Re: OpenBSD isakmpd and pf vs Cisco PIX or ASA

2008-04-11 Thread José Costa
Hello,

Is there any documentation about those tweaks for TCP performance? And
what about the IRQ thingy?

On Thu, Nov 8, 2007 at 2:34 AM, Prabhu Gurumurthy <[EMAIL PROTECTED]> wrote:
> Brian A Seklecki (Mobile) wrote:
>
>
> > On Mon, 2007-11-05 at 07:23 +0100, Martin Toft wrote:
> >
> > > On Mon, Nov 05, 2007 at 01:29:05AM +0100, Cabillot Julien wrote:
> > >
> > > > Have you try openbsd 4.2 ? PF have been really improved in this
> > > > release.
> > > >
> > >
> >
> > pf(4) has nothing to do with isakmpd(8), except as it relates to recent
> > addition of routing tags.
> >
> > - PIX/ASA is going to get you a default packet "ASA" forwarding based on
> > interface weights
> > - PIX/ASA is going to guarantee easily setup and functional Hybrid-XAUTH
> > VPN Road-warrior clients
> > - PIX has functional object-groups/group-object inheritance
> > - PIX/ASA has proprietary serial console fail-over (which is marginally
> > faster than waiting for CARP)
> > - PIX/ASA has some magical black-box inline transparent protocol
> > "fixups"
> > - PIX has a 4 hour SmartNet support contract option
> > - PIX/ASA has a SNMP MIB tree (Which we are working to catch up on)
> >
> > I don't know about ASA, but the 5xx PIX doesn't support IPv6
> >
> >
> > Otherwise they're both software-based stateful IP packet forwarding
> > engines running on i386 with NAT and IPSec and 802.1q support.
> >
> > OpenBSD will always scale better because you can run it on the hardware
> > platform of your choice.
> >
> > ~BAS
> >
> >
> > > 1. VPN is computationally heavy -- is your hardware fast enough?
> > >
> > > 2. Try playing with queueing in PF to handle some types of traffic
> > >   faster than others. AFAIK, it is normal to find this kind of
> > >   configuration in commercial, black-box solutions, disguised as buzzy
> > >   slogans like "Built-in QoS Super-Routing" :-)
> > >
> > > Just my two cents.
> > >
> > > Martin
> > >
> >
> >
> >
>
>  Are you sure PIX 515 and above do not support IPv6? By that, do you mean
> IPv6 routing? If that is the case, yes. But PIX 515E and ASA do support
> IPv6 fine when you use a 7.X or above version of the image.
>
>  In addition to your 4th point, PIX and ASA support failover using LAN; only
> PIX supports serial-based failover.
>
>  To the OP:
>  We use ASA and OpenBSD in our production environment and we spent close to
> $10,000 buying twin ASAs (using GigE) for failover, but only $2000 to buy
> two Dell boxes to put OpenBSD (using GigE) on them and use them as failover,
> i.e. pf + pfsync + sasyncd, and it has been fine for the past 11 months.
>
>  Where do you see OpenBSD lagging behind? If it is the transfer rate, you can
> tweak TCP settings using sysctl, or you can upgrade to 4.2 as the other post
> indicated.
>
>  And are you willing to spend money to buy expensive gear? That is the
> question.



Re: hoststated with multiple virtual hosts

2007-10-04 Thread José Costa
My scenario is this:

ifconfig sis0 10.0.0.1 netmask 255.255.255.0
ifconfig carp0 10.0.0.10 netmask 255.255.255.0 vhid 1
ifconfig carp1 10.0.0.20 netmask 255.255.255.0 vhid 2
(two carp interfaces because I can't have carp with 2 or more IP addresses)
ifconfig sis1 172.16.0.1 netmask 255.255.255.0

hoststated.conf:

table webhosts {
    real port http
    check http "/" code 200
    host 172.16.0.200
    host 172.16.0.201
}

service www {
    virtual host 10.0.0.10 port http interface carp0
    virtual host 10.0.0.20 port http interface carp1

    # tag every packet that goes thru the rdr rule with HOSTSTATED
    tag HOSTSTATED

    table webhosts
}

first question:

Why can't carp have multiple addresses?

second question:

Why can't hoststated support tables like in pf.conf?

third question:

Is there another way to do this with hoststated? (I wanted to have a
status check on the hosts)

Thanks in advance!

On 10/3/07, José Costa <[EMAIL PROTECTED]> wrote:
> Hello,
>
> Is it possible to configure hoststated.conf with IPs in a  {
> ip1, ip2} and virtual host  ... ?



hoststated with multiple virtual hosts

2007-10-03 Thread José Costa
Hello,

Is it possible to configure hoststated.conf with IPs in a  {
ip1, ip2} and virtual host  ... ?



Re: IPSec

2007-09-05 Thread José Costa
Oh, and the tunnel is only activated when the ISA network tries to access
the OBSD network. The other way doesn't work.

On 9/5/07, José Costa <[EMAIL PROTECTED]> wrote:
> I think that the patch works but I can't ping from the 10.0.0.0/24
> network to 10.0.1.0/24.
>
> I can ping from ISA to 10.0.0.1 (another VM connected), to 10.0.0.50
> (loopback1) and 10.0.0.254 (inside if).
>
> From OBSD, I can ping from 10.0.0.254 (ping -I 10.0.0.254) to
> 10.0.1.254 and (ping -I 10.0.0.50) 10.0.0.50 to 10.0.1.254.
>
> I can't ping from 172.26.10.82 and from the 10.0.0.1 machine.
>
> # ifconfig
> lo0: flags=8049 mtu 33224
> groups: lo
> inet 127.0.0.1 netmask 0xff00
> inet6 ::1 prefixlen 128
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
> pcn0: flags=8a43 mtu 1500
> lladdr 00:0c:29:f0:70:e0
> groups: egress
> media: Ethernet autoselect (autoselect)
> inet 172.26.10.82 netmask 0xff00 broadcast 172.26.10.255
> inet6 fe80::20c:29ff:fef0:70e0%pcn0 prefixlen 64 scopeid 0x1
> pcn1: flags=8843 mtu 1500
> lladdr 00:0c:29:f0:70:ea
> media: Ethernet autoselect (autoselect)
> inet 10.0.0.254 netmask 0xff00 broadcast 10.0.0.255
> inet6 fe80::20c:29ff:fef0:70ea%pcn1 prefixlen 64 scopeid 0x2
> pflog0: flags=141 mtu 33224
> enc0: flags=141 mtu 1536
> lo1: flags=8049 mtu 33224
> groups: lo
> inet 10.0.0.50 netmask 0xff00
>
> --
>
> # cat /etc/pf.conf
> #   $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
> #
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> ext_if="pcn0"
> int_if="pcn1"
>
> #table  persist
>
> set skip on { lo $int_if enc0 }
>
> #scrub in
>
> #nat-anchor "ftp-proxy/*"
> #rdr-anchor "ftp-proxy/*"
> nat on $ext_if from ! ($ext_if) -> ($ext_if:0)
> #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
> #no rdr on $ext_if proto tcp from  to any port smtp
> #rdr pass on $ext_if proto tcp from any to any port smtp \
> #   -> 127.0.0.1 port spamd
>
> #anchor "ftp-proxy/*"
>
> # Default Deny Rule
> block in
> #pass out
>
> #pass quick on $int_if no state
> #antispoof quick for { lo $int_if }
>
> # OpenSSH Access
> pass in on $ext_if proto tcp to ($ext_if) port ssh
>
> # SMTP Access
> #pass in log on $ext_if proto tcp to ($ext_if) port smtp
> #pass out log on $ext_if proto tcp from ($ext_if) to port smtp
>
> # Lan Access
> pass on $int_if all
>
> # IPSec Tunnel to ISA Server
> pass in quick on $ext_if proto icmp from 172.26.10.83 to ($ext_if)
> pass in quick on $ext_if proto udp from 172.26.10.83 to ($ext_if) port 500
> pass in quick on $ext_if proto esp from 172.26.10.83 to ($ext_if)
> pass out quick on $ext_if proto esp from ($ext_if) to 172.26.10.83
>
> # Outbound Access
> pass out keep state
>
> ---
>
> # cat /etc/ipsec.conf
> #   $OpenBSD: ipsec.conf,v 1.5 2006/09/14 15:10:43 hshoexer Exp $
> #
> # See ipsec.conf(5) for syntax and examples.
>
> # Set up two tunnels using automatic keying with isakmpd(8):
> #
> # First between the networks 10.1.1.0/24 and 10.1.2.0/24,
> # second between the machines 192.168.3.1 and 192.168.3.2.
> # Use FQDNs as IDs.
>
> #ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \
> #   srcid me.mylan.net dstid the.others.net
> #ike esp from 192.168.3.1 to 192.168.3.2 \
> #   srcid me.mylan.net dstid the.others.net
>
> # Set up a tunnel using static keying:
> #
> # The first rule sets up the flow; the second sets up the SA.  As default
> # transforms, ipsecctl(8) will use hmac-sha2-256 for authentication
> # and aes for encryption.  hmac-sha2-256 uses a 256-bit key; aes
> # a 128-bit key.
>
> #flow esp from 192.168.7.0/24 to 192.168.8.0/24 peer 192.168.3.2
> #esp from 192.168.3.1 to 192.168.3.2 spi 0xabd9da39:0xc9dbb83d \
> #	authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 \
> #	enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d
>
> ike esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
> main auth hmac-sha1 enc 3des group modp1024 \
> quick auth hmac-sha1 enc 3des group modp1024 \
> psk teste tag teste
>
>
> On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > could you try the attached diff, please?
> >
> > Index: message.c
> > ===
> > RCS file: /cvs/src/sbin/isakmpd/message.c,v
> > retrieving revision 1.126
> > diff -u -p -r1.126 message.c
> > --- message.c   2 Jun 2007 01:29:11 -   1.126
> > +++ message.c   3 Sep 2007 22:30:46 -
> > @@ -927,6 +927,7 @@ message_validate_notify(struct message *
> > if (type < ISAKMP_NOTIFY_INVALID_PAYLOAD_

Re: IPSec

2007-09-05 Thread José Costa
I think that the patch works but I can't ping from the 10.0.0.0/24
network to 10.0.1.0/24.

I can ping from ISA to 10.0.0.1 (another VM connected), to 10.0.0.50
(loopback1) and 10.0.0.254 (inside if).

From OBSD, I can ping from 10.0.0.254 (ping -I 10.0.0.254) to
10.0.1.254 and (ping -I 10.0.0.50) 10.0.0.50 to 10.0.1.254.

I can't ping from 172.26.10.82 and from the 10.0.0.1 machine.

# ifconfig
lo0: flags=8049 mtu 33224
groups: lo
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
pcn0: flags=8a43 mtu 1500
lladdr 00:0c:29:f0:70:e0
groups: egress
media: Ethernet autoselect (autoselect)
inet 172.26.10.82 netmask 0xff00 broadcast 172.26.10.255
inet6 fe80::20c:29ff:fef0:70e0%pcn0 prefixlen 64 scopeid 0x1
pcn1: flags=8843 mtu 1500
lladdr 00:0c:29:f0:70:ea
media: Ethernet autoselect (autoselect)
inet 10.0.0.254 netmask 0xff00 broadcast 10.0.0.255
inet6 fe80::20c:29ff:fef0:70ea%pcn1 prefixlen 64 scopeid 0x2
pflog0: flags=141 mtu 33224
enc0: flags=141 mtu 1536
lo1: flags=8049 mtu 33224
groups: lo
inet 10.0.0.50 netmask 0xff00

--

# cat /etc/pf.conf
#   $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="pcn0"
int_if="pcn1"

#table  persist

set skip on { lo $int_if enc0 }

#scrub in

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
nat on $ext_if from ! ($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from  to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#   -> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"

# Default Deny Rule
block in
#pass out

#pass quick on $int_if no state
#antispoof quick for { lo $int_if }

# OpenSSH Access
pass in on $ext_if proto tcp to ($ext_if) port ssh

# SMTP Access
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp

# Lan Access
pass on $int_if all

# IPSec Tunnel to ISA Server
pass in quick on $ext_if proto icmp from 172.26.10.83 to ($ext_if)
pass in quick on $ext_if proto udp from 172.26.10.83 to ($ext_if) port 500
pass in quick on $ext_if proto esp from 172.26.10.83 to ($ext_if)
pass out quick on $ext_if proto esp from ($ext_if) to 172.26.10.83

# Outbound Access
pass out keep state

---

# cat /etc/ipsec.conf
#   $OpenBSD: ipsec.conf,v 1.5 2006/09/14 15:10:43 hshoexer Exp $
#
# See ipsec.conf(5) for syntax and examples.

# Set up two tunnels using automatic keying with isakmpd(8):
#
# First between the networks 10.1.1.0/24 and 10.1.2.0/24,
# second between the machines 192.168.3.1 and 192.168.3.2.
# Use FQDNs as IDs.

#ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \
#   srcid me.mylan.net dstid the.others.net
#ike esp from 192.168.3.1 to 192.168.3.2 \
#   srcid me.mylan.net dstid the.others.net

# Set up a tunnel using static keying:
#
# The first rule sets up the flow; the second sets up the SA.  As default
# transforms, ipsecctl(8) will use hmac-sha2-256 for authentication
# and aes for encryption.  hmac-sha2-256 uses a 256-bit key; aes
# a 128-bit key.

#flow esp from 192.168.7.0/24 to 192.168.8.0/24 peer 192.168.3.2
#esp from 192.168.3.1 to 192.168.3.2 spi 0xabd9da39:0xc9dbb83d \
#	authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 \
#	enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d

ike esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des group modp1024 \
psk teste tag teste


On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> Hi,
>
> could you try the attached diff, please?
>
> Index: message.c
> ===
> RCS file: /cvs/src/sbin/isakmpd/message.c,v
> retrieving revision 1.126
> diff -u -p -r1.126 message.c
> --- message.c   2 Jun 2007 01:29:11 -   1.126
> +++ message.c   3 Sep 2007 22:30:46 -
> @@ -927,6 +927,7 @@ message_validate_notify(struct message *
> if (type < ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE ||
> (type >= ISAKMP_NOTIFY_RESERVED_MIN &&
> type < ISAKMP_NOTIFY_PRIVATE_MIN) ||
> +   type == ISAKMP_NOTIFY_STATUS_CONNECTED ||
> (type >= ISAKMP_NOTIFY_STATUS_RESERVED1_MIN &&
> type <= ISAKMP_NOTIFY_STATUS_RESERVED1_MAX) ||
> (type >= ISAKMP_NOTIFY_STATUS_DOI_MIN &&
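Review bot: the new `type == ISAKMP_NOTIFY_STATUS_CONNECTED ||` clause is added to an if whose other clauses select reserved or out-of-range notify types, but the hunk as quoted stops before the branch body, so a reader of the diff cannot tell whether a CONNECTED status notification is now being dropped together with those or is being routed to separate handling; a one-line comment on the new clause stating the intent would make the change self-explanatory, and the commit message should name the ISA Server interop case from this thread (the PAYLOAD_MALFORMED drop in exchange_validate) that motivated it so the behaviour can be re-tested against that peer.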



Re: IPSec

2007-09-03 Thread José Costa
Attached.

On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> Hi,
>
> could you please run isakmpd with the "-L" (see isakmpd(8)) flag and could
> you provide me the generated pcap file?
>
> On Mon, Sep 03, 2007 at 04:17:22PM +0100, José Costa wrote:
> > Okay, I've altered the range from 10.0.0.1 to 10.0.0.255 -> 10.0.0.0
> > to 10.0.0.255.
> >
> > FLOWS:
> > flow esp in from 172.26.10.83 to 10.0.0.0/24 peer 172.26.10.83 srcid
> > obsd1.my.domain dstid 172.26.10.83/32 type use
> > flow esp out from 10.0.0.0/24 to 172.26.10.83 peer 172.26.10.83 srcid
> > obsd1.my.domain dstid 172.26.10.83/32 type require
> >
> > SAD:
> > esp tunnel from 172.26.10.83 to 172.26.10.82 spi 0x3fe97772 auth
> > hmac-sha1 enc 3des-cbc
> > esp tunnel from 172.26.10.82 to 172.26.10.83 spi 0x981a7980 auth
> > hmac-sha1 enc 3des-cbc
> >
> > BUT there's another error:
> >
> > Sep  3 16:12:08 obsd1 isakmpd[16423]: exchange_run: exchange_validate failed
> > Sep  3 16:12:08 obsd1 isakmpd[16423]: dropped message from
> > 172.26.10.83 port 500 due to notification type PAYLOAD_MALFORMED
> >
> >
> > On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > > On Mon, Sep 03, 2007 at 03:11:35PM +0100, José Costa wrote:
> > > > Sep  3 15:05:16 obsd1 isakmpd[25239]: dropped message from
> > > > 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
> > > > Sep  3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE:
> > > > KEY_EXCH payload without a group desc. attribute
> > > > Sep  3 15:05:16 obsd1 isakmpd[25239]: dropped message from
> > > > 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
> > > > Sep  3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE:
> > > > peer proposed invalid phase 2 IDs: initiator id ac1a0a53:
> > > > 172.26.10.83, responder id 0a80/ff80:
> > > > 10.0.0.128/255.255.255.128
> > >
> > > isakmpd tells you that the peer sent the wrong phase 2 ID.
> > >
> > > Here, you tell ISA to propose these IDs, but...
> > >
> > > > Remote Network 'OBSD1' IP Subnets:
> > > > Subnet: 10.0.0.1/255.255.255.255
> > > > Subnet: 10.0.0.2/255.255.255.254
> > > > Subnet: 10.0.0.4/255.255.255.252
> > > > Subnet: 10.0.0.8/255.255.255.248
> > > > Subnet: 10.0.0.16/255.255.255.240
> > > > Subnet: 10.0.0.32/255.255.255.224
> > > > Subnet: 10.0.0.64/255.255.255.192
> > > > Subnet: 10.0.0.128/255.255.255.128
> > >
> > > here you tell isakmpd to accept only 10.0.1.0/24, which is never proposed
> > > by the peer:
> > >
> > > --- /etc/ipsec.conf ---
> > >
> > > ike dynamic esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
> > > main auth hmac-sha1 enc 3des group modp1024 \
> > > quick auth hmac-sha1 enc 3des \
> > > psk teste tag teste
> > >
> > >
> > > To get started, tell ISA to only use one remote subnet, ie. 10.0.1.0/24

tcpdump: WARNING: snaplen raised from 96 to 65536

17:12:40.500794 172.26.10.83.500 > 172.26.10.82.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
    cookie: 45e904f3a6260510->116cb8bcab6a79b2 msgid: 518e3038 len: 292
    payload: HASH len: 24
    payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x17b3274e
            payload: TRANSFORM len: 32
                transform: 1 ID: 3DES
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 0e10
                    attribute ENCAPSULATION_MODE = TUNNEL
                    attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                    attribute GROUP_DESCRIPTION = 2
    payload: KEY_EXCH len: 132
    payload: NONCE len: 24
    payload: ID len: 12 type: IPV4_ADDR = 172.26.10.83
    payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.0.0.0/255.255.255.0 [ttl 0] (id 1, len 320)

17:12:40.510601 172.26.10.82.500 > 172.26.10.83.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
    cookie: 45e904f3a6260510->116cb8bcab6a79b2 msgid: 518e3038 len: 292
    payload: HASH len: 24
    payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xeb318a59
            payload: TRANSFORM len: 32
                transform: 1 ID: 3DES
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 0e10
                    attribute ENCAPSULATION_MODE = TUNNEL
                    attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                    attribute GROUP_DESCRIPTION = 2
    payload: NONCE len: 24
    payload: KEY_EXCH len: 132
    payload: ID len: 12 type: IPV4_ADDR = 172.26.10.83
    payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.0.0.0/255.255.255.0 [ttl 0] (id 1, len 320)

17:12:40.530390 172.26.10.83.500 > 172.26.10.82.500: [udp sum ok] isakmp

Re: IPSec

2007-09-03 Thread José Costa
Okay, I've altered the range from 10.0.0.1 to 10.0.0.255 -> 10.0.0.0
to 10.0.0.255.

FLOWS:
flow esp in from 172.26.10.83 to 10.0.0.0/24 peer 172.26.10.83 srcid
obsd1.my.domain dstid 172.26.10.83/32 type use
flow esp out from 10.0.0.0/24 to 172.26.10.83 peer 172.26.10.83 srcid
obsd1.my.domain dstid 172.26.10.83/32 type require

SAD:
esp tunnel from 172.26.10.83 to 172.26.10.82 spi 0x3fe97772 auth
hmac-sha1 enc 3des-cbc
esp tunnel from 172.26.10.82 to 172.26.10.83 spi 0x981a7980 auth
hmac-sha1 enc 3des-cbc

BUT there's another error:

Sep  3 16:12:08 obsd1 isakmpd[16423]: exchange_run: exchange_validate failed
Sep  3 16:12:08 obsd1 isakmpd[16423]: dropped message from
172.26.10.83 port 500 due to notification type PAYLOAD_MALFORMED


On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Mon, Sep 03, 2007 at 03:11:35PM +0100, José Costa wrote:
> > Sep  3 15:05:16 obsd1 isakmpd[25239]: dropped message from
> > 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
> > Sep  3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE:
> > KEY_EXCH payload without a group desc. attribute
> > Sep  3 15:05:16 obsd1 isakmpd[25239]: dropped message from
> > 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
> > Sep  3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE:
> > peer proposed invalid phase 2 IDs: initiator id ac1a0a53:
> > 172.26.10.83, responder id 0a80/ff80:
> > 10.0.0.128/255.255.255.128
>
> isakmpd tells you that the peer sent the wrong phase 2 ID.
>
> Here, you tell ISA to propose these IDs, but...
>
> > Remote Network 'OBSD1' IP Subnets:
> > Subnet: 10.0.0.1/255.255.255.255
> > Subnet: 10.0.0.2/255.255.255.254
> > Subnet: 10.0.0.4/255.255.255.252
> > Subnet: 10.0.0.8/255.255.255.248
> > Subnet: 10.0.0.16/255.255.255.240
> > Subnet: 10.0.0.32/255.255.255.224
> > Subnet: 10.0.0.64/255.255.255.192
> > Subnet: 10.0.0.128/255.255.255.128
>
> here you tell isakmpd to accept only 10.0.1.0/24, which is never proposed
> by the peer:
>
> --- /etc/ipsec.conf ---
>
> ike dynamic esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
> main auth hmac-sha1 enc 3des group modp1024 \
> quick auth hmac-sha1 enc 3des \
> psk teste tag teste
>
>
> To get started, tell ISA to only use one remote subnet, ie. 10.0.1.0/24



Re: IPSec

2007-09-03 Thread José Costa
Sep  3 15:05:16 obsd1 isakmpd[25239]: dropped message from
172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
Sep  3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE:
KEY_EXCH payload without a group desc. attribute
Sep  3 15:05:16 obsd1 isakmpd[25239]: dropped message from
172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
Sep  3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE:
peer proposed invalid phase 2 IDs: initiator id ac1a0a53:
172.26.10.83, responder id 0a80/ff80:
10.0.0.128/255.255.255.128


Same thing:

btw, ISA Server 2006 gives me this:

-- LOCAL --

Local Tunnel Endpoint: 172.26.10.83
Remote Tunnel Endpoint: 172.26.10.82

To allow HTTP proxy or NAT traffic to the remote site,
the remote site configuration must contain the local
site tunnel end-point IP address.

IKE Phase I Parameters:
Mode: Main mode
Encryption: 3DES
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bit)
Authentication Method: Pre-shared secret (teste)
Security Association Lifetime: 28800 seconds


IKE Phase II Parameters:
Mode: ESP tunnel mode
Encryption: 3DES
Integrity: SHA1
Perfect Forward Secrecy: ON
Diffie-Hellman group: Group 2 (1024 bit)
Time Rekeying: ON
Security Association Lifetime: 3600 seconds

Kbyte Rekeying: OFF

Remote Network 'OBSD1' IP Subnets:
Subnet: 10.0.0.1/255.255.255.255
Subnet: 10.0.0.2/255.255.255.254
Subnet: 10.0.0.4/255.255.255.252
Subnet: 10.0.0.8/255.255.255.248
Subnet: 10.0.0.16/255.255.255.240
Subnet: 10.0.0.32/255.255.255.224
Subnet: 10.0.0.64/255.255.255.192
Subnet: 10.0.0.128/255.255.255.128

Local Network 'Internal' IP Subnets:
Subnet: 10.0.1.0/255.255.255.0

Routable Local IP Addresses:
Subnet: 10.0.1.0/255.255.255.0

-- REMOTE --

Local Tunnel Endpoint: 172.26.10.82
Remote Tunnel Endpoint: 172.26.10.83

IKE Phase I Parameters:
Mode: Main mode
Encryption: 3DES
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bit)
Authentication Method: Pre-shared secret (teste)
Security Association Lifetime: 28800 seconds


IKE Phase II Parameters:
Mode: ESP tunnel mode
Encryption: 3DES
Integrity: SHA1
Perfect Forward Secrecy: ON
Diffie-Hellman group: Group 2 (1024 bit)
Time Rekeying: ON
Security Association Lifetime: 3600 seconds

Kbyte Rekeying: OFF

Site-to-Site Network IP Subnets:
Subnet: 10.0.1.0/255.255.255.0


I've defined only the Class C of 10.0.0.1 to 10.0.0.255 and there are a
lot of subnets! Maybe that's the issue?

On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> On Mon, Sep 03, 2007 at 02:45:46PM +0100, José Costa wrote:
> > 3des, sha1, PFS disabled.
>
> ok, then enable pfs, use modp1024
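The eight "Remote Network 'OBSD1'" subnets ISA derived from the range 10.0.0.1 to 10.0.0.255 above, and the fix in the reply higher up on the page (starting the range at 10.0.0.0 so that a single /24 is proposed), can be reproduced with the following added Python example; it is not code from the thread, from isakmpd or from ISA Server. It splits an inclusive address range into aligned CIDR blocks, then checks each block against the 10.0.0.0/24 flow from the thread's ipsec.conf using exact equality, which is how the rejected 10.0.0.128/255.255.255.128 in the isakmpd log behaves (modelling assumption taken from that log line, not from isakmpd source).

```python
"""Range-to-CIDR decomposition and phase 2 ID matching (added example)."""
import ipaddress
from typing import List, Tuple


def ip_range_to_cidrs(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Split an inclusive IPv4 range into the minimal list of CIDR blocks.

    At each step emit the largest power-of-two block that starts at `cur`,
    is aligned to its own size and does not run past `last`. A range that
    starts at .1 can never be covered by a /24, which is what produced the
    /32, /31, ... /25 list on the ISA side.
    """
    cur = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if cur > end:
        raise ValueError("range start is after range end")
    blocks: List[ipaddress.IPv4Network] = []
    while cur <= end:
        size = 1
        # Grow while the block stays aligned (cur divisible by the new size)
        # and still fits inside the remaining range.
        while (size * 2 <= 2 ** 32 and cur % (size * 2) == 0
               and cur + size * 2 - 1 <= end):
            size *= 2
        prefixlen = 32 - size.bit_length() + 1
        blocks.append(ipaddress.IPv4Network((cur, prefixlen)))
        cur += size
    return blocks


def phase2_id_matches(proposed: str, configured_flow: str) -> bool:
    """Exact-match check between a peer's IPV4_ADDR_SUBNET ID and a flow.

    Containment is deliberately not enough: 10.0.0.128/25 lies inside
    10.0.0.0/24 and was still rejected in the thread's log.
    """
    return (ipaddress.IPv4Network(proposed)
            == ipaddress.IPv4Network(configured_flow))


def check_isa_remote_network(first: str, last: str,
                             configured_flow: str) -> Tuple[List[str], List[str]]:
    """Return (all subnets ISA would propose, those matching the flow)."""
    subnets = [str(n) for n in ip_range_to_cidrs(first, last)]
    accepted = [s for s in subnets if phase2_id_matches(s, configured_flow)]
    return subnets, accepted


if __name__ == "__main__":
    # Constructed inputs: the two ranges discussed in the thread.
    for rng in (("10.0.0.1", "10.0.0.255"), ("10.0.0.0", "10.0.0.255")):
        subnets, ok = check_isa_remote_network(*rng, "10.0.0.0/24")
        print(f"range {rng[0]}-{rng[1]} -> {len(subnets)} subnet(s): "
              f"{', '.join(subnets)}")
        print(f"  IDs matching the 10.0.0.0/24 flow: {ok or 'none'}")
```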



Re: IPSec

2007-09-03 Thread José Costa
3des, sha1, PFS disabled.

On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> Hi,
>
> which transforms are configured on the ISA server for phase 2?
>
> On Mon, Sep 03, 2007 at 02:21:24PM +0100, José Costa wrote:
> > How can I solve this? Any docs about it? Debugging?
> >
> > On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > > On Mon, Sep 03, 2007 at 12:59:48PM +0100, José Costa wrote:
> > > >
> > > > Sep  3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83
> > > > port 500 due to notification type NO_PROPOSAL_CHOSEN
> > > > Sep  3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE:
> > > > KEY_EXCH payload without a group desc. attribute
> > > > Sep  3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83
> > > > port 500 due to notification type NO_PROPOSAL_CHOSEN
> > > > Sep  3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE:
> > > > KEY_EXCH payload without a group desc. attribute
> > >
> > > isakmpd does not like the transforms for phase 2 proposed by the other
> > > peer.  It seems, that phase 2 has no group description.
> > >
> > > >
> > > > --- /etc/ipsec.conf ---
> > > >
> > > > ike dynamic esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
> > > > main auth hmac-sha1 enc 3des group modp1024 \
> > > > quick auth hmac-sha1 enc 3des \
> > > > psk teste tag teste
> > > >
> > > > The ISA Server is configured correctly for the Phase-1 and Phase-2
> > > > encryptions and auths.
> > > >
> > > > Any help here?
> > > >
> > > >
> > > > On 8/31/07, Jeff Quast <[EMAIL PROTECTED]> wrote:
> > > > > I tried to learn with HOWTO's, I didn't have the internet at home at
> > > > > the time. I printed out maybe 50 pages of various HOWTO's.
> > > > >
> > > > > When I got home, I found none of them were up to date with the current
> > > > > (easy) capabilities of OpenBSD using ipsec.conf and ipsecctl... I
> > > > > ended up learning how to do ipsec with just the manuals.
> > > > >
> > > > > You'd be amazed how easy it went.
> > > > >
> > > > > On 8/31/07, José Costa <[EMAIL PROTECTED]> wrote:
> > > > > > Hello,
> > > > > >
> > > > > > Anyone knows a really good IPSec howto besides the man pages?



Re: IPSec

2007-09-03 Thread José Costa
How can I solve this? Any docs about it? Debugging?

On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Mon, Sep 03, 2007 at 12:59:48PM +0100, José Costa wrote:
> >
> > Sep  3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83
> > port 500 due to notification type NO_PROPOSAL_CHOSEN
> > Sep  3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE:
> > KEY_EXCH payload without a group desc. attribute
> > Sep  3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83
> > port 500 due to notification type NO_PROPOSAL_CHOSEN
> > Sep  3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE:
> > KEY_EXCH payload without a group desc. attribute
>
> isakmpd does not like the transforms for phase 2 proposed by the other
> peer.  It seems, that phase 2 has no group description.
>
> >
> > --- /etc/ipsec.conf ---
> >
> > ike dynamic esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
> > main auth hmac-sha1 enc 3des group modp1024 \
> > quick auth hmac-sha1 enc 3des \
> > psk teste tag teste
> >
> > The ISA Server is configured correctly for the Phase-1 and Phase-2
> > encryptions and auths.
> >
> > Any help here?
> >
> >
> > On 8/31/07, Jeff Quast <[EMAIL PROTECTED]> wrote:
> > > I tried to learn with HOWTO's, I didn't have the internet at home at
> > > the time. I printed out maybe 50 pages of various HOWTO's.
> > >
> > > When I got home, I found none of them were up to date with the current
> > > (easy) capabilities of OpenBSD using ipsec.conf and ipsecctl... I
> > > ended up learning how to do ipsec with just the manuals.
> > >
> > > You'd be amazed how easy it went.
> > >
> > > On 8/31/07, José Costa <[EMAIL PROTECTED]> wrote:
> > > > Hello,
> > > >
> > > > Anyone knows a really good IPSec howto besides the man pages?



Re: IPSec

2007-09-03 Thread José Costa
Hello,

Yeah, I bet it works beautifully with OBSD tunnels, but I'm trying to
create a tunnel between OBSD and ISA Server 2006 on VMware Server.

Sep  3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83
port 500 due to notification type NO_PROPOSAL_CHOSEN
Sep  3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE:
KEY_EXCH payload without a group desc. attribute
Sep  3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83
port 500 due to notification type NO_PROPOSAL_CHOSEN
Sep  3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE:
KEY_EXCH payload without a group desc. attribute

--- /etc/ipsec.conf ---

ike dynamic esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des \
psk teste tag teste

The ISA Server is configured correctly for the Phase-1 and Phase-2
encryptions and auths.

Any help here?


On 8/31/07, Jeff Quast <[EMAIL PROTECTED]> wrote:
> I tried to learn with HOWTO's, I didn't have the internet at home at
> the time. I printed out maybe 50 pages of various HOWTO's.
>
> When I got home, I found none of them were up to date with the current
> (easy) capabilities of OpenBSD using ipsec.conf and ipsecctl... I
> ended up learning how to do ipsec with just the manuals.
>
> You'd be amazed how easy it went.
>
> On 8/31/07, José Costa <[EMAIL PROTECTED]> wrote:
> > Hello,
> >
> > Anyone knows a really good IPSec howto besides the man pages?



IPSec

2007-08-31 Thread José Costa
Hello,

Anyone knows a really good IPSec howto besides the man pages?