.70.72.13 > >>>> address_dst: 67.159.171.204 > >>>> key_auth: bits 160: 1e2e1137f4421ee9d84c50bbd3b03aedb12938ac > >>>> key_encrypt: bits 192: > >>>> a9eeb920e58b7603ae697d692407bbbdd60c39b65bc57bfe > >>>> identity_src: type fqdn id 0: angie.sporkton.com > >>>> identity_dst: type fqdn id 0: fire.sporkton.com > >>>> src_mask: 255.255.255.255 > >>>> dst_mask: 255.255.0.0 > >>>> protocol: proto 0 flags 0 > >>>> flow_type: type unknown direction in > >>>> src_flow: 208.70.72.13 > >>>> dst_flow: 10.0.0.0 > >>>> sadb_update: satype esp vers 2 len 42 seq 6 pid 27351 > >>>> sa: spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc > >>>> state mature replay 16 flags 4 > >>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0 > >>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0 > >>>> address_src: 208.70.72.13 > >>>> address_dst: 67.159.171.204 > >>>> identity_src: type fqdn id 0: angie.sporkton.com > >>>> identity_dst: type fqdn id 0: fire.sporkton.com > >>>> src_mask: 255.255.255.255 > >>>> dst_mask: 255.255.0.0 > >>>> protocol: proto 0 flags 0 > >>>> flow_type: type unknown direction in > >>>> src_flow: 208.70.72.13 > >>>> dst_flow: 10.0.0.0 > >>> > >>> I would recommend taking a look at if you haven't already: > >>> http://www.securityfocus.com/infocus/1859 > >>> > >>> Jonathan > >>> > >>> > >> > >> http://www.securityfocus.com/infocus/1859 > >> is the article that started it all for me using ipsec and OpenBSD. It's > >> not exactly geared for one end being dynamic ip though. > >> > >> I don't have much experience with dynamic addresses, but if my > >> understanding is correct, the best would be as below. > >> > >> Let me know if it works, I'm curious, since I've also never done ipsec > >> between a static and dynamic device without an internal subnet on both > >> hosts: > >> > >> > >> colo /etc/ipsec.conf: > >> > >> ike passive from 208.70.72.13 to 10.0.0.0/16 > >> > >> home /etc/ipsec.conf: > >> > >> ike dynamic from 10.0.0.0/16 to 208.70.72.13 > >> > >> (it looks TOO incomplete to me, but hey. IPsec on OpenBSD never ceases to > >> amaze me in it's simplicity compared to other options) > >> > >> Make sure your pf on both ends is allowing negotiation (which it seems to > >> be). Also, unless you need to apply pf rules to your encrypted traffic, > >> make sure you've got enc0 in your "set skip on" interfaces. > >> > >> I'd suggest using pubkeys as in isakmpd(8) which should be: > >> > >> copy /etc/isakmpd/local.pub from colo to > >> /etc/isakmpd/pubkeys/ipv4/208.70.72.13 on home machine > >> > >> copy /etc/isakmpd/local.pub from home to > >> /etc/isakmpd/pubkeys/fqdn/client.host.name on the colo > >> > >> That would be better than psk if you can get it working, imho. > >> > >> Cheers > >> > >> > >> > > > > i have switched to using pubkeys via fqdn as im using fqdn in both > > dstid and srcid, that is now working. and quite nicely if i do say so > > myself > > > > i have appropriate nonat on the dynamic side as well > > angie="208.70.72.13" > > table <private> const { 10/8, 172.16/12, 192.168/16 } > > no nat on $ext_if from <private> to $angie > > > > > > the pf is set up to allow all udp 500 traffic on both sides. > > pass in on $ext_if inet proto udp from any to $ext_if port isakmp > > > > enc0 was not on my skip list however it is now, and still no change > > set skip on {enc0, lo0} > > > > from the man page sample: > > #ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \ > > # srcid me.mylan.net dstid the.others.net > > #ike esp from 192.168.3.1 to 192.168.3.2 \ > > # srcid me.mylan.net dstid the.others.net > > > > # Set up a tunnel using static keying: > > # > > # The first rule sets up the flow; the second sets up the SA. > > > > it seems to imply that 2 rules are needed for any one connection, one > > rule that specifies interesting traffic and one that defines > > termination points. I will try this. > > > > > > -- > > -Lawrence > > > > Im not exactly sure how to tell the second rule, as the home endpoint > is dynamic, i cant set that one to a ip since it will change, and if i > set it to a fqdn i get errors for mismatched types, however i think it > just looks up the name anyone doesnt it?
Do you have a rule to allow esp traffic ? If you don't have one, here is what you should add in your pf ruleset : pass in on $ext_if inet proto 50 from any to $ext_if Claer
