Discussion:
Listen-on parameter in iked.conf
mabi
2018-04-15 16:31:35 UTC
Hello,

I just moved from isakmpd to iked and could not find the parameter name in iked.conf in order to tell iked on which IP it should listen. With isakmpd.conf I would use the following:

[General]
Listen-on= 123.123.123.123

Is there any equivalent with iked?

Regards,
Mabi

Stuart Henderson
2018-04-16 07:05:12 UTC
Post by mabi
> [General]
> Listen-on= 123.123.123.123
> Is there any equivalent with iked?
There is not, but the main place this is needed is for setting the
"from" address for outgoing packets. isakmpd uses the "default" address
for this, which is often wrong on a multihomed system so it's necessary
to bind to a particular address to fix this. iked (at least in the
last few releases) uses the address from "local" in the config instead,
so binding isn't needed in most cases.
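The pitfall Stuart describes (the kernel's "default" source address on a multihomed box not being the one the IKE daemon was meant to use) is easy to check from the shell. The script below is an added example, not something from this thread; it assumes OpenBSD's route(8) and netstat(1) output formats, and the two samples embedded in it are constructed so the parsers can be run on any host. The 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 addresses are documentation ranges.

```shell
#!/bin/sh
# Added example, not from the thread: check that the source address the kernel
# picks toward an IKE peer matches what the daemon is configured to use.
# Assumes OpenBSD route(8) and netstat(1) output formats; the samples below are
# constructed so the parsers can be exercised on any host.

# Print the "if address" (kernel-selected source IP) from `route -n get PEER`
# output read on stdin.
route_source_addr() {
    awk -F': *' '/^ *if address:/ { print $2; exit }'
}

# Print the local address.port of every UDP socket bound to the IKE ports
# (500 and 4500) from `netstat -an -f inet` output read on stdin.
# A "*.500" entry means the daemon is bound to all addresses, which is what
# isakmpd does without a Listen-on directive.
ike_listen_addrs() {
    awk '$1 == "udp" && $4 ~ /\.(500|4500)$/ { print $4 }'
}

# Compare the kernel-selected source address with the configured one
# ("local" in iked.conf, "Listen-on" in isakmpd.conf). Prints OK or MISMATCH,
# returns 0 only on a match.
compare_source() {
    selected=$1
    configured=$2
    if [ "$selected" = "$configured" ]; then
        echo "OK: kernel source address $selected matches configuration"
        return 0
    fi
    echo "MISMATCH: kernel would send from $selected, configuration expects $configured"
    return 1
}

# Live check (OpenBSD only): check_ike_source PEER CONFIGURED_LOCAL
check_ike_source() {
    peer=$1
    configured=$2
    selected=$(route -n get "$peer" 2>/dev/null | route_source_addr)
    [ -n "$selected" ] || { echo "no route to $peer" >&2; return 2; }
    compare_source "$selected" "$configured" || return 1
    echo "IKE sockets:"
    netstat -an -f inet | ike_listen_addrs
}

# Constructed sample of `route -n get 198.51.100.20` on a multihomed host.
SAMPLE_ROUTE_GET='   route to: 198.51.100.20
destination: default
       mask: default
    gateway: 203.0.113.1
  interface: em0
 if address: 203.0.113.10
   priority: 8 (static)
      flags: <UP,GATEWAY,DONE,STATIC>'

# Constructed sample of `netstat -an -f inet` with iked bound to one address.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  203.0.113.10.22        192.0.2.7.51234        ESTABLISHED
udp          0      0  203.0.113.10.500       *.*
udp          0      0  203.0.113.10.4500      *.*
udp          0      0  *.514                  *.*'

# Offline demonstration on the samples; on OpenBSD run
#   check_ike_source 198.51.100.20 203.0.113.10
# against the live system instead.
demo() {
    selected=$(printf '%s\n' "$SAMPLE_ROUTE_GET" | route_source_addr)
    compare_source "$selected" "203.0.113.10"
    compare_source "$selected" "192.0.2.99" || true   # the multihomed mismatch case
    printf '%s\n' "$SAMPLE_NETSTAT" | ike_listen_addrs
}

demo
```

If `route -n get` reports an "if address" that differs from the address in `local` (iked) or `Listen-on` (isakmpd), the peer will see IKE packets arriving from the unexpected address, which is the failure Stuart and Stefan describe. Note that the live check only tells you what the kernel would pick by default; iked's use of `local` as the source overrides that, whereas isakmpd without `Listen-on` does not.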
mabi
2018-04-16 07:33:00 UTC
Post by Stuart Henderson
> There is not, but the main place this is needed is for setting the
> "from" address for outgoing packets. isakmpd uses the "default" address
> for this, which is often wrong on a multihomed system so it's necessary
> to bind to a particular address to fix this. iked (at least in the
> last few releases) uses the address from "local" in the config instead,
> so binding isn't needed in most cases.
I see, so as long as I use the "local" parameter in iked.conf with the local IP address which I use for my site-2-site VPN I am saying to iked to listen only on that IP address. Here would be my generic example for a site-2-site VPN between two OpenBSD firewalls:

ikev2 passive esp \
from $local_network to $remote_network local $local_ip peer $remote_ip \
srcid $local_ip

I was also wondering, in the case of a site-2-site VPN, should one side be in active mode and the other one in passive mode? Or what is usually used for site-2-site VPN?
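To make the generic example above concrete, here is a constructed pair of iked.conf fragments for the two ends of a site-to-site tunnel. This is an added example, not configuration from the thread or from the OpenBSD project: the addresses are documentation ranges, the pre-shared key is a placeholder, and the pairing of `active` on one side with `passive` on the other is the arrangement assumed here (the thread does not settle mabi's second question). The point it illustrates is Stuart's: `local` is what gives iked its source address, so no separate listen directive is needed.

```conf
# Site A, /etc/iked.conf (constructed example; addresses are documentation ranges)
local_ip   = "203.0.113.10"     # A's public address, used as IKE source
peer_ip    = "198.51.100.20"    # B's public address
local_net  = "10.1.0.0/24"
remote_net = "10.2.0.0/24"

# Site A initiates (active); "local" selects the source address, as Stuart
# describes, so iked does not need a Listen-on equivalent.
ikev2 "siteA-siteB" active esp \
        from $local_net to $remote_net \
        local $local_ip peer $peer_ip \
        srcid $local_ip dstid $peer_ip \
        psk "REPLACE-WITH-A-LONG-RANDOM-SECRET"

# Site B, /etc/iked.conf (mirror image; constructed example)
local_ip   = "198.51.100.20"
peer_ip    = "203.0.113.10"
local_net  = "10.2.0.0/24"
remote_net = "10.1.0.0/24"

# Site B waits for A (passive); srcid/dstid are swapped accordingly and the
# psk must be identical on both ends.
ikev2 "siteB-siteA" passive esp \
        from $local_net to $remote_net \
        local $local_ip peer $peer_ip \
        srcid $local_ip dstid $peer_ip \
        psk "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```

After loading the configuration, `ikectl show sa` on either side shows whether the IKE SA came up with the expected local and peer addresses; if the peer reports packets from a different address than `local`, the mismatch is in routing, not in iked.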
Stefan Sperling
2018-04-17 10:54:29 UTC
Post by Stuart Henderson
> Post by mabi
>> [General]
>> Listen-on= 123.123.123.123
>> Is there any equivalent with iked?
> There is not, but the main place this is needed is for setting the
> "from" address for outgoing packets. isakmpd uses the "default" address
> for this, which is often wrong on a multihomed system so it's necessary
> to bind to a particular address to fix this. iked (at least in the
> last few releases) uses the address from "local" in the config instead,
> so binding isn't needed in most cases.
I have run into this exact isakmpd problem in several situations.
IPsec didn't work reliably, and it turns out that IKE traffic
was using the wrong source IP.

This is a nasty pitfall for people who want to set up IKEv1 with carp(4).
I think we should document this better. The diff below scatters some
hints across relevant man pages.

OK?

Index: ipsecctl/ipsec.conf.5
===================================================================
RCS file: /cvs/src/sbin/ipsecctl/ipsec.conf.5,v
retrieving revision 1.154
diff -u -p -r1.154 ipsec.conf.5
--- ipsecctl/ipsec.conf.5 23 Nov 2017 20:49:38 -0000 1.154
+++ ipsecctl/ipsec.conf.5 17 Apr 2018 10:43:32 -0000
@@ -288,7 +288,16 @@ The
.Ic local
parameter specifies the address or FQDN of the local endpoint.
Unless we are multi-homed or have aliases,
-this option is generally not needed.
+this parameter is generally not needed.
+This parameter does not affect the set of IP addresses
+.Xr isakmpd 8
+will listen on and send packets from.
+The
+.Em Listen-on
+directive in
+.Xr isakmpd.conf 5
+should additionally be used to ensure that the local endpoint will
+send IKE messages with an appropriate source IP address.
.Pp
The
.Ic peer
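Review bot: the strength of the advice here differs from the isakmpd.8 hunk: this hunk says the Listen-on directive "should additionally be used", while isakmpd.8 says isakmpd.conf "must explicitly configure" listening on the carp(4) address. "additionally" also reads as if Listen-on were always required, even in the single-homed case where the sentence just above says `local` itself is not needed. Tying the new sentence to the multi-homed case would fix both, e.g. "On multi-homed systems the .Em Listen-on directive in .Xr isakmpd.conf 5 must also be set so that the local endpoint sends IKE messages with an appropriate source IP address."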
Index: isakmpd/isakmpd.8
===================================================================
RCS file: /cvs/src/sbin/isakmpd/isakmpd.8,v
retrieving revision 1.119
diff -u -p -r1.119 isakmpd.8
--- isakmpd/isakmpd.8 23 Nov 2017 20:49:38 -0000 1.119
+++ isakmpd/isakmpd.8 17 Apr 2018 10:24:05 -0000
@@ -806,8 +806,17 @@ It is not possible to change the interfa
.Nm
listens on without a restart.
.Pp
-For redundant setups,
+For redundant setups with
+.Xr carp 4
+and
+.Xr sasyncd 8 ,
.Xr sasyncd 8
must be manually restarted every time
.Nm
-is restarted.
+is restarted, and
+.Xr isakmpd.conf 5
+must explicitly configure
+.Nm
+to listen on the virtual IP address of each
+.Xr carp 4
+interface.
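Review bot: "must explicitly configure isakmpd to listen on the virtual IP address" does not say which directive does that; since the hunk already cross-references isakmpd.conf(5), naming it (".Em Listen-on", as the ipsec.conf.5 hunk does) would save the reader a lookup and keep the three pages consistent. Minor: ".Xr sasyncd 8 ," immediately followed by ".Xr sasyncd 8" renders as "with carp(4) and sasyncd(8), sasyncd(8) must be manually restarted", which is correct but repetitive; "the latter must be manually restarted" would read more smoothly.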
Index: isakmpd/isakmpd.conf.5
===================================================================
RCS file: /cvs/src/sbin/isakmpd/isakmpd.conf.5,v
retrieving revision 1.134
diff -u -p -r1.134 isakmpd.conf.5
--- isakmpd/isakmpd.conf.5 27 Oct 2017 08:29:32 -0000 1.134
+++ isakmpd/isakmpd.conf.5 17 Apr 2018 10:49:39 -0000
@@ -221,6 +221,9 @@ This list is used as a filter for the se
configured provides.
This means that we won't see if an address given here does not exist
on this host, and thus no error is given for that case.
+On multi-homed systems, this parameter can be used to enforce the
+use of particular source IP addresses in packets sent by
+.Xr isakmpd 8 .
.It Em Loglevel
A list of the form
.Ar class Ns = Ns Ar level ,
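Review bot: the two context lines above the addition say that an address listed in Listen-on which does not exist on the host produces no error, so a mistyped address will silently leave isakmpd sending from the default address, which is exactly the failure this diff is trying to document. Since the isakmpd.8 hunk also notes that the listening interfaces cannot be changed without a restart, one more sentence here suggesting that the bound addresses be verified after a restart would close the loop for the multi-homed and carp(4) cases this paragraph is now addressing.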
Stuart Henderson
2018-04-17 10:59:56 UTC
Post by Stefan Sperling
> Post by Stuart Henderson
>> Post by mabi
>>> [General]
>>> Listen-on= 123.123.123.123
>>> Is there any equivalent with iked?
>> There is not, but the main place this is needed is for setting the
>> "from" address for outgoing packets. isakmpd uses the "default" address
>> for this, which is often wrong on a multihomed system so it's necessary
>> to bind to a particular address to fix this. iked (at least in the
>> last few releases) uses the address from "local" in the config instead,
>> so binding isn't needed in most cases.
> I have run into this exact isakmpd problem in several situations.
> IPsec didn't work reliably, and it turns out that IKE traffic
> was using the wrong source IP.
> This is a nasty pitfall for people who want to set up IKEv1 with carp(4).
> I think we should document this better. The diff below scatters some
> hints across relevant man pages.
> OK?
Yes, OK. (Unless anyone has a "sendfromto" diff for isakmpd sitting in
a tree somewhere.. :-)
