Discussion:
OPENBSD isakmpd VPN Problems
Steve Glaus
2006-07-19 21:52:32 UTC
Hello all,

I'm finally desperate enough to post this to a list...

I have been trying for two days to set up a basic VPN between my OpenBSD
box at home and my OpenBSD box at work.
The box at home is running 3.7 and the box here at work is running 3.9.

I know this is going to look like a lot of information but I don't
really know what else to do:


HOME GATEWAY
------------------------------------------------------------------------------------------------
This is isakmpd.conf on the home end:

[General]
Listen-on=<publicIP>

[Phase 1]
<work public IP> = work

[work]
Phase = 1
Transport = udp
Address = <work public IP>
Local-address=<public IP>
Configuration = Default-main-mode
Authentication =sharedsecret

[Phase 2]
Connections = VPN-home-work

[VPN-home-work]
Phase = 2
ISAKMP-peer=work
Configuration = Default-quick-mode
Local-ID = internal-net
Remote-ID = remote-net

[internal-net]
ID-type=IPV4_ADDR_SUBNET
Network = 192.168.2.0
Netmask = 255.255.255.0

[remote-net]
ID-type=IPV4_ADDR_SUBNET
Network = 10.113.10.0
Netmask = 255.255.255.0

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=ID_PROT
Transforms=3DES-SHA

[Default-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE=QUICK_MODE
Suites = QM-ESP-3DES-SHA-SUITE


This is isakmpd.policy:

KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:sharedsecret"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";




WORK GATEWAY
------------------------------------------------------------------------------------------------
This is isakmpd.conf on the work end:

[General]
Listen-on = <public IP>

[Phase 1]
<home public IP> = steveHome

[Phase 2]
Connections = VPN-Peachnet-steveHome

[steveHome]
Phase = 1
Transport = udp
Address = <home public IP>
Local-address = <public IP>
Configuration = Default-main-mode
Authentication = sharedsecret

[VPN-Peachnet-steveHome]
Phase = 2
ISAKMP-peer = steveHome
Configuration = Default-quick-mode
Local-ID = local-internal-network
Remote-ID = steveHome-net

[local-internal-network]
ID-type = IPV4_ADDR_SUBNET
Network = 10.113.10.0
Netmask = 255.255.255.0

[steveHome-net]
ID-type = IPV4_ADDR_SUBNET
Network = 192.168.2.0
Netmask = 255.255.255.0

[Default-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = 3DES-SHA

[Default-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = QM-ESP-3DES-SHA-SUITE

This is isakmpd.policy on the work end:

KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:sharedsecret"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";


END CONFIG FILES
---------------------------------------------------------------------------------------------------------


Now as far as I know the config files are OK (I've tried them every
which way).

Now here is what I do. I start up the work end of the VPN (isakmpd -d
-DA=90 >& outfile) and then start
up the home end the same way.

the outfile on the home end is here: http://bartowpc.com/home_outfile
outfile on the work end is here: http://bartowpc.com/work_outfile (I
marked the file about halfway down at around the point where I start my
home isakmpd)

I can provide the TCPDUMPS too if necessary.

I know this is a lot of info to pore over but I'm at my wit's end. The
VPN between my home and work isn't even the ultimate goal
here but I'm trying to take it one step at a time.

Thanks a ton for any help!!
Daniel Ouellet
2006-07-19 22:16:42 UTC
Post by Steve Glaus
Hello all,
I'm finally desperate enough to post this to a list...
I have been trying for two days to set up a basic VPN between my OpenBSD
box at home and my OpenBSD box at work.
The box at home is running 3.7 and the box here at work is running 3.9.
It may be worth having 3.9 in both places.

Here is something that might help:

http://www.securityfocus.com/infocus/1859

Also may be good to read:

http://www.undeadly.org/cgi?action=article&sid=20060621160000

and this specially:

http://www.undeadly.org/cgi?action=article&sid=20060606210130

man 8 ipsecctl

man 8 isakmpd

man 5 isakmpd.conf

So many changes happened in the last few months and many things have
been replaced that I think trying to set up a VPN using what we may call
the old way is a waste of time.

I have seen many articles and examples in the last few months explaining
all the great changes to this that I would say trying to use 3.7 for
this is wrong. But I may be wrong for sure. It's just based on what was
posted lately, really.

I am not 100% sure, but I think even some of the best changes are in
current that make the setup very simple now based on articles on
undeadly.org about the subject.

Just a thought.

Hope this helps you some.
Steve Glaus
2006-08-10 04:04:08 UTC
Post by Daniel Ouellet
...
Hello again,

Thanks for your help earlier. I haven't really had time to look at this
problem in the last few weeks.

I've started trying to use ipsecctl on my 3.9 box to connect to the
actual service we will be using this for and I've made SOME progress so
thank you for steering me in the right direction.

Now,

Whenever I try to connect to one of our cheesy little VPN routers (DLINK
DFL-300's) using ipsecctl it works perfectly. The tunnel comes up,
everything looks beautiful.

But I can't stop there I'm afraid (though GOD I wish I could)....


I'm trying to connect to a sonicwall 4060 VPN that our software vendor
uses. When I try to do this using the same setup (with the appropriate
changes made) I get NO_PROPOSAL_CHOSEN messages.

One glaring difference that I can see is that when I connect to the
DLINK I use a passive connection and isakmpd sits and listens for
incoming connections. Could this be a lifetime issue? Tech support at
the other end said this is possible. How do you set the lifetime using
ipsecctl? (I've read that this is only possible with -current.)

Another item - IS PFS disabled or enabled by default when one uses
ipsecctl? Can this be set?

Looking at my logs I'm pretty sure that it's making it through phase1.
Our vendor's phase1 and phase2 use identical encryption/authorization so
I don't quite understand why I would be getting NO_PROPOSALS for only
phase2. The lifetimes for both phases are also identical on the vendor's
end.


This is the relevant configuration info:

ike esp from 10.110.38.0/24 to 172.28.128/0/21 peer 204.244.106.134 main
auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des psk "XXXXXXXXXX"

The debug output can be found here:

http://ww2.bartowpc.com:8080/isakmpd_out


I really don't know where to go from here. I've invested hours & hours
into this and we've (foolishly?) committed to this direction.


Thanks for any help anyone can give.
Hans-Joerg Hoexer
2006-08-10 09:24:10 UTC
Hi,
Post by Steve Glaus
...
One glaring difference that I can see is that when I connect to the
DLINK I use a passive connection and isakpmd sits and listens for
incoming connections. Could this be a lifetime issue? Tech support at
the other end said this is possible. How do you set the lifetime using
ipsecctl (I've read that this is only possible with -current)
this only works in -current:

ike from 1.1.1.1 to 2.2.2.2 main life 3600 quick life 1200

However, this sets the life times for all connections, i.e. it's not
possible yet to say "use life time x for this connection and life
time y for that connection."

For 3.9 you could achieve the same with this isakmpd.conf:

# cat /etc/isakmpd/isakmpd.conf
[General]
Default-phase-1-lifetime= 3600
Default-phase-2-lifetime= 1200
Post by Steve Glaus
Another item - IS PFS disabled or enabled by default when one uses
ipsecctl? Can this be set?
pfs is enabled by default.
Post by Steve Glaus
Looking at my logs I'm pretty sure that it's making it through phase1.
yes, according to isakmpd_out phase 1 has successfully finished.
Post by Steve Glaus
Our vendors phase1 and phase2 use identical encryption/authorization so
I don't quite understand why I would be getting NO_PROPOSALS for only
phase2. The lifetimes for both phases are also identical on the vendors
end.
ike esp from 10.110.38.0/24 to 172.28.128/0/21 peer 204.244.106.134 main
^
typo?
(Looks right in isakmpd_out)
Post by Steve Glaus
auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des psk "XXXXXXXXXX"
http://ww2.bartowpc.com:8080/isakmpd_out
Please provide the full isakmp configuration of that sonicwall.
Tech Support
2006-08-10 14:26:21 UTC
Post by Hans-Joerg Hoexer
# cat /etc/isakmpd.isakmpd.conf
[General]
Default-phase-1-lifetime= 3600
Default-phase-2-lifetime= 1200
Question: Can I have an isakmpd.conf file, set only the config options I
want, run isakmpd WITHOUT
the -K and still use ipsecctl?
Post by Hans-Joerg Hoexer
Post by Steve Glaus
Another item - IS PFS disabled or enabled by default when one uses
ipsecctl? Can this be set?
pfs is enabled by default.
PFS is off on the vendor's side, does this matter? I will search how to
disable on my end.
Post by Hans-Joerg Hoexer
Post by Steve Glaus
ike esp from 10.110.38.0/24 to 172.28.128/0/21 peer 204.244.106.134 main
^
typo?
(Looks right in isakmpd_out)
Out of curiosity, why would you consider 10.110.38.0/24 a typo? Am I doing
something wrong here?


Please provide the full isakmp configuration of that sonicwall.



This is the information they give us about their configuration. I compiled
this from Excel spreadsheets so forgive
the layout.

In a file called client settings:
-------------------------------------------

Router: Dlink
External IP: 66.151.2.218
Local Router Lan IP: 10.110.38.1
SubnetMask: 255.255.255.0
IP Range: 10.110.38.2 - 254

In a sub-section marked IPSEC VPN Settings

Gateway IP Address: 204.244.106.134
Exchange: Main Mode
Subnet: 10.110.38.0
Subnet Mask: 255.255.255.0
Remote IP address: 172.28.128.0
Subnet Mask: 255.255.248.0
Keying Mode: IKE
P1 Encrypt: 3DES
P1 Auth: SHA1
P1 Lifetime: 28800
p2 Encrypt: 3DES
P2 Auth: SHA1
PFS: Disabled
Preshared Key: "XXXXXXXXXX"


In another file marked 4060 settings
----------------------------------------------------

Under GENERAL:

SA Name: Peachnet - West
IPSec Gateway Address: 66.151.2.218
Shared Secret: "XXXXXXX"

Under Network:
Subnet: 10.110.38.0
Mask: 255.255.255.0


Under Proposal:
Exchange: Main Mode
DH GROUP: Group 2
Encryp: 3DES
Auth: SHA1
LifeTime: 28800
Protocol: ESP
Encrypt: 3DES
Auth: SHA1
PFS: No
DHGroup: N/A
LifeTime: 28800




Hope this is useful and thank you for your response!
Alexander Hall
2006-08-10 15:21:09 UTC
Post by Tech Support
Post by Hans-Joerg Hoexer
Post by Steve Glaus
ike esp from 10.110.38.0/24 to 172.28.128/0/21 peer 204.244.106.134 main
^
typo?
(Looks right in isakmpd_out)
Out of curiosity, why would you consider 10.110.38.0/24 a typo? Am I doing
something wrong here?
Your mistake may be to not use a fixed-width font. He was pointing out
the "/0/21" in the second ip address, which indeed looks weird. :-)

/Alexander
Håkan Olsson
2006-08-11 07:47:19 UTC
Post by Tech Support
Question: Can I have an isakmpd.conf file, set only the config options I
want, run isakmpd WITHOUT
the -K and still use ipsecctl?
Yes.
Post by Tech Support
Post by Hans-Joerg Hoexer
Post by Steve Glaus
Another item - IS PFS disabled or enabled by default when one uses
ipsecctl? Can this be set?
pfs is enabled by default.
PFS is off on the vendor's side, does this matter? I will search how to
disable on my end.
Definitely. A suite proposal with PFS can never match a proposal
without it.

/H
Steve Glaus
2006-08-11 20:59:28 UTC
Post by Håkan Olsson
...
Alright! Thanks for all the help from this list - it's very appreciated.
I have gotten this working reliably for the most part. I decided to go
back and try to use the 'old' way of doing things. Namely using isakmpd.conf

I couldn't quite figure out how to override the default suite proposal
using ipsecctl.

I'm mostly asking questions now for my own curiosity so feel free
everyone to ignore these ramblings.

- Is PFS something that's negotiated only during phase 2? Could this be
why it was passing phase one but not passing phase two?
- when I specify a quick mode suite in isakmpd.conf does ipsecctl USE
that suite?


Can I do something like this in isakmpd.conf and then use ipsecctl to
add the flows?

[General]
Listen-on = x.x.x.x

[Phase 1]
x.x.x.x = Remote

[Phase 2]
Connections = VPN1

[Remote]
Configuration = Default-main-mode

[VPN1]
Configuration = Default-quick-mode

[Default-main-mode]
Transforms=(whatever)

[Default-quick-mode]
Suites=(whatever)


Does isakmpd -K simply use a default policy of allowing everything?


Again, thank you everyone for their help!
Håkan Olsson
2006-08-14 08:48:06 UTC
Post by Steve Glaus
...
I'm mostly asking questions now for my own curiosity so feel free
everyone to ignore these ramblings.
- Is PFS something that's negotiated only during phase 2? Could
this be why it was passing phase one but not passing phase two?
Yup. PFS means a new Diffie-Hellman key generation exchange should
take place in phase 2. Running without PFS means no such exchange
(keying material from the DH exchange in phase 1 is reused instead)
which is slightly faster, but not as strong. If you look closely at
the various suites you can select in phase 2, you'll see that only
the 'PFS' suites have a D-H "group description" attached. (No PFS ->
no group desc required)
Post by Steve Glaus
- when I specify a quick mode suite in isakmpd.conf does ipsecctl
USE that suite?
I think you can override the defaults, i.e. override the default
isakmpd configuration for a particular suite to do this. I haven't
looked that closely at how this can be done. You'll probably end up
with modifying all tunnels using this quick mode configuration, so it
may be a bit tricky.

Of course, if you have a particularly weird peer that only accepts
certain options, I'd write all config for this peer in isakmpd.conf
syntax (and use ipsecctl for the well-behaved peers :).
Post by Steve Glaus
Can I do something like this in isakmpd.conf and then use ipsecctl
to add the flows?
Sure, but...
Post by Steve Glaus
[General]
Listen-on = x.x.x.x
[Phase 1]
x.x.x.x = Remote
[Phase 2]
Connections = VPN1
you will want to use 'Passive-connections' instead of 'Connections'
here. Otherwise isakmpd itself will enforce the tunnel being
negotiated (and in doing so, isakmpd will set up the flows).
Post by Steve Glaus
[Remote]
Configuration = Default-main-mode
[VPN1]
Configuration = Default-quick-mode
[Default-main-mode]
Transforms=(whatever)
[Default-quick-mode]
Suites=(whatever)
Does isakmpd -K simply use a default policy of allowing everything?
Well, there are a bunch of sanity checks still in place, but
basically yes.

/H
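
As an added example (not code from the thread, and not OpenBSD's own), a small Python checker that parses the ipsecctl `ike` rule shape used above, rejects the malformed `172.28.128/0/21` prefix Hans-Joerg pointed at, and compares the quick-mode proposal with the 4060 settings Tech Support posted, so a PFS-on versus PFS-off mismatch (Håkan's point) shows up before the peer answers NO_PROPOSAL_CHOSEN. The quick-mode group assumed when the rule names none, and the treatment of `group none` as PFS off, are assumptions made for illustration.

```python
import ipaddress

# Group the example assumes isakmpd proposes for quick mode when the rule
# says nothing (PFS on, as noted in the thread); illustrative, not the
# daemon's authoritative default.
ASSUMED_QUICK_GROUP = "modp1024"

# The vendor's SonicWall 4060 proposal as listed by Tech Support above.
VENDOR_4060 = {
    "main": {"enc": "3des", "auth": "hmac-sha1"},
    "quick": {"enc": "3des", "auth": "hmac-sha1", "pfs": False},
    "life": {"main": 28800, "quick": 28800},
}


def parse_ike_rule(rule):
    """Parse the subset of the ipsecctl 'ike' syntax used in the post."""
    tok = rule.split()
    if tok[:2] != ["ike", "esp"]:
        raise ValueError("expected an 'ike esp' rule")
    r = {"main": {}, "quick": {}}
    phase, i = None, 2
    while i < len(tok):
        if tok[i] in ("from", "to", "peer"):
            r[tok[i]] = tok[i + 1]
            i += 2
        elif tok[i] in ("main", "quick"):
            phase, i = tok[i], i + 1
        elif tok[i] in ("auth", "enc", "group", "life"):
            if phase is None:
                raise ValueError(f"'{tok[i]}' given before 'main' or 'quick'")
            r[phase][tok[i]] = tok[i + 1]
            i += 2
        elif tok[i] == "psk":
            r["psk"] = tok[i + 1].strip('"')
            i += 2
        else:
            raise ValueError(f"unexpected token {tok[i]!r}")
    for key in ("from", "to"):
        # ip_network rejects malformed prefixes such as the thread's 172.28.128/0/21.
        r[key] = ipaddress.ip_network(r[key], strict=False)
    return r


def proposal_mismatches(rule, peer):
    """Reasons the peer would reject our proposal; an empty list means they can match."""
    issues = []
    for phase in ("main", "quick"):
        for attr in ("enc", "auth"):
            ours, theirs = rule[phase].get(attr), peer[phase][attr]
            if ours != theirs:
                issues.append(f"{phase}: {attr} {ours} vs peer {theirs}")
    # A PFS suite never matches a no-PFS suite; 'group none' turns PFS off.
    group = rule["quick"].get("group", ASSUMED_QUICK_GROUP)
    if (group != "none") != peer["quick"]["pfs"]:
        issues.append(f"quick: PFS group {group} but peer PFS is {peer['quick']['pfs']}")
    return issues


if __name__ == "__main__":
    posted = ('ike esp from 10.110.38.0/24 to 172.28.128/0/21 peer 204.244.106.134 '
              'main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des psk "XXXXXXXXXX"')
    try:
        parse_ike_rule(posted)
    except ValueError as err:
        print("rule rejected:", err)
    fixed = parse_ike_rule(posted.replace("172.28.128/0/21", "172.28.128.0/21"))
    print(proposal_mismatches(fixed, VENDOR_4060))   # reports the PFS mismatch
```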

Matthew Closson
2006-08-11 23:44:14 UTC
Post by Steve Glaus
...
Ask the SonicWall4060 admin how he/she is defining their network objects.
You have specified 172.28.128.0/21. On SonicOS enhanced you can define
address objects as "Single Host", "Network", or "Address Range". I think
they want to use Network, and specify the netmask rather than address
range; that could be an issue. SonicOS also uses 28800/28800 SA
lifetimes as opposed to 86400/28800.

Good luck! I've connected to a 4060 multiple times before but not using
the new ipsecctl syntax, I used the old isakmpd.conf syntax. Later,

-Matt-
Steve Glaus
2006-08-11 05:12:22 UTC
Post by Matthew Closson
...
Alright, an update:

I've managed to connect to the sonicwall.

Once.

And everything worked perfectly until I took the tunnel down, made some
changes and tried to reconnect again and lo and behold no joy.

To get it working in the FIRST place I had to set the connection type to
"passive" in ipsec.conf. I ran isakmpd, ran ipsecctl and the tunnels
came right up. Now, when I bring it up again I get INVALID_COOKIE
errors. I might be WAY off base here but I think that this is because
they're trying to re-establish the same connection (I had them set 'keep
alive' to yes on their end) and I'm just sitting here listening
passively, not re-initializing a new connection? I don't know if that
makes sense or not (I might just be revealing my ignorance). The one
time it DID work was the first time I tried connecting to this specific
endpoint.


When I try to connect without using passive I get the same old
NO_PROPOSAL_FOUND errors.


Thanks for all the help so far everyone.