Discussion:
isakmpd ignoring contents of /etc/ipsec.conf
(too old to reply)
Bernd
2017-12-06 14:57:49 UTC
Permalink
Raw Message
Hi @misc,

I'm trying to set up a site-to-site IPSec tunnel. I'm using vanilla
OpenBSD 6.2 amd64 (dmesg below).

My /etc/ipsec.conf looks like this:

ike esp from any to any peer x.y.z.0/27 \
main auth hmac-sha2-256 enc aes-256 group modp2048 \
psk "myverygoodsecretPSK"

(As can be seen, I want the settings to be applied to a /27 network,
from where the tunnel initiation is sent out of. I also tried to use a
fixed, single IP address, i.e. x.y.z.23, and tried to fire up IPSec from
there – it also failed.)

isakmpd is being started as described in ipsec.conf(5) et al: ``-K'' set
as its flag(s) in /etc/rc.conf.local

However, it seems to ignore the settings made in ipsec.conf (without
complaining about them, though):

Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
HASH_ALGORITHM: got MD5, expected SHA
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
HASH_ALGORITHM: got MD5, expected SHA
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
HASH_ALGORITHM: got SHA2_256, expected SHA
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
GROUP_DESCRIPTION: got MODP_768, expected MODP_1024
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
HASH_ALGORITHM: got SHA2_256, expected SHA
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: message_negotiate_sa: no
compatible proposal found
Dec 1 14:01:20 myhostname isakmpd[55480]: dropped message from x.y.z.1
port 500 due to notification type NO_PROPOSAL_CHOSEN

For example, ENCRYPTION_ALGORITHM is clearly not what was set in
/etc/ipsec.conf, but rather a default. Same applies to GROUP_DESCRIPTION
and HASH_ALGORITHM.

As a result, the IPSec tunnel can not be established. What did I
overlook here?

Thanks in advance for any hints.

Best

Bernd
Jeremie Courreges-Anglas
2017-12-06 17:26:22 UTC
Permalink
Raw Message
On Wed, Dec 06 2017, Bernd <***@kroenchenstadt.de> wrote:
> Hi @misc,
>
> I'm trying to set up a site-to-site IPSec tunnel. I'm using vanilla
> OpenBSD 6.2 amd64 (dmesg below).
>
> My /etc/ipsec.conf looks like this:
>
> ike esp from any to any peer x.y.z.0/27 \
> main auth hmac-sha2-256 enc aes-256 group modp2048 \
> psk "myverygoodsecretPSK"
>
> (As can be seen, I want the settings to be applied to a /27 network,
> from where the tunnel initiation is sent out of. I also tried to use
> a fixed, single IP address, i.e. x.y.z.23, and tried to fire up IPSec
> from there – it also failed.)
>
> isakmpd is being started as described in ipsec.conf(5) et al: ``-K'' set
> as its flag(s) in /etc/rc.conf.local
>
> However, it seems to ignore the settings made in ipsec.conf (without
> complaining about them, though):
>
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> HASH_ALGORITHM: got MD5, expected SHA
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> HASH_ALGORITHM: got MD5, expected SHA
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> HASH_ALGORITHM: got SHA2_256, expected SHA
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> GROUP_DESCRIPTION: got MODP_768, expected MODP_1024
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> HASH_ALGORITHM: got SHA2_256, expected SHA
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Dec 1 14:01:20 myhostname isakmpd[55480]: message_negotiate_sa: no
> compatible proposal found
> Dec 1 14:01:20 myhostname isakmpd[55480]: dropped message from x.y.z.1
> port 500 due to notification type NO_PROPOSAL_CHOSEN
>
> For example, ENCRYPTION_ALGORITHM is clearly not what was set in
> /etc/ipsec.conf, but rather a default. Same applies to GROUP_DESCRIPTION
> and HASH_ALGORITHM.
>
> As a result, the IPSec tunnel can not be established. What did
> I overlook here?

Looks like ipsec.conf(5) was not loaded, see the manpage, paragraph 4 of
DESCRIPTION.

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
Bernd
2017-12-07 09:39:55 UTC
Permalink
Raw Message
Am 2017-12-06 18:26, schrieb Jeremie Courreges-Anglas:
> On Wed, Dec 06 2017, Bernd <***@kroenchenstadt.de> wrote:
>> Hi @misc,
>>
>> I'm trying to set up a site-to-site IPSec tunnel. I'm using vanilla
>> OpenBSD 6.2 amd64 (dmesg below).
>>
>> My /etc/ipsec.conf looks like this:
>>
>> ike esp from any to any peer x.y.z.0/27 \
>> main auth hmac-sha2-256 enc aes-256 group modp2048 \
>> psk "myverygoodsecretPSK"
>>
>> (As can be seen, I want the settings to be applied to a /27 network,
>> from where the tunnel initiation is sent out of. I also tried to use
>> a fixed, single IP address, i.e. x.y.z.23, and tried to fire up IPSec
>> from there – it also failed.)
>>
>> isakmpd is being started as described in ipsec.conf(5) et al: ``-K''
>> set
>> as its flag(s) in /etc/rc.conf.local
>>
>> However, it seems to ignore the settings made in ipsec.conf (without
>> complaining about them, though):
>>
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> HASH_ALGORITHM: got MD5, expected SHA
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> HASH_ALGORITHM: got MD5, expected SHA
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> HASH_ALGORITHM: got SHA2_256, expected SHA
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> GROUP_DESCRIPTION: got MODP_768, expected MODP_1024
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> HASH_ALGORITHM: got SHA2_256, expected SHA
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
>> Dec 1 14:01:20 myhostname isakmpd[55480]: message_negotiate_sa: no
>> compatible proposal found
>> Dec 1 14:01:20 myhostname isakmpd[55480]: dropped message from
>> x.y.z.1
>> port 500 due to notification type NO_PROPOSAL_CHOSEN
>>
>> For example, ENCRYPTION_ALGORITHM is clearly not what was set in
>> /etc/ipsec.conf, but rather a default. Same applies to
>> GROUP_DESCRIPTION
>> and HASH_ALGORITHM.
>>
>> As a result, the IPSec tunnel can not be established. What did
>> I overlook here?
>
> Looks like ipsec.conf(5) was not loaded, see the manpage, paragraph 4
> of
> DESCRIPTION.

