> On Tue, May 13, 2008 at 5:41 PM, Lord Sporkton <lordsporkton@gmail.com>
quoted text > wrote:
>> I am trying to set up a ipsec link between my home network(private ip
>> network behind dynamic public ip)
>> and my colo server(single public static ip). I was a bit unclear on
>> how to set up a tunnel between a static
>> and dynamic ip
>>
>> interesting traffic:
>> 208.70.72.13 -> 10.0.0.0/16
>>
>>
>> My sad seems to set up ok, however afterward i get no flows and can not
>> pass
>> data, ive checked out logs, and ipsecctl -m, but see nothing of use.
>>
>> Below is data i believe relevant, if anything else is requested i will
>> do my best to post it back in a timely fashion
>> thank you
>>
>>
>> colo server:
>>
>> # uname -a
>> OpenBSD angie.sporkton.com 4.3 GENERIC#846 i386
>> # cat /etc/ipsec.conf
>>
>> ike passive from 208.70.72.13 to 10.0.0.0/16 \
>> aggressive auth hmac-sha1 enc 3des group modp1024 \
>> quick auth hmac-sha1 enc 3des \
>> srcid "angie.sporkton.com" dstid "fire.sporkton.com" \
>> psk "password"
>> # ipsecctl -sa
>> FLOWS:
>> No flows
>>
>> SAD:
>> esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth
>> hmac-sha1 enc 3des-cbc
>> esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth
>> hmac-sha1 enc 3des-cbc
>> #
>>
>> ipsecctl -m output:
>>
>> sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
>> address_src: 67.159.171.204
>> address_dst: 208.70.72.13
>> spirange: min 0x00000100 max 0xffffffff
>> sadb_getspi: satype esp vers 2 len 10 seq 9 pid 7557
>> sa: spi 0x581ea1f0 auth none enc none
>> state mature replay 0 flags 0
>> address_src: 67.159.171.204
>> address_dst: 208.70.72.13
>> sadb_add: satype esp vers 2 len 50 seq 10 pid 7557
>> sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
>> state mature replay 16 flags 4
>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>> address_src: 208.70.72.13
>> address_dst: 67.159.171.204
>> key_auth: bits 160: e7ee5eafe49c95cafc506ba1ba6c174a584e4859
>> key_encrypt: bits 192:
>> 65c174f84e389d2022ffbf9c1f152348d7b7f708ef757014
>> identity_src: type fqdn id 0: angie.sporkton.com
>> identity_dst: type fqdn id 0: fire.sporkton.com
>> src_mask: 255.255.255.255
>> dst_mask: 255.255.0.0
>> protocol: proto 0 flags 0
>> flow_type: type unknown direction out
>> src_flow: 208.70.72.13
>> dst_flow: 10.0.0.0
>> sadb_add: satype esp vers 2 len 42 seq 10 pid 7557
>> sa: spi 0xe4968f00 auth hmac-sha1 enc 3des-cbc
>> state mature replay 16 flags 4
>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>> address_src: 208.70.72.13
>> address_dst: 67.159.171.204
>> identity_src: type fqdn id 0: angie.sporkton.com
>> identity_dst: type fqdn id 0: fire.sporkton.com
>> src_mask: 255.255.255.255
>> dst_mask: 255.255.0.0
>> protocol: proto 0 flags 0
>> flow_type: type unknown direction out
>> src_flow: 208.70.72.13
>> dst_flow: 10.0.0.0
>> sadb_update: satype esp vers 2 len 50 seq 11 pid 7557
>> sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
>> state mature replay 16 flags 4
>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>> address_src: 67.159.171.204
>> address_dst: 208.70.72.13
>> key_auth: bits 160: c2beffabe156d0dbaca586e730694a4ff3cc4ef5
>> key_encrypt: bits 192:
>> 496cd320b35638d36dd8f899b8ce76c150840092db466715
>> identity_src: type fqdn id 0: fire.sporkton.com
>> identity_dst: type fqdn id 0: angie.sporkton.com
>> src_mask: 255.255.0.0
>> dst_mask: 255.255.255.255
>> protocol: proto 0 flags 0
>> flow_type: type unknown direction in
>> src_flow: 10.0.0.0
>> dst_flow: 208.70.72.13
>> sadb_update: satype esp vers 2 len 42 seq 11 pid 7557
>> sa: spi 0x581ea1f0 auth hmac-sha1 enc 3des-cbc
>> state mature replay 16 flags 4
>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>> address_src: 67.159.171.204
>> address_dst: 208.70.72.13
>> identity_src: type fqdn id 0: fire.sporkton.com
>> identity_dst: type fqdn id 0: angie.sporkton.com
>> src_mask: 255.255.0.0
>> dst_mask: 255.255.255.255
>> protocol: proto 0 flags 0
>> flow_type: type unknown direction in
>> src_flow: 10.0.0.0
>> dst_flow: 208.70.72.13
>>
>>
>>
>> Home firewall:
>>
>> # uname -a
>> OpenBSD fire.sporkton.com 4.3 GENERIC#698 i386
>> # cat /etc/ipsec.conf
>> ike from 10.0.0.0/16 to 208.70.72.13 peer 208.70.72.13 \
>> aggressive auth hmac-sha1 enc 3des group modp1024 \
>> quick auth hmac-sha1 enc 3des \
>> srcid "fire.sporkton.com" dstid "angie.sporkton.com" \
>> psk "password"
>> # ipsecctl -sa
>> FLOWS:
