
IPsec-isakmpd problem



I'm attempting a simple east-west vpn setup between 2 locations.  I've
taken the sample isakmpd configurations from /usr/share/ipsec/isakmpd
and swapped the address information with my own.  I've also made one
minor suite modification to quick-mode.  Both gateways are allowing esp
and udp/500 traffic through pf. 

     LAN1             GW1 (3.2)         GW2 (3.2)          LAN2 
192.168.0.0/24 --- 68.65.xxx.xxx --- 68.55.xxx.xxx --- 10.10.10.0/24 

Everything comes up successful, the SA is created (confirmed via
debug): 
165145.461621 Timr 10 timer_handle_expirations: event
connection_checker(0x1b6ae0) 
165145.462705 Misc 95 conf_get_str: configuration value not found
[General]:check-interval 
165145.463125 Timr 10 timer_add_event: event
connection_checker(0x1b6ae0) added before sa_soft_expire(0x114b00),
expiration in 60s 
165145.463541 SA   90 sa_find: return SA 0x114b00 
165145.463910 Sdep 70 pf_key_v2_connection_check: SA for LAN2-LAN1
exists 

Everything also looks good in netstat (same in reverse on other host): 
Encap: 
Source             Port  Destination        Port  Proto
SA(Address/Proto/Type/Direction) 
10.10.10/24        0     192.168.0/24       0     0    
68.55.xxx.xxx/50/use/in 
192.168.0/24       0     10.10.10/24        0     0    
68.55.xxx.xxx/50/require/out 

Unfortunately, nothing seems to be traversing from the private LANs
properly.  Pings leave the external interface, but never make it to the
other side (tested with tcpdump): 
-bash-2.05b# ping 10.10.10.100 
PING 10.10.10.100 (10.10.10.100): 56 data bytes 
--- 10.10.10.100 ping statistics --- 
4 packets transmitted, 0 packets received, 100% packet loss 

Everything I know tells me that I'm just missing a route for each
private network.  I haven't found anything in the documentation that
hints at needing to add a static route for your vpn'd LANs.  It's my
understanding that unlike ipsecadm, isakmpd should take care of this for
you. 

Any assistance will be greatly appreciated.  I'd prefer to not attach my
conf files, since it appears the connection is "successful", but a
little voice keeps suggesting otherwise.  :)

Thanks, 
J.
#	$OpenBSD: VPN-west.conf,v 1.12 2002/06/09 08:13:07 todd Exp $
#	$EOM: VPN-west.conf,v 1.13 2000/10/09 22:08:30 angelos Exp $

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
# The network topology of the example net is like this:
#
# 192.168.0.0/24 - LAN1 [68.65.xxx.xxx] - 0.0.0.0/0 - [68.55.xxx.xxx] LAN2 - 10.10.10.0/24
#
# "LAN1" and "LAN2" are the respective security gateways (aka VPN-nodes).

[Phase 1]
68.55.xxx.xxx=		LAN2

[Phase 2]
Connections=		LAN1-LAN2

[LAN2]
Phase=			1
Transport=		udp
Address=		68.55.xxx.xxx
Configuration=		Default-main-mode
Authentication=		testpassphrase

[LAN1-LAN2]
Phase=			2
ISAKMP-peer=		LAN2
Configuration=		Default-quick-mode
Local-ID=		Net-LAN1
Remote-ID=		Net-LAN2

[Net-LAN1]
ID-type=		IPV4_ADDR_SUBNET
Network=		192.168.0.0
Netmask=		255.255.255.0

[Net-LAN2]
ID-type=		IPV4_ADDR_SUBNET
Network=		10.10.10.0
Netmask=		255.255.255.0

[Default-main-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		ID_PROT
Transforms=		3DES-SHA

[Default-quick-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		QUICK_MODE
Suites=			QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-PFS-SUITE
#	$OpenBSD: VPN-east.conf,v 1.12 2002/06/09 08:13:07 todd Exp $
#	$EOM: VPN-east.conf,v 1.12 2000/10/09 22:08:30 angelos Exp $

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
# The network topology of the example net is like this:
#
# 192.168.0.0/24 - west [68.65.xxx.xxx] - 0.0.0.0/0 - [68.55.xxx.xxx] east - 10.10.10.0/24
#
# "west" and "east" are the respective security gateways (aka VPN-nodes).

[Phase 1]
68.65.xxx.xxx=		LAN1

[Phase 2]
Connections=		LAN2-LAN1

[LAN1]
Phase=			1
Transport=		udp
Address=		68.65.xxx.xxx
Configuration=		Default-main-mode
Authentication=		testpassphrase

[LAN2-LAN1]
Phase=			2
ISAKMP-peer=		LAN1
Configuration=		Default-quick-mode
Local-ID=		Net-LAN2
Remote-ID=		Net-LAN1

[Net-LAN1]
ID-type=		IPV4_ADDR_SUBNET
Network=		192.168.0.0
Netmask=		255.255.255.0

[Net-LAN2]
ID-type=		IPV4_ADDR_SUBNET
Network=		10.10.10.0
Netmask=		255.255.255.0

[Default-main-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		ID_PROT
Transforms=		3DES-SHA

[Default-quick-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		QUICK_MODE
Suites=			QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-PFS-SUITE
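A check that follows from the two files above, added here as an example and not code from the post or from OpenBSD: parse both isakmpd.conf files, confirm that each gateway's Phase 2 flow is the mirror image of the peer's (our Remote-ID must be the peer's Local-ID and vice versa, and the peer address must have a [Phase 1] entry), and then ask which negotiated flow a given source/destination pair matches. The second check matters because a packet that matches no flow is forwarded unencrypted, and a ping issued on the gateway itself carries the external address as its source, which lies outside the Local-ID network. The configuration strings are trimmed copies of the attached files with the same 'xxx' placeholders; the function names and the two test source addresses are constructed for this example.

```python
"""Cross-check a pair of isakmpd.conf files and find which Phase 2 flow, if
any, a source/destination pair matches. Added example, not code from the post
or from OpenBSD. The two strings are trimmed copies of the attached files
(comments, Phase=, Transport=, Configuration=, Authentication= and the
Default-* sections dropped); the gateway addresses keep the post's 'xxx'."""
import configparser
import ipaddress

WEST_CONF = """\
[Phase 1]
68.55.xxx.xxx=LAN2
[Phase 2]
Connections=LAN1-LAN2
[LAN2]
Address=68.55.xxx.xxx
[LAN1-LAN2]
ISAKMP-peer=LAN2
Local-ID=Net-LAN1
Remote-ID=Net-LAN2
[Net-LAN1]
ID-type=IPV4_ADDR_SUBNET
Network=192.168.0.0
Netmask=255.255.255.0
[Net-LAN2]
ID-type=IPV4_ADDR_SUBNET
Network=10.10.10.0
Netmask=255.255.255.0
"""
EAST_CONF = """\
[Phase 1]
68.65.xxx.xxx=LAN1
[Phase 2]
Connections=LAN2-LAN1
[LAN1]
Address=68.65.xxx.xxx
[LAN2-LAN1]
ISAKMP-peer=LAN1
Local-ID=Net-LAN2
Remote-ID=Net-LAN1
[Net-LAN1]
ID-type=IPV4_ADDR_SUBNET
Network=192.168.0.0
Netmask=255.255.255.0
[Net-LAN2]
ID-type=IPV4_ADDR_SUBNET
Network=10.10.10.0
Netmask=255.255.255.0
"""


def parse_conf(text):
    """isakmpd.conf is INI-like: [sections], key=value, '#' comments."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # section and key names are case-sensitive
    cp.read_string(text)
    return cp


def phase2_flows(cp):
    """{connection: (peer address, local net, remote net)} per [Phase 2] entry."""
    def subnet(id_section):
        sec = cp[id_section]
        if sec["ID-type"] != "IPV4_ADDR_SUBNET":
            raise ValueError(f"{id_section}: unsupported ID-type {sec['ID-type']}")
        return ipaddress.ip_network(f"{sec['Network']}/{sec['Netmask']}")
    flows = {}
    for name in cp["Phase 2"]["Connections"].split(","):
        name, sec = name.strip(), cp[name.strip()]
        flows[name] = (cp[sec["ISAKMP-peer"]]["Address"],
                       subnet(sec["Local-ID"]), subnet(sec["Remote-ID"]))
    return flows


def mirror_problems(local_cp, peer_cp):
    """Flows on local_cp that the peer does not mirror (its Local-ID must be
    our Remote-ID and vice versa), plus peers missing from [Phase 1]."""
    problems, peer_flows = [], list(phase2_flows(peer_cp).values())
    for name, (addr, local_net, remote_net) in phase2_flows(local_cp).items():
        if addr not in local_cp["Phase 1"]:
            problems.append(f"{name}: peer {addr} has no [Phase 1] entry")
        if not any(l == remote_net and r == local_net for _, l, r in peer_flows):
            problems.append(f"{name}: peer has no mirrored flow {remote_net} -> {local_net}")
    return problems


def flow_for(cp, src, dst):
    """Connection whose flow covers src -> dst, or None (no flow means the
    packet leaves in the clear; a gateway-sourced ping is outside Local-ID)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, (_, local_net, remote_net) in phase2_flows(cp).items():
        if src in local_net and dst in remote_net:
            return name
    return None


if __name__ == "__main__":
    west, east = parse_conf(WEST_CONF), parse_conf(EAST_CONF)
    print("mismatches:", mirror_problems(west, east) or "none")
    print(flow_for(west, "192.168.0.10", "10.10.10.100"))  # constructed LAN1 host
    print(flow_for(west, "198.51.100.1", "10.10.10.100"))  # constructed outside source
```

Run it as-is to see the two files agree and that only a source inside 192.168.0.0/24 matches the LAN1-LAN2 flow; repeating the second ping from a LAN host rather than from the gateway, and watching the external interface with tcpdump for ESP rather than ICMP, separates a policy mismatch from a plain routing problem.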