_almost_ there with my first IPSec tunnel...
- To: misc@openbsd.org
- Subject: _almost_ there with my first IPSec tunnel...
- From: "Michael R. Jinks" <mjinks@saecos.com>
- Date: Wed, 03 Jan 2001 21:40:42 -0600
- Organization: Saecos Corporation
Our story so far: OpenBSD at work, Linux-FreeS/WAN box at home, IPSec
newbie in the middle trying to make them talk.

With a lot of help from this list, I've now gotten to the point where
I'm seeing very similar behavior at each end of the connection: packets
start out on the protected net, cross the local router, arrive at the
public interface of the other router (properly appearing as ESP
packets), and then die, leaving no trace in log files or tcpdump.

I'm using a manually-keyed connection. Both routers are using MD5 as
their auth setting, 3DES as the encryption method. I've double-checked,
and I do indeed have the same random string appearing as the key at each
end, and a different random string is present as the auth key at both
ends.

Neither machine complains when it initializes IPSec, or when it brings
up its connections, unless there's something in the log files that I'm
failing to recognize as a complaint.

On the OpenBSD end, my SAs appear in /kern/ipsec as I expect, and my
flows appear in netstat -nr, also as I expect, again unless I'm blind or
an idiot.

I do have ipf and ipnat configured on the OpenBSD box. Every ipf block
rule in the list is set to log, but no log lines appear when I'm testing
IPSec, so I don't think that bad firewall rules are at fault, and in any
case the behavior at each end of the connection is so eerily similar
that I strongly suspect misconfiguration of the connection itself rather
than a system-specific goof-up at either end.

So, any clue where to look for those missing packets? Here's some
config info for the OpenBSD side:

First off, the commands I use to set things up, keys sanitized:
ipsecadm new esp -spi 1000 -src 207.229.177.33 -dst 216.80.39.113 \
    -forcetunnel -enc 3des -auth md5 \
    -key [48 bytes random crap, led by a digit] -authkey [32 random bytes]

ipsecadm new esp -spi 1001 -dst 207.229.177.33 -src 216.80.39.113 \
    -forcetunnel -enc 3des -auth md5 \
    -key [same 48 random bytes as above] -authkey [same 32 random bytes as above]

flows:

ipsecadm flow -dst 216.80.39.113 -proto esp \
    -addr 207.229.177.33 255.255.255.255 216.80.39.113 255.255.255.255 \
    -acquire -out -src 207.229.177.33

ipsecadm flow -dst 216.80.39.113 -proto esp \
    -addr 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0 \
    -acquire -out -src 207.229.177.33

ipsecadm flow -dst 216.80.39.113 -proto esp \
    -addr 207.229.177.33 255.255.255.255 192.168.3.0 255.255.255.0 \
    -acquire -out -src 207.229.177.33

ipsecadm flow -dst 216.80.39.113 -proto esp \
    -addr 192.168.10.0 255.255.255.0 216.80.39.113 255.255.255.255 \
    -acquire -out -src 207.229.177.33

ipsecadm flow -dst 207.229.177.33 -proto esp \
    -addr 216.80.39.113 255.255.255.255 207.229.177.33 255.255.255.255 \
    -acquire -in -src 207.229.177.33

ipsecadm flow -dst 207.229.177.33 -proto esp \
    -addr 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0 \
    -acquire -in -src 207.229.177.33

ipsecadm flow -dst 207.229.177.33 -proto esp \
    -addr 216.80.39.113 255.255.255.255 192.168.10.0 255.255.255.0 \
    -acquire -in -src 207.229.177.33

ipsecadm flow -dst 207.229.177.33 -proto esp \
    -addr 192.168.3.0 255.255.255.0 207.229.177.33 255.255.255.255 \
    -acquire -in -src 207.229.177.33

Output of netstat -nr:

<snip>
Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
192.168.3/24       0     192.168.10/24      0     0      207.229.177.33/50/acquire/in
192.168.3/24       0     207.229.177.33/32  0     0      207.229.177.33/50/acquire/in
216.80.39.113/32   0     192.168.10/24      0     0      207.229.177.33/50/acquire/in
216.80.39.113/32   0     207.229.177.33/32  0     0      207.229.177.33/50/acquire/in
192.168.10/24      0     192.168.3/24       0     0      216.80.39.113/50/acquire/out
192.168.10/24      0     216.80.39.113/32   0     0      216.80.39.113/50/acquire/out
207.229.177.33/32  0     192.168.3/24       0     0      216.80.39.113/50/acquire/out
207.229.177.33/32  0     216.80.39.113/32   0     0      216.80.39.113/50/acquire/out

cat /kern/ipsec:

Hashmask: 31, policy entries: 8
SPI = 00001001, Destination = 207.229.177.33, Sproto = 50
    Established 21473 seconds ago
    Source = 216.80.39.113
    Flags (00001000) = <tunneling>
    Crypto ID: 2
    xform = <IPsec ESP>
        Encryption = <3DES>
        Authentication = <HMAC-MD5-96>
    0 flows have used this SA
    0 bytes processed by this SA
    Expirations:
        (none)

SPI = 00001000, Destination = 216.80.39.113, Sproto = 50
    Established 21473 seconds ago
    Source = 207.229.177.33
    Flags (00001000) = <tunneling>
    Crypto ID: 1
    xform = <IPsec ESP>
        Encryption = <3DES>
        Authentication = <HMAC-MD5-96>
    0 flows have used this SA
    261812 bytes processed by this SA
    Expirations:
        (none)

Any hints on diagnosing this are welcome and much appreciated. Thanks
all for the help so far.
-m
--
Michael Jinks, IB // Technical Entity // Saecos Corporation
"No one speaks English and everything's broken." -- T. Waits
"Tom Waits would have made a decent sysadmin." -- M. Jinks
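A consistency check, added here as an example and not part of the post or of OpenBSD's own tools: it parses a copy of the /kern/ipsec dump and the netstat "Encap:" rows quoted above (sample text constructed from the addresses and counters in the post) and lists every flow whose SA is either missing from the SA table or has processed no traffic, which is exactly what the zero byte counter on the inbound SA above shows.

```python
import re

# Constructed sample, addresses and counters copied from the /kern/ipsec dump above.
KERN_IPSEC = """\
SPI = 00001001, Destination = 207.229.177.33, Sproto = 50
Source = 216.80.39.113
0 bytes processed by this SA
SPI = 00001000, Destination = 216.80.39.113, Sproto = 50
Source = 207.229.177.33
261812 bytes processed by this SA
"""

# Constructed sample: four rows of the netstat -nr "Encap:" table, one row per line.
ENCAP = """\
192.168.3/24 0 192.168.10/24 0 0 207.229.177.33/50/acquire/in
216.80.39.113/32 0 207.229.177.33/32 0 0 207.229.177.33/50/acquire/in
192.168.10/24 0 192.168.3/24 0 0 216.80.39.113/50/acquire/out
207.229.177.33/32 0 216.80.39.113/32 0 0 216.80.39.113/50/acquire/out
"""

def parse_sas(text):
    """One dict per 'SPI = ...' block: spi, dst, proto, src and the byte counter."""
    sas = []
    for line in text.splitlines():
        if m := re.match(r"SPI = (\w+), Destination = (\S+), Sproto = (\d+)", line):
            sas.append({"spi": m[1], "dst": m[2], "proto": m[3], "src": None, "bytes": 0})
        elif sas and (m := re.match(r"Source = (\S+)", line)):
            sas[-1]["src"] = m[1]
        elif sas and (m := re.match(r"(\d+) bytes processed", line)):
            sas[-1]["bytes"] = int(m[1])
    return sas

def check_flows(sas, encap):
    """Cross-check each flow row against the SA table: the SA it names must exist
    (same destination and protocol) and must have processed traffic. Returns failures."""
    by_key = {(sa["dst"], sa["proto"]): sa for sa in sas}
    problems = []
    for row in encap.splitlines():
        src, _, dst, _, _, sa_ref = row.split()
        addr, proto, _policy, direction = sa_ref.split("/")
        sa = by_key.get((addr, proto))
        if sa is None:
            problems.append(f"{direction} flow {src}->{dst}: no SA for {addr}/{proto}")
        elif sa["bytes"] == 0:
            problems.append(f"{direction} flow {src}->{dst}: SA {sa['spi']} processed 0 bytes")
    return problems

if __name__ == "__main__":
    for p in check_flows(parse_sas(KERN_IPSEC), ENCAP):
        print(p)
```

On the sample above the two outbound flows pass and both inbound flows are reported, because the only SA for 207.229.177.33/50 has a zero byte counter.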