ipsec vpn netgear DG834 : openbsd 4.2 (new thread)

2007-11-27 Thread jcr

New thread .. after some new tests..

And still the same ... shit !

Here is the LAN/WAN network


192.168.0/24(lan)--Netgear DG 834 (adsl + NAT + ipsec + ip fix A)
                                  |
                               ---WEB---
                                  |
                             OpenBSD 4.2
       (ipsec.conf+isakmpd.policy+ip fix B+ NAT) -- 10.7.22.0/24(lan)



Here are the configs:

Netgear:

local lan : 192.168.0.0/24
remote lan : 10.7.22.0/24
IKE :
direction : initiator / responder
mode : main
Diffie-Hellman : Group 2 (1024)
local id : IP wan
remote id: IP

Params
Crypto algo : 3DES
Auth algo : SHA-1
pre shared key : 123456789
SA life time : 36000


OpenBSD:
ipsec.conf

ike passive esp tunnel from IP_A to IP_B \
    main auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc 3des psk 123456789

ike dynamic esp tunnel from 192.168.0.0/24 to 10.7.22.0/24 peer IP_A \
    main auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc 3des psk 123456789

I have tried passive and dynamic for ike esp .. it's the same

isakmpd.policy

KeyNote-Version: 2
Authorizer: POLICY

pf.conf

pass in on $ext_if1 proto udp from $IP_A to $IP_B port {500,4500}
pass out on $ext_if1 proto udp from $IP_B to $IP_A port {500,4500}

pass in  on $IP_B proto esp from $IP_A to $IP_B
pass out on $IP_B proto esp from $IP_B to $IP_A

pass in on enc0 proto ipencap from $IP_A to $IP_B keep state (if-bound)
pass out on enc0 proto ipencap from $IP_B to $IP_A keep state (if-bound)

pass in on enc0 from 192.168.0.0/24 to 10.7.22.0/24 keep state (if-bound)
pass out on enc0 from 10.7.22.0/24 to 192.168.0.0/24 keep state (if-bound)

I have a rule for NAT on $IP_B


enc0 is up and running

I start my VPN with

isakmpd -dv -D 8=99


And finally here is the trouble, I got this on the isakmpd console

151330.400513 Negt 30 message_negotiate_sa: transform 0 proto 1 proposal 0 ok
151330.400933 Negt 20 ike_phase_1_validate_prop: success
151330.401046 Negt 30 message_negotiate_sa: proposal 0 succeeded
151357.435134 Default transport_send_messages: giving up on exchange peer-IP_A, no response from peer IP_A:500


And this on the DG834

Fri, 2007-11-23 14:13:30 - [idle] initiating Main Mode
Fri, 2007-11-23 14:13:40 - [idle] STATE_MAIN_I1: retransmission; will wait 20s for response
Fri, 2007-11-23 14:14:00 - [idle] STATE_MAIN_I1: retransmission; will wait 40s for response
Fri, 2007-11-23 14:14:40 - [idle] max number of retransmissions reached STATE_MAIN_I1.  No acceptable response to our first IKE message



and finally (as wanted by those who try to help me .. thanks)

echo p on /var/run/isakmpd.fif and tcpdump -r /var/run/isakmpd.pcap -vvn



tcpdump: WARNING: snaplen raised from 96 to 65536
11:40:31.600710 IP_A.500 > IP_B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
   cookie: cb79617a4b409a8f- msgid:  len: 100
   payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
   payload: PROPOSAL len: 40 proposal: 0 proto: ISAKMP spisz: 0 xforms: 1
   payload: TRANSFORM len: 32
   transform: 0 ID: ISAKMP
   attribute LIFE_TYPE = SECONDS
   attribute LIFE_DURATION = 3600
   attribute ENCRYPTION_ALGORITHM = 3DES_CBC
   attribute HASH_ALGORITHM = SHA
   attribute AUTHENTICATION_METHOD = PRE_SHARED
   attribute GROUP_DESCRIPTION = MODP_1024
   payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 128)
11:40:31.601712 IP_B.500 > IP_A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
   cookie: cb79617a4b409a8f-76316a628a99ce2b msgid:  len: 180
   payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
   payload: PROPOSAL len: 40 proposal: 0 proto: ISAKMP spisz: 0 xforms: 1
   payload: TRANSFORM len: 32
   transform: 0 ID: ISAKMP
   attribute LIFE_TYPE = SECONDS
   attribute LIFE_DURATION = 3600
   attribute ENCRYPTION_ALGORITHM = 3DES_CBC
   attribute HASH_ALGORITHM = SHA
   attribute AUTHENTICATION_METHOD = PRE_SHARED
   attribute GROUP_DESCRIPTION = MODP_1024
   payload: VENDOR len: 20 (supports OpenBSD-4.0)
   payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
   payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
   payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
   payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 208)



And then nothing.

It is not related to my ISP, I have tried with 2 different ones .. it is the same


For me it is around pf.conf .. but I can't find where

jc



Re: ipsec vpn netgear DG834 : openbsd 4.2 (new thread)

2007-11-27 Thread Christoph Leser
Hi,

here's my 50 cents:

tcpdump looks good, the OpenBSD machine receives the first message of the phase 1 exchange
and sends a suitable response.

Your Netgear log says that no response to the first message is received.

This means the response from isakmpd gets lost, either in the local pf or in the Netgear
(don't know if they have some sort of packet filter) or somewhere in between.

You could distinguish these two possibilities by either

tcpdump -lenvvi pflog0 # watch out for packets to if_A that are blocked

or

tcpdump -lenvvi <external if> ip host if_A   (you should see exactly one
message in and one message out)

Once we know whether the packets really leave OpenBSD, we can do further
analysis.



 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of jcr
 Sent: Tuesday, 27 November 2007 12:10
 To: misc@openbsd.org
 Subject: ipsec vpn netgear DG834 : openbsd 4.2 (new thread)



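An added example, not from the thread or from either poster: a small Python script that applies Christoph's two checks to captured text, reading the `tcpdump -vvn` output of /var/run/isakmpd.pcap together with the `tcpdump -lenvvi pflog0` output, and reporting whether isakmpd's reply was dropped by pf or actually left the host. The pflog line format, the pppoe0 interface name, the IP_A/IP_B placeholders and the function names are assumptions.

```python
import re

# Constructed sample in the shape of the thread's "tcpdump -vvn -r
# /var/run/isakmpd.pcap" output: the Main Mode message in from IP_A and
# isakmpd's reply out from IP_B. Only the header and cookie lines matter here.
ISAKMPD_PCAP = """\
11:40:31.600710 IP_A.500 > IP_B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
   cookie: cb79617a4b409a8f- msgid:  len: 100
11:40:31.601712 IP_B.500 > IP_A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
   cookie: cb79617a4b409a8f-76316a628a99ce2b msgid:  len: 180
"""
# Constructed "tcpdump -lenvvi pflog0" line (format and pppoe0 name assumed):
# what it would look like if pf dropped isakmpd's reply on the way out.
PFLOG_BLOCKED = ("rule 3/(match) block out on pppoe0: IP_B.500 > IP_A.500: "
                 "[udp sum ok] isakmp v1.0 exchange ID_PROT")

MSG = re.compile(r"^\S+ (\S+)\.500 > (\S+)\.500: .*isakmp v1\.0 exchange (\S+)")
COOKIE = re.compile(r"cookie: ([0-9a-f]+)-([0-9a-f]*)")

def parse_isakmp(text):
    """Return (src, dst, exchange, initiator_cookie, responder_cookie) per message."""
    msgs = []
    for line in text.splitlines():
        m = MSG.match(line)
        if m:
            msgs.append([m.group(1), m.group(2), m.group(3), None, None])
        c = COOKIE.search(line)
        if c and msgs:  # the indented cookie line belongs to the preceding message
            msgs[-1][3], msgs[-1][4] = c.group(1), c.group(2) or None
    return [tuple(m) for m in msgs]

def diagnose(pcap_text, pflog_text, local_ip):
    """Say where the phase 1 exchange stalls, combining both captures."""
    msgs = parse_isakmp(pcap_text)
    came_in = [m for m in msgs if m[1] == local_ip]
    went_out = [m for m in msgs if m[0] == local_ip]
    if not came_in:
        return "no IKE message reached isakmpd: udp/500 is filtered by pf or upstream"
    if not went_out:
        return "isakmpd received the proposal but never replied: read the isakmpd log"
    # A genuine reply echoes the initiator cookie; otherwise it answers another exchange.
    if went_out[0][3] != came_in[0][3]:
        return "reply does not carry the incoming initiator cookie: different exchange"
    dropped = [l for l in pflog_text.splitlines()
               if "block out" in l and f"{local_ip}.500 > " in l]
    if dropped:
        return "pf blocked the reply on the external interface: fix the pass out rule"
    return "the reply left this host: the loss is on the path or at the peer"
```

Run it with the real captures by replacing the two constructed strings with the files' contents; an empty pflog text plus both ISAKMP messages means the packet got past pf, which is the case Christoph wants to separate from a local block.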
Re: ipsec vpn netgear DG834 : openbsd 4.2 (new thread)

2007-11-27 Thread Christoph Leser
I forgot to ask:

What are the NAT statements in your pf.conf that you mention? The IPsec
packets should not be NAT'ed in your configuration (although IPsec can go
through NAT in general).

 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of jcr
 Sent: Tuesday, 27 November 2007 12:10
 To: misc@openbsd.org
 Subject: ipsec vpn netgear DG834 : openbsd 4.2 (new thread)

