On Fri, Sep 26 2008 at 45:07, Mariusz Makowski wrote:
> I finally was able to set up the vpn connection.
> The other side was configured in a wrong way and the sum of all my ipsec.conf looks like
> this:
>
> -- ipsec.conf --
> other_peer = "c.c.c.c_public_ip"
>
>
> ike esp tunnel from a.a.a.a_net to d.d.d.d_net peer $other_peer \
> main auth hmac-sha1 enc 3des group modp1024 \
> quick auth hmac-sha1 enc 3des group modp1024 \
> psk "somekey"
> -- ipsec.conf --

In our environment (we manage openbsd tunnels to cisco 3030 which is out of our scope) we debugged a strange problem when the connection goes down. The tunnels won't come back after a small link shutdown.

The problem was that the Cisco 3030 was doing the DPD check and not the OpenBSD. If it's the case for you too, you should add these lines to /etc/isakmpd/isakmpd.conf:

--- isakmpd.conf ---
[General]
DPD-check-interval= 30
--- isakmpd.conf ---

> But I have another problem: a.a.a.a_net is not configured on my network
> interface, it's just a net that must have nat done on it.
> I was reading a bit about doing nat on obsd and ipsec.
> I've tried to do so:
>
> -- conf --
> ifconfig lo1 inet a.a.a.a_net
> route add -net d.d.d.d_net a.a.a.a_host
> and pf.conf:
> nat on lo1 from e.e.e.e_net to d.d.d.d_net -> a.a.a.a_host
> -- conf --
>
> But it doesn't seem to work. Packets are showing on lo1, but they are not
> going through the flow/enc0 interface.

The route will not work. Instead, you should use pf and the route-to directive.

> -- tcpdump lo1 --
> 09:38:20.497416 a.a.a.a_hostb > d.d.d.d_host: icmp: echo request
> 09:38:20.497421 a.a.a.a_hostb > d.d.d.d_host: icmp: echo request
> -- tcpdump lo1 --
>
> flows:
> flow esp in from d.d.d.d_net to a.a.a.a_net peer c.c.c.c_public_ip srcid
> b.b.b.b_public_ip dstid c.c.c.c_public_ip type use
> flow esp out from a.a.a.a_net to d.d.d.d_net peer c.c.c.c_public_ip srcid
> b.b.b.b_public_ip dstid c.c.c.c_public_ip type require
>
> image :):
> e.e.e.e_net (em0) | a.a.a.a_net (lo1) <obsd> b.b.b.b_public_ip ---
> c.c.c.c_public_ip <cisco> d.d.d.d_net
>
> Regards,
> Mariusz Makowski
>
>
> Mariusz Makowski wrote:
>> Mariusz Makowski wrote:
>>> Hello,
>>>
>>> Firstly I want to mention that it's my beginning with ipsec/isakmpd
>>> tunneling.
>>>
>>> My problem is about making a connection from OpenBSD 4.3 to Cisco VPN
>>> concentrator 3060.
>>> The Cisco concentrator is out of my range so I can't check the log there and I
>>> only wish that the configuration there is done well.
>>>
>>> Here is my example:
>>>
>>> a.a.a.a_net <obsd> b.b.b.b_public_ip --- c.c.c.c_public_ip <cisco>
>>> d.d.d.d_net
>>>
>>> What I want to achieve is:
>>> - communication from a.a.a.a_net to d.d.d.d_net
>>>
>>> What I know about the cisco configuration:
>>> - VPN concentrator 3060
>>> - c.c.c.c_public_ip
>>> - d.d.d.d_net
>>> - VPN Method: IPSec
>>> - Encryption: 3DES
>>> - Key exchange IKE
>>> - Pre-Shared Key: somekey
>>> - Perfect Forward Secrecy: Yes - Group 2 (1024 bits) - Hashing: SHA-1
>>> - Diffie-Hellman: Yes - Group 2 - Time Lifetime: 28800 seconds
>>> - Encapsulation Mode: Tunnel
>>> - Negotiation Mode: Main
>>>
>>> OpenBSD:
>>> - clean installation of 4.3
>>> - no pf yet
>>> - em0: a.a.a.a_net
>>> - em1: b.b.b.b_public_ip
>>>
>>> After a couple of hours of reading stuff on the internet and reading some
>>> configuration files I achieved this configuration:
>>>
>>> -- isakmpd.conf --
>>> [General]
>>> Listen-on = b.b.b.b_public_ip
>>>
>>> [Phase 1]
>>> c.c.c.c_public_ip = CONN
>>>
>>> [Phase 2]
>>> Connections = LINK
>>>
>>> [CONN]
>>> Phase = 1
>>> Transport = udp
>>> Address = c.c.c.c_public_ip
>>> Configuration = Default-Main-Mode
>>> Authentication = somekey
>>>
>>> [LINK]
>>> Phase = 2
>>> ISAKMP-Peer = HP
>>> Configuration = Default-Quick-Mode
>>> Local-ID = LAN-1
>>> Remote-ID = LAN-2
>>>
>>> [LAN-1]
>>> ID-Type = IPV4_ADDR_SUBNET
>>> Network = a.a.a.a_net
>>> Netmask = a.a.a.a_netmask
>>>
>>> [LAN-2]
>>> ID-Type = IPV4_ADDR_SUBNET
>>> Network = d.d.d.d_net
>>> Netmask = d.d.d.d_netmask
>>>
>>> [Default-Main-Mode]
>>> DOI = IPSEC
>>> Exchange_Type = ID_PROT
>>> Transforms = 3DES-SHA
>>>
>>> [Default-Quick-Mode]
>>> DOI = IPSEC
>>> Exchange_Type = QUICK_MODE
>>> Suites = QM-ESP-3DES-SHA-SUITE
>>>
>>> [3DES-SHA]
>>> ENCRYPTION_ALGORITHM = 3DES_CBC
>>> HASH_ALGORITHM = SHA
>>> AUTHENTICATION_METHOD = PRE_SHARED
>>> GROUP_DESCRIPTION = MODP_1024
>>> Life = LIFE_3600_SECS
>>>
>>> [QM-ESP-3DES-SHA-SUITE]
>>> Protocols = QM-ESP-3DES-SHA
>>>
>>> [QM-ESP-3DES-SHA-PFS-SUITE]
>>> Protocols = QM-ESP-3DES-SHA-PFS
>>>
>>> [QM-ESP-3DES-SHA]
>>> PROTOCOL_ID = IPSEC_ESP
>>> Transforms = QM-ESP-3DES-SHA-XF
>>>
>>> [QM-ESP-3DES-SHA-PFS]
>>> PROTOCOL_ID = IPSEC_ESP
>>> Transforms = QM-ESP-3DES-SHA-PFS-XF
>>>
>>> [QM-ESP-3DES-SHA-TRP]
>>> PROTOCOL_ID = IPSEC_ESP
>>> Transforms = QM-ESP-3DES-SHA-TRP-XF
>>>
>>> [QM-ESP-3DES-SHA-XF]
>>> TRANSFORM_ID = 3DES
>>> ENCAPSULATION_MODE = TUNNEL
>>> AUTHENTICATION_ALGORITHM = HMAC_SHA
>>> Life = LIFE_28800_SECS
>>>
>>> [QM-ESP-3DES-SHA-PFS-XF]
>>> TRANSFORM_ID = 3DES
>>> ENCAPSULATION_MODE = TUNNEL
>>> AUTHENTICATION_ALGORITHM = HMAC_SHA
>>> GROUP_DESCRIPTION = MODP_1024
>>> Life = LIFE_28800_SECS
>>>
>>> [QM-ESP-3DES-SHA-TRP-XF]
>>> TRANSFORM_ID = 3DES
>>> ENCAPSULATION_MODE = TRANSPORT
>>> AUTHENTICATION_ALGORITHM = HMAC_SHA
>>> Life = LIFE_28800_SECS
>>>
>>> [LIFE_3600_SECS]
>>> LIFE_TYPE = SECONDS
>>> LIFE_DURATION = 3600,1800:7200
>>>
>>> [LIFE_28800_SECS]
>>> LIFE_TYPE = SECONDS
>>> LIFE_DURATION = 28800
>>> -- isakmpd.conf --
>>>
>>> After this I am able to get through the first phase.
>>> But I am unable to get the second.
>>>
>>> Here is my debug:
>>>
>>> -- isakmpd -d -DA=10 --
>>> 164003.690124 Default log_debug_cmd: log level changed from 0 to 10 for
>>> class 0 [priv]
>>> 164003.690315 Default log_debug_cmd: log level changed from 0 to 10 for
>>> class 1 [priv]
>>> 164003.690379 Default log_debug_cmd: log level changed from 0 to 10 for
>>> class 2 [priv]
>>> 164003.690437 Default log_debug_cmd: log level changed from 0 to 10 for
>>> class 3 [priv]
>>> 164003.690493 Default log_debug_cmd: log level changed from 0 to 10 for
>>> class 4 [priv]
>>> 164003.690554 Default log_debug_cmd: log level changed from 0 to 10 for
>>> class 5 [priv]
>>> 164003.690610 Default log_debug_cmd: log level changed from 0 to 10 for
>>> class 6 [priv]
>>> 164003.690670 Default log_debug_cmd: log level changed from 0 to 10 for
>>> class 7 [priv]
>>> 164003.690726 Default log_debug_cmd: log level changed from 0 to 10 for
>>> class 8 [priv]
>>> 164003.690787 Default log_debug_cmd: log level changed from 0 to 10 for
>>> class 9 [priv]
>>> 164003.690844 Default log_debug_cmd: log level changed from 0 to 10 for
>>> class 10 [priv]
>>> 164003.691747 Misc 10 monitor_init: privileges dropped for child process
>>> 164003.839514 Timr 10 timer_add_event: event
>>> connection_checker(0x8848bdf0) added last, expiration in 0s
>>> 164003.841346 Timr 10 timer_handle_expirations: event
>>> connection_checker(0x8848bdf0)
>>> 164003.841426 Timr 10 timer_add_event: event
>>> connection_checker(0x8848bdf0) added last, expiration in 60s
>>> 164003.841595 Timr 10 timer_add_event: event
>>> exchange_free_aux(0x85b87500) added last, expiration in 120s
>>> 164003.841694 Exch 10 exchange_establish_p1: 0x85b87500 HP
>>> Default-Main-Mode policy initiator phase 1 doi 1 exchange 2 step 0
>>> 164003.841759 Exch 10 exchange_establish_p1: icookie 89c5123a508af611
>>> rcookie 0000000000000000
>>> 164003.841824 Exch 10 exchange_establish_p1: msgid 00000000
>>> 164003.842106 Timr 10 timer_add_event: event
>>> message_send_expire(0x82fcc380) added before
>>> connection_checker(0x8848bdf0), expiration in 7s
>>> 164003.915645 Timr 10 timer_remove_event: removing event
>>> message_send_expire(0x82fcc380)
>>> 164003.915747 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer
>>> detected
>>> 164003.915881 Exch 10 exchange_handle_leftover_payloads: unexpected
>>> payload VENDOR
>>> 164003.927145 Timr 10 timer_add_event: event
>>> message_send_expire(0x82fcc380) added before
>>> connection_checker(0x8848bdf0), expiration in 7s
>>> 164004.016036 Timr 10 timer_remove_event: removing event
>>> message_send_expire(0x82fcc380)
>>> 164004.028960 Exch 10 exchange_handle_leftover_payloads: unexpected
>>> payload VENDOR
>>> 164004.029187 Timr 10 timer_add_event: event
>>> message_send_expire(0x82fcc500) added before
>>> connection_checker(0x8848bdf0), expiration in 7s
>>> 164004.201816 Timr 10 timer_remove_event: removing event
>>> message_send_expire(0x82fcc500)
>>> 164004.201919 Default ipsec_validate_id_information: dubious ID
>>> information accepted
>>> 164004.201986 Exch 10 dpd_check_vendor_payload: DPD capable peer detected
>>> 164004.202091 Exch 10 exchange_finalize: 0x85b87500 HP Default-Main-Mode
>>> policy initiator phase 1 doi 1 exchange 2 step 5
>>> 164004.202156 Exch 10 exchange_finalize: icookie 89c5123a508af611 rcookie
>>> 18b62c758e254f26
>>> 164004.202212 Exch 10 exchange_finalize: msgid 00000000
>>> 164004.202307 Exch 10 exchange_finalize: phase 1 done: initiator id
>>> 53ee0ef5: b.b.b.b_public_ip, responder id 0fcba9e1: c.c.c.c_public_ip,
>>> src: b.b.b.b_public_ip dst: c.c.c.c_public_ip
>>> 164004.202380 Timr 10 timer_add_event: event sa_soft_expire(0x85b87900)
>>> added last, expiration in 3124s
>>> 164004.202443 Timr 10 timer_add_event: event sa_hard_expire(0x85b87900)
>>> added last, expiration in 3600s
>>> 164004.202536 Timr 10 timer_add_event: event
>>> exchange_free_aux(0x85b87c00) added before sa_soft_expire(0x85b87900),
>>> expiration in 120s
>>> 164004.202609 Exch 10 exchange_establish_p2: 0x85b87c00 LINK
>>> Default-Quick-Mode policy initiator phase 2 doi 1 exchange 32 step 0
>>> 164004.202670 Exch 10 exchange_establish_p2: icookie 89c5123a508af611
>>> rcookie 18b62c758e254f26
>>> 164004.202736 Exch 10 exchange_establish_p2: msgid 92fba8ce sa_list
>>> 164004.203164 Timr 10 timer_remove_event: removing event
>>> exchange_free_aux(0x85b87500)
>>> 164004.203278 Timr 10 timer_add_event: event
>>> message_send_expire(0x82fcc680) added before
>>> connection_checker(0x8848bdf0), expiration in 7s
>>> 164004.288093 Timr 10 timer_add_event: event
>>> exchange_free_aux(0x85b87500) added before sa_soft_expire(0x85b87900),
>>> expiration in 120s
>>> 164004.288162 Exch 10 exchange_setup_p2: 0x85b87500 <unnamed> <no policy>
>>> policy responder phase 2 doi 1 exchange 5 step 0
>>> 164004.288222 Exch 10 exchange_setup_p2: icookie 89c5123a508af611 rcookie
>>> 18b62c758e254f26
>>> 164004.288278 Exch 10 exchange_setup_p2: msgid f4674a28 sa_list
>>> 164004.288347 Timr 10 timer_remove_event: removing event
>>> sa_hard_expire(0x85b87900)
>>> 164004.288406 Timr 10 timer_remove_event: removing event
>>> sa_soft_expire(0x85b87900)
>>> 164004.288475 Exch 10 exchange_finalize: 0x85b87500 <unnamed> <no policy>
>>> policy responder phase 2 doi 1 exchange 5 step 0
>>> 164004.288535 Exch 10 exchange_finalize: icookie 89c5123a508af611 rcookie
>>> 18b62c758e254f26
>>> 164004.288596 Exch 10 exchange_finalize: msgid f4674a28 sa_list
>>> 164004.288654 Timr 10 timer_remove_event: removing event
>>> exchange_free_aux(0x85b87500)
>>> 164011.216819 Timr 10 timer_handle_expirations: event
>>> message_send_expire(0x82fcc680)
>>> 164011.217085 Timr 10 timer_add_event: event
>>> message_send_expire(0x82fcc680) added before
>>> connection_checker(0x8848bdf0), expiration in 9s
>>> 164020.226826 Timr 10 timer_handle_expirations: event
>>> message_send_expire(0x82fcc680)
>>> 164020.227092 Timr 10 timer_add_event: event
>>> message_send_expire(0x82fcc680) added before
>>> connection_checker(0x8848bdf0), expiration in 11s
>>> 164031.236823 Timr 10 timer_handle_expirations: event
>>> message_send_expire(0x82fcc680)
>>> 164031.237085 Default transport_send_messages: giving up on exchange
>>> LINK, no response from peer c.c.c.c_public_ip:500
>>> -- isakmpd -d -DA=10 --
>>>
>>> I am really bad at understanding these logs.
>>>
>>> What we can see is that:
>>> exchange_finalize: phase 1 done: initiator id 53ee0ef5: b.b.b.b_public_ip,
>>> responder id 0fcba9e1: c.c.c.c_public_ip, src: b.b.b.b_public_ip dst:
>>> c.c.c.c_public_ip
>>> But still nothing about the second phase.
>>>
>>> Thanks for any help.
>>> Mariusz Makowski
>>>
>>>
>> I just tried another configuration with ipsecctl with the same result.
>> I will check the other site then. I will keep you up to date, if anyone is
>> interested.
>> -- /etc/ipsec.conf --
>> ike esp tunnel from b.b.b.b_public_ip to c.c.c.c_public_ip \
>> main auth hmac-sha1 enc 3des group modp1024 \
>> quick auth hmac-sha1 enc 3des group modp1024 \
>> psk "somekey"
>> ike esp tunnel from a.a.a.a_net to d.d.d.d_net peer c.c.c.c_public_ip \
>> main auth hmac-sha1 enc 3des group modp1024 \
>> quick auth hmac-sha1 enc 3des group modp1024 \
>> psk "somekey"
>> -- /etc/ipsec.conf --
>> Regards,
>> Mariusz Makowski
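The thread turns on reading an `isakmpd -DA=10` log: phase 1 finishes, the peer advertises DPD and NAT-T, quick mode is sent three times with a growing timeout and isakmpd then gives up. The script below is an added example (not code from the thread, from OpenBSD or from Mariusz) that pulls exactly those facts out of such a log and turns them into the checks the replies suggest. Its sample log is constructed after the quoted one, with the same placeholder addresses; the message patterns it matches are the ones visible in the quoted output, nothing more.

```python
"""Summarise an OpenBSD isakmpd -DA=10 debug log.

Added example for this thread (not code from the thread or from OpenBSD):
it reads the kind of log quoted above and reports whether phase 1 finished,
what the peer advertised (DPD, NAT-T), whether the peer sent an ISAKMP
informational exchange (exchange type 5) and whether a phase 2 (quick mode)
exchange was abandoned because the peer never answered.
"""
import re

# Constructed after the quoted log; addresses are the thread's placeholders.
SAMPLE_LOG = """\
164003.915747 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected
164004.201986 Exch 10 dpd_check_vendor_payload: DPD capable peer detected
164004.202307 Exch 10 exchange_finalize: phase 1 done: initiator id 53ee0ef5: b.b.b.b_public_ip, responder id 0fcba9e1: c.c.c.c_public_ip, src: b.b.b.b_public_ip dst: c.c.c.c_public_ip
164004.202609 Exch 10 exchange_establish_p2: 0x85b87c00 LINK Default-Quick-Mode policy initiator phase 2 doi 1 exchange 32 step 0
164004.288162 Exch 10 exchange_setup_p2: 0x85b87500 <unnamed> <no policy> policy responder phase 2 doi 1 exchange 5 step 0
164011.216819 Timr 10 timer_handle_expirations: event message_send_expire(0x82fcc680)
164020.226826 Timr 10 timer_handle_expirations: event message_send_expire(0x82fcc680)
164031.236823 Timr 10 timer_handle_expirations: event message_send_expire(0x82fcc680)
164031.237085 Default transport_send_messages: giving up on exchange LINK, no response from peer c.c.c.c_public_ip:500
"""

RE_TS = re.compile(r"^(\d{6}\.\d+) ")                       # HHMMSS.micro
RE_P1_DONE = re.compile(r"phase 1 done: initiator id \S+: (\S+), responder id \S+: (\S+),")
RE_DPD = re.compile(r"dpd_check_vendor_payload: DPD capable peer detected")
RE_NATT = re.compile(r"nat_t_check_vendor_payload: NAT-T capable peer detected")
RE_P2_START = re.compile(r"exchange_establish_p2: 0x[0-9a-f]+ (\S+) (\S+) policy initiator phase 2")
RE_INFO = re.compile(r"exchange_setup_p2: .* responder phase 2 doi \d+ exchange 5 step")
RE_RESEND = re.compile(r"timer_handle_expirations: event message_send_expire\(")
RE_GIVEUP = re.compile(r"giving up on exchange (\S+), no response from peer (\S+)")


def _ts_seconds(stamp):
    """Convert isakmpd's HHMMSS.micro stamp to seconds since midnight."""
    return int(stamp[0:2]) * 3600 + int(stamp[2:4]) * 60 + float(stamp[4:])


def parse_isakmpd_log(text):
    """Walk the log once and collect the facts that decide the diagnosis."""
    s = {"phase1_done": False, "initiator": None, "responder": None,
         "dpd_peer": False, "nat_t_peer": False, "informational": 0,
         "phase2_started": [], "resend_timeouts": 0, "gave_up": [],
         "phase2_seconds": None}
    p2_start = None
    for line in text.splitlines():
        m_ts = RE_TS.match(line)
        ts = _ts_seconds(m_ts.group(1)) if m_ts else None
        if RE_DPD.search(line):
            s["dpd_peer"] = True
        if RE_NATT.search(line):
            s["nat_t_peer"] = True
        if RE_INFO.search(line):
            s["informational"] += 1
        if RE_RESEND.search(line):
            s["resend_timeouts"] += 1
        m = RE_P1_DONE.search(line)
        if m:
            s["phase1_done"] = True
            s["initiator"], s["responder"] = m.groups()
        m = RE_P2_START.search(line)
        if m:
            s["phase2_started"].append({"name": m.group(1), "policy": m.group(2)})
            p2_start = ts
        m = RE_GIVEUP.search(line)
        if m:
            s["gave_up"].append({"name": m.group(1), "peer": m.group(2)})
            if p2_start is not None and ts is not None:
                s["phase2_seconds"] = round(ts - p2_start, 3)
    return s


def diagnose(s):
    """Turn the summary into the checks a tunnel operator would do next."""
    notes = []
    if not s["phase1_done"]:
        notes.append("phase 1 never completed: check the pre-shared key, the main-mode "
                     "transform (3DES/SHA/MODP_1024) and that UDP/500 reaches the peer")
        return notes
    notes.append("phase 1 done between %s and %s" % (s["initiator"], s["responder"]))
    if s["informational"]:
        notes.append("peer sent %d informational exchange(s) right after quick mode began; "
                     "these usually carry a notify or delete payload, so raise the debug "
                     "level to see which" % s["informational"])
    for g in s["gave_up"]:
        notes.append("phase 2 exchange %s abandoned after %d send timeouts (%.0fs) with no "
                     "answer from %s: the peer accepted phase 1 but ignored quick mode, so "
                     "compare the phase 2 selectors (local/remote networks), ESP transform "
                     "and PFS group with the other side"
                     % (g["name"], s["resend_timeouts"], s["phase2_seconds"] or 0, g["peer"]))
    if s["dpd_peer"]:
        notes.append("peer advertises DPD: set DPD-check-interval in [General] of "
                     "isakmpd.conf so this end also probes the peer and re-keys after a link outage")
    return notes


if __name__ == "__main__":
    for note in diagnose(parse_isakmpd_log(SAMPLE_LOG)):
        print("-", note)
```

Run it against a real capture with `python3 isakmpd_summary.py < isakmpd.log` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; the elapsed time it reports for the abandoned exchange (about 27 s here, the 7 + 9 + 11 s retransmit timeouts visible in the quoted log) is a quick way to tell a silent peer from a lost packet.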