[FUG-BR] IPSEC e ISAKMP
Bom dia. Estou erguendo uma VPN com Ipsec usando ISAKMP. O Cenário é: FreeBSD(ISAKMP) - CheckPoint O que foi definido: Fase1: Cripto AES256 Hash: sha1 Fase2 Cripto: AES128 Hash: md5 Chave=123456 Rede1= 192.168.254.0 Rede2= 192.168.210.0 Peer Freebsd=100.1.1.1 Peer CheckPoint=100.1.1.2 Analisando os pacotes com tcpdump o checkpoint me manda o seguinte: -- 12:04:07.792500 00:19:e0:73:9b:0a 00:00:5e:00:01:0b, ethertype IPv4 (0x0800), length 174: (tos 0x0, ttl 60, id 61431, offset 0, flags [DF], proto: UDP (17), length: 160) 100.1.1.2.500 100.1.1.1.500: [udp sum ok] isakmp 1.0 msgid cookie -: phase 1 I ident: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 (t: #1 id=ike (type=enc value=aes)(type=keylen value=0100)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp1024)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180 (vid: len=40 f4ed19e0c114eb516faaac0ee37daf2807b4381f0001138d48da54a21820) -- E o FreeBSD retorna: -- 11:57:35.663230 00:60:97:0c:5d:10 00:00:5e:00:01:0a, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 64, id 47232, offset 0, flags [none], proto: UDP (17), length: 68) 100.1.1.1.500 100.1.1.2..500: [udp sum ok] isakmp 1.0 msgid cookie -: phase 1 I inf: (n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN) -- No Debug do ISAKMP eu tenho apenas o seguinte: -- 115703.724192 Default dropped message from 100.1.1.2 port 500 due to notification type NO_PROPOSAL_CHOSEN -- O que tem de errado?? Vejam as minhas configurações: -- # cat isakmpd.conf Retransmits=5 Exchange-max-time= 120 Listen-on= 100.1.1.1 [Phase 1] 100.1.1.2= ISAKMP-peer-checkpoint [ISAKMP-peer-checkpoint] Phase= 1 Transport= udp Local-address= 100.1.1.1 Address=100.1.1.2 Configuration= Conf-fase1 Authentication= 123456 [Phase 2] Connections=VPN-freebsd-checkpoint [VPN-freebsd-checkpoint] Phase= 2 ISAKMP-peer=ISAKMP-peer-checkpoint Configuration= Conf-fase2 Local-ID= rede-freebsd-192.168.254.0/255.255.255.0 Remote-ID= rede-checkpoint-192.168.210.0/255.255.255.0 [rede-freebsd-192.168.254.0/255.255.255.0] ID-type=IPV4_ADDR_SUBNET Network=192.168.254.0 Netmask=255.255.255.0 [rede-checkpoint-192.168.210.0/255.255.255.0] ID-type=IPV4_ADDR_SUBNET Network=192.168.210.0 Netmask=255.255.255.0 [Conf-fase1] DOI=IPSEC EXCHANGE_TYPE= ID_PROT Transforms= CRIPTO-FASE1 [Conf-fase2] DOI=IPSEC EXCHANGE_TYPE= QUICK_MODE Suites= QM-ESP-AES-MD5-PFS-SUITE [CRIPTO-FASE1] ENCRYPTION_ALGORITHM= AES HASH_ALGORITHM= SHA AUTHENTICATION_METHOD= PRESHARED GROUP_DESCRIPTION= modp1024 Life= TEMPO [TEMPO] LIFE_TYPE= SECONDS LIFE_DURATION= 86400,79200:93600 -- -- Matheus Cucoloto System Admin. Net Admin. - Histórico: http://www.fug.com.br/historico/html/freebsd/ Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
Re: [FUG-BR] IPSEC e ISAKMP
On Wed, 2008-09-24 at 12:24 -0300, Matheus Cucoloto wrote: Bom dia. Estou erguendo uma VPN com Ipsec usando ISAKMP. O Cenário é: FreeBSD(ISAKMP) - CheckPoint O que foi definido: Fase1: Cripto AES256 Hash: sha1 Fase2 Cripto: AES128 Hash: md5 Chave=123456 Rede1= 192.168.254.0 Rede2= 192.168.210.0 Peer Freebsd=100.1.1.1 Peer CheckPoint=100.1.1.2 Analisando os pacotes com tcpdump o checkpoint me manda o seguinte: -- 12:04:07.792500 00:19:e0:73:9b:0a 00:00:5e:00:01:0b, ethertype IPv4 (0x0800), length 174: (tos 0x0, ttl 60, id 61431, offset 0, flags [DF], proto: UDP (17), length: 160) 100.1.1.2.500 100.1.1.1.500: [udp