Hi,

ipsec=YES is set in rc.conf.local:

# cat /etc/rc.conf.local
isakmpd_flags="-K"
ipsec=YES # IPsec

# sysctl -a | grep ipsec
net.inet.ip.ipsec-expire-acquire=30
net.inet.ip.ipsec-invalid-life=60
net.inet.ip.ipsec-pfs=1
net.inet.ip.ipsec-soft-allocs=0
net.inet.ip.ipsec-allocs=0
net.inet.ip.ipsec-soft-bytes=0
net.inet.ip.ipsec-bytes=0
net.inet.ip.ipsec-timeout=86400
net.inet.ip.ipsec-soft-timeout=80000
net.inet.ip.ipsec-soft-firstuse=3600
net.inet.ip.ipsec-firstuse=7200
net.inet.ip.ipsec-enc-alg=aes
net.inet.ip.ipsec-auth-alg=hmac-sha1
net.inet.ip.ipsec-comp-alg=deflate

Best

Bernd
Jeremie Courreges-Anglas
2017-12-07 12:34:44 UTC
Permalink
Raw Message
On Thu, Dec 07 2017, Bernd <***@kroenchenstadt.de> wrote:
> Am 2017-12-06 18:26, schrieb Jeremie Courreges-Anglas:
>> On Wed, Dec 06 2017, Bernd <***@kroenchenstadt.de> wrote:

[...]

>>> As a result, the IPSec tunnel can not be established. What did
>>> I overlook here?
>>
>> Looks like ipsec.conf(5) was not loaded, see the manpage, paragraph
>> 4 of
>> DESCRIPTION.
>
> Hi,
>
> ipsec=YES is set in rc.conf.local:
>
> # cat /etc/rc.conf.local
> isakmpd_flags="-K"
> ipsec=YES # IPsec

OK, then let's go back to your config: did you test it for validity?

ritchie ~$ cat /tmp/ipsec.conf
ike esp from any to any peer 192.0.2.1/27 \
main auth hmac-sha2-256 enc aes-256 group modp2048 \
psk "myverygoodsecretPSK"
ritchie ~$ ipsecctl -nvf /tmp/ipsec.conf
/tmp/ipsec.conf: 1: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded
ritchie ~$

Drop the /27 and ipsecctl(8) is happy. It seems weird to specify
a netmask as a "peer", maybe you should reconsider what you're using
"peer" for.

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
Bernd
2017-12-07 12:50:03 UTC
Permalink
Raw Message
Am 2017-12-07 13:34, schrieb Jeremie Courreges-Anglas:
> On Thu, Dec 07 2017, Bernd <***@kroenchenstadt.de> wrote:
>> Am 2017-12-06 18:26, schrieb Jeremie Courreges-Anglas:
>>> On Wed, Dec 06 2017, Bernd <***@kroenchenstadt.de> wrote:
>
> [...]
>
>>>> As a result, the IPSec tunnel can not be established. What did
>>>> I overlook here?
>>>
>>> Looks like ipsec.conf(5) was not loaded, see the manpage, paragraph
>>> 4 of
>>> DESCRIPTION.
>>
>> Hi,
>>
>> ipsec=YES is set in rc.conf.local:
>>
>> # cat /etc/rc.conf.local
>> isakmpd_flags="-K"
>> ipsec=YES # IPsec
>
> OK, then let's go back to your config: did you test it for validity?
>
> ritchie ~$ cat /tmp/ipsec.conf
> ike esp from any to any peer 192.0.2.1/27 \
> main auth hmac-sha2-256 enc aes-256 group modp2048 \
> psk "myverygoodsecretPSK"
> ritchie ~$ ipsecctl -nvf /tmp/ipsec.conf
> /tmp/ipsec.conf: 1: syntax error
> ipsecctl: Syntax error in config file: ipsec rules not loaded
> ritchie ~$
>
> Drop the /27 and ipsecctl(8) is happy. It seems weird to specify
> a netmask as a "peer", maybe you should reconsider what you're using
> "peer" for.

Yes, thanks, it was indeed the netmask. Tunnel was up and running.
However, in the meanwhile our customer forced us – "due to legal
reasons" – to use Cisco equipment.

Thanks

Bernd
Loading...