
Re: IPSEC and IPNAT on OpenBSD 2.9



Austin Godber wrote:
> 
> Hakan Olsson wrote:
> >
> > Your VPN is between 10.0.0.64 and 10.0.0.1 only, i.e. only packets
> > matching this will be encapsulated in IPsec. A packet sent to any other
> > address will not. The fact that the W2K box matches this anyway (and
> > sends it encapsulated) must be because of some magic option. :)
> >
> > If you want to tunnel all traffic, you should use something like 10.0.0.64
> > to 0.0.0.0/0, i.e. tunnel everything from 10.0.0.64 to "default". If you do
> > this, the OpenBSD box will match the returning traffic, and encapsulate
> > these packets also.
> 
> On My Windows Box I encrypt packets to all IPs and decrypt packets from
> all IPs.  If you are familiar with Windows ipsecpol command I use the
> following:
> 
> ipsecpol -f 0=* -t 10.0.0.1 -a PRESHARE:"sharedsecret"
> ipsecpol -f *=0 -t 10.0.0.64 -a PRESHARE:"sharedsecret"
> 
> (the 0=* says originating from my IP to any other IP and *=0 the
> opposite).
> 
> Let's see, I need to man isakmpd.conf again.  But I am now thinking that
> my problem is that in my isakmpd.conf file I am only telling it to
> encrypt packets if they originate from 10.0.0.1 and are destined for
> 10.0.0.64.  Rather I need to tell it to encrypt packets from anywhere
> destined to 10.0.0.64.  Is that correct?
> 
> > Also, I'm not quite clear where you are using NAT in the below picture?
> > Are you NAT:in 10.0.0.0/NN or 10.6.X.Y/NN ? From your example, I'm
> > assuming it's 10.0.0.0 that is the NAT:ed network, i.e. you hide it behind
> > the 10.6.6.145 address. If so, the above should work just fine. I've run
> > similar setups without problems.
> 
> Yes, sorry, the 10.0.0.0/NN network is NATed.
> 
> Thanks for your reply.
> -Austin
> 
> 
> > On Fri, 22 Feb 2002, Austin Godber wrote:
> >
> > > Hello,
> > >       I have been trying to get IPSEC and IPNAT working together on the same
> > > OpenBSD 2.9 gateway with a Windows 2000 client machine.  I am using
> > > ISAKMPD and the Windows 2000 IPSec implementation.  I have no trouble
> > > communicating between the gateway and the windows client but when the
> > > client tries to go beyond the gateway the traffic doesn't make it
> > > back.
> > >
> > >       Here is my setup:
> > >
> > >
> > >                   OpenBSD 2.9 w/ NAT           Windows 2k
> > > +----------+    +----------------------+      +---------+
> > > | 10.6.6.7 |----|10.6.6.145    10.0.0.1|======|10.0.0.64|
> > > |          |    | (ne3)          (wi0) |      +---------+
> > > +----------+    +----------------------+
> > >                                    ^           ^
> > >                                    |           |
> > >                                  tunnel endpoints
> > >
> > >
> > >       Using tcpdump I can see a ping packet do this:
> > >
> > > 10.0.0.64->wi0(ESP)->ne3->10.6.6.7->ne3->wi0(no ESP)
> > >
> > > Since the echo reply doesn't get stuffed onto enc0 on the return trip it
> > > is dropped by the win2k host.
> > >
> > > I do realize the strangeness with IPNAT and IPSEC both working in the ip
> > > stack at different places ...  well, it's only strangeness since I don't
> > > fully understand it.  Does this fall into the category of things that
> > > can't be done?
> > >
> > > Thanks for your help.  I hope I am not asking a question that has
> > > already been asked, I tried to find a solution.
> > > -Austin

Yes, what I stated as being my problem (isakmpd.conf only encrypts
traffic if the source is the gw ... bad bad) was in fact my problem. 
Thanks for your help.
Austin

-- 
Austin Godber
godber_(_at_)_asu_(_dot_)_edu
Rotten Philomathian

Fixed Config ...

/etc/isakmpd/isakmpd.conf
[Phase 2]
Connections=            IPSec-Conn-bsd_box-win2k_box

[ISAKMP-peer-node-win2k_box]
Phase=                  1
Transport=              udp
Address=                10.0.0.64
Configuration=          Windows-main-mode
Authentication=         sharedsecret

[IPSec-Conn-bsd_box-win2k_box]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-node-win2k_box
Configuration=          Windows-quick-mode
Local-ID=               Addr-World
Remote-ID=              Addr-win2k_box

[Addr-win2k_box]
ID-type=                IPV4_ADDR
Address=                10.0.0.64

[Addr-World]
ID-type=                IPV4_ADDR_SUBNET
Network=                0.0.0.0
Netmask=                0.0.0.0

[Windows-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Windows-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-WINDOWS-SUITE

[QM-WINDOWS-SUITE]
Protocols=              QM-WINDOWS-PROTOS

[QM-WINDOWS-PROTOS]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-WINDOWS-XF

[QM-WINDOWS-XF]
TRANSFORM_ID=           3DES
ENCAPSULATION_MODE=     TUNNEL
AUTHENTICATION_ALGORITHM=       HMAC_SHA
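The point of the fix above is that isakmpd only selects a packet for ESP when it falls inside the Local-ID/Remote-ID pair of some Phase 2 connection; with Local-ID set to the gateway's own address, the echo reply from 10.6.6.7 never matches, while 0.0.0.0/0 catches it. The following is an added example, not code from this thread or from isakmpd: it parses the section layout used in the posted isakmpd.conf with Python's configparser, resolves the ID sections to networks, and reports whether a given src->dst packet would be picked up by the gateway's flow selectors. Both configuration strings are constructed for the example (BROKEN_CONF reconstructs the pre-fix selector described in the message); it models only the selector match on the gateway, not IKE negotiation, the kernel SPD, or the Windows client's own ipsecpol policy (which is what sent the request encapsulated in the first place).

```python
"""Check isakmpd.conf Phase 2 flow selectors against a packet (added example)."""
import configparser
import ipaddress

# Constructed: the pre-fix selector, gateway address <-> client address only.
BROKEN_CONF = """\
[Phase 2]
Connections=            IPSec-Conn-bsd_box-win2k_box

[IPSec-Conn-bsd_box-win2k_box]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-node-win2k_box
Configuration=          Windows-quick-mode
Local-ID=               Addr-bsd_box
Remote-ID=              Addr-win2k_box

[Addr-bsd_box]
ID-type=                IPV4_ADDR
Address=                10.0.0.1

[Addr-win2k_box]
ID-type=                IPV4_ADDR
Address=                10.0.0.64
"""

# Constructed: the fixed selector from the posted config, Local-ID = 0.0.0.0/0.
FIXED_CONF = BROKEN_CONF.replace("Local-ID=               Addr-bsd_box",
                                 "Local-ID=               Addr-World") + """
[Addr-World]
ID-type=                IPV4_ADDR_SUBNET
Network=                0.0.0.0
Netmask=                0.0.0.0
"""


def load(text):
    """Parse isakmpd.conf-style text; keys such as Local-ID are case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def id_to_network(cp, section):
    """Resolve an ID section to an ip_network (host IDs become /32)."""
    kind = cp[section]["ID-type"]
    if kind == "IPV4_ADDR":
        return ipaddress.ip_network(cp[section]["Address"])
    if kind == "IPV4_ADDR_SUBNET":
        # ipaddress accepts a dotted netmask after the slash.
        return ipaddress.ip_network(
            f"{cp[section]['Network']}/{cp[section]['Netmask']}", strict=False)
    raise ValueError(f"unsupported ID-type {kind!r} in [{section}]")


def connection_selectors(cp):
    """Map each Phase 2 connection to its (local, remote) selector networks."""
    selectors = {}
    for conn in cp["Phase 2"]["Connections"].split(","):
        conn = conn.strip()
        selectors[conn] = (id_to_network(cp, cp[conn]["Local-ID"]),
                           id_to_network(cp, cp[conn]["Remote-ID"]))
    return selectors


def is_encapsulated(cp, src, dst):
    """True if src->dst matches some connection in either direction."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in connection_selectors(cp).values():
        if (s in local and d in remote) or (s in remote and d in local):
            return True
    return False


def trace_ping(cp, client, target):
    """Echo request client->target and reply target->client, as the gateway selects them."""
    return {"request": is_encapsulated(cp, client, target),
            "reply": is_encapsulated(cp, target, client)}


if __name__ == "__main__":
    # Reproduces the thread's ping: 10.0.0.64 -> 10.6.6.7 and back.
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, trace_ping(load(conf), "10.0.0.64", "10.6.6.7"))
```

Run as a script, the broken configuration reports neither direction of the 10.0.0.64 <-> 10.6.6.7 ping as matching (only 10.0.0.1 <-> 10.0.0.64 does), and the fixed one reports both, which is exactly the symptom the tcpdump line shows: the reply leaves wi0 without ESP. The same check is useful whenever a peer behind a NATing gateway can reach the gateway itself but nothing beyond it.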