
OBSD2.8 bridge and isakmpd probs



Hi All,

I'm having trouble trying to implement a "bump in the wire"  ipsec 
gateway configuration as outlined in Keromytis and Wright's paper 
"Transparent Network Security Policy Enforcement".
I have a feeling this is probably due to my failure to grasp some 
fundamental step in the setup.

I have set up bridge0 with the following interfaces dc2 dc3 and enc1 
using hostname/bridgename.if files and am using the isakmpd config 
and policy files appended below.

My problem is that I don't seem to be getting any ipsec packets coming 
through on enc0, and running isakmpd -d -DA=99 doesn't show any 
indication of connection attempts (using mac pgpnet 7.0).  I have 
monitored the outside interface of the bridge using tcpdump -i dc2 
udp and can see packets arriving on that interface.

20:01:39.141799 sss.ttt.uuu.vvv. 16442 > aaa.bbb.ccc.ddd.isakmp: 
isakmp v1.0 exchange ID_PROT
         cookie: 2300a4381652e218->0000000000000000 msgid: 00000000 len: 88

Having read the ipsec bridge section of brconfig(8) it would seem as 
though I need to associate an SA with enc1, although I can't see 
how that should be done in a bridge configuration. I had assumed that 
this would be handled by isakmpd but that doesn't seem to be the case.

The machine is running OpenBSD 2.8 stable from cvs'd source 
downloaded 1dec00 .au time and compiled with all necessary kernel 
options. I have rebuilt userland using the procedure documented in 
release(8)

If someone can shed some light I'd be grateful...

cheers
Paul


/etc/sysctl.conf - relevant options
   net.inet.ip.forwarding=1
   net.inet.esp.enable=1
   net.inet.ip.encdebug=1

/etc/isakmpd/isakmpd.conf
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.

[Phase 1]
Default=                PGPNet_Config

[Phase 2]
Default=                PGPNet_OpenBSD

[PGPNet_Config]
Phase=                  1
Transport=              udp
Local-Address=          aaa.bbb.ccc.ddd
Address=                0.0.0.0
Configuration=          Default-main-mode
Authentication=         test

[PGPNet_OpenBSD]
Phase=                  2
#ISAKMPD-peer=          PGPNet_Config
Configuration=          Default-quick-mode
Local-ID=               Net_YourNet
Remote-ID=              Net_PGPClient

[Net_YourNet]
ID-type=                IPV4_ADDR_SUBNET
Network=                0.0.0.0
Netmask=                0.0.0.0

[Net_PGPClient]
ID-type=                IPV4_ADDR
Address=                0.0.0.0

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-SUITE

[X509-certificates]
CA-directory=           /etc/isakmpd/ca/
Cert-directory=         /etc/isakmpd/certs/
Private-key=            /etc/isakmpd/private/local.key

/etc/isakmpd/isakmpd.policy
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees:  "passphrase:test"
Conditions: app_domain == "IPsec policy" &&
             esp_present == "yes" &&
             esp_enc_alg != "null" -> "true";
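As an added example (not part of Paul's post, and not isakmpd's own code), the following Python script parses an isakmpd.conf of the shape posted above and runs the consistency checks one would do before suspecting the bridge: every section named by Default=, Configuration=, Local-ID=, Remote-ID= or ISAKMPD-peer= must exist; a section listed under [Phase N] must declare Phase=N; and the Authentication= passphrase of each phase-1 section must appear as a passphrase: Licensee in the KeyNote policy. Transform and suite names that are not defined in the file are reported separately rather than as errors, since isakmpd resolves those from its compiled-in defaults. The embedded configuration and policy are constructed copies of the ones in the post; the key names and the assumption that isakmpd.conf is a case-sensitive INI-style file are taken from that post.

```python
import re

# Constructed sample mirroring the isakmpd.conf posted above (not a real deployment).
SAMPLE_CONF = """\
[Phase 1]
Default= PGPNet_Config

[Phase 2]
Default= PGPNet_OpenBSD

[PGPNet_Config]
Phase= 1
Transport= udp
Local-Address= aaa.bbb.ccc.ddd
Address= 0.0.0.0
Configuration= Default-main-mode
Authentication= test

[PGPNet_OpenBSD]
Phase= 2
#ISAKMPD-peer= PGPNet_Config
Configuration= Default-quick-mode
Local-ID= Net_YourNet
Remote-ID= Net_PGPClient

[Net_YourNet]
ID-type= IPV4_ADDR_SUBNET
Network= 0.0.0.0
Netmask= 0.0.0.0

[Net_PGPClient]
ID-type= IPV4_ADDR
Address= 0.0.0.0

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
"""

# Constructed sample mirroring the isakmpd.policy posted above.
SAMPLE_POLICY = """\
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees:  "passphrase:test"
"""

SECTION_REFS = {"Default", "Configuration", "Local-ID", "Remote-ID", "ISAKMPD-peer"}
LIST_REFS = {"Transforms", "Suites"}  # comma-separated; isakmpd has built-in defaults for these


def parse_isakmpd_conf(text):
    """Parse the INI-like isakmpd.conf into {section: {key: value}}; keys stay case-sensitive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def check_references(sections):
    """Return (missing, builtin): missing holds (section, key, name) triples that name a
    section absent from the file; builtin holds transform/suite names not defined locally,
    which isakmpd resolves from its compiled-in defaults rather than from the file."""
    missing, builtin = [], []
    for name, keys in sections.items():
        for key, value in keys.items():
            if key in SECTION_REFS and value not in sections:
                missing.append((name, key, value))
            elif key in LIST_REFS:
                builtin.extend(v.strip() for v in value.split(",") if v.strip() not in sections)
    return missing, builtin


def check_phases(sections):
    """Every section listed under [Phase N] must itself declare Phase= N."""
    return [(target, n) for n in ("1", "2")
            for target in sections.get(f"Phase {n}", {}).values()
            if sections.get(target, {}).get("Phase") != n]


def check_passphrase(sections, policy_text):
    """Phase-1 Authentication= values must match a passphrase: Licensee in isakmpd.policy."""
    licensed = set(re.findall(r'passphrase:([^"]*)"', policy_text))
    return [(name, keys["Authentication"]) for name, keys in sections.items()
            if keys.get("Phase") == "1" and "Authentication" in keys
            and keys["Authentication"] not in licensed]


if __name__ == "__main__":
    conf = parse_isakmpd_conf(SAMPLE_CONF)
    print("missing/builtin:", check_references(conf))
    print("phase mismatches:", check_phases(conf))
    print("passphrase mismatches:", check_passphrase(conf, SAMPLE_POLICY))
```

Run against the posted configuration the script reports no dangling references and no passphrase mismatch, which rules out the configuration file itself as the cause; a typo in a Remote-ID= or a passphrase that differs between isakmpd.conf and isakmpd.policy shows up immediately as a named tuple instead of as a silently idle daemon.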