>> No flows
>>
>> SAD:
>> esp tunnel from 67.159.171.204 to 208.70.72.13 spi 0x26974f0d auth
>> hmac-sha1 enc 3des-cbc
>> esp tunnel from 208.70.72.13 to 67.159.171.204 spi 0xeac5bef2 auth
>> hmac-sha1 enc 3des-cbc
>> #
>>
>>
>> ipsecctl -m output:
>> sadb_getspi: satype esp vers 2 len 10 seq 4 pid 27351
>> address_src: 208.70.72.13
>> address_dst: 67.159.171.204
>> spirange: min 0x00000100 max 0xffffffff
>> sadb_getspi: satype esp vers 2 len 10 seq 4 pid 27351
>> sa: spi 0xeac5bef2 auth none enc none
>> state mature replay 0 flags 0
>> address_src: 208.70.72.13
>> address_dst: 67.159.171.204
>> sadb_add: satype esp vers 2 len 50 seq 5 pid 27351
>> sa: spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
>> state mature replay 16 flags 4
>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>> address_src: 67.159.171.204
>> address_dst: 208.70.72.13
>> key_auth: bits 160: 3e8df0ca567d73038ec1ef434032c7edc40ae308
>> key_encrypt: bits 192:
>> 94acef899197f1bdfc762d296e5e0dfca1ccedb854823e57
>> identity_src: type fqdn id 0: fire.sporkton.com
>> identity_dst: type fqdn id 0: angie.sporkton.com
>> src_mask: 255.255.0.0
>> dst_mask: 255.255.255.255
>> protocol: proto 0 flags 0
>> flow_type: type unknown direction out
>> src_flow: 10.0.0.0
>> dst_flow: 208.70.72.13
>> sadb_add: satype esp vers 2 len 42 seq 5 pid 27351
>> sa: spi 0x26974f0d auth hmac-sha1 enc 3des-cbc
>> state mature replay 16 flags 4
>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>> address_src: 67.159.171.204
>> address_dst: 208.70.72.13
>> identity_src: type fqdn id 0: fire.sporkton.com
>> identity_dst: type fqdn id 0: angie.sporkton.com
>> src_mask: 255.255.0.0
>> dst_mask: 255.255.255.255
>> protocol: proto 0 flags 0
>> flow_type: type unknown direction out
>> src_flow: 10.0.0.0
>> dst_flow: 208.70.72.13
>> sadb_update: satype esp vers 2 len 50 seq 6 pid 27351
>> sa: spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
>> state mature replay 16 flags 4
>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>> address_src: 208.70.72.13
>> address_dst: 67.159.171.204
>> key_auth: bits 160: 1e2e1137f4421ee9d84c50bbd3b03aedb12938ac
>> key_encrypt: bits 192:
>> a9eeb920e58b7603ae697d692407bbbdd60c39b65bc57bfe
>> identity_src: type fqdn id 0: angie.sporkton.com
>> identity_dst: type fqdn id 0: fire.sporkton.com
>> src_mask: 255.255.255.255
>> dst_mask: 255.255.0.0
>> protocol: proto 0 flags 0
>> flow_type: type unknown direction in
>> src_flow: 208.70.72.13
>> dst_flow: 10.0.0.0
>> sadb_update: satype esp vers 2 len 42 seq 6 pid 27351
>> sa: spi 0xeac5bef2 auth hmac-sha1 enc 3des-cbc
>> state mature replay 16 flags 4
>> lifetime_hard: alloc 0 bytes 0 add 1200 first 0
>> lifetime_soft: alloc 0 bytes 0 add 1080 first 0
>> address_src: 208.70.72.13
>> address_dst: 67.159.171.204
>> identity_src: type fqdn id 0: angie.sporkton.com
>> identity_dst: type fqdn id 0: fire.sporkton.com
>> src_mask: 255.255.255.255
>> dst_mask: 255.255.0.0
>> protocol: proto 0 flags 0
>> flow_type: type unknown direction in
>> src_flow: 208.70.72.13
>> dst_flow: 10.0.0.0
>
> I would recommend taking a look at if you haven't already:
>
http://www.securityfocus.com/infocus/1859
>
> Jonathan
>
>
http://www.securityfocus.com/infocus/1859
is the article that started it all for me using ipsec and OpenBSD. It's not exactly geared for one end being dynamic ip though.
I don't have much experience with dynamic addresses, but if my understanding is correct, the best would be as below.
Let me know if it works, I'm curious, since I've also never done ipsec between a static and dynamic device without an internal subnet on both hosts:
colo /etc/ipsec.conf:
ike passive from 208.70.72.13 to 10.0.0.0/16
home /etc/ipsec.conf:
ike dynamic from 10.0.0.0/16 to 208.70.72.13
(it looks TOO incomplete to me, but hey. IPsec on OpenBSD never ceases to amaze me in it's simplicity compared to other options)
Make sure your pf on both ends is allowing negotiation (which it seems to be). Also, unless you need to apply pf rules to your encrypted traffic, make sure you've got enc0 in your "set skip on" interfaces.
I'd suggest using pubkeys as in isakmpd(8) which should be:
copy /etc/isakmpd/local.pub from colo to /etc/isakmpd/pubkeys/ipv4/208.70.72.13 on home machine
copy /etc/isakmpd/local.pub from home to /etc/isakmpd/pubkeys/fqdn/client.host.name on the colo
That would be better than psk if you can get it working, imho.
Cheers
