
End-to-End IPsec Tunnels



I'm trying to get some end-to-end ipsec tunnels working using isakmpd(8). 
Basically, this is just for sending syslogd(8) traffic over an encrypted
channel, for securing tftp, etc.

Using the examples in /usr/share/ipsec/isakmpd, I've taken singlehost-east
and singlehost-west and customized them with my local addresses. What I'm
curious to know is how to setup the ipsec tunnel from East to West (and vice
versa) to encrypt all traffic between those end-points.

I've tried the following configurations, but they didn't seem to work. Also,
traffic between East and West isn't encrypted after both isakmpd(8) daemons
start. There are no "encap" entries in `netstat -rnf encap`, and
tcpdump(8) shows me that traffic is not going through IPsec (though I am
seeing quite a bit of NAT-T keep-alives, even though I'm not using NAT).

The hosts are:

east = 172.19.81.181
west = 172.19.81.180

I realize I can use ipsecadm(8), but I'm hoping to use isakmpd instead in
order to use key authentication. 

Thanks in advance. If there's not enough information, please let me know
what else is needed.

Output of `isakmpd -d -D A=10` on East

[snip startup messages]
180653.663813 Misc 10 monitor_init: privileges dropped for child process
180653.849566 Timr 10 timer_add_event: event connection_checker(0x3c1eacf0) added last, expiration in 0s
180653.853535 Timr 10 timer_handle_expirations: event connection_checker(0x3c1eacf0)
180653.853912 Timr 10 timer_add_event: event connection_checker(0x3c1eacf0) added last, expiration in 60s
180653.854289 Timr 10 timer_add_event: event exchange_free_aux(0x3c067800) added last, expiration in 120s
180653.854754 Exch 10 exchange_establish_p1: 0x3c067800 ISAKMP-peer-west Default-main-mode policy initiator phase 1 doi 1 exchange 2 step 0
180653.854944 Exch 10 exchange_establish_p1: icookie 50b5ea5b5a1ebf03 rcookie 0000000000000000
180653.855076 Exch 10 exchange_establish_p1: msgid 00000000 
180653.855611 Timr 10 timer_add_event: event message_send_expire(0x3c06b480) added before connection_checker(0x3c1eacf0), expiration in 7s
180653.859292 Timr 10 timer_remove_event: removing event message_send_expire(0x3c06b480)
180653.859971 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected
180653.860191 Exch 10 dpd_check_vendor_payload: DPD capable peer detected
180653.860527 Exch 10 exchange_run: unexpected payload VENDOR
180653.881200 Timr 10 timer_add_event: event message_send_expire(0x3c06b480) added before connection_checker(0x3c1eacf0), expiration in 7s
180653.903039 Timr 10 timer_remove_event: removing event message_send_expire(0x3c06b480)
180653.903801 Exch 10 nat_t_exchange_check_nat_d: NAT detected, we're behind it
180653.927435 Cryp 10 crypto_encrypt: before encryption:
180653.927699 Cryp 10 0800000c 01000000 8cc051b4 0b000018 720e7c4c 9689314e 50373974 8498ab51
180653.927864 Cryp 10 d7573854 0000001c 00000001 01106002 50b5ea5b 5a1ebf03 1cac134b a15cfb74
180653.928131 Mesg 10 virtual_send_message: enabling NAT-T encapsulation for this exchange
180653.928411 Timr 10 timer_add_event: event message_send_expire(0x3c06b580) added before connection_checker(0x3c1eacf0), expiration in 7s
180700.941654 Timr 10 timer_handle_expirations: event message_send_expire(0x3c06b580)
180700.942048 Timr 10 timer_add_event: event message_send_expire(0x3c06b580) added before connection_checker(0x3c1eacf0), expiration in 9s
180709.951657 Timr 10 timer_handle_expirations: event message_send_expire(0x3c06b580)
180709.952051 Timr 10 timer_add_event: event message_send_expire(0x3c06b580) added before connection_checker(0x3c1eacf0), expiration in 11s
180720.960150 Timr 10 timer_handle_expirations: event message_send_expire(0x3c06b580)
180720.961140 Default transport_send_messages: giving up on message 0x3c06b580, exchange ISAKMP-peer-west
180720.961679 Default transport_send_messages: either this message did not reach the other peer
180720.961843 Default transport_send_messages: or the responsemessage did not reach us back

#; east:/etc/isakmpd/isakmpd.conf
[General]
Listen-on=              172.19.81.181
Shared-SADB=            Defined
Policy-File=            /etc/isakmpd/isakmpd.policy

[Phase 1]
172.19.81.180=         ISAKMP-peer-east
Default=                ISAKMP-peer-east-aggressive

[Phase 2]
Connections=            IPsec-west-east

[ISAKMP-peer-east]
Phase=                  1
Transport=              udp
Local-address=          172.19.81.181
Address=                172.19.81.180
Configuration=          Default-main-mode
Authentication=         mekmitasdigoat

[ISAKMP-peer-east-aggressive]
Phase=                  1
Transport=              udp
Local-address=          172.19.81.181
Address=                172.19.81.180
Configuration=          Default-aggressive-mode
Authentication=         mekmitasdigoat

[IPsec-west-east]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-east
Configuration=          Default-quick-mode
Local-ID=               Net-west
Remote-ID=              Net-east

[Net-west]
ID-type=                IPV4_ADDR
Address=                172.19.81.181

[Net-east]
ID-type=                IPV4_ADDR
Address=                172.19.81.180

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Default-aggressive-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          AGGRESSIVE
Transforms=             3DES-SHA-RSA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-AES-SHA-PFS-SUITE
#eof

On west....

#; west:/etc/isakmpd/isakmpd.conf
[General]
Listen-on=              172.19.81.180
Shared-SADB=            Defined
Policy-File=            /etc/isakmpd/isakmpd.policy

[Phase 1]
172.19.81.181=         ISAKMP-peer-west
Default=                ISAKMP-peer-west-aggressive

[Phase 2]
Connections=            IPsec-east-west

[ISAKMP-peer-west]
Phase=                  1
Transport=              udp
Local-address=          172.19.81.180
Address=                172.19.81.181
Configuration=          Default-main-mode
Authentication=         mekmitasdigoat

[ISAKMP-peer-west-aggressive]
Phase=                  1
Transport=              udp
Local-address=          172.19.81.180
Address=                172.19.81.181
Configuration=          Default-aggressive-mode
Authentication=         mekmitasdigoat

[IPsec-east-west]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-west
Configuration=          Default-quick-mode
Local-ID=               Net-east
Remote-ID=              Net-west

[Net-west]
ID-type=                IPV4_ADDR
Address=                172.19.81.181

[Net-east]
ID-type=                IPV4_ADDR
Address=                172.19.81.180

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Default-aggressive-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          AGGRESSIVE
Transforms=             3DES-SHA-RSA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-AES-SHA-PFS-SUITE
#eof

And on both hosts...

#; {east,west}:/etc/isakmpd/isakmpd.policy
Keynote-version: 2
Authorizer: "POLICY"
Licensees: "passphrase:mekmitasdigoat"


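Reading an `isakmpd -d -D A=10` trace by hand is error-prone, so here is an added example (not from the post or from isakmpd) that walks the trace above and summarizes it: which side initiated and with which peer and configuration, whether NAT-T was negotiated, how many request/reply round trips completed, and which message was retransmitted and finally given up on, and whether that message was sent with NAT-T encapsulation. The line patterns are taken from the trace as printed above and are an assumption about its format, not documented isakmpd output; the excerpt is a constructed subset of that trace, and `triage` and `verdict` are names chosen here.

```python
"""Summarize an `isakmpd -d -D A=10` trace: how far phase 1 got, whether NAT-T
was negotiated, and which message went unanswered.  Added example, not part of
the post or of isakmpd; the line patterns are the ones visible in the trace
above and are assumed to hold only for output of that shape."""
import re

# Constructed excerpt of the post's trace (crypto dump and msgid lines dropped).
TRACE = """\
180653.854754 Exch 10 exchange_establish_p1: 0x3c067800 ISAKMP-peer-west Default-main-mode policy initiator phase 1 doi 1 exchange 2 step 0
180653.855611 Timr 10 timer_add_event: event message_send_expire(0x3c06b480) added before connection_checker(0x3c1eacf0), expiration in 7s
180653.859292 Timr 10 timer_remove_event: removing event message_send_expire(0x3c06b480)
180653.859971 Exch 10 nat_t_check_vendor_payload: NAT-T capable peer detected
180653.860191 Exch 10 dpd_check_vendor_payload: DPD capable peer detected
180653.881200 Timr 10 timer_add_event: event message_send_expire(0x3c06b480) added before connection_checker(0x3c1eacf0), expiration in 7s
180653.903039 Timr 10 timer_remove_event: removing event message_send_expire(0x3c06b480)
180653.903801 Exch 10 nat_t_exchange_check_nat_d: NAT detected, we're behind it
180653.928131 Mesg 10 virtual_send_message: enabling NAT-T encapsulation for this exchange
180653.928411 Timr 10 timer_add_event: event message_send_expire(0x3c06b580) added before connection_checker(0x3c1eacf0), expiration in 7s
180700.941654 Timr 10 timer_handle_expirations: event message_send_expire(0x3c06b580)
180700.942048 Timr 10 timer_add_event: event message_send_expire(0x3c06b580) added before connection_checker(0x3c1eacf0), expiration in 9s
180709.951657 Timr 10 timer_handle_expirations: event message_send_expire(0x3c06b580)
180709.952051 Timr 10 timer_add_event: event message_send_expire(0x3c06b580) added before connection_checker(0x3c1eacf0), expiration in 11s
180720.960150 Timr 10 timer_handle_expirations: event message_send_expire(0x3c06b580)
180720.961140 Default transport_send_messages: giving up on message 0x3c06b580, exchange ISAKMP-peer-west
"""

P1 = re.compile(r"exchange_establish_p1: 0x[0-9a-f]+ (\S+) (\S+) policy (initiator|responder) phase 1")
TIMER = re.compile(r"(timer_add_event|timer_remove_event|timer_handle_expirations): .*message_send_expire\((0x[0-9a-f]+)\)")
GIVE_UP = re.compile(r"giving up on message (0x[0-9a-f]+), exchange (\S+)")


def triage(trace):
    """Walk the trace once; returns a summary dict."""
    s = {"role": None, "peer": None, "phase1_config": None, "nat_t_peer": False,
         "behind_nat": False, "encap_enabled": False, "round_trips": 0,
         "retransmits": 0, "gave_up": None, "unanswered": {}}
    msgs, last = {}, {}   # per message buffer address: counters; last timer event seen
    for line in trace.splitlines():
        if m := P1.search(line):
            s["peer"], s["phase1_config"], s["role"] = m.groups()
        elif "NAT-T capable peer detected" in line:
            s["nat_t_peer"] = True
        elif "NAT detected, we're behind it" in line:
            s["behind_nat"] = True
        elif "enabling NAT-T encapsulation" in line:
            s["encap_enabled"] = True
        elif m := TIMER.search(line):
            event, mid = m.groups()
            rec = msgs.setdefault(mid, {"sends": 0, "answered": 0, "encap": False})
            if event == "timer_add_event":
                # re-arming right after an expiration is a retransmit, not a new message
                if last.get(mid) != "timer_handle_expirations":
                    rec["sends"] += 1
                    rec["encap"] = s["encap_enabled"]
            elif event == "timer_remove_event":   # timer cancelled: the reply arrived
                rec["answered"] += 1
                s["round_trips"] += 1
            else:                                  # timer fired: message was resent
                s["retransmits"] += 1
            last[mid] = event
        elif m := GIVE_UP.search(line):
            s["gave_up"] = m.groups()
    s["unanswered"] = {k: r for k, r in msgs.items() if r["sends"] > r["answered"]}
    return s


def verdict(s):
    """One-line reading of the summary in the trace's own terms."""
    if s["gave_up"] is None:
        return "no message was given up on"
    mid, exch = s["gave_up"]
    encap = s["unanswered"].get(mid, {}).get("encap")
    how = "with NAT-T encapsulation enabled" if encap else "without NAT-T encapsulation"
    return (f"{s['role']} to {s['peer']} ({s['phase1_config']}): {s['round_trips']} round "
            f"trips completed, then message {mid} of exchange {exch}, sent {how}, got no "
            f"reply after {s['retransmits']} retransmits"
            + ("; NAT-D concluded we are behind a NAT" if s["behind_nat"] else ""))


if __name__ == "__main__":
    print(verdict(triage(TRACE)))
```

On the excerpt it reports two completed round trips, then a third message that was retransmitted three times (7, 9 and 11 seconds apart) and never answered; that message is the first one sent after isakmpd enabled NAT-T encapsulation, and NAT-D had just concluded the host is behind a NAT even though the poster says there is none. That narrows where to look: the peer answered the first two main-mode messages but nothing sent with NAT-T encapsulation, so the NAT detection and the encapsulated path are the things to check before touching the phase-2 sections of the config.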
