http://www.openbsd.org/papers/asiabsdcon07-ipsec/mgp00065.html
try
ipsec.conf on fire:
angie = "208.70.72.13"
fire = "10.0.0.0/24"
ike esp from $fire to $angie local egress \
srcid "fire.sporkton.com" dstid "angie.sporkton.com"
ipsec.conf on angie:
angie = "208.70.72.13"
fire = "10.0.0.0/24"
ike passive esp from $angie to $fire \
srcid "angie.sporkton.com" dstid "fire.sporkton.com"
HTH,
Jose.
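As an added example, not part of this thread and not OpenBSD's own tooling: a small Python checker that parses `ipsecctl -sa` output and flags the exact symptom reported in the quoted messages below, a populated SAD (phase 1 and 2 completed, keys installed) with an empty FLOWS section, so no packet is ever selected into the tunnel. The broken sample reuses the SAD lines quoted further down; the working sample's flow lines are constructed, and their format (`flow esp in from ... peer ... type use`) is an assumption about how ipsecctl prints flows.

```python
"""Parse `ipsecctl -sa` output and report SAs that have no usable flow."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the `ipsecctl -sa` output posted in the thread
# (the mail-wrapped "auth\nhmac-sha1" lines are joined back together here).
BROKEN_SAMPLE = """\
FLOWS:
No flows

SAD:
esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
"""

# Constructed sample of a healthy state on the colo side. The flow line format is an
# assumption; the thread never shows a populated FLOWS section.
WORKING_SAMPLE = """\
FLOWS:
flow esp in from 10.0.0.0/24 to 208.70.72.13 peer 67.159.171.204 srcid FQDN/angie.sporkton.com dstid FQDN/fire.sporkton.com type use
flow esp out from 208.70.72.13 to 10.0.0.0/24 peer 67.159.171.204 srcid FQDN/angie.sporkton.com dstid FQDN/fire.sporkton.com type require

SAD:
esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
"""

SA_RE = re.compile(
    r"^(?P<proto>\w+) (?P<mode>tunnel|transport) from (?P<src>\S+) to (?P<dst>\S+) "
    r"spi (?P<spi>0x[0-9a-fA-F]+)")
FLOW_RE = re.compile(
    r"^flow (?P<proto>\w+) (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: peer (?P<peer>\S+))?")


@dataclass(frozen=True)
class SA:
    proto: str
    mode: str
    src: str      # outer (gateway) source address
    dst: str      # outer (gateway) destination address
    spi: int


@dataclass(frozen=True)
class Flow:
    proto: str
    direction: str
    src: str      # traffic selector, may be a prefix
    dst: str
    peer: Optional[str]


def parse_ipsecctl_sa(text: str) -> Tuple[List[Flow], List[SA]]:
    """Split `ipsecctl -sa` output into its FLOWS and SAD sections."""
    flows: List[Flow] = []
    sas: List[SA] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "FLOWS:":
            section = "flows"
            continue
        if line == "SAD:":
            section = "sad"
            continue
        if section == "flows":
            m = FLOW_RE.match(line)
            if m:
                flows.append(Flow(m["proto"], m["dir"], m["src"], m["dst"], m["peer"]))
        elif section == "sad":
            m = SA_RE.match(line)
            if m:
                sas.append(SA(m["proto"], m["mode"], m["src"], m["dst"], int(m["spi"], 16)))
    return flows, sas


def diagnose(text: str) -> List[str]:
    """Return human-readable findings; an empty list means SAs and flows line up."""
    flows, sas = parse_ipsecctl_sa(text)
    findings: List[str] = []
    if sas and not flows:
        findings.append("SAs negotiated but no flows installed: the kernel holds keys but no "
                        "selector sends traffic through them; check the from/to selectors on "
                        "both ends")
        return findings
    peers = {f.peer for f in flows if f.peer}
    for sa in sas:
        if sa.src not in peers and sa.dst not in peers:
            findings.append(f"SA spi {sa.spi:#x} ({sa.src} -> {sa.dst}) has no flow whose "
                            f"peer matches either endpoint")
    for f in flows:
        if f.peer and not any(f.peer in (sa.src, sa.dst) for sa in sas):
            findings.append(f"flow {f.direction} {f.src} -> {f.dst} names peer {f.peer} "
                            f"but no SA to that peer exists")
    return findings


if __name__ == "__main__":
    # Usage on a live system: ipsecctl -sa | python3 thisfile.py -
    import sys
    data = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else BROKEN_SAMPLE
    for finding in diagnose(data) or ["no problems found"]:
        print(finding)
```

The check only looks at whether each SA's gateway endpoints show up as the peer of some flow, which is the first thing to establish before looking at pf or NAT: without a flow the kernel never consults the SA, so `no nat` rules and `set skip on enc0` cannot help.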
Lord Sporkton wrote:
> 2008/5/15 Claer <[EMAIL PROTECTED]>:
>> On Thu, May 15 2008 at 09:09, Lord Sporkton wrote:
>>
>>> 2008/5/14 Lord Sporkton <[EMAIL PROTECTED]>:
>>>> 2008/5/14 scott learmonth <[EMAIL PROTECTED]>:
>>>>>> On Tue, May 13, 2008 at 5:41 PM, Lord Sporkton <[EMAIL PROTECTED]>
>>>>>> wrote:
>>>>>>> I am trying to set up an ipsec link between my home network (private IP
>>>>>>> network behind a dynamic public IP)
>>>>>>> and my colo server (single public static IP). I was a bit unclear on
>>>>>>> how to set up a tunnel between a static
>>>>>>> and a dynamic IP.
>>>>>>>
>>>>>>> interesting traffic:
>>>>>>> 208.70.72.13 -> 10.0.0.0/16
>>>>>>>
>>>>>>>
>>>>>>> My SAD seems to set up OK; however, afterward I get no flows and cannot
>>>>>>> pass data. I've checked the logs and ipsecctl -m, but see nothing of use.
>>>>>>>
>>>>>>> Below is the data I believe relevant; if anything else is requested I will
>>>>>>> do my best to post it back in a timely fashion.
>>>>>>> Thank you.
>>>>>>>
>>>>>>>
>>>>>>> colo server:
>>>>>>>
>>>>>>> # uname -a
>>>>>>> OpenBSD angie.sporkton.com 4.3 GENERIC#846 i386
>>>>>>> # cat /etc/ipsec.conf
>>>>>>>
>>>>>>> ike passive from 208.70.72.13 to 10.0.0.0/16 \
>>>>>>> aggressive auth hmac-sha1 enc 3des group modp1024 \
>>>>>>> quick auth hmac-sha1 enc 3des \
>>>>>>> srcid "angie.sporkton.com" dstid "fire.sporkton.com" \
>>>>>>> psk "password"
>>>>>>> # ipsecctl -sa
>>>>>>> FLOWS:
>>>>>>> No flows
>>>>>>>
>>>>>>> SAD:
>>>>>>> esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
>>>>>>> esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
>>>>>>> #
>>>>>>>
>>>>>>> ipsecctl -m output:
>>>>>>>
>>>>>>> sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
>>>>>>> address_src: 67.159.171.204
>>>>>>> address_dst: 208.70.72.13
>>>>>>> spirange: min 0x00000100 max 0xffffffff
>>>>>>> sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
>>>>>>> sa: spi 0x581ea1f0 auth none enc none
>>>>>>> state mature replay 0 flags 0
>>>>>>> address_src: 67.159.171.204
>>>>>>> address_dst: 208.70.72.13
>>>>>>> sadb_add: satype esp vers 2 len 50 seq 10 pid 7557
>>>>>>> sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
>>>>>>> state mature replay 16 flags 4
>>>>>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>>>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>>>>> address_src: 208.70.72.13
>>>>>>> address_dst: 67.159.171.204
>>>>>>> key_auth: bits 160: e7ee5eafe49c95cafc506ba1ba6c174a584e4859
>>>>>>> key_encrypt: bits 192: 65c174f84e389d2022ffbf9c1f152348d7b7f708ef757014
>>>>>>> identity_src: type fqdn id 0: angie.sporkton.com
>>>>>>> identity_dst: type fqdn id 0: fire.sporkton.com
>>>>>>> src_mask: 255.255.255.255
>>>>>>> dst_mask: 255.255.0.0
>>>>>>> protocol: proto 0 flags 0
>>>>>>> flow_type: type unknown direction out
>>>>>>> src_flow: 208.70.72.13
>>>>>>> dst_flow: 10.0.0.0
>>>>>>> sadb_add: satype esp vers 2 len 42 seq 10 pid 7557
>>>>>>> sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
>>>>>>> state mature replay 16 flags 4
>>>>>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>>>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>>>>> address_src: 208.70.72.13
>>>>>>> address_dst: 67.159.171.204
>>>>>>> identity_src: type fqdn id 0: angie.sporkton.com
>>>>>>> identity_dst: type fqdn id 0: fire.sporkton.com
>>>>>>> src_mask: 255.255.255.255
>>>>>>> dst_mask: 255.255.0.0
>>>>>>> protocol: proto 0 flags 0
>>>>>>> flow_type: type unknown direction out
>>>>>>> src_flow: 208.70.72.13
>>>>>>> dst_flow: 10.0.0.0
>>>>>>> sadb_update: satype esp vers 2 len 50 seq 11 pid 7557
>>>>>>> sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
>>>>>>> state mature replay 16 flags 4
>>>>>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>>>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>>>>> address_src: 67.159.171.204
>>>>>>> address_dst: 208.70.72.13
>>>>>>> key_auth: bits 160: c2beffabe156d0dbaca586e730694a4ff3cc4ef5
>>>>>>> key_encrypt: bits 192: 496cd320b35638d36dd8f899b8ce76c150840092db466715
>>>>>>> identity_src: type fqdn id 0: fire.sporkton.com
>>>>>>> identity_dst: type fqdn id 0: angie.sporkton.com
>>>>>>> src_mask: 255.255.0.0
>>>>>>> dst_mask: 255.255.255.255
>>>>>>> protocol: proto 0 flags 0
>>>>>>> flow_type: type unknown direction in
>>>>>>> src_flow: 10.0.0.0
>>>>>>> dst_flow: 208.70.72.13
>>>>>>> sadb_update: satype esp vers 2 len 42 seq 11 pid 7557
>>>>>>> sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
>>>>>>> state mature replay 16 flags 4
>>>>>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>>>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>>>>> address_src: 67.159.171.204
>>>>>>> address_dst: 208.70.72.13
>>>>>>> identity_src: type fqdn id 0: fire.sporkton.com
>>>>>>> identity_dst: type fqdn id 0: angie.sporkton.com
>>>>>>> src_mask: 255.255.0.0
>>>>>>> dst_mask: 255.255.255.255
>>>>>>> protocol: proto 0 flags 0
>>>>>>> flow_type: type unknown direction in
>>>>>>> src_flow: 10.0.0.0
>>>>>>> dst_flow: 208.70.72.13
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Home firewall:
>>>>>>>
>>>>>>> # uname -a
>>>>>>> OpenBSD fire.sporkton.com 4.3 GENERIC#698 i386
>>>>>>> # cat /etc/ipsec.conf
>>>>>>> ike from 10.0.0.0/16 to 208.70.72.13 peer 208.70.72.13 \
>>>>>>> aggressive auth hmac-sha1 enc 3des group modp1024 \
>>>>>>> quick auth hmac-sha1 enc 3des \
>>>>>>> srcid "fire.sporkton.com" dstid "angie.sporkton.com" \
>>>>>>> psk "password"
>>>>>>> # ipsecctl -sa
>>>>>>> FLOWS:
>>>>>>> No flows
>>>>>>>
>>>>>>> SAD:
>>>>>>> esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
>>>>>>> esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
>>>>>>> #
>>>>>>>
>>>>>>>
>>>>>>> ipsecctl -m output:
>>>>>>> sadb_getspi: satype esp vers 2 len 10 seq 4 pid 27351
>>>>>>> address_src: 208.70.72.13
>>>>>>> address_dst: 67.159.171.204
>>>>>>> spirange: min 0x00000100 max 0xffffffff
>>>>>>> sadb_getspi: satype esp vers 2 len 10 seq 4 pid 27351
>>>>>>> sa: spi 0xeac5bef2 auth none enc none
>>>>>>> state mature replay 0 flags 0
>>>>>>> address_src: 208.70.72.13
>>>>>>> address_dst: 67.159.171.204
>>>>>>> sadb_add: satype esp vers 2 len 50 seq 5 pid 27351
>>>>>>> sa: spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
>>>>>>> state mature replay 16 flags 4
>>>>>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>>>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>>>>> address_src: 67.159.171.204
>>>>>>> address_dst: 208.70.72.13
>>>>>>> key_auth: bits 160: 3e8df0ca567d73038ec1ef434032c7edc40ae308
>>>>>>> key_encrypt: bits 192: 94acef899197f1bdfc762d296e5e0dfca1ccedb854823e57
>>>>>>> identity_src: type fqdn id 0: fire.sporkton.com
>>>>>>> identity_dst: type fqdn id 0: angie.sporkton.com
>>>>>>> src_mask: 255.255.0.0
>>>>>>> dst_mask: 255.255.255.255
>>>>>>> protocol: proto 0 flags 0
>>>>>>> flow_type: type unknown direction out
>>>>>>> src_flow: 10.0.0.0
>>>>>>> dst_flow: 208.70.72.13
>>>>>>> sadb_add: satype esp vers 2 len 42 seq 5 pid 27351
>>>>>>> sa: spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
>>>>>>> state mature replay 16 flags 4
>>>>>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>>>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>>>>> address_src: 67.159.171.204
>>>>>>> address_dst: 208.70.72.13
>>>>>>> identity_src: type fqdn id 0: fire.sporkton.com
>>>>>>> identity_dst: type fqdn id 0: angie.sporkton.com
>>>>>>> src_mask: 255.255.0.0
>>>>>>> dst_mask: 255.255.255.255
>>>>>>> protocol: proto 0 flags 0
>>>>>>> flow_type: type unknown direction out
>>>>>>> src_flow: 10.0.0.0
>>>>>>> dst_flow: 208.70.72.13
>>>>>>> sadb_update: satype esp vers 2 len 50 seq 6 pid 27351
>>>>>>> sa: spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
>>>>>>> state mature replay 16 flags 4
>>>>>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>>>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>>>>> address_src: 208.70.72.13
>>>>>>> address_dst: 67.159.171.204
>>>>>>> key_auth: bits 160: 1e2e1137f4421ee9d84c50bbd3b03aedb12938ac
>>>>>>> key_encrypt: bits 192: a9eeb920e58b7603ae697d692407bbbdd60c39b65bc57bfe
>>>>>>> identity_src: type fqdn id 0: angie.sporkton.com
>>>>>>> identity_dst: type fqdn id 0: fire.sporkton.com
>>>>>>> src_mask: 255.255.255.255
>>>>>>> dst_mask: 255.255.0.0
>>>>>>> protocol: proto 0 flags 0
>>>>>>> flow_type: type unknown direction in
>>>>>>> src_flow: 208.70.72.13
>>>>>>> dst_flow: 10.0.0.0
>>>>>>> sadb_update: satype esp vers 2 len 42 seq 6 pid 27351
>>>>>>> sa: spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
>>>>>>> state mature replay 16 flags 4
>>>>>>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>>>>>>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>>>>>>> address_src: 208.70.72.13
>>>>>>> address_dst: 67.159.171.204
>>>>>>> identity_src: type fqdn id 0: angie.sporkton.com
>>>>>>> identity_dst: type fqdn id 0: fire.sporkton.com
>>>>>>> src_mask: 255.255.255.255
>>>>>>> dst_mask: 255.255.0.0
>>>>>>> protocol: proto 0 flags 0
>>>>>>> flow_type: type unknown direction in
>>>>>>> src_flow: 208.70.72.13
>>>>>>> dst_flow: 10.0.0.0
>>>>>> I would recommend taking a look at if you haven't already:
>>>>>> http://www.securityfocus.com/infocus/1859
>>>>>>
>>>>>> Jonathan
>>>>>>
>>>>>>
>>>>> http://www.securityfocus.com/infocus/1859
>>>>> is the article that started it all for me using ipsec and OpenBSD. It's
>>>>> not exactly geared for one end being dynamic ip though.
>>>>>
>>>>> I don't have much experience with dynamic addresses, but if my
>>>>> understanding is correct, the best would be as below.
>>>>>
>>>>> Let me know if it works, I'm curious, since I've also never done ipsec
>>>>> between a static and dynamic device without an internal subnet on both
>>>>> hosts:
>>>>>
>>>>>
>>>>> colo /etc/ipsec.conf:
>>>>>
>>>>> ike passive from 208.70.72.13 to 10.0.0.0/16
>>>>>
>>>>> home /etc/ipsec.conf:
>>>>>
>>>>> ike dynamic from 10.0.0.0/16 to 208.70.72.13
>>>>>
>>>>> (it looks TOO incomplete to me, but hey. IPsec on OpenBSD never ceases to
>>>>> amaze me in its simplicity compared to other options)
>>>>>
>>>>> Make sure your pf on both ends is allowing negotiation (which it seems to
>>>>> be). Also, unless you need to apply pf rules to your encrypted traffic,
>>>>> make sure you've got enc0 in your "set skip on" interfaces.
>>>>>
>>>>> I'd suggest using pubkeys as in isakmpd(8) which should be:
>>>>>
>>>>> copy /etc/isakmpd/local.pub from colo to
>>>>> /etc/isakmpd/pubkeys/ipv4/208.70.72.13 on home machine
>>>>>
>>>>> copy /etc/isakmpd/local.pub from home to
>>>>> /etc/isakmpd/pubkeys/fqdn/client.host.name on the colo
>>>>>
>>>>> That would be better than psk if you can get it working, imho.
>>>>>
>>>>> Cheers
>>>>>
>>>>>
>>>>>
>>>> I have switched to using pubkeys via FQDN, as I'm using FQDN in both
>>>> dstid and srcid; that is now working, and quite nicely if I do say so
>>>> myself.
>>>>
>>>> I have an appropriate no nat rule on the dynamic side as well:
>>>> angie="208.70.72.13"
>>>> table <private> const { 10/8, 172.16/12, 192.168/16 }
>>>> no nat on $ext_if from <private> to $angie
>>>>
>>>>
>>>> pf is set up to allow all UDP 500 traffic on both sides:
>>>> pass in on $ext_if inet proto udp from any to $ext_if port isakmp
>>>>
>>>> enc0 was not on my skip list; however, it is now, and still no change:
>>>> set skip on {enc0, lo0}
>>>>
>>>> from the man page sample:
>>>> #ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \
>>>> # srcid me.mylan.net dstid the.others.net
>>>> #ike esp from 192.168.3.1 to 192.168.3.2 \
>>>> # srcid me.mylan.net dstid the.others.net
>>>>
>>>> # Set up a tunnel using static keying:
>>>> #
>>>> # The first rule sets up the flow; the second sets up the SA.
>>>>
>>>> it seems to imply that 2 rules are needed for any one connection, one
>>>> rule that specifies interesting traffic and one that defines
>>>> termination points. I will try this.
>>>>
>>>>
>>>> --
>>>> -Lawrence
>>>>
>>> I'm not exactly sure how to tell the second rule, as the home endpoint
>>> is dynamic; I can't set that one to an IP since it will change, and if I
>>> set it to an FQDN I get errors for mismatched types. However, I think it
>>> just looks up the name anyway, doesn't it?
>> Do you have a rule to allow ESP traffic? If you don't have one, here is
>> what you should add to your pf ruleset:
>>
>> pass in on $ext_if inet proto 50 from any to $ext_if
>>
>>
>> Claer
>>
>>
>
> Yes, I have modified my pf as well as ipsec.conf; below are the new
> configs. Still no worky. I've been experimenting with different ways,
> but nothing really passes traffic. I'm concerned that perhaps it's not
> my ipsec.conf that's messed up but something else I'm missing that is
> preventing it from passing traffic; so far as I can tell the entire SA
> comes up.
>
> Both routers now have:
> pass in on $ext_if inet proto udp from any to $ext_if port isakmp
> pass in on $ext_if inet proto esp from any to $ext_if
>
> The fire router has:
> no nat on $ext_if from <private> to $angie
>
>
> ipsec.conf on fire:
> angie = "208.70.72.13"
> fire = "10.0.0.0/24"
>
> ike active esp tunnel from $fire to $angie peer $angie \
> aggressive auth hmac-sha1 enc 3des group modp1024 \
> quick auth hmac-sha1 enc 3des \
> srcid "fire.sporkton.com" dstid "angie.sporkton.com"
>
>
>
> ipsec.conf on angie:
> angie = "208.70.72.13"
> fire = "10.0.0.0/24"
>
> ike passive esp tunnel from $angie to $fire \
> aggressive auth hmac-sha1 enc 3des group modp1024 \
> quick auth hmac-sha1 enc 3des \
> srcid "angie.sporkton.com" dstid "fire.sporkton.com"
>
>
> thank you