VPN and OpenBSD 2.9
Hi,
I am having problems getting a VPN up and running. Both of my
gateways (TIGER and BUDDY) are regular fresh installs of OpenBSD 2.9
from a CD; networking is set up and works fine. Both gateways have
permanent connections to the internet with static IPs. The only other
thing touched before trying to set up a VPN was turning off
sendmail from starting up on boot. Both firewalls pass everything through.
As usual, I have exhausted my search on Google, re-read the FAQ who
knows how many times, and gone back as far as my newsgroup archives
go, with no success. So I thought I would try my question here.
I did come across something similar.
http://www.monkey.org/openbsd/archive/misc/0008/msg00521.html
It mentions something about not having installed the RSA-enabled SSL
package/library? After looking through the packages and the ports, it seems to
me that all the right stuff is now part of the default 2.9 install.
If it helps, this is my connection:
LANA--192.168.1.5[TIGER]w.x.y.z--[NET]--a.b.c.d[BUDDY]192.168.100.1--LANB
LANA = 192.168.1.0, LANB = 192.168.100.0
/etc/sysctl.conf now has:
net.inet.ip.forwarding=1
net.inet.esp.enable=1
net.inet.ah.enable=0
/etc/isakmpd/isakmpd.conf and /etc/isakmpd/isakmpd.policy are displayed
at the end. Both files are copied word for word from the FAQ
(http://www.openbsd.org/faq/faq13.html), section 13.8, and both files have
access permissions of read and write only for root.
I use this command on both machines:
isakmpd -d -DA=8
When this command is run I get these errors on both machines:
034344.528387 Mesg 00 ipsec_validate_id_information: proto 0 port 0 type 1
034356.497711 Mesg 00 ipsec_validate_id_information: proto 0 port 0 type 1
034356.498913 Default initiator_send_HASH_SA_NONCE: differing group descriptions in a proposal
034356.499075 Default exchange_run: doi->initiator (0x12c800) failed
The tcpdump of the initial communications as heard from the external NIC
on gateway A is:
03:43:41.516719 vpn.alltest.ca.isakmp > buddy.monarch.net.isakmp: isakmp v1.0 exchange ID_PROT
        cookie: 37f79feef8e277c7->0000000000000000 msgid: 00000000 len: 80
03:43:41.563481 buddy.monarch.net > vpn.alltest.ca: icmp: buddy.monarch.net udp port isakmp unreachable
03:43:43.579719 buddy.monarch.net.isakmp > vpn.alltest.ca.isakmp: isakmp v1.0 exchange ID_PROT
        cookie: 863b6220ee3b3a97->0000000000000000 msgid: 00000000 len: 80
03:43:43.581171 vpn.alltest.ca.isakmp > buddy.monarch.net.isakmp: isakmp v1.0 exchange ID_PROT
        cookie: 863b6220ee3b3a97->bee5d5e013ccbc3c msgid: 00000000 len: 80
03:43:43.977328 buddy.monarch.net.isakmp > vpn.alltest.ca.isakmp: isakmp v1.0 exchange ID_PROT
        cookie: 863b6220ee3b3a97->bee5d5e013ccbc3c msgid: 00000000 len: 180
03:43:44.081903 vpn.alltest.ca.isakmp > buddy.monarch.net.isakmp: isakmp v1.0 exchange ID_PROT
        cookie: 863b6220ee3b3a97->bee5d5e013ccbc3c msgid: 00000000 len: 180
03:43:44.527798 buddy.monarch.net.isakmp > vpn.alltest.ca.isakmp: isakmp v1.0 exchange ID_PROT encrypted
        cookie: 863b6220ee3b3a97->bee5d5e013ccbc3c msgid: 00000000 len: 92
03:43:44.529283 vpn.alltest.ca.isakmp > buddy.monarch.net.isakmp: isakmp v1.0 exchange ID_PROT encrypted
        cookie: 863b6220ee3b3a97->bee5d5e013ccbc3c msgid: 00000000 len: 92
03:43:48.520341 vpn.alltest.ca.isakmp > buddy.monarch.net.isakmp: isakmp v1.0 exchange ID_PROT
        cookie: 37f79feef8e277c7->0000000000000000 msgid: 00000000 len: 80
03:43:55.608829 buddy.monarch.net.isakmp > vpn.alltest.ca.isakmp: isakmp v1.0 exchange ID_PROT
        cookie: 37f79feef8e277c7->b51e4d116ba7cd1c msgid: 00000000 len: 80
03:43:55.722122 vpn.alltest.ca.isakmp > buddy.monarch.net.isakmp: isakmp v1.0 exchange ID_PROT
        cookie: 37f79feef8e277c7->b51e4d116ba7cd1c msgid: 00000000 len: 180
03:43:56.120219 buddy.monarch.net.isakmp > vpn.alltest.ca.isakmp: isakmp v1.0 exchange ID_PROT
        cookie: 37f79feef8e277c7->b51e4d116ba7cd1c msgid: 00000000 len: 180
03:43:56.246474 vpn.alltest.ca.isakmp > buddy.monarch.net.isakmp: isakmp v1.0 exchange ID_PROT encrypted
        cookie: 37f79feef8e277c7->b51e4d116ba7cd1c msgid: 00000000 len: 68
03:43:56.497254 buddy.monarch.net.isakmp > vpn.alltest.ca.isakmp: isakmp v1.0 exchange ID_PROT encrypted
        cookie: 37f79feef8e277c7->b51e4d116ba7cd1c msgid: 00000000 len: 68
When I ping from one machine on LANB to a machine on LANA and listen
in using tcpdump on gateway A, I don't get anything.
/etc/isakmpd/isakmpd.policy on both gateways is:
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees: "passphrase:whywontthiswork"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";
(I have tried commenting different combinations of lines out in isakmpd.policy, still no go.)
/etc/isakmpd/isakmpd.conf on gateway A looks like:
[General]
Retransmits= 5
Exchange-max-time= 120
Policy-File= /etc/isakmpd/isakmpd.policy
Listen-on= w.x.y.z
[Phase 1]
a.b.c.d= BUDDY
[Phase 2]
Connections= TIGER-BUDDY
[BUDDY]
Phase= 1
Transport= udp
Local-address= w.x.y.z
Address= a.b.c.d
Configuration= Default-main-mode
Authentication= whywontthiswork
[TIGER-BUDDY]
Phase= 2
ISAKMP-peer= BUDDY
Configuration= Default-quick-mode
Local-ID= Net-A
Remote-ID= Net-B
[Net-B]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.100.0
Netmask= 255.255.255.0
[Net-A]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.1.0
Netmask= 255.255.255.0
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-PFS-SUITE
Thanks in advance for any information, hints, suggestions or comments.
Mark