Hi all,

I have been trying for a few days to set up IPsec for my wireless network. The
Internet gateway has a ral(4) device:

[EMAIL PROTECTED]: ~ $ ifconfig ral0
ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:18:f8:a5:f3:34
        description: WLAN Link
        groups: wlan
        media: IEEE802.11 autoselect hostap (autoselect mode 11b hostap)
        status: active
        ieee80211: nwid NUFNUFNUF chan 11 bssid 00:18:f8:a5:f3:34 100dBm
        inet6 fe80::218:f8ff:fea5:f334%ral0 prefixlen 64 scopeid 0x4
        inet 192.168.4.1 netmask 0xffffff00 broadcast 192.168.4.255

In /etc/ipsec.conf I have:
ike from any to 192.168.4.10 psk "test"

I start isakmpd and load the rules with ipsecctl:

[EMAIL PROTECTED]: ~ $ sudo isakmpd -K
[EMAIL PROTECTED]: ~ $ sudo ipsecctl -vf /etc/ipsec.conf
C set [Phase 1]:192.168.4.10=peer-192.168.4.10 force
C set [peer-192.168.4.10]:Phase=1 force
C set [peer-192.168.4.10]:Address=192.168.4.10 force
C set [peer-192.168.4.10]:Authentication=test force
C set [peer-192.168.4.10]:Configuration=mm-192.168.4.10 force
C set [mm-192.168.4.10]:EXCHANGE_TYPE=ID_PROT force
C add [mm-192.168.4.10]:Transforms=AES-SHA force
C set [IPsec-0.0.0.0/0-192.168.4.10]:Phase=2 force
C set [IPsec-0.0.0.0/0-192.168.4.10]:ISAKMP-peer=peer-192.168.4.10 force
C set [IPsec-0.0.0.0/0-192.168.4.10]:Configuration=qm-0.0.0.0/0-192.168.4.10 force
C set [IPsec-0.0.0.0/0-192.168.4.10]:Local-ID=lid-0.0.0.0/0 force
C set [IPsec-0.0.0.0/0-192.168.4.10]:Remote-ID=rid-192.168.4.10 force
C set [qm-0.0.0.0/0-192.168.4.10]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-0.0.0.0/0-192.168.4.10]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
C set [lid-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
C set [lid-0.0.0.0/0]:Network=0.0.0.0 force
C set [lid-0.0.0.0/0]:Netmask=0.0.0.0 force
C set [rid-192.168.4.10]:ID-type=IPV4_ADDR force
C set [rid-192.168.4.10]:Address=192.168.4.10 force
C add [Phase 2]:Connections=IPsec-0.0.0.0/0-192.168.4.10

On the other side, my laptop has an iwi(4) device. IPsec is configured this
way:

ike from any to any peer 192.168.4.1 psk "test"

I start IPsec the same way as on the gateway:

[EMAIL PROTECTED]: ~ $ sudo isakmpd -K
[EMAIL PROTECTED]: ~ $ sudo ipsecctl -vf /etc/pf.conf
C set [Phase 1]:192.168.4.1=peer-192.168.4.1 force
C set [peer-192.168.4.1]:Phase=1 force
C set [peer-192.168.4.1]:Address=192.168.4.1 force
C set [peer-192.168.4.1]:Authentication=test force
C set [peer-192.168.4.1]:Configuration=mm-192.168.4.1 force
C set [mm-192.168.4.1]:EXCHANGE_TYPE=ID_PROT force
C add [mm-192.168.4.1]:Transforms=AES-SHA force
C set [IPsec-0.0.0.0/0-0.0.0.0/0]:Phase=2 force
C set [IPsec-0.0.0.0/0-0.0.0.0/0]:ISAKMP-peer=peer-192.168.4.1 force
C set [IPsec-0.0.0.0/0-0.0.0.0/0]:Configuration=qm-0.0.0.0/0-0.0.0.0/0 force
C set [IPsec-0.0.0.0/0-0.0.0.0/0]:Local-ID=lid-0.0.0.0/0 force
C set [IPsec-0.0.0.0/0-0.0.0.0/0]:Remote-ID=rid-0.0.0.0/0 force
C set [qm-0.0.0.0/0-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-0.0.0.0/0-0.0.0.0/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
C set [lid-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
C set [lid-0.0.0.0/0]:Network=0.0.0.0 force
C set [lid-0.0.0.0/0]:Netmask=0.0.0.0 force
C set [rid-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
C set [rid-0.0.0.0/0]:Network=0.0.0.0 force
C set [rid-0.0.0.0/0]:Netmask=0.0.0.0 force
C add [Phase 2]:Connections=IPsec-0.0.0.0/0-0.0.0.0/0
C set [Phase 1]:192.168.4.1=peer-192.168.4.1 force
C set [peer-192.168.4.1]:Phase=1 force
C set [peer-192.168.4.1]:Address=192.168.4.1 force
C set [peer-192.168.4.1]:Authentication=test force
C set [peer-192.168.4.1]:Configuration=mm-192.168.4.1 force
C set [mm-192.168.4.1]:EXCHANGE_TYPE=ID_PROT force
C add [mm-192.168.4.1]:Transforms=AES-SHA force
C set [IPsec-::/0-::/0]:Phase=2 force
C set [IPsec-::/0-::/0]:ISAKMP-peer=peer-192.168.4.1 force
C set [IPsec-::/0-::/0]:Configuration=qm-::/0-::/0 force
C set [IPsec-::/0-::/0]:Local-ID=lid-::/0 force
C set [IPsec-::/0-::/0]:Remote-ID=rid-::/0 force
C set [qm-::/0-::/0]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-::/0-::/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
C set [lid-::/0]:ID-type=IPV6_ADDR_SUBNET force
C set [lid-::/0]:Network=:: force
C set [lid-::/0]:Netmask=:: force
C set [rid-::/0]:ID-type=IPV6_ADDR_SUBNET force
C set [rid-::/0]:Network=:: force
C set [rid-::/0]:Netmask=:: force
C add [Phase 2]:Connections=IPsec-::/0-::/0
[EMAIL PROTECTED]: ~ $ sudo ipsecctl -sa
FLOWS:
flow esp in from 0.0.0.0/0 to 0.0.0.0/0 peer 192.168.4.1 srcid 192.168.4.10/32 dstid 192.168.4.1/32 type use
flow esp out from 0.0.0.0/0 to 0.0.0.0/0 peer 192.168.4.1 srcid 192.168.4.10/32 dstid 192.168.4.1/32 type require

SAD:
esp tunnel from 192.168.4.10 to 192.168.4.1 spi 0x2ade7f1b auth hmac-sha2-256 enc aes
esp tunnel from 192.168.4.1 to 192.168.4.10 spi 0x4476f5e3 auth hmac-sha2-256 enc aes

On the gateway, I have:

[EMAIL PROTECTED]: ~ $ sudo ipsecctl -sa
FLOWS:
flow esp in from 0.0.0.0/0 to 0.0.0.0/0 peer 192.168.4.10 srcid 192.168.4.1/32 dstid 192.168.4.10/32 type use
flow esp out from 0.0.0.0/0 to 0.0.0.0/0 peer 192.168.4.10 srcid 192.168.4.1/32 dstid 192.168.4.10/32 type require

SAD:
esp tunnel from 192.168.4.10 to 192.168.4.1 spi 0x085bb93f auth hmac-sha2-256 enc aes
esp tunnel from 192.168.4.1 to 192.168.4.10 spi 0x62cbaa80 auth hmac-sha2-256 enc aes

When the client has associated with the gateway, no traffic except IPsec passes
through the gateway. That seems correct, since the flow on the gateway is from
0.0.0.0/0 to 0.0.0.0/0. But I don't understand why the rule 'ike from any
to 192.168.4.10 psk "test"' on the gateway results in "from 0.0.0.0/0 to
0.0.0.0/0" in the IPsec flows.

Am I doing something wrong?

Mattieu


-- 
Mattieu Baptiste
"/earth is 102% full ... please delete anyone you can."
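An added shell diagnostic, not part of Mattieu's mail: it turns an `ike from A to B [peer P]` rule into the flow selectors ipsecctl would install for it (any becomes 0.0.0.0/0, a bare host is modelled as host/32, and with no peer keyword the destination address is taken as the peer, per ipsec.conf(5)) and compares them with the flows `ipsecctl -sa` actually reports. The SAMPLE_SA text is constructed from the gateway's output quoted above, with the wrapped lines joined; the parser only models from/to/peer, not protocols, ports or IPv6. Run against the gateway's SPD, the gateway's own rule fails the check while any-to-any selectors (the laptop's rule, seen from the gateway with peer 192.168.4.10) pass, which is the asymmetry the mail describes.

```shell
#!/bin/sh
# Added example (not from the original mail): compare the flow selectors an
# ipsec.conf "ike from A to B [peer P]" rule asks for with the flows that
# `ipsecctl -sa` shows in the SPD. Only from/to/peer are modelled; protocols,
# ports and IPv6 are left out.

# Constructed sample of `ipsecctl -sa` output, modelled on the gateway's
# output in the mail (wrapped lines joined, values unchanged).
SAMPLE_SA='FLOWS:
flow esp in from 0.0.0.0/0 to 0.0.0.0/0 peer 192.168.4.10 srcid 192.168.4.1/32 dstid 192.168.4.10/32 type use
flow esp out from 0.0.0.0/0 to 0.0.0.0/0 peer 192.168.4.10 srcid 192.168.4.1/32 dstid 192.168.4.10/32 type require

SAD:
esp tunnel from 192.168.4.10 to 192.168.4.1 spi 0x085bb93f auth hmac-sha2-256 enc aes
esp tunnel from 192.168.4.1 to 192.168.4.10 spi 0x62cbaa80 auth hmac-sha2-256 enc aes'

# Normalise an ipsec.conf address to the form a flow line prints:
# "any" -> 0.0.0.0/0, an explicit prefix is kept, a bare host -> host/32
# (the /32 for a bare host is this script's assumption).
norm_addr() {
    case "$1" in
        any) echo 0.0.0.0/0 ;;
        */*) echo "$1" ;;
        *)   echo "$1/32" ;;
    esac
}

# Print the outbound flow a rule implies, as "src dst peer".
# Usage: rule_flow FROM TO [PEER]. With no peer given, the destination
# address is used, which is the ipsec.conf(5) default.
rule_flow() {
    peer=${3:-$2}
    echo "$(norm_addr "$1") $(norm_addr "$2") $peer"
}

# Read `ipsecctl -sa` output on stdin and print one "dir src dst peer"
# line per flow entry; SAD lines do not start with "flow" and are skipped.
installed_flows() {
    awk '$1 == "flow" {
        for (i = 2; i <= NF; i++) {
            if ($i == "in" || $i == "out") dir = $i
            else if ($i == "from") src = $(i + 1)
            else if ($i == "to")   dst = $(i + 1)
            else if ($i == "peer") peer = $(i + 1)
        }
        print dir, src, dst, peer
    }'
}

# check_rule FROM TO [PEER] < sa-output
# Succeeds when the outbound flow installed for the rule's peer carries
# exactly the selectors the rule asked for.
check_rule() {
    want=$(rule_flow "$1" "$2" "$3")
    set -- $want
    got=$(installed_flows | awk -v p="$3" '$1 == "out" && $4 == p { print $2, $3, $4 }')
    [ "$got" = "$want" ]
}

# report LABEL FROM TO [PEER] < sa-output: human-readable verdict for one rule.
report() {
    label=$1; shift
    if check_rule "$@"; then
        echo "$label: installed flows match the rule (want: $(rule_flow "$@"))"
    else
        echo "$label: installed flows differ from the rule (want: $(rule_flow "$@"))"
    fi
}

# The gateway's own rule from the mail, then any-to-any selectors (the
# laptop's rule as seen from the gateway side), both against the gateway SPD.
printf '%s\n' "$SAMPLE_SA" | report "gateway rule 'ike from any to 192.168.4.10'" any 192.168.4.10
printf '%s\n' "$SAMPLE_SA" | report "any-to-any selectors, peer 192.168.4.10" any any 192.168.4.10
```

To use it on a live box, replace the SAMPLE_SA heredoc with `sudo ipsecctl -sa | check_rule any 192.168.4.10` (or whatever the rule in ipsec.conf says) on each side; a rule whose selectors are not the ones in the SPD is the one that did not drive the Quick Mode negotiation.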
