
OBSD2.8 bridge and isakmpd probs

Hi All,

I'm having trouble trying to implement a "bump in the wire" ipsec gateway configuration as outlined in Keromytis and Wright's paper "Transparent Network Security Policy Enforcement".
I have a feeling this is probably due to my failure to grasp some fundamental step in the setup.

I have set up bridge0 with the following interfaces, dc2, dc3 and enc1, using hostname.if/bridgename.if files, and am using the isakmpd config and policy files appended below.

My problem is that I don't seem to be getting any ipsec packets coming through on enc0, and running isakmpd -d -DA=99 doesn't show any indication of connection attempts (using mac pgpnet 7.0). I have monitored the outside interface of the bridge using tcpdump -i dc2 udp and can see packets arriving on that interface.

20:01:39.141799 sss.ttt.uuu.vvv. 16442 > aaa.bbb.ccc.ddd.isakmp: isakmp v1.0 exchange ID_PROT
cookie: 2300a4381652e218->0000000000000000 msgid: 00000000 len: 88

Having read the ipsec bridge section of brconfig(8) it would seem as though I need to associate an SA with the enc1, although I can't see how that should be done in a bridge configuration. I had assumed that this would be handled by isakmpd but that doesn't seem to be the case.

The machine is running OpenBSD 2.8 stable from cvs'd source downloaded 1dec00 .au time and compiled with all necessary kernel options. I have rebuilt userland using the procedure documented in release(8).

If someone can shed some light I'd be grateful...


/etc/sysctl.conf - relevant options:

net.inet.ip.forwarding=1
net.inet.esp.enable=1
net.inet.ip.encdebug=1

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
# The section headers other than [Phase 1] and [Phase 2] did not survive
# in the posted copy; they are restored here from the names the sections
# reference (the [X509-certificates] name is the one isakmpd.conf(5) uses).

[Phase 1]
Default=                PGPNet_Config

[Phase 2]
Default=                PGPNet_OpenBSD

# Phase 1 peer: main mode, pre-shared passphrase "test"
[PGPNet_Config]
Phase=                  1
Transport=              udp
Local-Address=          aaa.bbb.ccc.ddd
Configuration=          Default-main-mode
Authentication=         test

# Phase 2 connection between the local net and the PGPnet client
[PGPNet_OpenBSD]
Phase=                  2
#ISAKMPD-peer=          PGPNet_Config
Configuration=          Default-quick-mode
Local-ID=               Net_YourNet
Remote-ID=              Net_PGPClient

# Local ID: a subnet, so isakmpd.conf(5) also expects Network= and Netmask= here
[Net_YourNet]
ID-type=                IPV4_ADDR_SUBNET

# Remote ID: a single host, so isakmpd.conf(5) also expects Address= here
[Net_PGPClient]
ID-type=                IPV4_ADDR

[Default-main-mode]
DOI=                    IPSEC
Transforms=             3DES-SHA

[Default-quick-mode]
DOI=                    IPSEC
Suites=                 QM-ESP-3DES-SHA-SUITE

[X509-certificates]
CA-directory=           /etc/isakmpd/ca/
Cert-directory=         /etc/isakmpd/certs/
Private-key=            /etc/isakmpd/private/local.key

KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees:  "passphrase:test"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";
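As an added example (not part of the original post, and not isakmpd's own code), a small linter for the isakmpd.conf layout shown above. It reports a Default=/Configuration=/Local-ID=/Remote-ID=/ISAKMPD-peer= value that names a section the file never defines, and an IPV4_ADDR or IPV4_ADDR_SUBNET ID section that lacks the Address= or Network=/Netmask= fields isakmpd.conf(5) requires for that type. The embedded sample config and the 192.0.2.0 network are constructed.

```python
"""Lint an isakmpd.conf for dangling section references and incomplete ID sections."""
import re

# Tags naming another section, and the fields each ID-type requires (isakmpd.conf(5))
REF_TAGS = {"Default", "Configuration", "Local-ID", "Remote-ID", "ISAKMPD-peer"}
ID_FIELDS = {"IPV4_ADDR": {"Address"}, "IPV4_ADDR_SUBNET": {"Network", "Netmask"}}

def parse(text):
    """Parse the [Section] / Tag= Value format; lines starting with # are comments."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            cur = sections.setdefault(m.group(1), {})
        elif "=" in line and cur is not None:
            tag, val = (s.strip() for s in line.split("=", 1))
            cur[tag] = val
    return sections

def lint(text):
    """Return a list of problem strings; an empty list means the file is consistent."""
    sections, problems = parse(text), []
    for name, tags in sections.items():
        for tag, val in tags.items():
            if tag in REF_TAGS and val not in sections:
                problems.append(f"[{name}] {tag}= names undefined section {val}")
        if "ID-type" in tags:
            for field in sorted(ID_FIELDS.get(tags["ID-type"], set()) - set(tags)):
                problems.append(f"[{name}] ID-type {tags['ID-type']} needs {field}=")
    return problems

# Constructed sample modelled on the posted file: the main-mode section is
# never defined and both ID sections lack their address fields.
SAMPLE = """\
[Phase 1]
Default=                PGPNet_Config
[PGPNet_Config]
Configuration=          Default-main-mode
[PGPNet_OpenBSD]
Local-ID=               Net_YourNet
Remote-ID=              Net_PGPClient
[Net_YourNet]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.0.2.0
[Net_PGPClient]
ID-type=                IPV4_ADDR
"""
```

Running lint(SAMPLE) yields three findings: the undefined Default-main-mode section, the missing Netmask= for Net_YourNet and the missing Address= for Net_PGPClient.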
