http://www.openbsd.org/papers/asiabsdcon07-ipsec/mgp00065.html
Try:

ipsec.conf on fire:
angie = "208.70.72.13"
fire = "10.0.0.0/24"
ike esp from $fire to $angie local egress \
    srcid "fire.sporkton.com" dstid "angie.sporkton.com"

ipsec.conf on angie:
angie = "208.70.72.13"
fire = "10.0.0.0/24"
ike passive esp from $angie to $fire \
    srcid "angie.sporkton.com" dstid "fire.sporkton.com"

HTH,
Jose.

Lord Sporkton wrote:
> 2008/5/15 Claer <[EMAIL PROTECTED]>:
>> On Thu, May 15 2008 at 09:09, Lord Sporkton wrote:
>>
>>> 2008/5/14 Lord Sporkton <[EMAIL PROTECTED]>:
>>>> 2008/5/14 scott learmonth <[EMAIL PROTECTED]>:
>>>>>> On Tue, May 13, 2008 at 5:41 PM, Lord Sporkton <[EMAIL PROTECTED]> wrote:
>>>>>>> I am trying to set up an ipsec link between my home network (private ip
>>>>>>> network behind dynamic public ip) and my colo server (single public
>>>>>>> static ip). I was a bit unclear on how to set up a tunnel between a
>>>>>>> static and dynamic ip.
>>>>>>>
>>>>>>> interesting traffic:
>>>>>>> 208.70.72.13 -> 10.0.0.0/16
>>>>>>>
>>>>>>> My SAD seems to set up ok, however afterward I get no flows and can not
>>>>>>> pass data. I've checked out logs, and ipsecctl -m, but see nothing of use.
>>>>>>>
>>>>>>> Below is data I believe relevant; if anything else is requested I will
>>>>>>> do my best to post it back in a timely fashion.
>>>>>>> thank you
>>>>>>>
>>>>>>> colo server:
>>>>>>>
>>>>>>> # uname -a
>>>>>>> OpenBSD angie.sporkton.com 4.3 GENERIC#846 i386
>>>>>>> # cat /etc/ipsec.conf
>>>>>>>
>>>>>>> ike passive from 208.70.72.13 to 10.0.0.0/16 \
>>>>>>>     aggressive auth hmac-sha1 enc 3des group modp1024 \
>>>>>>>     quick auth hmac-sha1 enc 3des \
>>>>>>>     srcid "angie.sporkton.com" dstid "fire.sporkton.com" \
>>>>>>>     psk "password"
>>>>>>> # ipsecctl -sa
>>>>>>> FLOWS:
>>>>>>> No flows
>>>>>>>
>>>>>>> SAD:
>>>>>>> esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
>>>>>>> esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
>>>>>>> #
>>>>>>>
>>>>>>> ipsecctl -m output:
>>>>>>>
>>>>>>> sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
>>>>>>> address_src: 67.159.171.204
>>>>>>> address_dst: 208.70.72.13
>>>>>>> spirange: min 0x00000100 max 0xffffffff
>>>>>>> sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
>>>>>>> sa: spi 0x581ea1f0 auth none enc none
>>>>>>> state mature replay 0 flags 0
>>>>>>> address_src: 67.159.171.204
>>>>>>> address_dst: 208.70.72.13
>>>>>>> sadb_add: satype esp vers 2 len 50 seq 10 pid 7557
>>>>>>> sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
>>>>>>> state mature replay 16 flags 4
>>>>>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>>>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>>>>> address_src: 208.70.72.13
>>>>>>> address_dst: 67.159.171.204
>>>>>>> key_auth: bits 160: e7ee5eafe49c95cafc506ba1ba6c174a584e4859
>>>>>>> key_encrypt: bits 192: 65c174f84e389d2022ffbf9c1f152348d7b7f708ef757014
>>>>>>> identity_src: type fqdn id 0: angie.sporkton.com
>>>>>>> identity_dst: type fqdn id 0: fire.sporkton.com
>>>>>>> src_mask: 255.255.255.255
>>>>>>> dst_mask: 255.255.0.0
>>>>>>> protocol: proto 0 flags 0
>>>>>>> flow_type: type unknown direction out
>>>>>>> src_flow: 208.70.72.13
>>>>>>> dst_flow: 10.0.0.0
>>>>>>> sadb_add: satype esp vers 2 len 42 seq 10 pid 7557
>>>>>>> sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
>>>>>>> state mature replay 16 flags 4
>>>>>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>>>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>>>>> address_src: 208.70.72.13
>>>>>>> address_dst: 67.159.171.204
>>>>>>> identity_src: type fqdn id 0: angie.sporkton.com
>>>>>>> identity_dst: type fqdn id 0: fire.sporkton.com
>>>>>>> src_mask: 255.255.255.255
>>>>>>> dst_mask: 255.255.0.0
>>>>>>> protocol: proto 0 flags 0
>>>>>>> flow_type: type unknown direction out
>>>>>>> src_flow: 208.70.72.13
>>>>>>> dst_flow: 10.0.0.0
>>>>>>> sadb_update: satype esp vers 2 len 50 seq 11 pid 7557
>>>>>>> sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
>>>>>>> state mature replay 16 flags 4
>>>>>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>>>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>>>>> address_src: 67.159.171.204
>>>>>>> address_dst: 208.70.72.13
>>>>>>> key_auth: bits 160: c2beffabe156d0dbaca586e730694a4ff3cc4ef5
>>>>>>> key_encrypt: bits 192: 496cd320b35638d36dd8f899b8ce76c150840092db466715
>>>>>>> identity_src: type fqdn id 0: fire.sporkton.com
>>>>>>> identity_dst: type fqdn id 0: angie.sporkton.com
>>>>>>> src_mask: 255.255.0.0
>>>>>>> dst_mask: 255.255.255.255
>>>>>>> protocol: proto 0 flags 0
>>>>>>> flow_type: type unknown direction in
>>>>>>> src_flow: 10.0.0.0
>>>>>>> dst_flow: 208.70.72.13
>>>>>>> sadb_update: satype esp vers 2 len 42 seq 11 pid 7557
>>>>>>> sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
>>>>>>> state mature replay 16 flags 4
>>>>>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>>>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>>>>> address_src: 67.159.171.204
>>>>>>> address_dst: 208.70.72.13
>>>>>>> identity_src: type fqdn id 0: fire.sporkton.com
>>>>>>> identity_dst: type fqdn id 0: angie.sporkton.com
>>>>>>> src_mask: 255.255.0.0
>>>>>>> dst_mask: 255.255.255.255
>>>>>>> protocol: proto 0 flags 0
>>>>>>> flow_type: type unknown direction in
>>>>>>> src_flow: 10.0.0.0
>>>>>>> dst_flow: 208.70.72.13
>>>>>>>
>>>>>>> Home firewall:
>>>>>>>
>>>>>>> # uname -a
>>>>>>> OpenBSD fire.sporkton.com 4.3 GENERIC#698 i386
>>>>>>> # cat /etc/ipsec.conf
>>>>>>> ike from 10.0.0.0/16 to 208.70.72.13 peer 208.70.72.13 \
>>>>>>>     aggressive auth hmac-sha1 enc 3des group modp1024 \
>>>>>>>     quick auth hmac-sha1 enc 3des \
>>>>>>>     srcid "fire.sporkton.com" dstid "angie.sporkton.com" \
>>>>>>>     psk "password"
>>>>>>> # ipsecctl -sa
>>>>>>> FLOWS:
>>>>>>> No flows
>>>>>>>
>>>>>>> SAD:
>>>>>>> esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
>>>>>>> esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
>>>>>>> #
>>>>>>>
>>>>>>> ipsecctl -m output:
>>>>>>> sadb_getspi: satype esp vers 2 len 10 seq 4 pid 27351
>>>>>>> address_src: 208.70.72.13
>>>>>>> address_dst: 67.159.171.204
>>>>>>> spirange: min 0x00000100 max 0xffffffff
>>>>>>> sadb_getspi: satype esp vers 2 len 10 seq 4 pid 27351
>>>>>>> sa: spi 0xeac5bef2 auth none enc none
>>>>>>> state mature replay 0 flags 0
>>>>>>> address_src: 208.70.72.13
>>>>>>> address_dst: 67.159.171.204
>>>>>>> sadb_add: satype esp vers 2 len 50 seq 5 pid 27351
>>>>>>> sa: spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
>>>>>>> state mature replay 16 flags 4
>>>>>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>>>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>>>>> address_src: 67.159.171.204
>>>>>>> address_dst: 208.70.72.13
>>>>>>> key_auth: bits 160: 3e8df0ca567d73038ec1ef434032c7edc40ae308
>>>>>>> key_encrypt: bits 192: 94acef899197f1bdfc762d296e5e0dfca1ccedb854823e57
>>>>>>> identity_src: type fqdn id 0: fire.sporkton.com
>>>>>>> identity_dst: type fqdn id 0: angie.sporkton.com
>>>>>>> src_mask: 255.255.0.0
>>>>>>> dst_mask: 255.255.255.255
>>>>>>> protocol: proto 0 flags 0
>>>>>>> flow_type: type unknown direction out
>>>>>>> src_flow: 10.0.0.0
>>>>>>> dst_flow: 208.70.72.13
>>>>>>> sadb_add: satype esp vers 2 len 42 seq 5 pid 27351
>>>>>>> sa: spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
>>>>>>> state mature replay 16 flags 4
>>>>>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>>>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>>>>> address_src: 67.159.171.204
>>>>>>> address_dst: 208.70.72.13
>>>>>>> identity_src: type fqdn id 0: fire.sporkton.com
>>>>>>> identity_dst: type fqdn id 0: angie.sporkton.com
>>>>>>> src_mask: 255.255.0.0
>>>>>>> dst_mask: 255.255.255.255
>>>>>>> protocol: proto 0 flags 0
>>>>>>> flow_type: type unknown direction out
>>>>>>> src_flow: 10.0.0.0
>>>>>>> dst_flow: 208.70.72.13
>>>>>>> sadb_update: satype esp vers 2 len 50 seq 6 pid 27351
>>>>>>> sa: spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
>>>>>>> state mature replay 16 flags 4
>>>>>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>>>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>>>>> address_src: 208.70.72.13
>>>>>>> address_dst: 67.159.171.204
>>>>>>> key_auth: bits 160: 1e2e1137f4421ee9d84c50bbd3b03aedb12938ac
>>>>>>> key_encrypt: bits 192: a9eeb920e58b7603ae697d692407bbbdd60c39b65bc57bfe
>>>>>>> identity_src: type fqdn id 0: angie.sporkton.com
>>>>>>> identity_dst: type fqdn id 0: fire.sporkton.com
>>>>>>> src_mask: 255.255.255.255
>>>>>>> dst_mask: 255.255.0.0
>>>>>>> protocol: proto 0 flags 0
>>>>>>> flow_type: type unknown direction in
>>>>>>> src_flow: 208.70.72.13
>>>>>>> dst_flow: 10.0.0.0
>>>>>>> sadb_update: satype esp vers 2 len 42 seq 6 pid 27351
>>>>>>> sa: spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
>>>>>>> state mature replay 16 flags 4
>>>>>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>>>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>>>>> address_src: 208.70.72.13
>>>>>>> address_dst: 67.159.171.204
>>>>>>> identity_src: type fqdn id 0: angie.sporkton.com
>>>>>>> identity_dst: type fqdn id 0: fire.sporkton.com
>>>>>>> src_mask: 255.255.255.255
>>>>>>> dst_mask: 255.255.0.0
>>>>>>> protocol: proto 0 flags 0
>>>>>>> flow_type: type unknown direction in
>>>>>>> src_flow: 208.70.72.13
>>>>>>> dst_flow: 10.0.0.0
>>>>>>
>>>>>> I would recommend taking a look at this if you haven't already:
>>>>>> http://www.securityfocus.com/infocus/1859
>>>>>>
>>>>>> Jonathan
>>>>>
>>>>> http://www.securityfocus.com/infocus/1859
>>>>> is the article that started it all for me using ipsec and OpenBSD. It's
>>>>> not exactly geared for one end being dynamic ip though.
>>>>>
>>>>> I don't have much experience with dynamic addresses, but if my
>>>>> understanding is correct, the best would be as below.
>>>>>
>>>>> Let me know if it works, I'm curious, since I've also never done ipsec
>>>>> between a static and dynamic device without an internal subnet on both
>>>>> hosts:
>>>>>
>>>>> colo /etc/ipsec.conf:
>>>>>
>>>>> ike passive from 208.70.72.13 to 10.0.0.0/16
>>>>>
>>>>> home /etc/ipsec.conf:
>>>>>
>>>>> ike dynamic from 10.0.0.0/16 to 208.70.72.13
>>>>>
>>>>> (it looks TOO incomplete to me, but hey. IPsec on OpenBSD never ceases to
>>>>> amaze me in its simplicity compared to other options)
>>>>>
>>>>> Make sure your pf on both ends is allowing negotiation (which it seems to
>>>>> be). Also, unless you need to apply pf rules to your encrypted traffic,
>>>>> make sure you've got enc0 in your "set skip on" interfaces.
>>>>>
>>>>> I'd suggest using pubkeys as in isakmpd(8) which should be:
>>>>>
>>>>> copy /etc/isakmpd/local.pub from colo to
>>>>> /etc/isakmpd/pubkeys/ipv4/208.70.72.13 on home machine
>>>>>
>>>>> copy /etc/isakmpd/local.pub from home to
>>>>> /etc/isakmpd/pubkeys/fqdn/client.host.name on the colo
>>>>>
>>>>> That would be better than psk if you can get it working, imho.
>>>>>
>>>>> Cheers
>>>>
>>>> I have switched to using pubkeys via fqdn as I'm using fqdn in both
>>>> dstid and srcid; that is now working, and quite nicely if I do say so
>>>> myself.
>>>>
>>>> I have appropriate nonat on the dynamic side as well:
>>>> angie="208.70.72.13"
>>>> table <private> const { 10/8, 172.16/12, 192.168/16 }
>>>> no nat on $ext_if from <private> to $angie
>>>>
>>>> The pf is set up to allow all udp 500 traffic on both sides.
>>>> pass in on $ext_if inet proto udp from any to $ext_if port isakmp
>>>>
>>>> enc0 was not on my skip list, however it is now, and still no change.
>>>> set skip on {enc0, lo0}
>>>>
>>>> from the man page sample:
>>>> #ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \
>>>> #       srcid me.mylan.net dstid the.others.net
>>>> #ike esp from 192.168.3.1 to 192.168.3.2 \
>>>> #       srcid me.mylan.net dstid the.others.net
>>>>
>>>> # Set up a tunnel using static keying:
>>>> #
>>>> # The first rule sets up the flow; the second sets up the SA.
>>>>
>>>> It seems to imply that 2 rules are needed for any one connection: one
>>>> rule that specifies interesting traffic and one that defines
>>>> termination points. I will try this.
>>>>
>>>> --
>>>> -Lawrence
>>>>
>>> I'm not exactly sure how to tell the second rule, as the home endpoint
>>> is dynamic. I can't set that one to an ip since it will change, and if I
>>> set it to an fqdn I get errors for mismatched types; however I think it
>>> just looks up the name anyway, doesn't it?
>>
>> Do you have a rule to allow esp traffic? If you don't have one, here is
>> what you should add in your pf ruleset:
>>
>> pass in on $ext_if inet proto 50 from any to $ext_if
>>
>> Claer
>>
>
> Yes, I have modified my pf as well as ipsec.conf; below are the new
> configs, still no worky. I've been experimenting with different ways
> but nothing really passes traffic. I'm concerned that perhaps it's not
> my ipsec.conf that's messed up but something else I'm missing that is
> preventing it from passing traffic; so far as I can tell the entire SA
> comes up.
>
> both routers now have:
> pass in on $ext_if inet proto udp from any to $ext_if port isakmp
> pass in on $ext_if inet proto esp from any to $ext_if
>
> the fire router has:
> no nat on $ext_if from <private> to $angie
>
> ipsec.conf on fire:
> angie = "208.70.72.13"
> fire = "10.0.0.0/24"
>
> ike active esp tunnel from $fire to $angie peer $angie \
>     aggressive auth hmac-sha1 enc 3des group modp1024 \
>     quick auth hmac-sha1 enc 3des \
>     srcid "fire.sporkton.com" dstid "angie.sporkton.com"
>
> ipsec.conf on angie:
> angie = "208.70.72.13"
> fire = "10.0.0.0/24"
>
> ike passive esp tunnel from $angie to $fire \
>     aggressive auth hmac-sha1 enc 3des group modp1024 \
>     quick auth hmac-sha1 enc 3des \
>     srcid "angie.sporkton.com" dstid "fire.sporkton.com"
>
> thank you
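The symptom that runs through this thread is an SAD with both ESP SAs negotiated while `ipsecctl -sa` reports "No flows", so no traffic selector ever steers packets into the tunnel. As an added example (not code from any poster here), a small Python check that parses `ipsecctl -sa` output and flags that state, plus flows whose peer has no SA; the sample output is constructed after the output quoted in the thread, and the single-line layout of the healthy FLOWS entries is an assumption.

```python
import re

# Constructed sample, modelled on the `ipsecctl -sa` output quoted in the thread:
# both SAs came up between the public addresses, yet FLOWS is empty.
SAMPLE_NO_FLOWS = """\
FLOWS:
No flows

SAD:
esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
"""

# Constructed healthy counterpart; flow-line layout (direction, selectors, peer) assumed.
SAMPLE_OK = """\
FLOWS:
flow esp in from 208.70.72.13 to 10.0.0.0/24 peer 208.70.72.13 type use
flow esp out from 10.0.0.0/24 to 208.70.72.13 peer 208.70.72.13 type require

SAD:
esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
"""

SA_RE = re.compile(r"^esp \S+ from (\S+) to (\S+) spi (0x[0-9a-f]+)")
FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+) peer (\S+)")

def parse(text):
    """Return ({(src, dst): spi}, [(direction, from, to, peer)]) from ipsecctl -sa output."""
    sas, flows = {}, []
    for line in text.splitlines():
        if m := SA_RE.match(line):
            sas[(m[1], m[2])] = m[3]
        elif m := FLOW_RE.match(line):
            flows.append((m[1], m[2], m[3], m[4]))
    return sas, flows

def diagnose(text):
    """List human-readable findings; an empty list means SAs and flows agree."""
    sas, flows = parse(text)
    findings = []
    if sas and not flows:  # the thread's exact state: keys agreed, no policy to use them
        findings.append("SAs negotiated but no flows installed: no traffic selector "
                        "points packets into the tunnel; check from/to of the ike rule")
    endpoints = {addr for pair in sas for addr in pair}
    for direction, src, dst, peer in flows:
        if peer not in endpoints:  # policy exists but no SA will ever carry it
            findings.append(f"flow {direction} {src}->{dst} names peer {peer}, which has no SA")
    return findings
```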