Re: OpenBSD isakmpd and pf vs Cisco PIX or ASA
Hello,

Is there any documentation about those tweaks for tcp performance? And what about the irq thingy?

On Thu, Nov 8, 2007 at 2:34 AM, Prabhu Gurumurthy <[EMAIL PROTECTED]> wrote:
> Brian A Seklecki (Mobile) wrote:
> >
> > On Mon, 2007-11-05 at 07:23 +0100, Martin Toft wrote:
> >
> > > On Mon, Nov 05, 2007 at 01:29:05AM +0100, Cabillot Julien wrote:
> > >
> > > > Have you tried OpenBSD 4.2? PF has been really improved in this
> > > > release.
> > >
> >
> > pf(4) has nothing to do with isakmpd(8), except as it relates to the recent
> > addition of routing tags.
> >
> > - PIX/ASA is going to get you default packet "ASA" forwarding based on
> >   interface weights
> > - PIX/ASA is going to guarantee easily set up and functional Hybrid-XAUTH
> >   VPN road-warrior clients
> > - PIX has functional object-groups/group-object inheritance
> > - PIX/ASA has proprietary serial console fail-over (which is marginally
> >   faster than waiting for CARP)
> > - PIX/ASA has some magical black-box inline transparent protocol
> >   "fixups"
> > - PIX has a 4 hour SmartNet support contract option
> > - PIX/ASA has a SNMP MIB tree (which we are working to catch up on)
> >
> > I don't know about ASA, but the 5xx PIX doesn't support IPv6
> >
> > Otherwise they're both software-based stateful IP packet forwarding
> > engines running on i386 with NAT and IPSec and 802.1q support.
> >
> > OpenBSD will always scale better because you can run it on the hardware
> > platform of your choice.
> >
> > ~BAS
> >
> > > 1. VPN is computationally heavy -- is your hardware fast enough?
> > >
> > > 2. Try playing with queueing in PF to handle some types of traffic
> > > faster than others. AFAIK, it is normal to find this kind of
> > > configuration in commercial, black-box solutions, disguised as buzzy
> > > slogans like "Built-in QoS Super-Routing" :-)
> > >
> > > Just my two cents.
> > >
> > > Martin
>
> Are you sure PIX 515 and above do not support IPv6? By that do you mean
> IPv6 routing? If that is the case, yes. But PIX 515E and ASA do support
> IPv6 fine when you use a 7.X and above version of the image.
>
> In addition to your 4th point, PIX and ASA support failover using LAN; only
> PIX supports serial based failover.
>
> To the OP:
> We use ASA and OpenBSD in our production environment and we spent close to
> $10,000 buying twin ASAs (using GigE) for failover, but only $2000 to buy
> two Dell boxes to put OpenBSD (using GigE) on them and use them as failover,
> i.e. pf + pfsync + sasyncd, and it's been fine for the past 11 months.
>
> Where do you see OpenBSD lagging behind? If it is the transfer rate, you can
> tweak tcp settings using sysctl; you can upgrade to 4.2 as the other post
> indicated.
>
> And are you willing to spend money to buy expensive gear? That is the
> question.
Re: hoststated with multiple virtual hosts
My scenario is this:

ifconfig sis0 10.0.0.1 netmask 255.255.255.0
ifconfig carp0 10.0.0.10 netmask 255.255.255.0 vhid 1
ifconfig carp1 10.0.0.20 netmask 255.255.255.0 vhid 2
(two carp interfaces because I can't have carp with 2 or more IP addresses)
ifconfig sis1 172.16.0.1 netmask 255.255.255.0

hoststated.conf:

table webhosts {
        real port http
        check http "/" code 200
        host 172.16.0.200
        host 172.16.0.201
}

service www {
        virtual host 10.0.0.10 port http interface carp0
        virtual host 10.0.0.20 port http interface carp1
        # tag every packet that goes thru the rdr rule with HOSTSTATED
        tag HOSTSTATED
        table webhosts
}

First question: Why can't carp have multiple addresses?
Second question: Why can't hoststated support tables like in pf.conf?
Third question: Is there another way to do this with hoststated? (I wanted to have a status check on the hosts)

Thanks in advance!

On 10/3/07, José Costa <[EMAIL PROTECTED]> wrote:
> Hello,
>
> Is it possible to configure hoststated.conf with IPs in a { ip1, ip2 } and virtual host ... ?
hoststated with multiple virtual hosts
Hello,

Is it possible to configure hoststated.conf with IPs in a { ip1, ip2 } and virtual host ... ?
Re: IPSec
Oh, and the tunnel is only activated when the ISA network tries to access the OBSD network. The other way round doesn't work.

On 9/5/07, José Costa <[EMAIL PROTECTED]> wrote:
> I think that the patch works but I can't ping from the 10.0.0.0/24
> network to 10.0.1.0/24.
>
> I can ping from ISA to 10.0.0.1 (another VM connected), to 10.0.0.50
> (loopback1) and 10.0.0.254 (inside if).
>
> From OBSD, I can ping from 10.0.0.254 (ping -I 10.0.0.254) to
> 10.0.1.254 and (ping -I 10.0.0.50) 10.0.0.50 to 10.0.1.254.
>
> I can't ping from 172.26.10.82 and from the 10.0.0.1 machine.
>
> # ifconfig
> lo0: flags=8049 mtu 33224
>         groups: lo
>         inet 127.0.0.1 netmask 0xff00
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
> pcn0: flags=8a43 mtu 1500
>         lladdr 00:0c:29:f0:70:e0
>         groups: egress
>         media: Ethernet autoselect (autoselect)
>         inet 172.26.10.82 netmask 0xff00 broadcast 172.26.10.255
>         inet6 fe80::20c:29ff:fef0:70e0%pcn0 prefixlen 64 scopeid 0x1
> pcn1: flags=8843 mtu 1500
>         lladdr 00:0c:29:f0:70:ea
>         media: Ethernet autoselect (autoselect)
>         inet 10.0.0.254 netmask 0xff00 broadcast 10.0.0.255
>         inet6 fe80::20c:29ff:fef0:70ea%pcn1 prefixlen 64 scopeid 0x2
> pflog0: flags=141 mtu 33224
> enc0: flags=141 mtu 1536
> lo1: flags=8049 mtu 33224
>         groups: lo
>         inet 10.0.0.50 netmask 0xff00
>
> --
>
> # cat /etc/pf.conf
> # $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
> #
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> ext_if="pcn0"
> int_if="pcn1"
>
> #table persist
>
> set skip on { lo $int_if enc0 }
>
> #scrub in
>
> #nat-anchor "ftp-proxy/*"
> #rdr-anchor "ftp-proxy/*"
> nat on $ext_if from ! ($ext_if) -> ($ext_if:0)
> #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
> #no rdr on $ext_if proto tcp from to any port smtp
> #rdr pass on $ext_if proto tcp from any to any port smtp \
> #        -> 127.0.0.1 port spamd
>
> #anchor "ftp-proxy/*"
>
> # Default Deny Rule
> block in
> #pass out
>
> #pass quick on $int_if no state
> #antispoof quick for { lo $int_if }
>
> # OpenSSH Access
> pass in on $ext_if proto tcp to ($ext_if) port ssh
>
> # SMTP Access
> #pass in log on $ext_if proto tcp to ($ext_if) port smtp
> #pass out log on $ext_if proto tcp from ($ext_if) to port smtp
>
> # Lan Access
> pass on $int_if all
>
> # IPSec Tunnel to ISA Server
> pass in quick on $ext_if proto icmp from 172.26.10.83 to ($ext_if)
> pass in quick on $ext_if proto udp from 172.26.10.83 to ($ext_if) port 500
> pass in quick on $ext_if proto esp from 172.26.10.83 to ($ext_if)
> pass out quick on $ext_if proto esp from ($ext_if) to 172.26.10.83
>
> # Outbound Access
> pass out keep state
>
> ---
>
> # cat /etc/ipsec.conf
> # $OpenBSD: ipsec.conf,v 1.5 2006/09/14 15:10:43 hshoexer Exp $
> #
> # See ipsec.conf(5) for syntax and examples.
>
> # Set up two tunnels using automatic keying with isakmpd(8):
> #
> # First between the networks 10.1.1.0/24 and 10.1.2.0/24,
> # second between the machines 192.168.3.1 and 192.168.3.2.
> # Use FQDNs as IDs.
>
> #ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \
> #        srcid me.mylan.net dstid the.others.net
> #ike esp from 192.168.3.1 to 192.168.3.2 \
> #        srcid me.mylan.net dstid the.others.net
>
> # Set up a tunnel using static keying:
> #
> # The first rule sets up the flow; the second sets up the SA. As default
> # transforms, ipsecctl(8) will use hmac-sha2-256 for authentication
> # and aes for encryption. hmac-sha2-256 uses a 256-bit key; aes
> # a 128-bit key.
>
> #flow esp from 192.168.7.0/24 to 192.168.8.0/24 peer 192.168.3.2
> #esp from 192.168.3.1 to 192.168.3.2 spi 0xabd9da39:0xc9dbb83d \
> #        authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 \
> #        enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d
>
> ike esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
>         main auth hmac-sha1 enc 3des group modp1024 \
>         quick auth hmac-sha1 enc 3des group modp1024 \
>         psk teste tag teste
>
>
> On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > could you try the attached diff, please?
> >
> > Index: message.c > > === > > RCS file: /cvs/src/sbin/isakmpd/message.c,v > > retrieving revision 1.126 > > diff -u -p -r1.126 message.c > > --- message.c 2 Jun 2007 01:29:11 - 1.126 > > +++ message.c 3 Sep 2007 22:30:46 - > > @@ -927,6 +927,7 @@ message_validate_notify(struct message * > > if (type < ISAKMP_NOTIFY_INVALID_PAYLOAD_
Re: IPSec
I think that the patch works but I can't ping from the 10.0.0.0/24
network to 10.0.1.0/24.

I can ping from ISA to 10.0.0.1 (another VM connected), to 10.0.0.50
(loopback1) and 10.0.0.254 (inside if).

From OBSD, I can ping from 10.0.0.254 (ping -I 10.0.0.254) to
10.0.1.254 and (ping -I 10.0.0.50) 10.0.0.50 to 10.0.1.254.

I can't ping from 172.26.10.82 and from the 10.0.0.1 machine.

# ifconfig
lo0: flags=8049 mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
pcn0: flags=8a43 mtu 1500
        lladdr 00:0c:29:f0:70:e0
        groups: egress
        media: Ethernet autoselect (autoselect)
        inet 172.26.10.82 netmask 0xff00 broadcast 172.26.10.255
        inet6 fe80::20c:29ff:fef0:70e0%pcn0 prefixlen 64 scopeid 0x1
pcn1: flags=8843 mtu 1500
        lladdr 00:0c:29:f0:70:ea
        media: Ethernet autoselect (autoselect)
        inet 10.0.0.254 netmask 0xff00 broadcast 10.0.0.255
        inet6 fe80::20c:29ff:fef0:70ea%pcn1 prefixlen 64 scopeid 0x2
pflog0: flags=141 mtu 33224
enc0: flags=141 mtu 1536
lo1: flags=8049 mtu 33224
        groups: lo
        inet 10.0.0.50 netmask 0xff00

--

# cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="pcn0"
int_if="pcn1"

#table persist

set skip on { lo $int_if enc0 }

#scrub in

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
nat on $ext_if from ! ($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#        -> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"

# Default Deny Rule
block in
#pass out

#pass quick on $int_if no state
#antispoof quick for { lo $int_if }

# OpenSSH Access
pass in on $ext_if proto tcp to ($ext_if) port ssh

# SMTP Access
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp

# Lan Access
pass on $int_if all

# IPSec Tunnel to ISA Server
pass in quick on $ext_if proto icmp from 172.26.10.83 to ($ext_if)
pass in quick on $ext_if proto udp from 172.26.10.83 to ($ext_if) port 500
pass in quick on $ext_if proto esp from 172.26.10.83 to ($ext_if)
pass out quick on $ext_if proto esp from ($ext_if) to 172.26.10.83

# Outbound Access
pass out keep state

---

# cat /etc/ipsec.conf
# $OpenBSD: ipsec.conf,v 1.5 2006/09/14 15:10:43 hshoexer Exp $
#
# See ipsec.conf(5) for syntax and examples.

# Set up two tunnels using automatic keying with isakmpd(8):
#
# First between the networks 10.1.1.0/24 and 10.1.2.0/24,
# second between the machines 192.168.3.1 and 192.168.3.2.
# Use FQDNs as IDs.

#ike esp from 10.1.1.0/24 to 10.1.2.0/24 peer 192.168.3.2 \
#        srcid me.mylan.net dstid the.others.net
#ike esp from 192.168.3.1 to 192.168.3.2 \
#        srcid me.mylan.net dstid the.others.net

# Set up a tunnel using static keying:
#
# The first rule sets up the flow; the second sets up the SA. As default
# transforms, ipsecctl(8) will use hmac-sha2-256 for authentication
# and aes for encryption. hmac-sha2-256 uses a 256-bit key; aes
# a 128-bit key.

#flow esp from 192.168.7.0/24 to 192.168.8.0/24 peer 192.168.3.2
#esp from 192.168.3.1 to 192.168.3.2 spi 0xabd9da39:0xc9dbb83d \
#        authkey 0x54f79f479a32814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e8:0x7f48ee352c626cdc2a731b9d90bd63e29db2a9c683044b70b2f4441521b622d6 \
#        enckey 0xb341aa065c3850edd6a61e150d6a5fd3:0xf7795f6bdd697a43a4d28dcf1b79062d

ike esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des group modp1024 \
        psk teste tag teste


On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> Hi,
>
> could you try the attached diff, please?
>
> Index: message.c > === > RCS file: /cvs/src/sbin/isakmpd/message.c,v > retrieving revision 1.126 > diff -u -p -r1.126 message.c > --- message.c 2 Jun 2007 01:29:11 - 1.126 > +++ message.c 3 Sep 2007 22:30:46 - > @@ -927,6 +927,7 @@ message_validate_notify(struct message * > if (type < ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE || > (type >= ISAKMP_NOTIFY_RESERVED_MIN && > type < ISAKMP_NOTIFY_PRIVATE_MIN) || > + type == ISAKMP_NOTIFY_STATUS_CONNECTED || > (type >= ISAKMP_NOTIFY_STATUS_RESERVED1_MIN && > type <= ISAKMP_NOTIFY_STATUS_RESERVED1_MAX) || > (type >= ISAKMP_NOTIFY_STATUS_DOI_MIN &&
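Review bot: the added `type == ISAKMP_NOTIFY_STATUS_CONNECTED ||` is the only equality test inside a chain of range checks in message_validate_notify, and the quoted hunk is cut off before the body of that `if`, so the diff as shown does not let a reader see whether a CONNECTED notification ends up accepted or dropped; a one-line comment above the new test saying what it is for (the thread's context is an ISA Server peer whose messages were being dropped as PAYLOAD_MALFORMED) would make the intent reviewable from the patch alone. It is also worth stating in the commit message that CONNECTED is not already covered by the `ISAKMP_NOTIFY_STATUS_RESERVED1_MIN .. _MAX` range on the next lines, since otherwise the new test would be redundant.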
Re: IPSec
Attached.

On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> Hi,
>
> could you please run isakmpd with the "-L" (see isakmpd(8)) flag and could
> you provide me the generated pcap file?
>
> On Mon, Sep 03, 2007 at 04:17:22PM +0100, José Costa wrote:
> > Okay, I've altered the range from 10.0.0.1 to 10.0.0.255 -> 10.0.0.0
> > to 10.0.0.255.
> >
> > FLOWS:
> > flow esp in from 172.26.10.83 to 10.0.0.0/24 peer 172.26.10.83 srcid
> > obsd1.my.domain dstid 172.26.10.83/32 type use
> > flow esp out from 10.0.0.0/24 to 172.26.10.83 peer 172.26.10.83 srcid
> > obsd1.my.domain dstid 172.26.10.83/32 type require
> >
> > SAD:
> > esp tunnel from 172.26.10.83 to 172.26.10.82 spi 0x3fe97772 auth
> > hmac-sha1 enc 3des-cbc
> > esp tunnel from 172.26.10.82 to 172.26.10.83 spi 0x981a7980 auth
> > hmac-sha1 enc 3des-cbc
> >
> > BUT there's another error:
> >
> > Sep 3 16:12:08 obsd1 isakmpd[16423]: exchange_run: exchange_validate failed
> > Sep 3 16:12:08 obsd1 isakmpd[16423]: dropped message from
> > 172.26.10.83 port 500 due to notification type PAYLOAD_MALFORMED
> >
> >
> > On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > > On Mon, Sep 03, 2007 at 03:11:35PM +0100, José Costa wrote:
> > > > Sep 3 15:05:16 obsd1 isakmpd[25239]: dropped message from
> > > > 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
> > > > Sep 3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE:
> > > > KEY_EXCH payload without a group desc. attribute
> > > > Sep 3 15:05:16 obsd1 isakmpd[25239]: dropped message from
> > > > 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
> > > > Sep 3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE:
> > > > peer proposed invalid phase 2 IDs: initiator id ac1a0a53:
> > > > 172.26.10.83, responder id 0a80/ff80:
> > > > 10.0.0.128/255.255.255.128
> > >
> > > isakmpd tells you that the peer sent the wrong phase 2 ID.
> > >
> > > Here, you tell ISA to propose these IDs, but...
> > >
> > > > Remote Network 'OBSD1' IP Subnets:
> > > > Subnet: 10.0.0.1/255.255.255.255
> > > > Subnet: 10.0.0.2/255.255.255.254
> > > > Subnet: 10.0.0.4/255.255.255.252
> > > > Subnet: 10.0.0.8/255.255.255.248
> > > > Subnet: 10.0.0.16/255.255.255.240
> > > > Subnet: 10.0.0.32/255.255.255.224
> > > > Subnet: 10.0.0.64/255.255.255.192
> > > > Subnet: 10.0.0.128/255.255.255.128
> > >
> > > here you tell isakmpd to accept only 10.0.1.0/24, which is never proposed
> > > by the peer:
> > >
> > > --- /etc/ipsec.conf ---
> > >
> > > ike dynamic esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
> > >         main auth hmac-sha1 enc 3des group modp1024 \
> > >         quick auth hmac-sha1 enc 3des \
> > >         psk teste tag teste
> > >
> > >
> > > To get started, tell ISA to only use one remote subnet, ie. 10.0.1.0/24

tcpdump: WARNING: snaplen raised from 96 to 65536
17:12:40.500794 172.26.10.83.500 > 172.26.10.82.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 45e904f3a6260510->116cb8bcab6a79b2 msgid: 518e3038 len: 292
        payload: HASH len: 24
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x17b3274e
                payload: TRANSFORM len: 32
                    transform: 1 ID: 3DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 0e10
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                        attribute GROUP_DESCRIPTION = 2
        payload: KEY_EXCH len: 132
        payload: NONCE len: 24
        payload: ID len: 12 type: IPV4_ADDR = 172.26.10.83
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.0.0.0/255.255.255.0 [ttl 0] (id 1, len 320)
17:12:40.510601 172.26.10.82.500 > 172.26.10.83.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        cookie: 45e904f3a6260510->116cb8bcab6a79b2 msgid: 518e3038 len: 292
        payload: HASH len: 24
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xeb318a59
                payload: TRANSFORM len: 32
                    transform: 1 ID: 3DES
                        attribute LIFE_TYPE = SECONDS
                        attribute LIFE_DURATION = 0e10
                        attribute ENCAPSULATION_MODE = TUNNEL
                        attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
                        attribute GROUP_DESCRIPTION = 2
        payload: NONCE len: 24
        payload: KEY_EXCH len: 132
        payload: ID len: 12 type: IPV4_ADDR = 172.26.10.83
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.0.0.0/255.255.255.0 [ttl 0] (id 1, len 320)
17:12:40.530390 172.26.10.83.500 > 172.26.10.82.500: [udp sum ok] isakmp
Re: IPSec
Okay, I've altered the range from 10.0.0.1 to 10.0.0.255 -> 10.0.0.0
to 10.0.0.255.

FLOWS:
flow esp in from 172.26.10.83 to 10.0.0.0/24 peer 172.26.10.83 srcid
obsd1.my.domain dstid 172.26.10.83/32 type use
flow esp out from 10.0.0.0/24 to 172.26.10.83 peer 172.26.10.83 srcid
obsd1.my.domain dstid 172.26.10.83/32 type require

SAD:
esp tunnel from 172.26.10.83 to 172.26.10.82 spi 0x3fe97772 auth
hmac-sha1 enc 3des-cbc
esp tunnel from 172.26.10.82 to 172.26.10.83 spi 0x981a7980 auth
hmac-sha1 enc 3des-cbc

BUT there's another error:

Sep 3 16:12:08 obsd1 isakmpd[16423]: exchange_run: exchange_validate failed
Sep 3 16:12:08 obsd1 isakmpd[16423]: dropped message from
172.26.10.83 port 500 due to notification type PAYLOAD_MALFORMED


On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Mon, Sep 03, 2007 at 03:11:35PM +0100, José Costa wrote:
> > Sep 3 15:05:16 obsd1 isakmpd[25239]: dropped message from
> > 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
> > Sep 3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE:
> > KEY_EXCH payload without a group desc. attribute
> > Sep 3 15:05:16 obsd1 isakmpd[25239]: dropped message from
> > 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
> > Sep 3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE:
> > peer proposed invalid phase 2 IDs: initiator id ac1a0a53:
> > 172.26.10.83, responder id 0a80/ff80:
> > 10.0.0.128/255.255.255.128
>
> isakmpd tells you that the peer sent the wrong phase 2 ID.
>
> Here, you tell ISA to propose these IDs, but...
>
> > Remote Network 'OBSD1' IP Subnets:
> > Subnet: 10.0.0.1/255.255.255.255
> > Subnet: 10.0.0.2/255.255.255.254
> > Subnet: 10.0.0.4/255.255.255.252
> > Subnet: 10.0.0.8/255.255.255.248
> > Subnet: 10.0.0.16/255.255.255.240
> > Subnet: 10.0.0.32/255.255.255.224
> > Subnet: 10.0.0.64/255.255.255.192
> > Subnet: 10.0.0.128/255.255.255.128
>
> here you tell isakmpd to accept only 10.0.1.0/24, which is never proposed
> by the peer:
>
> --- /etc/ipsec.conf ---
>
> ike dynamic esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
>         main auth hmac-sha1 enc 3des group modp1024 \
>         quick auth hmac-sha1 enc 3des \
>         psk teste tag teste
>
>
> To get started, tell ISA to only use one remote subnet, ie. 10.0.1.0/24
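The subnet list ISA proposed and the single /24 that isakmpd was configured for differ because a start/end range such as 10.0.0.1 to 10.0.0.255 does not sit on a CIDR boundary, so the peer has to split it into several phase 2 IDs. The Python below is an added example, not code from the thread, from isakmpd or from ISA Server: it reproduces that split with the standard library and compares each resulting ID with the network on our side. The function names and the exact-equality comparison are assumptions made for the illustration; isakmpd's own ID matching rules live in its source and are not reproduced here.

```python
import ipaddress


def cidr_cover(first, last):
    """Minimal list of CIDR networks that exactly covers the inclusive
    address range first..last. A peer configured with a start/end range
    (as ISA was in this thread) proposes one IPV4_ADDR_SUBNET ID per block."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def check_phase2_ids(proposed_nets, configured_net):
    """Return the proposed networks that do not match the configured one.

    The comparison modelled here is exact equality of the proposed subnet
    with the configured network (an assumption for this example, not a
    reproduction of isakmpd's matching code)."""
    cfg = ipaddress.ip_network(configured_net)
    return [str(n) for n in proposed_nets if n != cfg]


def explain(first, last, configured_net):
    """Summarise what a range-based peer would propose against our flow."""
    cover = cidr_cover(first, last)
    mismatching = check_phase2_ids(cover, configured_net)
    return {
        "proposed": [str(n) for n in cover],
        "mismatching": mismatching,
        "ok": not mismatching,
    }


if __name__ == "__main__":
    # Constructed to mirror the thread: the original ISA range excluded
    # 10.0.0.0, the corrected one covers the whole /24 that isakmpd expects.
    for first, last in (("10.0.0.1", "10.0.0.255"), ("10.0.0.0", "10.0.0.255")):
        r = explain(first, last, "10.0.0.0/24")
        print(f"{first}-{last}: {len(r['proposed'])} ID(s) proposed, ok={r['ok']}")
        for net in r["proposed"]:
            print(f"    {net}")
```

Run stand-alone it lists the eight blocks from 10.0.0.1/32 up to 10.0.0.128/25 for the original range, which is exactly the "Remote Network 'OBSD1' IP Subnets" list ISA printed, and a single 10.0.0.0/24 for the corrected range.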
Re: IPSec
Sep 3 15:05:16 obsd1 isakmpd[25239]: dropped message from
172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
Sep 3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE:
KEY_EXCH payload without a group desc. attribute
Sep 3 15:05:16 obsd1 isakmpd[25239]: dropped message from
172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
Sep 3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE:
peer proposed invalid phase 2 IDs: initiator id ac1a0a53:
172.26.10.83, responder id 0a80/ff80:
10.0.0.128/255.255.255.128

Same thing. Btw, ISA Server 2006 gives me this:

-- LOCAL
Local Tunnel Endpoint: 172.26.10.83
Remote Tunnel Endpoint: 172.26.10.82
To allow HTTP proxy or NAT traffic to the remote site, the remote site
configuration must contain the local site tunnel end-point IP address.

IKE Phase I Parameters:
  Mode: Main mode
  Encryption: 3DES
  Integrity: SHA1
  Diffie-Hellman group: Group 2 (1024 bit)
  Authentication Method: Pre-shared secret (teste)
  Security Association Lifetime: 28800 seconds

IKE Phase II Parameters:
  Mode: ESP tunnel mode
  Encryption: 3DES
  Integrity: SHA1
  Perfect Forward Secrecy: ON
  Diffie-Hellman group: Group 2 (1024 bit)
  Time Rekeying: ON
  Security Association Lifetime: 3600 seconds
  Kbyte Rekeying: OFF

Remote Network 'OBSD1' IP Subnets:
  Subnet: 10.0.0.1/255.255.255.255
  Subnet: 10.0.0.2/255.255.255.254
  Subnet: 10.0.0.4/255.255.255.252
  Subnet: 10.0.0.8/255.255.255.248
  Subnet: 10.0.0.16/255.255.255.240
  Subnet: 10.0.0.32/255.255.255.224
  Subnet: 10.0.0.64/255.255.255.192
  Subnet: 10.0.0.128/255.255.255.128

Local Network 'Internal' IP Subnets:
  Subnet: 10.0.1.0/255.255.255.0

Routable Local IP Addresses:
  Subnet: 10.0.1.0/255.255.255.0

-- REMOTE --
Local Tunnel Endpoint: 172.26.10.82
Remote Tunnel Endpoint: 172.26.10.83

IKE Phase I Parameters:
  Mode: Main mode
  Encryption: 3DES
  Integrity: SHA1
  Diffie-Hellman group: Group 2 (1024 bit)
  Authentication Method: Pre-shared secret (teste)
  Security Association Lifetime: 28800 seconds

IKE Phase II Parameters:
  Mode: ESP tunnel mode
  Encryption: 3DES
  Integrity: SHA1
  Perfect Forward Secrecy: ON
  Diffie-Hellman group: Group 2 (1024 bit)
  Time Rekeying: ON
  Security Association Lifetime: 3600 seconds
  Kbyte Rekeying: OFF

Site-to-Site Network IP Subnets:
  Subnet: 10.0.1.0/255.255.255.0

I've defined only the Class C of 10.0.0.1 to 10.0.0.255 and there are a lot of subnets! Maybe that's the issue?

On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> On Mon, Sep 03, 2007 at 02:45:46PM +0100, José Costa wrote:
> > 3des, sha1, PFS disabled.
>
> ok, then enable pfs, use modp1024
Re: IPSec
3des, sha1, PFS disabled.

On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> Hi,
>
> which transforms are configured on the ISA server for phase 2?
>
> On Mon, Sep 03, 2007 at 02:21:24PM +0100, José Costa wrote:
> > How can I solve this? Any docs about it? Debugging?
> >
> > On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > > On Mon, Sep 03, 2007 at 12:59:48PM +0100, José Costa wrote:
> > > >
> > > > Sep 3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83
> > > > port 500 due to notification type NO_PROPOSAL_CHOSEN
> > > > Sep 3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE:
> > > > KEY_EXCH payload without a group desc. attribute
> > > > Sep 3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83
> > > > port 500 due to notification type NO_PROPOSAL_CHOSEN
> > > > Sep 3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE:
> > > > KEY_EXCH payload without a group desc. attribute
> > >
> > > isakmpd does not like the transforms for phase 2 proposed by the other
> > > peer. It seems that phase 2 has no group description.
> > >
> > > > --- /etc/ipsec.conf ---
> > > >
> > > > ike dynamic esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
> > > >         main auth hmac-sha1 enc 3des group modp1024 \
> > > >         quick auth hmac-sha1 enc 3des \
> > > >         psk teste tag teste
> > > >
> > > > The ISA Server is configured correctly for the Phase-1 and Phase-2
> > > > encryptions and auths.
> > > >
> > > > Any help here?
> > > >
> > > >
> > > > On 8/31/07, Jeff Quast <[EMAIL PROTECTED]> wrote:
> > > > > I tried to learn with HOWTOs, I didn't have the internet at home at
> > > > > the time. I printed out maybe 50 pages of various HOWTOs.
> > > > >
> > > > > When I got home, I found none of them were up to date with the current
> > > > > (easy) capabilities of OpenBSD using ipsec.conf and ipsecctl... I
> > > > > ended up learning how to do ipsec with just the manuals.
> > > > >
> > > > > You'd be amazed how easy it went.
> > > > >
> > > > > On 8/31/07, José Costa <[EMAIL PROTECTED]> wrote:
> > > > > > Hello,
> > > > > >
> > > > > > Does anyone know a really good IPSec howto besides the man pages?
Re: IPSec
How can I solve this? Any docs about it? Debugging?

On 9/3/07, Hans-Joerg Hoexer <[EMAIL PROTECTED]> wrote:
> Hi,
>
> On Mon, Sep 03, 2007 at 12:59:48PM +0100, José Costa wrote:
> >
> > Sep 3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83
> > port 500 due to notification type NO_PROPOSAL_CHOSEN
> > Sep 3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE:
> > KEY_EXCH payload without a group desc. attribute
> > Sep 3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83
> > port 500 due to notification type NO_PROPOSAL_CHOSEN
> > Sep 3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE:
> > KEY_EXCH payload without a group desc. attribute
>
> isakmpd does not like the transforms for phase 2 proposed by the other
> peer. It seems that phase 2 has no group description.
>
> > --- /etc/ipsec.conf ---
> >
> > ike dynamic esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
> >         main auth hmac-sha1 enc 3des group modp1024 \
> >         quick auth hmac-sha1 enc 3des \
> >         psk teste tag teste
> >
> > The ISA Server is configured correctly for the Phase-1 and Phase-2
> > encryptions and auths.
> >
> > Any help here?
> >
> >
> > On 8/31/07, Jeff Quast <[EMAIL PROTECTED]> wrote:
> > > I tried to learn with HOWTOs, I didn't have the internet at home at
> > > the time. I printed out maybe 50 pages of various HOWTOs.
> > >
> > > When I got home, I found none of them were up to date with the current
> > > (easy) capabilities of OpenBSD using ipsec.conf and ipsecctl... I
> > > ended up learning how to do ipsec with just the manuals.
> > >
> > > You'd be amazed how easy it went.
> > >
> > > On 8/31/07, José Costa <[EMAIL PROTECTED]> wrote:
> > > > Hello,
> > > >
> > > > Does anyone know a really good IPSec howto besides the man pages?
Re: IPSec
Hello,

Yeah, I bet it works beautifully with OBSD tunnels, but I'm trying to create a tunnel between OBSD and ISA Server 2006 on VMWare Server.

Sep 3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83
port 500 due to notification type NO_PROPOSAL_CHOSEN
Sep 3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE:
KEY_EXCH payload without a group desc. attribute
Sep 3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83
port 500 due to notification type NO_PROPOSAL_CHOSEN
Sep 3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE:
KEY_EXCH payload without a group desc. attribute

--- /etc/ipsec.conf ---

ike dynamic esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des \
        psk teste tag teste

The ISA Server is configured correctly for the Phase-1 and Phase-2
encryptions and auths.

Any help here?


On 8/31/07, Jeff Quast <[EMAIL PROTECTED]> wrote:
> I tried to learn with HOWTOs, I didn't have the internet at home at
> the time. I printed out maybe 50 pages of various HOWTOs.
>
> When I got home, I found none of them were up to date with the current
> (easy) capabilities of OpenBSD using ipsec.conf and ipsecctl... I
> ended up learning how to do ipsec with just the manuals.
>
> You'd be amazed how easy it went.
>
> On 8/31/07, José Costa <[EMAIL PROTECTED]> wrote:
> > Hello,
> >
> > Does anyone know a really good IPSec howto besides the man pages?
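The isakmpd syslog lines quoted in this thread (NO_PROPOSAL_CHOSEN with "KEY_EXCH payload without a group desc. attribute", later "invalid phase 2 IDs", and finally PAYLOAD_MALFORMED after "exchange_validate failed") are the only signal an operator gets that a negotiation is being dropped, and the daemon logs the reason on a separate line from the drop. The Python below is an added example, not code from the thread or from isakmpd: it pairs each "dropped message" line with the diagnostic line logged by the same process and maps the pair to the cause the thread arrived at. The sample log is constructed from the lines quoted here, and the hint table is my own wording of the diagnoses given in the thread.

```python
import re
from collections import Counter

# Constructed sample, modelled on the isakmpd syslog lines quoted in this thread.
SAMPLE_LOG = """\
Sep  3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
Sep  3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute
Sep  3 15:05:16 obsd1 isakmpd[25239]: dropped message from 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
Sep  3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id ac1a0a53: 172.26.10.83, responder id 0a80/ff80: 10.0.0.128/255.255.255.128
Sep  3 16:12:08 obsd1 isakmpd[16423]: exchange_run: exchange_validate failed
Sep  3 16:12:08 obsd1 isakmpd[16423]: dropped message from 172.26.10.83 port 500 due to notification type PAYLOAD_MALFORMED
"""

DROP_RE = re.compile(
    r"isakmpd\[(?P<pid>\d+)\]: dropped message from (?P<peer>\S+) port (?P<port>\d+) "
    r"due to notification type (?P<notify>[A-Z_]+)")
DETAIL_RE = re.compile(
    r"isakmpd\[(?P<pid>\d+)\]: (?P<func>responder_recv_\w+|exchange_run): (?P<msg>.+)$")


def hint(notify, detail):
    """Map a (notification, diagnostic) pair to the cause found in the thread.
    Hypothetical hint table; the wording is mine, not isakmpd's."""
    if notify == "NO_PROPOSAL_CHOSEN" and "without a group desc" in detail:
        return ("phase 2 proposal carries no DH group: PFS mismatch "
                "(enable PFS on the peer and add 'group modp1024' to the quick line)")
    if notify == "NO_PROPOSAL_CHOSEN" and "invalid phase 2 IDs" in detail:
        return ("phase 2 IDs do not match the configured flow: compare the peer's "
                "subnet list with the 'from ... to ...' networks in ipsec.conf")
    if notify == "PAYLOAD_MALFORMED":
        return ("a payload failed exchange_validate: the peer sent something this "
                "isakmpd does not accept (the thread's message.c diff addresses one case)")
    return "no specific hint"


def parse_isakmpd_log(text):
    """Return (peer, notify, detail) tuples, pairing each 'dropped message'
    with the diagnostic line(s) logged by the same pid. Details are collected
    in a first pass so it does not matter whether the daemon logged the
    reason before or after the drop."""
    details, drops = {}, []
    for line in text.splitlines():
        m = DETAIL_RE.search(line)
        if m:
            details.setdefault(m["pid"], []).append(f'{m["func"]}: {m["msg"]}')
            continue
        m = DROP_RE.search(line)
        if m:
            drops.append((m["pid"], m["peer"], m["notify"]))
    return [(peer, notify, " | ".join(details.get(pid, [])))
            for pid, peer, notify in drops]


def summarize(text):
    """Per-peer counts of each notification type plus a hint per drop."""
    events = parse_isakmpd_log(text)
    counts = Counter((peer, notify) for peer, notify, _ in events)
    report = [(peer, notify, hint(notify, detail)) for peer, notify, detail in events]
    return counts, report


if __name__ == "__main__":
    counts, report = summarize(SAMPLE_LOG)
    for (peer, notify), n in sorted(counts.items()):
        print(f"{peer}: {n}x {notify}")
    for peer, notify, h in report:
        print(f"  {notify}: {h}")
```

Feed it `grep isakmpd /var/log/daemon` instead of the constructed sample to get the same per-peer summary for a live box; a sudden rise in the NO_PROPOSAL_CHOSEN count for a peer that used to negotiate cleanly usually means one side's phase 2 settings were changed.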
IPSec
Hello,

Does anyone know a really good IPSec howto besides the man pages?