Claer wrote:
On Fri, Sep 26 2008 at 45:07, Mariusz Makowski wrote:
I finally was able to set up the VPN connection.
The other side was configured in the wrong way, and the whole of my ipsec.conf looks like this:

-- ipsec.conf --
other_peer = "c.c.c.c_public_ip"


ike esp tunnel from a.a.a.a_net to d.d.d.d_net peer $other_peer \
 main auth hmac-sha1 enc 3des group modp1024 \
 quick auth hmac-sha1 enc 3des group modp1024 \
 psk "somekey"
-- ipsec.conf --
In our environment (we manage OpenBSD tunnels to a Cisco 3030 which is
out of our scope) we debugged a strange problem when the connection goes
down. The tunnels won't come back after a small link shutdown.

The problem was Cisco 3030 was doing DPD check and not the OpenBSD.

If it's the case for you too, you should add these lines to
/etc/isakmpd/isakmpd.conf :

--- isakmpd.conf ---
[General]
DPD-check-interval=     30
--- isakmpd.conf ---

Thanks for this.
But I have another problem: a.a.a.a_net is not configured on my network interface; it is just a net that must be NATed to.
I was reading a bit about doing NAT on OpenBSD with IPsec.
I've tried to do so:

-- conf --
ifconfig lo1 inet a.a.a.a_net
route add -net d.d.d.d_net a.a.a.a_host

and pf.conf:
nat on lo1 from e.e.e.e_net to d.d.d.d_net -> a.a.a.a_host
-- conf --

But it doesn't seem to work. Packets are showing up on lo1, but they are not going through the flow/enc0 interface.
The route will not work. Instead, you should use pf and the route-to
directive.
Finally I managed to do NAT in the correct way; probably I had mistyped some pf.conf configuration.
Both ways of adding the route are working:

route add -net d.d.d.d_net a.a.a.a_host

and pf.conf:

pass in quick on $int_if \
        route-to (lo1 a.a.a.a_host) \
        from e.e.e.e_net to d.d.d.d_net
        ....

But packets after NAT are ignoring the encap flows, and they are trying to go out via the default gateway.


-- tcpdump lo1 --
09:38:20.497416 a.a.a.a_hostb > d.d.d.d_host: icmp: echo request
09:38:20.497421 a.a.a.a_hostb > d.d.d.d_host: icmp: echo request
-- tcpdump lo1 --

flows:
flow esp in from d.d.d.d_net to a.a.a.a_net peer c.c.c.c_public_ip srcid b.b.b.b_public_ip dstid c.c.c.c_public_ip type use
flow esp out from a.a.a.a_net to d.d.d.d_net peer c.c.c.c_public_ip srcid b.b.b.b_public_ip dstid c.c.c.c_public_ip type require

image :):
e.e.e.e_net (em0) | a.a.a.a_net (lo1) <obsd> b.b.b.b_public_ip --- c.c.c.c_public_ip <cisco> d.d.d.d_net

Regards,
Mariusz Makowski


Mariusz Makowski wrote:
Mariusz Makowski wrote:
Hello,

Firstly I want to mention that this is my first time with ipsec/isakmpd tunneling.

My problem is about making a connection from OpenBSD 4.3 to a Cisco VPN concentrator 3060. The Cisco concentrator is out of my reach, so I can't check the logs there, and I can only hope that the configuration there is done well.

Here is my example:

a.a.a.a_net <obsd> b.b.b.b_public_ip --- c.c.c.c_public_ip <cisco> d.d.d.d_net

What I want to achieve is:
- communication from a.a.a.a_net to d.d.d.d_net

What I know about the Cisco configuration:
- VPN concentrator 3060
- c.c.c.c_public_ip
- d.d.d.d_net
- VPN Method: IPSec
- Encryption: 3DES
- Key exchange IKE
- Pre-Shared Key: somekey
- Perfect Forward Secrecy: Yes - Group 2 (1024 bits)
- Hashing: SHA-1
- Diffie-Hellman: Yes - Group 2
- Time Lifetime: 28800 seconds
- Encapsulation Mode: Tunnel
- Negotiation Mode: Main

OpenBSD:
- clean installation of 4.3
- no pf yet
- em0: a.a.a.a_net
- em1: b.b.b.b_public_ip

After a couple of hours of reading stuff on the internet and reading some configuration files, I arrived at this configuration:

-- isakmpd.conf --
[General]
Listen-on                = b.b.b.b_public_ip

[Phase 1]
c.c.c.c_public_ip        = CONN

[Phase 2]
Connections              = LINK

[CONN]
Phase                    = 1
Transport                = udp
Address                  = c.c.c.c_public_ip
Configuration            = Default-Main-Mode
Authentication           = somekey

[LINK]
Phase                    = 2
ISAKMP-Peer              = HP
Configuration            = Default-Quick-Mode
Local-ID                 = LAN-1
Remote-ID                = LAN-2

[LAN-1]
ID-Type                  = IPV4_ADDR_SUBNET
Network                  = a.a.a.a_net
Netmask                  = a.a.a.a_netmask

[LAN-2]
ID-Type                  = IPV4_ADDR_SUBNET
Network                  = d.d.d.d_net
Netmask                  = d.d.d.d_netmask

[Default-Main-Mode]
DOI                      = IPSEC
Exchange_Type            = ID_PROT
Transforms               = 3DES-SHA

[Default-Quick-Mode]
DOI                      = IPSEC
Exchange_Type            = QUICK_MODE
Suites                   = QM-ESP-3DES-SHA-SUITE

[3DES-SHA]
ENCRYPTION_ALGORITHM     = 3DES_CBC
HASH_ALGORITHM           = SHA
AUTHENTICATION_METHOD    = PRE_SHARED
GROUP_DESCRIPTION        = MODP_1024
Life                     = LIFE_3600_SECS

[QM-ESP-3DES-SHA-SUITE]
Protocols                = QM-ESP-3DES-SHA

[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols                = QM-ESP-3DES-SHA-PFS

[QM-ESP-3DES-SHA]
PROTOCOL_ID              = IPSEC_ESP
Transforms               = QM-ESP-3DES-SHA-XF

[QM-ESP-3DES-SHA-PFS]
PROTOCOL_ID              = IPSEC_ESP
Transforms               = QM-ESP-3DES-SHA-PFS-XF

[QM-ESP-3DES-SHA-TRP]
PROTOCOL_ID              = IPSEC_ESP
Transforms               = QM-ESP-3DES-SHA-TRP-XF

[QM-ESP-3DES-SHA-XF]
TRANSFORM_ID             = 3DES
ENCAPSULATION_MODE       = TUNNEL
AUTHENTICATION_ALGORITHM = HMAC_SHA
Life                     = LIFE_28800_SECS

[QM-ESP-3DES-SHA-PFS-XF]
TRANSFORM_ID             = 3DES
ENCAPSULATION_MODE       = TUNNEL
AUTHENTICATION_ALGORITHM = HMAC_SHA
GROUP_DESCRIPTION        = MODP_1024
Life                     = LIFE_28800_SECS

[QM-ESP-3DES-SHA-TRP-XF]
TRANSFORM_ID             = 3DES
ENCAPSULATION_MODE       = TRANSPORT
AUTHENTICATION_ALGORITHM = HMAC_SHA
Life                     = LIFE_28800_SECS

[LIFE_3600_SECS]
LIFE_TYPE                = SECONDS
LIFE_DURATION            = 3600,1800:7200

[LIFE_28800_SECS]
LIFE_TYPE                = SECONDS
LIFE_DURATION            = 28800
-- isakmpd.conf --

After this I am able to get through the first phase.
But I am unable to get the second.

Here is my debug output:

-- isakmpd -d -DA=10 --
164003.690124 Default log_debug_cmd: log level changed from 0 to 10 for class 0 [priv]
164003.690315 Default log_debug_cmd: log level changed from 0 to 10 for class 1 [priv]
164003.690379 Default log_debug_cmd: log level changed from 0 to 10 for class 2 [priv]
164003.690437 Default log_debug_cmd: log level changed from 0 to 10 for class 3 [priv]
164003.690493 Default log_debug_cmd: log level changed from 0 to 10 for class 4 [priv]
164003.690554 Default log_debug_cmd: log level changed from 0 to 10 for class 5 [priv]
164003.690610 Default log_debug_cmd: log level changed from 0 to 10 for class 6 [priv]
164003.690670 Default log_debug_cmd: log level changed from 0 to 10 for class 7 [priv]
164003.690726 Default log_debug_cmd: log level changed from 0 to 10 for class 8 [priv]
164003.690787 Default log_debug_cmd: log level changed from 0 to 10 for class 9 [priv]
164003.690844 Default log_debug_cmd: log level changed from 0 to 10 for class 10 [priv]
164003.691747 Misc 10 monitor_init: privileges dropped for child process
164003.839514 Timr 10 timer_add_event: event connection_checker(0x8848bdf0) added last, expiration in 0s
164003.841346 Timr 10 timer_handle_expirations: event connection_checker(0x8848bdf0)
164003.841426 Timr 10 timer_add_event: event connection_checker(0x8848bdf0) added last, expiration in 60s
164003.841595 Timr 10 timer_add_event: event exchange_free_aux(0x85b87500) added last, expiration in 120s
164003.841694 Exch 10 exchange_establish_p1: 0x85b87500 HP Default-Main-Mode policy initiator phase 1 doi 1 exchange 2 step 0
164003.841759 Exch 10 exchange_establish_p1: icookie 89c5123a508af611 rcookie 0000000000000000
164003.841824 Exch 10 exchange_establish_p1: msgid 00000000
164003.842106 Timr 10 timer_add_event: event message_send_expire(0x82fcc380) added before connection_checker(0x8848bdf0), expiration in 7s
164003.915645 Timr 10 timer_remove_event: removing event message_send_expire(0x82fcc380)
164003.915747 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected
164003.915881 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
164003.927145 Timr 10 timer_add_event: event message_send_expire(0x82fcc380) added before connection_checker(0x8848bdf0), expiration in 7s
164004.016036 Timr 10 timer_remove_event: removing event message_send_expire(0x82fcc380)
164004.028960 Exch 10 exchange_handle_leftover_payloads: unexpected payload VENDOR
164004.029187 Timr 10 timer_add_event: event message_send_expire(0x82fcc500) added before connection_checker(0x8848bdf0), expiration in 7s
164004.201816 Timr 10 timer_remove_event: removing event message_send_expire(0x82fcc500)
164004.201919 Default ipsec_validate_id_information: dubious ID information accepted
164004.201986 Exch 10 dpd_check_vendor_payload: DPD capable peer detected
164004.202091 Exch 10 exchange_finalize: 0x85b87500 HP Default-Main-Mode policy initiator phase 1 doi 1 exchange 2 step 5
164004.202156 Exch 10 exchange_finalize: icookie 89c5123a508af611 rcookie 18b62c758e254f26
164004.202212 Exch 10 exchange_finalize: msgid 00000000
164004.202307 Exch 10 exchange_finalize: phase 1 done: initiator id 53ee0ef5: b.b.b.b_public_ip, responder id 0fcba9e1: c.c.c.c_public_ip, src: b.b.b.b_public_ip dst: c.c.c.c_public_ip
164004.202380 Timr 10 timer_add_event: event sa_soft_expire(0x85b87900) added last, expiration in 3124s
164004.202443 Timr 10 timer_add_event: event sa_hard_expire(0x85b87900) added last, expiration in 3600s
164004.202536 Timr 10 timer_add_event: event exchange_free_aux(0x85b87c00) added before sa_soft_expire(0x85b87900), expiration in 120s
164004.202609 Exch 10 exchange_establish_p2: 0x85b87c00 LINK Default-Quick-Mode policy initiator phase 2 doi 1 exchange 32 step 0
164004.202670 Exch 10 exchange_establish_p2: icookie 89c5123a508af611 rcookie 18b62c758e254f26
164004.202736 Exch 10 exchange_establish_p2: msgid 92fba8ce sa_list
164004.203164 Timr 10 timer_remove_event: removing event exchange_free_aux(0x85b87500)
164004.203278 Timr 10 timer_add_event: event message_send_expire(0x82fcc680) added before connection_checker(0x8848bdf0), expiration in 7s
164004.288093 Timr 10 timer_add_event: event exchange_free_aux(0x85b87500) added before sa_soft_expire(0x85b87900), expiration in 120s
164004.288162 Exch 10 exchange_setup_p2: 0x85b87500 <unnamed> <no policy> policy responder phase 2 doi 1 exchange 5 step 0
164004.288222 Exch 10 exchange_setup_p2: icookie 89c5123a508af611 rcookie 18b62c758e254f26
164004.288278 Exch 10 exchange_setup_p2: msgid f4674a28 sa_list
164004.288347 Timr 10 timer_remove_event: removing event sa_hard_expire(0x85b87900)
164004.288406 Timr 10 timer_remove_event: removing event sa_soft_expire(0x85b87900)
164004.288475 Exch 10 exchange_finalize: 0x85b87500 <unnamed> <no policy> policy responder phase 2 doi 1 exchange 5 step 0
164004.288535 Exch 10 exchange_finalize: icookie 89c5123a508af611 rcookie 18b62c758e254f26
164004.288596 Exch 10 exchange_finalize: msgid f4674a28 sa_list
164004.288654 Timr 10 timer_remove_event: removing event exchange_free_aux(0x85b87500)
164011.216819 Timr 10 timer_handle_expirations: event message_send_expire(0x82fcc680)
164011.217085 Timr 10 timer_add_event: event message_send_expire(0x82fcc680) added before connection_checker(0x8848bdf0), expiration in 9s
164020.226826 Timr 10 timer_handle_expirations: event message_send_expire(0x82fcc680)
164020.227092 Timr 10 timer_add_event: event message_send_expire(0x82fcc680) added before connection_checker(0x8848bdf0), expiration in 11s
164031.236823 Timr 10 timer_handle_expirations: event message_send_expire(0x82fcc680)
164031.237085 Default transport_send_messages: giving up on exchange LINK, no response from peer c.c.c.c_public_ip:500
-- isakmpd -d -DA=10 --

I am really bad at understanding these logs.

What we can see is that:
exchange_finalize: phase 1 done: initiator id 53ee0ef5: b.b.b.b_public_ip, responder id 0fcba9e1: c.c.c.c_public_ip, src: b.b.b.b_public_ip dst: c.c.c.c_public_ip
But still nothing about the second phase.

Thanks for any help.
Mariusz Makowski
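Editor's added example (not code from the thread or from the isakmpd project): a small checker for the section-reference chain in an isakmpd.conf. Every value of keys like Connections, ISAKMP-Peer, Configuration, Local-ID, Remote-ID, Transforms, Suites, Protocols and Life must name a section that exists, and the values under [Phase 1] must name peer sections. In the configuration posted above, [LINK] sets ISAKMP-Peer = HP while the phase 1 peer section is called [CONN]; the debug log shows the running daemon using a section named HP, so this is most likely a slip made while sanitising the post rather than the cause of the failure, but it is exactly the kind of dangling reference that is worth catching before starting the daemon. The sample configuration below is a reduced, constructed copy of the posted one with placeholder addresses; the set of reference keys is this example's own assumption about which keys point at other sections.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a reduced copy of the posted isakmpd.conf (placeholder
# addresses, sections as posted, so ISAKMP-Peer still points at "HP").
SAMPLE_CONF = """\
[General]
Listen-on = b.b.b.b_public_ip
[Phase 1]
c.c.c.c_public_ip = CONN
[Phase 2]
Connections = LINK
[CONN]
Phase = 1
Address = c.c.c.c_public_ip
Configuration = Default-Main-Mode
Authentication = somekey
[LINK]
Phase = 2
ISAKMP-Peer = HP
Configuration = Default-Quick-Mode
Local-ID = LAN-1
Remote-ID = LAN-2
[LAN-1]
ID-Type = IPV4_ADDR_SUBNET
Network = a.a.a.a_net
[LAN-2]
ID-Type = IPV4_ADDR_SUBNET
Network = d.d.d.d_net
[Default-Main-Mode]
Exchange_Type = ID_PROT
Transforms = 3DES-SHA
[Default-Quick-Mode]
Exchange_Type = QUICK_MODE
Suites = QM-ESP-3DES-SHA-SUITE
[3DES-SHA]
AUTHENTICATION_METHOD = PRE_SHARED
Life = LIFE_3600_SECS
[QM-ESP-3DES-SHA-SUITE]
Protocols = QM-ESP-3DES-SHA
[QM-ESP-3DES-SHA]
Transforms = QM-ESP-3DES-SHA-XF
[QM-ESP-3DES-SHA-XF]
ENCAPSULATION_MODE = TUNNEL
Life = LIFE_28800_SECS
[LIFE_3600_SECS]
LIFE_DURATION = 3600,1800:7200
[LIFE_28800_SECS]
LIFE_DURATION = 28800
"""

# Assumption of this example: these keys carry (comma-separated) section names.
REF_KEYS = {"Connections", "ISAKMP-Peer", "Configuration", "Local-ID",
            "Remote-ID", "Transforms", "Suites", "Protocols", "Life"}


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [Section] / Key = Value text (with # comments) into nested dicts."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def dangling_references(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (section, key, target) for each reference to a section that is not defined."""
    missing = []
    for name, keys in sections.items():
        for key, value in keys.items():
            # Under [Phase 1] every value (keyed by peer address) names a peer section.
            if key in REF_KEYS or name == "Phase 1":
                for target in (t.strip() for t in value.split(",")):
                    if target and target not in sections:
                        missing.append((name, key, target))
    return missing


if __name__ == "__main__":
    for section, key, target in dangling_references(parse_conf(SAMPLE_CONF)):
        print(f"[{section}] {key} = {target}: no such section")
```

Run it against a real file by reading it into a string instead of SAMPLE_CONF; an empty result means every referenced section is defined, which is a cheap sanity check to do before chasing the problem on the peer.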


I just tried another configuration with ipsecctl, with the same result.
I will check the other side then. I will keep you up to date, if anyone is interested.
-- /etc/ipsec.conf --
ike esp tunnel from b.b.b.b_public_ip to c.c.c.c_public_ip \
 main auth hmac-sha1 enc 3des group modp1024 \
 quick auth hmac-sha1 enc 3des group modp1024 \
 psk "somekey"
ike esp tunnel from a.a.a.a_net to d.d.d.d_net peer c.c.c.c_public_ip \
 main auth hmac-sha1 enc 3des group modp1024 \
 quick auth hmac-sha1 enc 3des group modp1024 \
 psk "somekey"
-- /etc/ipsec.conf --
Regards,
Mariusz Makowski
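Editor's added example (not code from the thread or from isakmpd): a reader for the `isakmpd -d -DA=10` output posted earlier in this thread, which extracts the facts that matter when a tunnel stops at phase 2. It records that phase 1 finished, which phase 2 connections were started, how often the quick-mode message was retransmitted, whether the peer answered with an ISAKMP informational exchange (exchange type 5, which is where a peer normally puts its notification when it rejects a proposal) instead of a quick-mode reply, and the final "giving up" line. The sample lines are a constructed subset of the log above with the same placeholder addresses; the line layout it assumes (timestamp, debug class, optional level, function name, message) is taken from those lines.

```python
import re
from typing import Dict, List

# Constructed sample: a subset of the isakmpd -DA=10 lines from the thread.
SAMPLE_LOG = """\
164003.841694 Exch 10 exchange_establish_p1: 0x85b87500 HP Default-Main-Mode policy initiator phase 1 doi 1 exchange 2 step 0
164003.915747 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected
164004.201919 Default ipsec_validate_id_information: dubious ID information accepted
164004.201986 Exch 10 dpd_check_vendor_payload: DPD capable peer detected
164004.202307 Exch 10 exchange_finalize: phase 1 done: initiator id 53ee0ef5: b.b.b.b_public_ip, responder id 0fcba9e1: c.c.c.c_public_ip, src: b.b.b.b_public_ip dst: c.c.c.c_public_ip
164004.202609 Exch 10 exchange_establish_p2: 0x85b87c00 LINK Default-Quick-Mode policy initiator phase 2 doi 1 exchange 32 step 0
164004.202670 Exch 10 exchange_establish_p2: icookie 89c5123a508af611 rcookie 18b62c758e254f26
164004.288162 Exch 10 exchange_setup_p2: 0x85b87500 <unnamed> <no policy> policy responder phase 2 doi 1 exchange 5 step 0
164011.216819 Timr 10 timer_handle_expirations: event message_send_expire(0x82fcc680)
164020.226826 Timr 10 timer_handle_expirations: event message_send_expire(0x82fcc680)
164031.236823 Timr 10 timer_handle_expirations: event message_send_expire(0x82fcc680)
164031.237085 Default transport_send_messages: giving up on exchange LINK, no response from peer c.c.c.c_public_ip:500
"""

# timestamp, debug class, optional level, function name, message
LINE_RE = re.compile(
    r"^(?P<ts>\d{6}\.\d+)\s+(?P<cls>\S+)\s+(?:(?P<lvl>\d+)\s+)?(?P<func>\w+):\s+(?P<msg>.*)$")
GIVE_UP_RE = re.compile(r"giving up on exchange (\S+), no response from peer (\S+)")
# ISAKMP exchange type 5 is Informational; seeing it as responder in phase 2
# means the peer replied with a notification rather than a quick-mode message.
INFORMATIONAL_RE = re.compile(r"responder phase 2 doi \d+ exchange 5 step")


def summarize(log_text: str) -> Dict[str, object]:
    """Collect the phase 1 / phase 2 milestones out of isakmpd debug output."""
    summary: Dict[str, object] = {
        "phase1_done": False, "peer_capabilities": [], "phase2_started": [],
        "informational_from_peer": 0, "retransmits": 0, "gave_up": [], "unparsed": 0,
    }
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            summary["unparsed"] += 1
            continue
        func, msg = m.group("func"), m.group("msg")
        if func == "exchange_finalize" and msg.startswith("phase 1 done"):
            summary["phase1_done"] = True
        elif func.endswith("_check_vendor_payload") and "capable peer detected" in msg:
            summary["peer_capabilities"].append(msg.split()[0])  # "NAT-T", "DPD"
        elif func == "exchange_establish_p2" and msg.startswith("0x"):
            summary["phase2_started"].append(msg.split()[1])  # connection name
        elif func == "exchange_setup_p2" and INFORMATIONAL_RE.search(msg):
            summary["informational_from_peer"] += 1
        elif func == "timer_handle_expirations" and "message_send_expire" in msg:
            summary["retransmits"] += 1
        elif func == "transport_send_messages":
            g = GIVE_UP_RE.match(msg)
            if g:
                summary["gave_up"].append((g.group(1), g.group(2)))
    return summary


def diagnose(summary: Dict[str, object]) -> List[str]:
    """Turn the summary into the handful of statements a reader wants to know."""
    findings: List[str] = []
    if not summary["phase1_done"]:
        findings.append("phase 1 never completed; check peer address, PSK and main-mode proposal")
    for exch, peer in summary["gave_up"]:
        findings.append(f"phase 2 exchange {exch} abandoned after "
                        f"{summary['retransmits']} retransmits; peer {peer} never answered quick mode")
    if summary["informational_from_peer"]:
        findings.append("peer sent an informational exchange right after quick mode started; "
                        "its notification carries the rejection reason, so raise the debug level "
                        "for negotiation/message classes or ask the peer's operator for their log")
    if "DPD" in summary["peer_capabilities"]:
        findings.append("peer advertises DPD; set DPD-check-interval in [General] so this side "
                        "also detects a dead peer")
    return findings


if __name__ == "__main__":
    for line in diagnose(summarize(SAMPLE_LOG)):
        print(line)
```

The retransmit count and the "giving up" line together say that the OpenBSD side sent its quick-mode proposal three times and was ignored, and the informational exchange in between is the only reply the peer gave; with the concentrator out of reach, that is the point to hand to its operator.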
