Re: ipsec.conf question
On Mon, May 05 2008 at 20:14, Prabhu Gurumurthy wrote:
> All, I have a question regarding ipsec.conf. Example:
>
> IPsec peers: 3.3.3.3, 3.3.3.2
> Interesting traffic:
>   1.1.1.1 - 192.168.100.2
>   2.2.2.2 - 192.168.100.0/24
> Main/Quick mode crypto/groups being: aes, sha1 and group2
> PSK being test123
>
> How can I define the above concisely? I can, for example, do the following:
>
> ike esp from 1.1.1.1 to 192.168.100.2 \
>     local 3.3.3.3 peer 3.3.3.2 \
>     main auth hmac-sha1 enc aes group modp1024 \
>     quick auth hmac-sha1 enc aes group modp1024 \
>     psk test123
>
> ike esp from 2.2.2.2 to 192.168.100.0/24 \
>     local 3.3.3.3 peer 3.3.3.2 \
>     main auth hmac-sha1 enc aes group modp1024 \
>     quick auth hmac-sha1 enc aes group modp1024 \
>     psk test123
>
> Is there any way to shorten it, since most of it seems to be redundant except for the interesting traffic part?

You can simply use macros as in pf.conf. For example:

LAN_priv = 192.168.100.0/24
Our_PSK = test123
IPSEC_peers = local 3.3.3.3 peer 3.3.3.2
IPSEC_crypto = main auth hmac-sha1 enc aes group modp1024 quick auth hmac-sha1 enc aes group modp1024

ike esp from $IP_pub_1 to $IP_priv $IPSEC_peers $IPSEC_crypto \
    psk $Our_PSK
ike esp from $IP_pub_2 to $LAN_priv $IPSEC_peers $IPSEC_crypto \
    psk $Our_PSK

With 4.3-current you can use includes. Sample from the man page:

     Additional configuration files can be included with the include
     keyword, for example:

           include /etc/macros.conf

Claer
ipsec.conf question
All, I have a question regarding ipsec.conf. Example:

IPsec peers: 3.3.3.3, 3.3.3.2
Interesting traffic:
  1.1.1.1 - 192.168.100.2
  2.2.2.2 - 192.168.100.0/24
Main/Quick mode crypto/groups being: aes, sha1 and group2
PSK being test123

How can I define the above concisely? I can, for example, do the following:

ike esp from 1.1.1.1 to 192.168.100.2 \
    local 3.3.3.3 peer 3.3.3.2 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    psk test123

ike esp from 2.2.2.2 to 192.168.100.0/24 \
    local 3.3.3.3 peer 3.3.3.2 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    psk test123

Is there any way to shorten it, since most of it seems to be redundant except for the interesting traffic part?

FWIW, I am running 4.3-current:

OpenBSD pgurumur-vm-openbsd.xxx.com 4.3 GENERIC#732 i386

Thanks
Prabhu
ipsec.conf question
I've got some basic tunneling working using ipsec, and I'm trying to make it a bit more robust. Here's what works:

Machine A:
ike esp from 192.168.1.0/24 to 192.168.9.0/24 peer XX.92.176.37
ike esp from XX.92.176.33 to 192.168.9.0/24 peer XX.92.176.37
ike esp from XX.92.176.33 to XX.92.176.37

Machine B:
ike esp from 192.168.9.0/24 to 192.168.1.0/24 peer XX.92.176.33
ike esp from 192.168.9.0/24 to 192.168.8.0/24 peer XX.92.176.33
ike esp from XX.92.176.37 to XX.92.176.33

Now both machines are in active mode, which seems a bit of an issue, and machine B has a dynamic IP (with fixed name), so I changed these to:

Machine A:
ike passive esp from 192.168.1.0/24 to 192.168.9.0/24 peer XX.92.176.37
ike passive esp from XX.92.176.33 to 192.168.9.0/24 peer XX.92.176.37
ike passive esp from XX.92.176.33 to XX.92.176.37

Machine B:
ike dynamic esp from 192.168.9.0/24 to 192.168.1.0/24 peer XX.92.176.33
ike dynamic esp from 192.168.9.0/24 to 192.168.8.0/24 peer XX.92.176.33
ike dynamic esp from XX.92.176.37 to XX.92.176.33

But now machine A can't ping the interface to the internal net on B. B CAN ping the internal interface on A.

Can anyone explain what mistake I'm making here, please?

--
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: ipsec.conf question
hi,

you have a main misunderstanding here because you're mixing up the identities with the flows.

On Thu, Mar 09, 2006 at 09:29:29PM +0100, Marc Peters wrote:
> i am using -current as of 24.02.2006 and made a release for my other machines. i tried the ipsec tutorial which was posted on undeadly.org. i have to go with one gateway which has a dynamic ip because it is an adsl-connection which is disconnected after 24 hours.
>
> when i try to fire up the command ipsecctl -f /etc/ipsec.conf i get a syntax error for each line where i put in the fqdn of the remote host (which is dstid). i read the manpage of ipsec.conf(5) where it says
>
>      srcid fqdn
>              This optional parameter defines a FQDN that will be used by
>              isakmpd(8) as the identity of the local peer.
>
>      dstid fqdn
>              Similar to srcid, this optional parameter defines a FQDN to be
>              used by the remote peer.
>
> and
>
>      from src to dst peer remote
>              This rule applies for packets with source address src and
>              destination address dst. All addresses are specified in CIDR
>              notation. The keyword any will match any address (i.e.
>              0.0.0.0/0). The peer parameter specifies the address of the
>              remote endpoint of this particular flow. For host-to-host
>              connections where dst is identical to remote, the peer
>              specification can be left out.

the flows are used to determine which traffic should be encrypted and the peer is the address of your vpn gateway. all addresses are specified in CIDR notation.

the identity is an additional parameter which is used as a simple authentication string on the remote side, i.e. if you specify a srcid blablahblahblahblah with RSA signatures (default in ipsecctl) the remote side will lookup the client's RSA public key in /etc/isakmpd/pubkeys/fqdn/blablahblahblahblah.

> i tried this and get a syntax error.
> my /etc/ipsec.conf looks like this:
>
> # cat /etc/ipsec.co
> ike passive esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.X/24 peer dstid \
>     full-qualified.domain.name
                                                          ^ this makes no sense

ike passive esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.X/24 dstid full-qualified.domain.name

> ike passive esp from XXX.XXX.XX.XXX/25 to XXX.XXX.XX.X/24 peer dstid \
>     full-qualified.domain.name
> ike passive esp from XXX.XXX.XXX.XX to XXX.XXX.XX.X/24 peer dstid \
>     full-qualified.domain.name
> ike passive esp from XXX.XXX.XXX.XX to dstid full-qualified.domain.name

ditto

> the output is the following:
>
> # ipsecctl -nf /etc/ipsec.conf
> /etc/ipsec.conf: 1: syntax error
> /etc/ipsec.conf: 2: syntax error
> /etc/ipsec.conf: 3: syntax error
> /etc/ipsec.conf: 4: syntax error
> ipsecctl: Syntax error in config file: ipsec rules not loaded
>
> on the other machine the config is similar and the error-message too (everywhere, i put a fqdn as srcid).
>
> /etc/ipsec.conf:
> ike esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.X/24 peer XXX.XXX.XXX.XX
> ike esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.XXX/25 peer XXX.XXX.XXX.XX
> ike esp from srcid fully-qualified.domain.name to 192.168.83.0/24 peer \
>     XXX.XXX.XXX.XX
               ^ this is wrong

ike esp from any to 192.168.83.0/24 peer XXX.XXX.XXX.XX srcid fully-qualified.domain.name

> ike esp from srcid fully-qualified.domain.name to XXX.XXX.XX.XXX/25 \
>     peer XXX.XXX.XXX.XX
> ike esp from srcid fully-qualified.domain.name to XXX.XXX.XXX.XX

ditto

> output:
>
> # ipsecctl -f /etc/ipsec.conf
> /etc/ipsec.conf: 3: syntax error
> /etc/ipsec.conf: 4: syntax error
> /etc/ipsec.conf: 5: syntax error
> ipsecctl: Syntax error in config file: ipsec rules not loaded
>
> can anyone point me in the correct direction, plz?
> thx a lot
> marc
>
> dmesg:
> OpenBSD 3.9-beta (GENERIC) #1: Wed Mar 8 10:23:11 CET 2006
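The macro trick Claer describes and the flow-versus-identity rule Reyk explains, as an added Python example that is not part of this thread: it expands pf.conf-style macros into full ike rules and flags a srcid or dstid sitting where from, to or peer expect an address. The sample config is constructed, and the keyword and address patterns assume the ipsec.conf(5) grammar quoted in the thread.

```python
import re

# Constructed sample (not from the thread): Claer-style macros plus the two
# mistaken forms Reyk points out ("peer dstid ..." and "from srcid ...").
SAMPLE_CONF = """\
LAN_priv = 192.168.100.0/24
Our_PSK = test123
IPSEC_peers = local 3.3.3.3 peer 3.3.3.2
IPSEC_crypto = main auth hmac-sha1 enc aes group modp1024 quick auth hmac-sha1 enc aes group modp1024
ike esp from 1.1.1.1 to 192.168.100.2 $IPSEC_peers $IPSEC_crypto \\
    psk $Our_PSK
ike esp from 2.2.2.2 to $LAN_priv $IPSEC_peers $IPSEC_crypto psk $Our_PSK
ike passive esp from 10.0.0.0/24 to 10.1.0.0/24 peer dstid gw.example.org
ike esp from srcid host.example.org to 10.1.0.0/24 peer 192.0.2.1
"""

MACRO_DEF = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(.*)$")
MACRO_REF = re.compile(r"\$([A-Za-z_]\w*)")
ADDR = re.compile(r"^(any|\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?)$")
# ike grammar keywords: an operand of from/to/peer must never be one of these.
KEYWORDS = {"from", "to", "peer", "local", "srcid", "dstid", "psk", "main", "quick",
            "auth", "enc", "group", "type", "passive", "active", "dynamic"}

def logical_lines(text):
    """Fold backslash continuations, squeeze whitespace, drop blanks and comments."""
    text = re.sub(r"\\\n\s*", " ", text)
    lines = [" ".join(l.split()) for l in text.splitlines()]
    return [l for l in lines if l and not l.startswith("#")]

def expand(lines):
    """pf.conf-style macros: 'NAME = value' defines one, $NAME references it."""
    macros, rules = {}, []
    def sub(m):  # an undefined macro is a hard error, as it is for pf/ipsecctl
        if m.group(1) not in macros:
            raise ValueError(f"undefined macro ${m.group(1)}")
        return macros[m.group(1)]
    for line in lines:
        if d := MACRO_DEF.match(line):
            macros[d.group(1)] = MACRO_REF.sub(sub, d.group(2))
        else:
            rules.append(MACRO_REF.sub(sub, line))
    return rules

def lint(rule):
    """from/to take CIDR or any, peer takes an address or hostname; srcid/dstid are
    separate identity options and never stand where an address belongs."""
    t, problems = rule.split(), []
    for key in ("from", "to", "peer"):
        if key in t:
            i = t.index(key)
            arg = t[i + 1] if i + 1 < len(t) else ""
            if not arg or arg in KEYWORDS:
                problems.append(f"'{key}' is followed by '{arg}' instead of an address")
            elif key != "peer" and not ADDR.match(arg):
                problems.append(f"'{key} {arg}': flow endpoints must be CIDR or any")
    return problems
```

Once the linter is quiet, the expanded rules still go through ipsecctl -nf on the box for the real parse.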
Re: ipsec.conf question
thx for your answer.

Reyk Floeter wrote:
> hi,
>
> you have a main misunderstanding here because you're mixing up the identities with the flows.
>
> On Thu, Mar 09, 2006 at 09:29:29PM +0100, Marc Peters wrote:
>> i am using -current as of 24.02.2006 and made a release for my other machines. i tried the ipsec tutorial which was posted on undeadly.org. i have to go with one gateway which has a dynamic ip because it is an adsl-connection which is disconnected after 24 hours.
>>
>> when i try to fire up the command ipsecctl -f /etc/ipsec.conf i get a syntax error for each line where i put in the fqdn of the remote host (which is dstid). i read the manpage of ipsec.conf(5) where it says
>>
>>      srcid fqdn
>>              This optional parameter defines a FQDN that will be used by
>>              isakmpd(8) as the identity of the local peer.
>>
>>      dstid fqdn
>>              Similar to srcid, this optional parameter defines a FQDN to be
>>              used by the remote peer.
>>
>> and
>>
>>      from src to dst peer remote
>>              This rule applies for packets with source address src and
>>              destination address dst. All addresses are specified in CIDR
>>              notation. The keyword any will match any address (i.e.
>>              0.0.0.0/0). The peer parameter specifies the address of the
>>              remote endpoint of this particular flow. For host-to-host
>>              connections where dst is identical to remote, the peer
>>              specification can be left out.
>
> the flows are used to determine which traffic should be encrypted and the peer is the address of your vpn gateway. all addresses are specified in CIDR notation.
>
> the identity is an additional parameter which is used as a simple authentication string on the remote side, i.e. if you specify a srcid blablahblahblahblah with RSA signatures (default in ipsecctl) the remote side will lookup the client's RSA public key in /etc/isakmpd/pubkeys/fqdn/blablahblahblahblah.
>
>> i tried this and get a syntax error.
>> my /etc/ipsec.conf looks like this:
>>
>> # cat /etc/ipsec.co
>> ike passive esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.X/24 peer dstid \
>>     full-qualified.domain.name
>                                                           ^ this makes no sense
>
> ike passive esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.X/24 dstid full-qualified.domain.name

okay, understanding this. in this column i have internal addresses and ipsecctl needs a peer for this. but the peer is on a consumer adsl-line and therefore i need a fqdn for this because of the disconnection after 24h. is there any possibility to get this working? or do i have to use any as the peer and just only set the dstid?

>> ike passive esp from XXX.XXX.XX.XXX/25 to XXX.XXX.XX.X/24 peer dstid \
>>     full-qualified.domain.name
>> ike passive esp from XXX.XXX.XXX.XX to XXX.XXX.XX.X/24 peer dstid \
>>     full-qualified.domain.name
>> ike passive esp from XXX.XXX.XXX.XX to dstid full-qualified.domain.name
>
> ditto
>
>> the output is the following:
>>
>> # ipsecctl -nf /etc/ipsec.conf
>> /etc/ipsec.conf: 1: syntax error
>> /etc/ipsec.conf: 2: syntax error
>> /etc/ipsec.conf: 3: syntax error
>> /etc/ipsec.conf: 4: syntax error
>> ipsecctl: Syntax error in config file: ipsec rules not loaded
>>
>> on the other machine the config is similar and the error-message too (everywhere, i put a fqdn as srcid).
>>
>> /etc/ipsec.conf:
>> ike esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.X/24 peer XXX.XXX.XXX.XX
>> ike esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.XXX/25 peer XXX.XXX.XXX.XX
>> ike esp from srcid fully-qualified.domain.name to 192.168.83.0/24 peer \
>>     XXX.XXX.XXX.XX
>                ^ this is wrong
>
> ike esp from any to 192.168.83.0/24 peer XXX.XXX.XXX.XX srcid fully-qualified.domain.name
>
>> ike esp from srcid fully-qualified.domain.name to XXX.XXX.XX.XXX/25 \
>>     peer XXX.XXX.XXX.XX
>> ike esp from srcid fully-qualified.domain.name to XXX.XXX.XXX.XX
>
> ditto
>
>> output:
>>
>> # ipsecctl -f /etc/ipsec.conf
>> /etc/ipsec.conf: 3: syntax error
>> /etc/ipsec.conf: 4: syntax error
>> /etc/ipsec.conf: 5: syntax error
>> ipsecctl: Syntax error in config file: ipsec rules not loaded
>>
>> can anyone point me in the correct direction, plz?
>> thx a lot
>> marc
Re: ipsec.conf question (dynamic and bypass example)
btw.,

On Thu, Mar 09, 2006 at 09:29:29PM +0100, Marc Peters wrote:
> i am using -current as of 24.02.2006 and made a release for my other machines. i tried the ipsec tutorial which was posted on undeadly.org. i have to go with one gateway which has a dynamic ip because it is an adsl-connection which is disconnected after 24 hours. when i try to fire

last week i committed two useful extensions to ipsecctl.

- ike dynamic esp

     When active or dynamic is specified, negotiation will be started at
     once. The dynamic mode will additionally enable Dead Peer Detection
     (DPD) and use the local hostname as the identity of the local peer,
     if not specified by the srcid parameter. dynamic mode should be used
     for hosts with dynamic IP addresses like road warriors or dialup
     hosts.

  The DPD option forces the dialup hosts to reconnect after a few seconds if they lose the IKE connection (i.e. in case of a provider-forced reconnect and a new IPv4 address).

- bypass / deny flows

     bypass flow is used to specify a flow for which security processing
     will be bypassed: matching packets will not be processed by any other
     flows and handled in normal operation. A deny flow is used to drop
     any matching packets.

  The bypass flows are useful for VPN-subnets, see the examples below.

This is a simplified example of a real-world scenario (sorry, I like ASCII art...):

  [ A-DSL ]---()
               ( Internet )-[ VPN-Gateway ]
  [ A-DSL ]---()       |
                       |
          (Laptops)---+
                \_/
          VPN 172.16.0.0/16

1.) There are several A-DSL hosts with dynamic IPv4 addresses.
2.) The VPN-Gateway is an internet host with a fixed IPv4 address.
3.) The Laptops are using OpenSSH layer 3 VPN tunneling over TCP (works everywhere...)

Configuration examples ([VPN-GATEWAY] is the IPv4 address of the gateway):

1.)
Configuration and setup on the A-DSL Host firsthost.my.domain

- Initial configuration (you could use keynote and isakmpd.conf, but it is not required)

  # rm /etc/isakmpd/isakmpd.*
  # scp [VPN-GATEWAY]:/etc/isakmpd/private/local.pub /etc/isakmpd/pubkeys/ipv4/[VPN-GATEWAY]
  # scp /etc/isakmpd/private/local.pub [VPN-GATEWAY]:/etc/isakmpd/pubkeys/fqdn/$(hostname)

- The internal interface is attached to the local /24 network, set a route to the /16 VPN

  # cat /etc/hostname.xl0
  inet 172.16.10.1 255.255.255.0 172.16.10.255
  !route add 172.16.0.0/16 -iface 172.16.10.1

- ipsec configuration (that's all!)

  # cat /etc/ipsec.conf
  flow from 172.16.10.0/24 to 172.23.10.0/24 type bypass
  ike dynamic esp from 172.16.10.0/24 to 172.16.0.0/16 peer [VPN-GATEWAY]

- Setup firewall rules in /etc/pf.conf for the VPN (ike, esp, ...)

- Start isakmpd

  # isakmpd -K
  # ipsecctl -f /etc/ipsec.conf

2.) Configuration on the VPN-Gateway

- Initial configuration...

  # rm /etc/isakmpd/isakmpd.*

- ipsec configuration

  # cat /etc/ipsec.conf
  ike passive esp from 172.16.10.0/24 to [VPN-GATEWAY] dstid firsthost.my.domain
  ike passive esp from 172.16.11.0/24 to [VPN-GATEWAY] dstid secondhost.my.domain
  ike passive esp from 172.16.12.0/24 to [VPN-GATEWAY] dstid thirdhost.my.domain

- Setup firewall rules in /etc/pf.conf for the VPN (ike, esp, ...)

- Start isakmpd

  # isakmpd -K
  # ipsecctl -f /etc/ipsec.conf

3.) The laptops are using /30 subnets in the 172.16.0.0/16 range and they're reachable via the VPN. Have a look at ssh_config(5) or the src/usr.bin/ssh/README.tun file for details. SSH-VPN can be used almost everywhere (even with HTTP-proxies and CONNECT, that's a benefit of TCP over UDP or ESP) and it's the ideal solution for mobile users with temporary connections.

and it just works... :)

Currently, all the ipsec-hosts are running OpenBSD (what else?) and the Laptops are running OpenBSD, Linux and MacOS X 10.4.
reyk

--
/* .vantronix|secure systems - (research development)
 * reyk floeter - friendly known free software engineer
 * [EMAIL PROTECTED] - http://team.vantronix.net/reyk/
 */
Re: ipsec.conf question (dynamic and bypass example)
On Fri, Mar 10, 2006 at 03:53:15PM +0100, Reyk Floeter wrote:
> 3.) The laptops are using /30 subnets in the 172.16.0.0/16 range and they're reachable via the VPN. Have a look at ssh_config(5) or the src/usr.bin/ssh/README.tun file for details. SSH-VPN can be used almost everywhere (even with HTTP-proxies and CONNECT, that's a benefit of TCP over UDP or ESP) and it's the ideal solution for mobile users with temporary connections.

Ah, and I forgot to mention the section SSH-BASED VIRTUAL PRIVATE NETWORKS in the ssh(1) manual page!

reyk

--
/* .vantronix|secure systems - (research development)
 * reyk floeter - friendly known free software engineer
 * [EMAIL PROTECTED] - http://team.vantronix.net/reyk/
 */