sum ok] isakmp 1.0 msgid cookie -: phase 1 I ident: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 (t: #1 id=ike (type=enc value=aes)(type=keylen value=0100)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp1024)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180 (vid: len=40 f4ed19e0c114eb516faaac0ee37daf2807b4381f0001138d48da54a21820) -- E o FreeBSD retorna: -- 11:57:35.663230 00:60:97:0c:5d:10 00:00:5e:00:01:0a, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 64, id 47232, offset 0, flags [none], proto: UDP (17), length: 68) 100.1.1.1.500 100.1.1.2..500: [udp sum ok] isakmp 1.0 msgid cookie -: phase 1 I inf: (n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN) -- No Debug do ISAKMP eu tenho apenas o seguinte: -- 115703.724192 Default dropped message from 100.1.1.2 port 500 due to notification type NO_PROPOSAL_CHOSEN -- O que tem de errado?? Vejam as minhas configurações: -- # cat isakmpd.conf Retransmits=5 Exchange-max-time= 120 Listen-on= 100.1.1.1 [Phase 1] 100.1.1.2= ISAKMP-peer-checkpoint [ISAKMP-peer-checkpoint] Phase= 1 Transport= udp Local-address= 100.1.1.1 Address=100.1.1.2 Configuration= Conf-fase1 Authentication= 123456 [Phase 2] Connections=VPN-freebsd-checkpoint [VPN-freebsd-checkpoint] Phase= 2 ISAKMP-peer=ISAKMP-peer-checkpoint Configuration= Conf-fase2 Local-ID= rede-freebsd-192.168.254.0/255.255.255.0 Remote-ID= rede-checkpoint-192.168.210.0/255.255.255.0 [rede-freebsd-192.168.254.0/255.255.255.0] ID-type=IPV4_ADDR_SUBNET Network=192.168.254.0 Netmask=255.255.255.0 [rede-checkpoint-192.168.210.0/255.255.255.0] ID-type=IPV4_ADDR_SUBNET Network=192.168.210.0 Netmask=255.255.255.0 [Conf-fase1] DOI=IPSEC EXCHANGE_TYPE= ID_PROT Transforms= CRIPTO-FASE1 [Conf-fase2] DOI=IPSEC EXCHANGE_TYPE= QUICK_MODE Suites= QM-ESP-AES-MD5-PFS-SUITE [CRIPTO-FASE1] ENCRYPTION_ALGORITHM= AES HASH_ALGORITHM= SHA AUTHENTICATION_METHOD= PRESHARED GROUP_DESCRIPTION= modp1024 Life= TEMPO [TEMPO] LIFE_TYPE= SECONDS LIFE_DURATION= 86400,79200:93600 -- -- Matheus Cucoloto System Admin. Net Admin. - Histórico: http://www.fug.com.br/historico/html/freebsd/ Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd Matheus, Voce tem que usar o mesmo esquema de criptografia em ambos os lados, bem como a psk. A mensagem NO_PROPOSAL_CHOSEN esta informando que as propostas de criptografia ou informacoes de rede configuradas em uma das pontas nao conferem. Informe, se possivel, as configuracoes do VPN1 e compare os timers, eles tambem influenciam no start da VPN. []s Sergio Lima - Histórico: http://www.fug.com.br/historico/html/freebsd/ Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
Re: [FUG-BR] IPSEC e ISAKMP
Alterei um monte, mudei as cripto e outras configuracoes agora aparentemente a fase 1 passa mas depois começa a pipocar de novo, veja o log o isakmpd: 144852.295219 Default isakmpd: phase 1 done: initiator id c8b45402: 100.1.1.2, responder id c9378c04: 100.1.1.1, src: 100.1.1.1 dst: 100.1.1.2 144852.430833 Default isakmpd: quick mode done: src: 100.1.1.1 dst: 100.1.1.2 144852.535963 Default message_parse_payloads: reserved field non-zero: ff 144852.535988 Default dropped message from 100.1.1.2 port 500 due to notification type PAYLOAD_MALFORMED 144852.650157 Default message_parse_payloads: reserved field non-zero: ff 144852.650181 Default dropped message from 100.1.1.2 port 500 due to notification type PAYLOAD_MALFORMED