
ISAKMPD guru’s help requested



Okay, I've got a problem. Of course this involves Microsoft products
so I guess I shouldn't be too surprised (all because of politics and
dollars). What does this have to do with OpenBSD you ask? The VPN
configuration in question runs all on OpenBSD (no Cisco or Nortel,
just more x86 PCs running OpenBSD).

I created a simple IPSec VPN using the automatic keying part of ISAKMPD on
OpenBSD between 1 + 3 (2 configured by me, 2 configured by a peer of
mine at another library) gateways. The main gateway firewalls a
172.16.8.0/24 private subnet of a few Microsoft SQL server 2003 (with
all the latest patches of course) Dell boxes, and one of them running
Microsoft SQL Server 2000 (Why? Library automation vendor certified,
that's why) as our shared hardware library database. The MS SQL Client
runs over the VPN from Windows XP scattered throughout three other
private subnets 10.1.0.0/16, 192.168.128.0/24, 192.168.1.0/24.

The problem:

The VPN and everything will run smoothly for a time. Then suddenly the
SQL clients scattered on the private subnets completely lose all
connection and cannot reconnect.

The VPN is still up because I can ping the servers from all affected
subnets. MS SQL Server is up because THE SAME CLIENT installed on one
of the other servers local to the MS SQL database subnet CAN connect.
Even that same client can connect via the internet through a
pf-redirected port on the firewall itself.

Thus far, only by rebooting the MS SQL Server box can clients on the
other subnets (10.1.0.0/16, 192.168.128.0/24, 192.168.1.0/24) once again
connect. And no, leaving the SQL server on and rebooting the firewalls
DID NOT change the condition.

If there is anything I left out, just let me know. Helpful comments,
flames, etc all are welcome, and many thanks in advance.

Peter Verhagen


one client isakmpd.conf
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# cat isakmpd.conf
# Incoming phase 1 negotiations are multiplexed on the source IP
# address. Phase 1 is used to set up a protected channel just
# between the two gateway machines. This channel is then used for
# the phase 2 negotiation traffic (i.e. encrypted & authenticated).

[Phase 1]
207.229.38.25=          Horizon

# 'Phase 2' defines which connections the daemon should establish.
# These connections contain the actual "IPsec VPN" information.

[Phase 2]
Connections=            VPN-SAPL-Horizon

# ISAKMP phase 1 peers (from [Phase 1])

[Horizon]
Phase=                  1
Transport=              udp
Address=                207.229.38.25
Configuration=          Default-main-mode
Authentication=         mysecretnotyours

# IPSEC phase 2 connections (from [Phase 2])

[VPN-SAPL-Horizon]
Phase=                  2
ISAKMP-peer=            Horizon
Configuration=          Default-quick-mode
Local-ID=               SAPL-Subnet
Remote-ID=              Horizon-Subnet

# ID sections (as used in [VPN-SAPL-Horizon])

[SAPL-Subnet]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.128.0
Netmask=                255.255.255.0

[Horizon-Subnet]
ID-type=                IPV4_ADDR_SUBNET
Network=                172.16.8.0
Netmask=                255.255.255.0

# Main and Quick Mode descriptions (as used by peers and connections)

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             AES-SHA,BLF-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-AES-SHA-SUITE
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



main ms sql server firewall isakmpd.conf
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# cat isakmpd.conf
# Incoming phase 1 negotiations are multiplexed on the source IP
# address. Phase 1 is used to set up a protected channel just
# between the two gateway machines. This channel is then used for
# the phase 2 negotiation traffic (i.e. encrypted & authenticated).

[Phase 1]
207.229.38.13=          SAPL
142.179.196.247=        SCL
208.38.57.149=          FORT

# 'Phase 2' defines which connections the daemon should establish.
# These connections contain the actual "IPsec VPN" information.

[Phase 2]
Connections=            VPN-Horizon-SAPL,VPN-Horizon-SCL,VPN-Horizon-FORT

# ISAKMP phase 1 peers (from [Phase 1])

[SAPL]
Phase=                  1
Transport=              udp
Address=                207.229.38.13
Configuration=          Default-main-mode
Authentication=         mysecretnotyours

[SCL]
Phase=                  1
Transport=              udp
Address=                142.179.196.247
Configuration=          Default-main-mode
Authentication=         mysecretnotyours

[FORT]
Phase=                  1
Transport=              udp
Address=                208.38.57.149
Configuration=          Default-main-mode
Authentication=         mysecretnotyours

# IPSEC phase 2 connections (from [Phase 2])

[VPN-Horizon-SAPL]
Phase=                  2
ISAKMP-peer=            SAPL
Configuration=          Default-quick-mode
Local-ID=               Horizon-Network
Remote-ID=              SAPL-Network

[VPN-Horizon-SCL]
Phase=                  2
ISAKMP-peer=            SCL
Configuration=          Default-quick-mode
Local-ID=               Horizon-Network
Remote-ID=              SCL-Network

[VPN-Horizon-FORT]
Phase=                  2
ISAKMP-peer=            FORT
Configuration=          Default-quick-mode
Local-ID=               Horizon-Network
Remote-ID=              FORT-Network

# ID sections (as used in [VPN-A-B])

[SAPL-Network]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.128.0
Netmask=                255.255.255.0

[Horizon-Network]
ID-type=                IPV4_ADDR_SUBNET
Network=                172.16.8.0
Netmask=                255.255.255.0

[SCL-Network]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.1.0.0
Netmask=                255.255.0.0

[FORT-Network]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.1.0
Netmask=                255.255.255.0


# Main and Quick Mode descriptions (as used by peers and connections)

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             AES-SHA,BLF-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-AES-SHA-SUITE
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



appropriate part of the ms sql firewall pf.conf ruleset
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# The first rule is a quick catch-all for everything leaving $extif, $intif
# and enc0, so none of the later "pass out" rules in this block can match.
pass out quick on { $extif, $intif, enc0 } all keep state
pass out quick on { $extif, $intif, enc0 } proto esp all keep state


pass in quick on $extif from <isa-peers> to <isa-peers> keep state
pass out quick on $extif from <isa-peers> to <isa-peers> keep state
# The two "pass in ... port 500" and "port 4500" rules below are already
# covered by the quick, any-protocol <isa-peers> rule two lines up.
pass in quick on $extif proto udp from <isa-peers> to <isa-peers> port 500
pass out quick on $extif proto udp from <isa-peers> to <isa-peers> port 500
pass in quick on $extif proto udp from <isa-peers> to <isa-peers> port 4500
pass out quick on $extif proto udp from <isa-peers> to <isa-peers> port 4500

pass in on { $intif, $extif } from <isa-subnets> to <isa-subnets>
pass out on { $intif, $extif } from <isa-subnets> to <isa-subnets>
pass in on enc0 all
pass in quick proto esp from any to any keep state
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Yes, quite right, some of this was a hack just to get it running.



sql firewall dmesg
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# dmesg
OpenBSD 3.6 (GENERIC) #59: Fri Sep 17 12:32:57 MDT 2004
    deraadt@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Athlon(tm) processor ("AuthenticAMD" 686-class) 1.40 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 267952128 (261672K)
avail mem = 237481984 (231916K)
using 3296 buffers containing 13500416 bytes (13184K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(f1) BIOS, date 07/11/02, BIOS32 rev. 0 @ 0xfb4b0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xdf94
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdee0/176 (9 entries)
pcibios0: PCI Exclusive IRQs: 10 11 12
pcibios0: PCI Interrupt Router at 000:07:0 ("VIA VT82C596A ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0x10000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA VT8363 Host" rev 0x03
ppb0 at pci0 dev 1 function 0 "VIA VT8363 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "SIS 300/305/630 VGA" rev 0x90: aperture at 0xe0000000, size 0x400000
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 "VIA VT82C686 ISA" rev 0x40
pciide0 at pci0 dev 7 function 1 "VIA VT82C571 IDE" rev 0x06: ATA100, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: <Maxtor 91366U4>
wd0: 16-sector PIO, LBA, 13029MB, 26684784 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <HL-DT-ST, CD-ROM GCR-8520B, 1.00> SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 7 function 2 "VIA VT83C572 USB" rev 0x16: irq 12
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 7 function 3 "VIA VT83C572 USB" rev 0x16: irq 12
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
viaenv0 at pci0 dev 7 function 4 "VIA VT82C686 SMBus" rev 0x40
skc0 at pci0 dev 13 function 0 "Linksys EG1032" rev 0x12: irq 11
skc0: SK-9521 10/100/1000Base-T Adapter
sk0 at skc0 port A: address 00:0c:41:eb:c3:2b
eephy0 at sk0 phy 0: Marvell 88E1000* Gigabit PHY
skc1 at pci0 dev 15 function 0 "Linksys EG1032" rev 0x12: irq 11
skc1: SK-9521 10/100/1000Base-T Adapter
sk1 at skc1 port A: address 00:0c:41:eb:bc:7c
eephy1 at sk1 phy 0: Marvell 88E1000* Gigabit PHY
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
isapnp0 at isa0 port 0x279: read port 0x203
sb1 at isapnp0 "Creative ViBRA16X PnP, CTL0043, , Audio" port 0x220/16,0x330/2,0x388/4 irq 5 drq 1,3: dsp v4.16
midi1 at sb1: <SB MPU-401 UART>
audio0 at sb1
opl0 at sb1: model OPL3
midi2 at opl0: <SB Yamaha OPL3>
joy0 at isapnp0 "Creative ViBRA16X PnP, CTL7005, PNPB02F, Game" port 0x201/1
biomask f745 netmask ff45 ttymask ffc7
pctr: user-level cycle counter enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-- 
I know too much and yet not enough
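
One check a practitioner would run on the pair of isakmpd.conf files above is whether the two gateways' phase-2 definitions actually mirror each other: local and remote subnets swapped, same quick-mode suite. A selector mismatch is the common reason a phase-2 SA never comes up even though phase 1 completes, and it is easy to introduce when one side edits a Netmask. The script below is an added example, not code from the original post or from OpenBSD; the function names (parse_isakmpd_conf, phase2_flows, mirror_check) are mine. It parses the isakmpd.conf(5) section/Key=Value grammar used above and embeds trimmed copies of the two posted configurations as constructed sample input (the [Phase 1] peer sections, the main-mode sections and the FORT connection are left out because the check does not read them). Building each ID section with a strict IPv4Network also rejects a Network/Netmask pair whose host bits are set.

```python
import ipaddress
import re

# Added example, not code from the original post or from OpenBSD: a parser for
# the isakmpd.conf(5) grammar shown above, and a check that the phase-2 flows
# configured on two gateways mirror each other.
SECTION_RE = re.compile(r"^\[(.+)\]$")

# Constructed sample input: the two posted configs, trimmed to the sections
# this check reads.
SAPL_CONF = """
[Phase 2]
Connections= VPN-SAPL-Horizon
[VPN-SAPL-Horizon]
ISAKMP-peer= Horizon
Configuration= Default-quick-mode
Local-ID= SAPL-Subnet
Remote-ID= Horizon-Subnet
[SAPL-Subnet]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.128.0
Netmask= 255.255.255.0
[Horizon-Subnet]
ID-type= IPV4_ADDR_SUBNET
Network= 172.16.8.0
Netmask= 255.255.255.0
[Default-quick-mode]
Suites= QM-ESP-AES-SHA-SUITE
"""
HORIZON_CONF = """
[Phase 2]
Connections= VPN-Horizon-SAPL,VPN-Horizon-SCL
[VPN-Horizon-SAPL]
ISAKMP-peer= SAPL
Configuration= Default-quick-mode
Local-ID= Horizon-Network
Remote-ID= SAPL-Network
[VPN-Horizon-SCL]
ISAKMP-peer= SCL
Configuration= Default-quick-mode
Local-ID= Horizon-Network
Remote-ID= SCL-Network
[Horizon-Network]
ID-type= IPV4_ADDR_SUBNET
Network= 172.16.8.0
Netmask= 255.255.255.0
[SAPL-Network]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.128.0
Netmask= 255.255.255.0
[SCL-Network]
ID-type= IPV4_ADDR_SUBNET
Network= 10.1.0.0
Netmask= 255.255.0.0
[Default-quick-mode]
Suites= QM-ESP-AES-SHA-SUITE
"""

def parse_isakmpd_conf(text):
    """Return {section: {key: value}}.  '#' starts a comment; values are raw strings."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            conf.setdefault(section, {})
        elif section is None or "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        else:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[section][key] = value
    return conf

def id_network(conf, name):
    """Resolve an IPV4_ADDR_SUBNET ID section to an IPv4Network (strict: host bits must be 0)."""
    sec = conf[name]
    if sec.get("ID-type") != "IPV4_ADDR_SUBNET":
        raise ValueError("[%s]: only IPV4_ADDR_SUBNET IDs are modelled" % name)
    return ipaddress.IPv4Network((sec["Network"], sec["Netmask"]))

def phase2_flows(conf):
    """Map each connection listed in [Phase 2] to (local_net, remote_net, suites)."""
    flows = {}
    for name in conf["Phase 2"]["Connections"].split(","):
        c = conf[name.strip()]
        flows[name.strip()] = (id_network(conf, c["Local-ID"]),
                               id_network(conf, c["Remote-ID"]),
                               conf[c["Configuration"]]["Suites"])
    return flows

def mirror_check(conf_a, conf_b):
    """Return (matched, unmatched) for A's connections.  A match is a flow on B
    with local/remote swapped and the same quick-mode suite list."""
    b_index = {(r, l, s): name for name, (l, r, s) in phase2_flows(conf_b).items()}
    matched, unmatched = [], []
    for name, key in phase2_flows(conf_a).items():
        if key in b_index:
            matched.append((name, b_index[key]))
        else:
            unmatched.append(name)
    return matched, unmatched
```

Run against the posted pair, mirror_check(SAPL, Horizon) reports VPN-SAPL-Horizon matched by VPN-Horizon-SAPL with nothing unmatched, and the reverse direction flags VPN-Horizon-SCL only because the SCL gateway's file is not on this page. Changing one octet of the SAPL subnet on one side is enough to make the connection drop out of the matched list, which is the kind of silent drift the check is for.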

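The pf ruleset above is worth reading with pf's matching order in mind: a `quick` rule ends evaluation for any packet it matches, so `pass out quick on { $extif, $intif, enc0 } all keep state` on the first line means none of the later `pass out` rules can ever be hit, and `pass in quick on $extif from <isa-peers> to <isa-peers>` already covers the `port 500` and `port 4500` rules beneath it. On a live box `pfctl -vsr` shows per-rule evaluation and match counters, which makes dead rules visible; the script below does the same reasoning statically. It is an added example, not code from the original post or from OpenBSD, built on a deliberately small model of pf `pass` rule matching (direction, interface list, protocol, from/to endpoints compared as opaque names, one `port`). Tables such as `<isa-peers>` are treated as covering only themselves and `any`/`all` as universal, so the model under-reports rather than over-reports shadowing; negation, port ranges, flags and address families are not modelled. The function names (parse_rule, covers, unreachable_rules) are mine, and the embedded ruleset is the posted one, used here as constructed sample input.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Added example, not code from the original post or from OpenBSD: a small model
# of pf(4) "pass" rule matching used to find rules that an earlier "quick" rule
# makes unreachable.  Endpoints are compared as opaque names ("any"/"all" is
# universal, a table such as <isa-peers> only covers itself).  Not modelled:
# table contents, negation, port ranges, flags, address families.

# Constructed sample input: the posted ruleset.
RULESET = """
pass out quick on { $extif, $intif, enc0 } all keep state
pass out quick on { $extif, $intif, enc0 } proto esp all keep state

pass in quick on $extif from <isa-peers> to <isa-peers> keep state
pass out quick on $extif from <isa-peers> to <isa-peers> keep state
pass in quick on $extif proto udp from <isa-peers> to <isa-peers> port 500
pass out quick on $extif proto udp from <isa-peers> to <isa-peers> port 500
pass in quick on $extif proto udp from <isa-peers> to <isa-peers> port 4500
pass out quick on $extif proto udp from <isa-peers> to <isa-peers> port 4500

pass in on { $intif, $extif } from <isa-subnets> to <isa-subnets>
pass out on { $intif, $extif } from <isa-subnets> to <isa-subnets>
pass in on enc0 all
pass in quick proto esp from any to any keep state
"""

@dataclass(frozen=True)
class Rule:
    direction: str
    quick: bool
    ifaces: Optional[FrozenSet[str]]  # None: rule applies on every interface
    proto: Optional[str]              # None: any protocol
    src: str
    dst: str
    port: Optional[str]
    text: str

def parse_rule(line: str) -> Rule:
    """Parse 'pass in|out [quick] [on IF] [proto P] [from A to B [port N] | all] ...'."""
    # Collapse "{ a, b }" into one comma-joined token so it parses like a plain name.
    line = re.sub(r"\{([^}]*)\}",
                  lambda m: ",".join(t.strip() for t in m.group(1).split(",")), line)
    toks = line.split()
    if len(toks) < 2 or toks[0] != "pass" or toks[1] not in ("in", "out"):
        raise ValueError("only 'pass in|out' rules are modelled: %r" % line)
    ifaces = proto = port = None
    src = dst = "any"
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "on":
            ifaces = frozenset(toks[i + 1].split(","))
        elif t == "proto":
            proto = toks[i + 1]
        elif t == "from":
            src = toks[i + 1]
        elif t == "to":
            dst = toks[i + 1]
        elif t == "port":
            port = toks[i + 1]
        else:                  # quick, all, keep, state: keywords with no operand
            i += 1
            continue
        i += 2
    return Rule(toks[1], "quick" in toks, ifaces, proto, src, dst, port, line.strip())

def load_rules(text: str) -> List[Rule]:
    """Parse every non-blank, non-comment line of a ruleset, in order."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def covers(a: Rule, b: Rule) -> bool:
    """True when every packet that could match rule b is also matched by rule a."""
    return (a.direction == b.direction
            and (a.ifaces is None or (b.ifaces is not None and b.ifaces <= a.ifaces))
            and a.proto in (None, b.proto)
            and a.src in ("any", b.src)
            and a.dst in ("any", b.dst)
            and a.port in (None, b.port))

def unreachable_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(index of a dead rule, index of the earlier quick rule that always wins) pairs."""
    dead = []
    for j, r in enumerate(rules):
        for i in range(j):
            if rules[i].quick and covers(rules[i], r):
                dead.append((j, i))
                break
    return dead
```

On the posted ruleset, unreachable_rules reports seven of the twelve rules as dead: every `pass out` after the first line (shadowed by rule 0) and the two inbound `port 500`/`port 4500` rules (shadowed by the any-protocol `<isa-peers>` rule). The rules on `enc0`, the `<isa-subnets>` inbound rule and the final `proto esp` rule are the only ones besides the shadowing rules that can ever be evaluated, which is a good reason to place a "default deny" above a ruleset like this rather than trust that the later lines are doing the filtering.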