Hello, I wanted to try and secure my wireless connection on my openbsd laptop via an ipsec tunnel to my freebsd desktop. But I seem to get nowhere. So I tried to set up a more simple transport between the two to see if I could figure out what is wrong. But I still get the same errors. I have also tried between them as freebsd to freebsd, also with no success. So here are the configs. I have disabled all the pf in these initial tests just to make sure that they are not the cause.
I want to try an ipsec transport from freebsd 192.168.0.100 to openbsd 192.168.0.103. On freebsd I have compiled the kernel with ipsec and installed ipsec-tools. Here is the racoon.conf
Code:
path include "/usr/local/etc/racoon";
path certificates "/usr/local/etc/racoon/certs";
padding
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
timer
{
counter 5;
interval 20 sec;
persend 1;
phase1 30 sec;
phase2 15 sec;
}
listen
{
isakmp 192.168.0.100 [500];
}
remote 192.168.0.102 [500]
{
exchange_mode main;
doi ipsec_doi;
situation identity_only;
my_identifier asn1dn;
certificate_type x509 "192.168.0.100.crt" "192.168.0.100.key";
peers_certfile x509 "192.168.0.103.crt";
lifetime time 8 hour;
passive off;
proposal_check obey;
initial_contact on;
generate_policy off;
proposal {
encryption_algorithm blowfish;
hash_algorithm sha1;
authentication_method rsasig;
lifetime time 30 sec;
dh_group modp1024;
}
}
sainfo (address 192.168.0.100 any address 192.168.0.103 any)
{
pfs_group modp1024;
lifetime time 36000 sec;
encryption_algorithm blowfish;
authentication_algorithm hmac_sha256;
compression_algorithm deflate;
}
Code:
flush;
spdflush;
spdadd 192.168.0.100 192.168.0.103 any -P out ipsec esp/transport//use;
spdadd 192.168.0.103 192.168.0.100 any -P in ipsec esp/transport//use;
Code:
main auth hmac-sha1 enc blowfish group modp1024
quick auth hmac-sha2-256 enc blowfish group modp1024
ike esp transport from 192.168.0.103 to 192.168.0.100 peer 192.168.0.100
ike esp transport from 192.168.0.100 to 192.168.0.103 peer 192.168.0.100
I do isakmpd -Kdv and then when I try ipsecctl -f /etc/ipsec.conf I get
Code:
/etc/ipsec.conf: 1: syntax error
C set [Phase 1]:192.168.0.100=peer-192.168.0.100 force
C set [peer-192.168.0.100]:Phase=1 force
C set [peer-192.168.0.100]:Address=192.168.0.100 force
C set [peer-192.168.0.100]:Configuration=phase1-peer-192.168.0.100 force
C set [phase1-peer-192.168.0.100]:EXCHANGE_TYPE=ID_PROT force
C add [phase1-peer-192.168.0.100]:Transforms=AES-SHA-RSA_SIG force
C set [from-192.168.0.103-to-192.168.0.100]:Phase=2 force
C set [from-192.168.0.103-to-192.168.0.100]:ISAKMP-peer=peer-192.168.0.100 force
C set [from-192.168.0.103-to-192.168.0.100]:Configuration=phase2-from-192.168.0.103-to-192.168.0.100 force
C set [from-192.168.0.103-to-192.168.0.100]:Local-ID=from-192.168.0.103 force
C set [from-192.168.0.103-to-192.168.0.100]:Remote-ID=to-192.168.0.100 force
C set [phase2-from-192.168.0.103-to-192.168.0.100]:EXCHANGE_TYPE=QUICK_MODE force
C set [phase2-from-192.168.0.103-to-192.168.0.100]:Suites=QM-ESP-TRP-AES-SHA2-256-PFS-SUITE force
C set [from-192.168.0.103]:ID-type=IPV4_ADDR force
C set [from-192.168.0.103]:Address=192.168.0.103 force
C set [to-192.168.0.100]:ID-type=IPV4_ADDR force
C set [to-192.168.0.100]:Address=192.168.0.100 force
C add [Phase 2]:Connections=from-192.168.0.103-to-192.168.0.100
C set [Phase 1]:192.168.0.100=peer-192.168.0.100 force
C set [peer-192.168.0.100]:Phase=1 force
C set [peer-192.168.0.100]:Address=192.168.0.100 force
C set [peer-192.168.0.100]:Configuration=phase1-peer-192.168.0.100 force
C set [phase1-peer-192.168.0.100]:EXCHANGE_TYPE=ID_PROT force
C add [phase1-peer-192.168.0.100]:Transforms=AES-SHA-RSA_SIG force
C set [from-192.168.0.100-to-192.168.0.103]:Phase=2 force
C set [from-192.168.0.100-to-192.168.0.103]:ISAKMP-peer=peer-192.168.0.100 force
C set [from-192.168.0.100-to-192.168.0.103]:Configuration=phase2-from-192.168.0.100-to-192.168.0.103 force
C set [from-192.168.0.100-to-192.168.0.103]:Local-ID=from-192.168.0.100 force
C set [from-192.168.0.100-to-192.168.0.103]:Remote-ID=to-192.168.0.103 force
C set [phase2-from-192.168.0.100-to-192.168.0.103]:EXCHANGE_TYPE=QUICK_MODE force
C set [phase2-from-192.168.0.100-to-192.168.0.103]:Suites=QM-ESP-TRP-AES-SHA2-256-PFS-SUITE force
C set [from-192.168.0.100]:ID-type=IPV4_ADDR force
C set [from-192.168.0.100]:Address=192.168.0.100 force
C set [to-192.168.0.103]:ID-type=IPV4_ADDR force
C set [to-192.168.0.103]:Address=192.168.0.103 force
C add [Phase 2]:Connections=from-192.168.0.100-to-192.168.0.103
ipsecctl: Syntax error in config file: ipsec rules not loaded
On the freebsd I run setkey -f /usr/local/etc/racoon/setkey.conf and /usr/local/sbin/racoon -F -f /usr/local/etc/racoon/racoon.conf but when I look for the loaded spd with setkey -DP I get none. Also I get this same failure when I try freebsd to freebsd.
Last edited by kasse; 30th December 2008 at 10:14 AM. Reason: omitted to mention setkey on freebsd part and double / in setkey.conf freebsd
I tried your ipsec.conf on a 4.2 machine. I get the same syntax error. Only by removing the first two offending lines do the two 'ike' rules load fine.
I am not an IPSEC expert. I once set up transport mode between OpenBSD boxes. When watching the traffic with OpenBSD's tcpdump I saw a lot of negotiation stuff. Maybe you should just try it without those first two rules.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Thanks!
I commented out those lines specifying the phase 1 and 2 crypto settings and set the freebsd enc to aes. Now instead I get errors that there are no configurations. Now I have spd on freebsd
Code:
192.168.0.103[any] 192.168.0.100[any] any
	in ipsec
	esp/transport//use
	spid=3 seq=1 pid=2467
	refcnt=1
192.168.0.100[any] 192.168.0.103[any] any
	out ipsec
	esp/transport//use
	spid=2 seq=0 pid=2467
	refcnt=1
but no SA connections. On freebsd
Code:
Foreground mode.
2008-12-30 12:07:41: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)
2008-12-30 12:07:41: INFO: @(#)This product linked OpenSSL 0.9.8i 15 Sep 2008 (http://www.openssl.org/)
2008-12-30 12:07:41: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2008-12-30 12:07:41: INFO: Resize address pool from 0 to 255
2008-12-30 12:07:41: INFO: 192.168.0.100[500] used as isakmp port (fd=6)
2008-12-30 12:09:10: ERROR: couldn't find configuration.
2008-12-30 12:09:17: ERROR: couldn't find configuration.
2008-12-30 12:09:26: ERROR: couldn't find configuration.
2008-12-30 12:09:37: ERROR: couldn't find configuration.
2008-12-30 12:09:37: ERROR: no configuration found for 192.168.0.103.
2008-12-30 12:09:37: ERROR: failed to begin ipsec sa negotication.
Code:
120610.144329 Default transport_send_messages: giving up on exchange peer-192.168.0.100, no response from peer 192.168.0.100:500 Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
12:47:10.453595 IP 192.168.0.103.isakmp > Dell.isakmp: isakmp: phase 1 I ident
12:47:17.468224 IP 192.168.0.103.isakmp > Dell.isakmp: isakmp: phase 1 I ident
12:47:26.478179 IP 192.168.0.103.isakmp > Dell.isakmp: isakmp: phase 1 I ident
12:47:37.488083 IP 192.168.0.103.isakmp > Dell.isakmp: isakmp: phase 1 I ident
12:49:10.471921 IP 192.168.0.103.isakmp > Dell.isakmp: isakmp: phase 1 I ident
Code:
tcpdump: listening on acx0, link-type EN10MB
12:47:43.468574 192.168.0.103.isakmp > 192.168.0.100.isakmp: isakmp v1.0 exchange ID_PROT
cookie: d3aee8f49e31661e->0000000000000000 msgid: 00000000 len: 184
12:47:50.483722 192.168.0.103.isakmp > 192.168.0.100.isakmp: isakmp v1.0 exchange ID_PROT
cookie: d3aee8f49e31661e->0000000000000000 msgid: 00000000 len: 184
12:47:59.493502 192.168.0.103.isakmp > 192.168.0.100.isakmp: isakmp v1.0 exchange ID_PROT
cookie: d3aee8f49e31661e->0000000000000000 msgid: 00000000 len: 184
12:48:10.503219 192.168.0.103.isakmp > 192.168.0.100.isakmp: isakmp v1.0 exchange ID_PROT
cookie: d3aee8f49e31661e->0000000000000000 msgid: 00000000 len: 184
Last edited by kasse; 30th December 2008 at 10:48 AM. Reason: adding some tcpdump info

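A small consistency checker, added here as an example and not code from this thread, from ipsec-tools or from OpenBSD, that cross-reads a racoon.conf and an OpenBSD ipsec.conf the way a reviewer would before debugging packets. Its input is a constructed, trimmed copy of the two files posted above. It flags three things that are visible in the thread: lines that cannot start an ipsec.conf rule (the cause of the `/etc/ipsec.conf: 1: syntax error`), an ike rule whose `from` address equals its `peer` (in ipsec.conf, `from` is the local side and `peer` the remote), and a `sainfo` peer address with no matching `remote` block in racoon.conf (the posted file has `remote 192.168.0.102` while the peer is 192.168.0.103, which is what racoon's `no configuration found for 192.168.0.103` refers to). The corrected rule form with the `main`/`quick` transforms trailing the `ike` rule is assumed from ipsec.conf(5); the regexes cover only the subset of both grammars the posted files use.

```python
"""Consistency checks over a racoon.conf and an OpenBSD ipsec.conf.

Constructed example; not code from the thread, from ipsec-tools or from OpenBSD.
The regexes below handle only the subset of both grammars the posted
configs use (see racoon.conf(5) and ipsec.conf(5) for the real syntax).
"""
import re

# Constructed input: trimmed copies of the two files posted in the thread.
RACOON_CONF = """\
listen
{
    isakmp 192.168.0.100 [500];
}
remote 192.168.0.102 [500]
{
    exchange_mode main;
    proposal {
        encryption_algorithm blowfish;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group modp1024;
    }
}
sainfo (address 192.168.0.100 any address 192.168.0.103 any)
{
    pfs_group modp1024;
    encryption_algorithm blowfish;
    authentication_algorithm hmac_sha256;
}
"""

IPSEC_CONF = """\
main auth hmac-sha1 enc blowfish group modp1024
quick auth hmac-sha2-256 enc blowfish group modp1024
ike esp transport from 192.168.0.103 to 192.168.0.100 peer 192.168.0.100
ike esp transport from 192.168.0.100 to 192.168.0.103 peer 192.168.0.100
"""

# Assumed corrected form per ipsec.conf(5): the phase 1 (main) and phase 2
# (quick) transforms trail the ike rule they belong to, on the same line.
IPSEC_CONF_FIXED = """\
ike esp transport from 192.168.0.103 to 192.168.0.100 peer 192.168.0.100 main auth hmac-sha1 enc blowfish group modp1024 quick auth hmac-sha2-256 enc blowfish group modp1024
"""

# Words that may begin a rule line in ipsec.conf(5); anything else is a
# syntax error, which is what ipsecctl reported for the 'main'/'quick' lines.
RULE_START = ("flow", "ike", "esp", "ah", "ipcomp", "tcpmd5", "include", "#")


def parse_racoon(text):
    """Collect the addresses racoon keys its configuration lookups on."""
    info = {"listen": None, "remotes": [], "sainfo": []}
    m = re.search(r"isakmp\s+(\S+)", text)
    if m:
        info["listen"] = m.group(1)
    # 'remote <addr>' blocks select the phase 1 config by peer address;
    # 'remote anonymous' matches any peer.
    info["remotes"] = re.findall(r"^\s*remote\s+(\S+)", text, re.M)
    # 'sainfo (address <local> any address <remote> any)' selects phase 2.
    for local, remote in re.findall(
            r"sainfo\s*\(\s*address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+\s*\)", text):
        info["sainfo"].append((local, remote))
    return info


def parse_ipsec(text):
    """Return (stray_lines, ike_rules) for an ipsec.conf."""
    stray, rules = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or re.match(r"\w+\s*=", s):      # blank line or macro definition
            continue
        if not s.startswith(RULE_START):
            stray.append((lineno, s.split()[0]))
            continue
        m = re.match(r"ike\s.*?\bfrom\s+(\S+)\s+to\s+(\S+)(?:.*?\bpeer\s+(\S+))?", s)
        if m:
            # Without an explicit peer, ipsecctl uses the 'to' address.
            rules.append({"from": m.group(1), "to": m.group(2),
                          "peer": m.group(3) or m.group(2)})
    return stray, rules


def check(racoon_text, ipsec_text):
    """Cross-check both files and return a list of human-readable findings."""
    findings = []
    stray, rules = parse_ipsec(ipsec_text)
    for lineno, word in stray:
        findings.append(f"ipsec.conf:{lineno}: '{word}' cannot start a rule; "
                        "main/quick transforms go at the end of an ike rule")
    for r in rules:
        # 'from' is the local side and 'peer' the remote; equal values mean
        # the rule is written from the other host's point of view.
        if r["from"] == r["peer"]:
            findings.append(f"ipsec.conf: rule from {r['from']} names its own "
                            "source address as peer")
    rc = parse_racoon(racoon_text)
    for _local, remote in rc["sainfo"]:
        if "anonymous" not in rc["remotes"] and remote not in rc["remotes"]:
            findings.append(f"racoon.conf: no 'remote' block for sainfo peer {remote} "
                            f"(remote blocks: {', '.join(rc['remotes']) or 'none'}); "
                            f"racoon logs 'no configuration found for {remote}'")
    return findings


if __name__ == "__main__":
    for f in check(RACOON_CONF, IPSEC_CONF):
        print(f)
    print("fixed ipsec.conf findings:", check(RACOON_CONF, IPSEC_CONF_FIXED))
```

Run against the posted files it reports four findings; with the rewritten ike rule only the racoon.conf one remains, which is the one to look at next since racoon keys its phase 1 lookup on the `remote` address.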
You have to use tcpdump with the -vv flag to see what is going on.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump