
isakmpd problem in checkpoint to openbsd vpn



Please let me know if there is a more appropriate place to post this
question, thanks.

I am setting up a vpn between a checkpoint NG FP2 linux box and an obsd
box ( OpenBSD robo 2.9 GENERIC#0 i386 ).  I am very close, half of the vpn
works.  I can send a packet from
one network, it goes into the vpn, comes out the other side decrypted,
and reaches its dst.  But the reply from the dst does not go into the
vpn.  It's as if the obsd box does not know it is supposed to route the
reply packet into the vpn.


	west network 10.0.0.0/8
		I
		I
	| 10.0.0.1		|
	|			|
	| checkpoint box	|
	|			|
	| 192.168.2.50		|
		I
		I
	| 192.168.2.2	|
	|		|
	| obsd box	|
	|		|
	| 192.168.1.2	|
		I
		I
	east network 192.168.1.0/24


This capture on the east network shows that the packet comes across, but
the SYN ACK never gets back, the obsd box says that network is
unreachable:

# tcpdump -n host 192.168.1.20
tcpdump: listening on eth0
12:50:23.905993 10.0.0.10.1088 > 192.168.1.20.80: S 219015624:219015624(0) win 32120 <mss 1460,sackOK,timestamp 102884098 0,nop,wscale 0>
12:50:23.910045 192.168.1.20.80 > 10.0.0.10.1088: S 1350987248:1350987248(0) ack 219015625 win 32120 <mss 1460,sackOK,timestamp 143218840 102884098,nop,wscale 0> (DF)
12:50:23.910491 192.168.1.2 > 192.168.1.20: icmp: host 10.0.0.10 unreachable

but according to netstat it seems to know about the 10. network:

# netstat -rn -f encap
Routing tables
Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
10/8               0     192.168.1/24       0     0     192.168.2.50/50/require/in
192.168.1/24       0     10/8               0     0     192.168.2.50/50/require/out


I'm using isakmpd -d -DA=99, and don't see anything now that looks like a
big error message, except maybe

083936.410563 Misc 50 pf_key_v2_flow: done
083936.410835 SA   90 sa_find: no SA matched query
083936.411140 SA   80 sa_release: SA 0x10df00 had 4 references

or

084233.836326 Misc 60 conf_get_str: configuration value not found
[General]:check-interval


It's like the obsd box doesn't have a route to the 10. net?  But none of the
docs mentioned I'd need to add a route, and when I did add it, the vpn
still didn't work.  My isakmpd config files are below.

Can you tell me what I'm doing wrong?  Thanks for any help,


marc
junk3@zounds.net


"If you want to find all the cops
 They're hanging out in the donut shop
 They sing and dance"

- Liam Sternberg

///////////////////////////////////////////////////
///////////////////////////////////////////////////

# cat /kern/ipsec
Hashmask: 31, policy entries: 2
SPI = 0c25d971, Destination = 192.168.2.2, Sproto = 50
        Established 247 seconds ago
        Source = 192.168.2.50
        Flags (00001082) = <tunneling>
        Crypto ID: 2
        xform = <IPsec ESP>
                Encryption = <3DES>
                Authentication = <HMAC-SHA1>
        0 bytes processed by this SA
        Expirations:
                Hard expiration(1) in 3353 seconds
                Soft expiration(1) in 2993 seconds

SPI = 2a6b05c9, Destination = 192.168.2.50, Sproto = 50
        Established 247 seconds ago
        Source = 192.168.2.2
        Flags (00001082) = <tunneling>
        Crypto ID: 1
        xform = <IPsec ESP>
                Encryption = <3DES>
                Authentication = <HMAC-SHA1>
        0 bytes processed by this SA
        Expirations:
                Hard expiration(1) in 3353 seconds
                Soft expiration(1) in 2993 seconds

///////////////////////////////////////////////////
///////////////////////////////////////////////////


# more isakmpd.policy
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right
password
Authorizer: "POLICY"
Licensees: "passphrase:secret"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

///////////////////////////////////////////////////
///////////////////////////////////////////////////


# more isakmpd.conf
#       $OpenBSD: VPN-east.conf,v 1.11 2000/10/09 23:27:29 niklas Exp $
#       $EOM: VPN-east.conf,v 1.12 2000/10/09 22:08:30 angelos Exp $

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
# The network topology of the example net is like this:
#
# 192.168.11.0/24 - west [.11] - 10.1.0.0/24 - [.12] east - 192.168.12.0/24
#
# "west" and "east" are the respective security gateways (aka VPN-nodes).

[General]
Default-phase-1-lifetime=       86400,60:86400
Default-phase-2-lifetime=       3600,60:86400
Listen-on=                      192.168.2.2

[Phase 1]
192.168.2.50=           ISAKMP-peer-west

[Phase 2]
Connections=            IPsec-east-west

[ISAKMP-peer-west]
Phase=                  1
Transport=              udp
Local-address=          192.168.2.2
Address=                192.168.2.50
Configuration=          Default-main-mode
Authentication=         secret

[IPsec-east-west]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-west
Configuration=          Default-quick-mode
Local-ID=               Net-east
Remote-ID=              Net-west

[Net-west]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.0.0
Netmask=                255.0.0.0

[Net-east]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.1.0
Netmask=                255.255.255.0

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-SUITE
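As an added example (not part of the post above), the following script mechanises the check the poster is doing by hand: it parses the `netstat -rn -f encap` flow table quoted in the message and maps each packet from the tcpdump capture to the kernel flow that should carry it, so a missing or mis-directed flow shows up as `None` instead of a gateway/direction pair. The table and packet list are copied from the post; the parsing of the abbreviated prefixes ("10/8", "192.168.1/24") is my own.

```python
import ipaddress

# Encap flow table from the question (OpenBSD 2.9 `netstat -rn -f encap`), wrapped lines joined.
ENCAP_TABLE = """\
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
10/8               0     192.168.1/24       0     0     192.168.2.50/50/require/in
192.168.1/24       0     10/8               0     0     192.168.2.50/50/require/out
"""

# Packets seen on the east network in the posted tcpdump, as (src, dst).
PACKETS = [
    ("10.0.0.10", "192.168.1.20"),  # SYN arriving from the west network
    ("192.168.1.20", "10.0.0.10"),  # SYN/ACK reply that should enter the tunnel
]

def expand_prefix(text):
    """Expand netstat's abbreviated prefix ("10/8", "192.168.1/24") to a network."""
    addr, plen = text.split("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)

def parse_encap(table):
    """Parse flow rows into dicts: src/dst networks, SA gateway, proto, level, direction."""
    flows = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Source":  # skip header and stray lines
            continue
        gw, proto, level, direction = fields[5].split("/")
        flows.append({"src": expand_prefix(fields[0]), "dst": expand_prefix(fields[2]),
                      "gw": gw, "proto": int(proto), "level": level, "dir": direction})
    return flows

def match_flow(flows, src, dst):
    """Return the first flow whose source and destination prefixes cover src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for f in flows:
        if s in f["src"] and d in f["dst"]:
            return f
    return None

def check_packets(table, packets):
    """Map each (src, dst) to "gateway/direction" of its covering flow, or None."""
    flows = parse_encap(table)
    result = {}
    for src, dst in packets:
        f = match_flow(flows, src, dst)
        result[(src, dst)] = None if f is None else f["gw"] + "/" + f["dir"]
    return result
```

With the posted table both the SYN and the SYN/ACK map to a flow (the "in" and "out" entries respectively), which is what to confirm before looking at the SAs and routing table for the return path.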