Why are you using IPsec in the 21st century:
https://serverfault.com/questions/202917/openvpn-vs-ipsec-pros-and-cons-what-to-use
I see no pros here, just cons, unless you need to set up a VPN with some
crappy old device which should be just switched out with an obsd box
anyway :)
On 2017-06-29 11:29, Liviu Daia wrote:
> On 29 June 2017, Liviu Daia <Liviu.Daia@gmail.com> wrote:
> [...]
>> On the server:
>>
>> # iked -d
>> ikev2_recv: IKE_SA_INIT request from initiator 89.136.163.27:500 to
>> x.y.z.t:500 policy 'sb1' id 0, 510 bytes
>> ikev2_msg_send: IKE_SA_INIT response from x.y.z.t:500 to
>> 89.136.163.27:500 msgid 0, 471 bytes
>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to
>> x.y.z.t:500 policy 'sb1' id 1, 1520 bytes
>> ikev2_msg_send: IKE_AUTH response from x.y.z.t:500 to
>> 89.136.163.27:500 msgid 1, 1440 bytes
>> sa_state: VALID -> ESTABLISHED from 89.136.163.27:500 to x.y.z.t:500
>> policy 'sb1'
>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to
>> x.y.z.t:500 policy 'sb1' id 2, 1520 bytes
>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to
>> x.y.z.t:500 policy 'sb1' id 2, 1520 bytes
>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to
>> x.y.z.t:500 policy 'sb1' id 2, 1520 bytes
>> ikev2_recv: IKE_AUTH request from initiator 89.136.163.27:500 to
>> x.y.z.t:500 policy 'sb1' id 2, 1520 bytes
>>
>> On the home router:
>>
>> # iked -d
>> set_policy: could not find pubkey for /etc/iked/pubkeys/ipv4/x.y.z.t
>> ikev2_msg_send: IKE_SA_INIT request from 89.136.163.27:500 to
>> x.y.z.t:500 msgid 0, 510 bytes
>> ikev2_recv: IKE_SA_INIT response from responder x.y.z.t:500 to
>> 89.136.163.27:500 policy 'home' id 0, 471 bytes
>> ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500
>> msgid 1, 1520 bytes
>> ikev2_recv: IKE_AUTH response from responder x.y.z.t:500 to
>> 89.136.163.27:500 policy 'home' id 1, 1440 bytes
>> ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
>> ikev2_msg_send: IKE_AUTH request from 89.136.163.27:500 to x.y.z.t:500
>> msgid 2, 1520 bytes
>>
>> The warning about pubkey doesn't go away if I copy the server's
>> certificate to /etc/iked/pubkeys/ipv4/x.y.z.t, nor if I install it in
>> /etc/iked/certs. And then there's this, which doesn't look normal:
>>
>> ikev2_ike_auth_recv: unexpected auth method RSA_SIG, was expecting SIG
> [...]
>
> Ok this post sent me on the right course:
>
> http://www.going-flying.com/blog/mikrotik-openbsd-ikev2.html
>
> Here's what I did:
>
> cd /etc/ssl/vpn/private
> openssl rsa -in x.y.z.t.key -pubout -out ~/x.y.z.t
> ... copy ~/x.y.z.t to /etc/iked/pubkeys/ipv4 on the home
> router.
>
> After that the VPN works, I can send packets from a machine at home
> and I'm seeing them on enc0 on the remote server:
>
> # tcpdump -n -i enc0
>
> tcpdump: listening on enc0, link-type ENC
> 05:14:04.103254 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2
> > 10.0.0.102: icmp: echo request (encap)
> 05:14:05.134106 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2
> > 10.0.0.102: icmp: echo request (encap)
> 05:14:06.137831 (authentic,confidential): SPI 0xd51e3910: 192.168.7.2
> > 10.0.0.102: icmp: echo request (encap)
> ...
>
> However, I'm now running into what seems to be a firewall problem,
> and I'm getting no answer. I do have "pass quick inet proto esp" on
> both VPN ends. Any idea where / how to fix this?
>
> Also, IPs aren't assigned automatically to the VPN ends. I can
> add them to hostname.enc0, but is this the right thing to do? I tried
> adding a line
>
> config address 10.0.0.102
>
> to /etc/iked.conf, but that's rejected as a syntax error. A clue stick
> again please?
>
> Regards,
>
> Liviu Daia
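The pubkey step Liviu describes (extracting the raw public key from the responder's private key and dropping it into /etc/iked/pubkeys/ipv4/ on the peer), with the checks I'd run before copying the file. This is an added example, not code from the thread or from OpenBSD's iked; it assumes openssl(1) is available and reuses the paths from the post.

```shell
#!/bin/sh
# Added example: derive the raw PEM public key iked looks for under
# /etc/iked/pubkeys/ipv4/<peer-ip> from the responder's private key,
# and verify the result before it is copied to the peer.
# Assumes openssl(1) (OpenSSL or LibreSSL) is on PATH.

# Write the PEM SubjectPublicKeyInfo for an RSA private key.
# Usage: iked_pubkey_from_key /etc/ssl/vpn/private/x.y.z.t.key ~/x.y.z.t
iked_pubkey_from_key() {
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# True only if the file is a bare PEM public key. The thread reports that
# copying the server's certificate into pubkeys/ipv4/ did not silence the
# "could not find pubkey" warning; the raw public key did. This check
# distinguishes the two before the file is shipped to the peer.
iked_pubkey_is_raw() {
    openssl pkey -pubin -in "$1" -noout 2>/dev/null
}

# True if the public key's modulus equals the private key's modulus,
# i.e. the file really belongs to the key the responder signs IKE_AUTH with.
iked_pubkey_matches() {
    priv_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    pub_mod=$(openssl rsa -pubin -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$priv_mod" ] && [ "$priv_mod" = "$pub_mod" ]
}

# Extract, then check both properties. Exit status is 0 only if the
# generated file is a raw public key matching the private key.
iked_pubkey_prepare() {
    iked_pubkey_from_key "$1" "$2" || return 1
    iked_pubkey_is_raw "$2" || return 1
    iked_pubkey_matches "$1" "$2"
}
```

Run `iked_pubkey_prepare /etc/ssl/vpn/private/x.y.z.t.key ~/x.y.z.t` on the server, then copy `~/x.y.z.t` to `/etc/iked/pubkeys/ipv4/x.y.z.t` on the home router.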