
OBSD2.8 bridge and isakmpd probs



Hi All,

I'm having trouble trying to implement a "bump in the wire" ipsec gateway configuration as outlined in Keromytis and Wright's paper "Transparent Network Security Policy Enforcement".
I have a feeling this is probably due to my failure to grasp some fundamental step in the setup.


I have set up bridge0 with the following interfaces, dc2, dc3 and enc1, using hostname/bridgename.if files, and am using the isakmpd config and policy files appended below.

My problem is that I don't seem to be getting any ipsec packets coming through on enc0, and running isakmpd -d -DA=99 doesn't show any indication of connection attempts (using Mac PGPnet 7.0). I have monitored the outside interface of the bridge using tcpdump -i dc2 udp and can see packets arriving on that interface.

20:01:39.141799 sss.ttt.uuu.vvv. 16442 > aaa.bbb.ccc.ddd.isakmp: isakmp v1.0 exchange ID_PROT
cookie: 2300a4381652e218->0000000000000000 msgid: 00000000 len: 88


Having read the ipsec bridge section of brconfig(8), it would seem as though I need to associate an SA with enc1, although I can't see how that should be done in a bridge configuration. I had assumed that this would be handled by isakmpd, but that doesn't seem to be the case.

The machine is running OpenBSD 2.8 stable from cvs'd source downloaded 1 Dec 00 .au time and compiled with all necessary kernel options. I have rebuilt userland using the procedure documented in release(8).

If someone can shed some light I'd be grateful...

cheers
Paul


/etc/sysctl.conf - relevant options:
net.inet.ip.forwarding=1
net.inet.esp.enable=1
net.inet.ip.encdebug=1

/etc/isakmpd/isakmpd.conf
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.

[Phase 1]
Default=                PGPNet_Config

[Phase 2]
Default=                PGPNet_OpenBSD

[PGPNet_Config]
Phase=                  1
Transport=              udp
Local-Address=          aaa.bbb.ccc.ddd
Address=                0.0.0.0
Configuration=          Default-main-mode
Authentication=         test

[PGPNet_OpenBSD]
Phase=                  2
#ISAKMPD-peer=          PGPNet_Config
Configuration=          Default-quick-mode
Local-ID=               Net_YourNet
Remote-ID=              Net_PGPClient

[Net_YourNet]
ID-type=                IPV4_ADDR_SUBNET
Network=                0.0.0.0
Netmask=                0.0.0.0

[Net_PGPClient]
ID-type=                IPV4_ADDR
Address=                0.0.0.0

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-SUITE

[X509-certificates]
CA-directory=           /etc/isakmpd/ca/
Cert-directory=         /etc/isakmpd/certs/
Private-key=            /etc/isakmpd/private/local.key

/etc/isakmpd/isakmpd.policy
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees:  "passphrase:test"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";
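A quick sanity check that is useful when debugging an isakmpd.conf like the one above is to confirm that every section name used as a value (the [Phase 1]/[Phase 2] Default entries, Configuration, Local-ID, Remote-ID, ISAKMPD-peer) actually exists, and that a section named under [Phase N] declares Phase= N. The following Python script is an added example, not part of the original post or of isakmpd itself; it implements a small parser for the INI-like layout isakmpd(8) uses and runs it over a constructed config in the same shape as the one posted, with two references deliberately left dangling so the checker has something to report. The set of reference keys is my assumption from the sections shown above.

```python
"""Reference checker for an isakmpd.conf-style section file (added example)."""

import re

# Keys whose value is assumed (from the config shown in the post) to name
# another section of the same file.
REFERENCE_KEYS = {"Default", "Configuration", "Local-ID", "Remote-ID", "ISAKMPD-peer"}

# Constructed sample in the shape of the posted config. Net_PGPClient and
# Default-quick-mode are intentionally missing so the checker reports them.
SAMPLE_CONF = """\
# comment lines and trailing whitespace are ignored
[Phase 1]
Default=                PGPNet_Config

[Phase 2]
Default=                PGPNet_OpenBSD

[PGPNet_Config]
Phase=                  1
Transport=              udp
Configuration=          Default-main-mode
Authentication=         test

[PGPNet_OpenBSD]
Phase=                  2
#ISAKMPD-peer=          PGPNet_Config
Configuration=          Default-quick-mode
Local-ID=               Net_YourNet
Remote-ID=              Net_PGPClient

[Net_YourNet]
ID-type=                IPV4_ADDR_SUBNET

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
"""

_SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_sections(text):
    """Return {section_name: {key: value}} in file order.

    '#' starts a comment, '[name]' opens a section, 'Key= Value' lines
    belong to the current section. Anything else is an error.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        match = _SECTION_RE.match(line)
        if match:
            current = match.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def dangling_references(sections):
    """List (section, key, target) for reference keys naming absent sections."""
    missing = []
    for name, entries in sections.items():
        for key, value in entries.items():
            if key in REFERENCE_KEYS and value not in sections:
                missing.append((name, key, value))
    return missing


def phase_mismatches(sections):
    """List (section, expected, actual) where [Phase N] Default names a
    section whose own Phase= line does not say N."""
    problems = []
    for n in ("1", "2"):
        target = sections.get(f"Phase {n}", {}).get("Default")
        if target in sections and sections[target].get("Phase") != n:
            problems.append((target, n, sections[target].get("Phase")))
    return problems


if __name__ == "__main__":
    parsed = parse_sections(SAMPLE_CONF)
    for section, key, target in dangling_references(parsed):
        print(f"[{section}] {key}= {target}: no such section")
    for section, expected, actual in phase_mismatches(parsed):
        print(f"[{section}] Phase= {actual}, but it is the Phase {expected} default")
```

Run it against a real file by replacing SAMPLE_CONF with the contents of /etc/isakmpd/isakmpd.conf; it only reports structural problems in the config, so an empty report does not mean isakmpd will negotiate, but a dangling section name is a cheap thing to rule out before reading -DA=99 debug output.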