Alguma dica? OBS: Valeu Sergio Segue a minha conf nova: [General] Retransmits=5 Exchange-max-time= 120 Listen-on= 100.1.1.1 [Phase 1] 100.1.1.1= local-remote [local-remote] Phase= 1 Transport= udp Local-address= 100.1.1.1 Address=100.1.1.2 Configuration= Default-main-mode Authentication= 123456 [Phase 2] Connections=VPN-local-remote-10.9.2.0/255.255.255.0 [VPN-local-remote-10.9.2.0/255.255.255.0] Phase= 2 ISAKMP-peer=local-remote Configuration= Default-quick-mode Local-ID= network-192.168.254.0/255.255.255.0 Remote-ID= network-10.9.2.0/255.255.255.0 [network-192.168.254.0/255.255.255.0] ID-type=IPV4_ADDR_SUBNET Network=192.168.254.0 Netmask=255.255.255.0 [network-10.9.2.0/255.255.255.0] ID-type=IPV4_ADDR_SUBNET Network=10.9.2.0 Netmask=255.255.255.0 [Default-main-mode] DOI=IPSEC EXCHANGE_TYPE= ID_PROT Transforms= 3DES-SHA [Default-quick-mode] DOI=IPSEC EXCHANGE_TYPE= QUICK_MODE Suites= QM-ESP-3DES-SHA-PFS-GRP2-SUITE -- Matheus Cucoloto System Admin. Net Admin. - Histórico: http://www.fug.com.br/historico/html/freebsd/ Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
Re: [FUG-BR] IPSEC e ISAKMP
On Wed, 2008-09-24 at 15:01 -0300, Matheus Cucoloto wrote: Alterei um monte, mudei as cripto e outras configuracoes agora aparentemente a fase 1 passa mas depois começa a pipocar de novo, veja o log o isakmpd: 144852.295219 Default isakmpd: phase 1 done: initiator id c8b45402: 100.1.1.2, responder id c9378c04: 100.1.1.1, src: 100.1.1.1 dst: 100.1.1.2 144852.430833 Default isakmpd: quick mode done: src: 100.1.1.1 dst: 100.1.1.2 144852.535963 Default message_parse_payloads: reserved field non-zero: ff 144852.535988 Default dropped message from 100.1.1.2 port 500 due to notification type PAYLOAD_MALFORMED 144852.650157 Default message_parse_payloads: reserved field non-zero: ff 144852.650181 Default dropped message from 100.1.1.2 port 500 due to notification type PAYLOAD_MALFORMED Alguma dica? OBS: Valeu Sergio Segue a minha conf nova: [General] Retransmits=5 Exchange-max-time= 120 Listen-on= 100.1.1.1 [Phase 1] 100.1.1.1= local-remote [local-remote] Phase= 1 Transport= udp Local-address= 100.1.1.1 Address=100.1.1.2 Configuration= Default-main-mode Authentication= 123456 [Phase 2] Connections=VPN-local-remote-10.9.2.0/255.255.255.0 [VPN-local-remote-10.9.2.0/255.255.255.0] Phase= 2 ISAKMP-peer=local-remote Configuration= Default-quick-mode Local-ID= network-192.168.254.0/255.255.255.0 Remote-ID= network-10.9.2.0/255.255.255.0 [network-192.168.254.0/255.255.255.0] ID-type=IPV4_ADDR_SUBNET Network=192.168.254.0 Netmask=255.255.255.0 [network-10.9.2.0/255.255.255.0] ID-type=IPV4_ADDR_SUBNET Network=10.9.2.0 Netmask=255.255.255.0 [Default-main-mode] DOI=IPSEC EXCHANGE_TYPE= ID_PROT Transforms= 3DES-SHA [Default-quick-mode] DOI=IPSEC EXCHANGE_TYPE= QUICK_MODE Suites= QM-ESP-3DES-SHA-PFS-GRP2-SUITE Matheus, Experiencia propria, sempre que fui negociar circuitos IPSec com gateways checkpoint, tive problemas principalmente com chaves AES e com os timers configurados. Eu recomendo, se nao houver problemas, que voce utilize SHA2-3DES e confira todos os timers (keylifetime, ike lifetime, etc). Outro problema constante que as vezes tenho que contornar, sao relativos ao IKE. Vou montar um lab aqui e te passo o resultado. []s Sergio Lima - Histórico: http://www.fug.com.br/historico/html/freebsd/ Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
