
Re: IPSEC woes



"Regular" IPsec will work behind a NAT box if it does IPsec passthrough and there is only one client behind the box. I think the only thing that IPsec passthrough does is send out the key exchange stuff from port 500 instead of some random high port. If your requests for key exchange from the Windows box aren't coming from port 500, your Cisco isn't doing IPsec passthrough. Most of the little Linksys or Netgear routers do IPsec passthrough.

On Fri, 04 Jun 2004 20:58:16 -0400
"Curtis H. Wilbar Jr." <bsd_(_at_)_hawkmountain_(_dot_)_net> wrote:

> Thanks everyone for links on info on setting up IPSEC.
> 
> I've been working on this today, and I'm wondering if the problem
> I'm having is due to my network setup....
> 
> Windows XP <--> Cisco <-- net --> Cisco <--> Firewall --> LAN
> 10.0.0.203      w/NAT             no nat     OpenBSD/NAT  192.168.10.0
> 
> I'm wondering if the NAT on the Cisco is throwing the wrench in
> the works.
> 
> I've changed the IPs in the traces to 333.333.333.333 and
> 999.999.999.999.  The 3s address is the public interface on the
> 1st Cisco (with NAT (Cisco PAT)).  The 9s address is the 
> real world IP of the public interface on the OpenBSD Firewall/VPN.
> 
> Using isakmpd -d -l and then tcpdump, this is the exchange I see:
> 
> 19:56:12.986094 333.333.333.333.500 > 999.999.999.999.500:  [udp sum ok]
> isakmp v1.0 exchange ID_PROT
> 	cookie: f1295fb4455b4383->0000000000000000 msgid: 00000000 len: 216
> 	payload: SA len: 164 DOI: 1(IPSEC) situation: IDENTITY_ONLY 
> 	    payload: PROPOSAL len: 152 proposal: 1 proto: ISAKMP spisz: 0
> xforms: 4
> 	        payload: TRANSFORM len: 36
> 	            transform: 1 ID: ISAKMP
> 	                attribute ENCRYPTION_ALGORITHM = 3DES_CBC
> 	                attribute HASH_ALGORITHM = SHA
> 	                attribute GROUP_DESCRIPTION = MODP_1024
> 	                attribute AUTHENTICATION_METHOD = PRE_SHARED
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 000070ffffff80
> 	        payload: TRANSFORM len: 36
> 	            transform: 2 ID: ISAKMP
> 	                attribute ENCRYPTION_ALGORITHM = 3DES_CBC
> 	                attribute HASH_ALGORITHM = MD5
> 	                attribute GROUP_DESCRIPTION = MODP_1024
> 	                attribute AUTHENTICATION_METHOD = PRE_SHARED
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 000070ffffff80
> 	        payload: TRANSFORM len: 36
> 	            transform: 3 ID: ISAKMP
> 	                attribute ENCRYPTION_ALGORITHM = DES_CBC
> 	                attribute HASH_ALGORITHM = SHA
> 	                attribute GROUP_DESCRIPTION = MODP_768
> 	                attribute AUTHENTICATION_METHOD = PRE_SHARED
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 000070ffffff80
> 	        payload: TRANSFORM len: 36
> 	            transform: 4 ID: ISAKMP
> 	                attribute ENCRYPTION_ALGORITHM = DES_CBC
> 	                attribute HASH_ALGORITHM = MD5
> 	                attribute GROUP_DESCRIPTION = MODP_768
> 	                attribute AUTHENTICATION_METHOD = PRE_SHARED
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 000070ffffff80
> 	payload: VENDOR len: 24 [ttl 0] (id 1)
> 
> 19:56:12.986402 999.999.999.999.500 > 333.333.333.333.500:  [udp sum ok]
> isakmp v1.0 exchange ID_PROT
> 	cookie: f1295fb4455b4383->5de6bed8520439c5 msgid: 00000000 len: 84
> 	payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY 
> 	    payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0
> xforms: 1
> 	        payload: TRANSFORM len: 36
> 	            transform: 1 ID: ISAKMP
> 	                attribute ENCRYPTION_ALGORITHM = 3DES_CBC
> 	                attribute HASH_ALGORITHM = SHA
> 	                attribute GROUP_DESCRIPTION = MODP_1024
> 	                attribute AUTHENTICATION_METHOD = PRE_SHARED
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 000070ffffff80 [ttl 0] (id 1)
> 
> 19:56:13.114227 333.333.333.333.500 > 999.999.999.999.500:  [udp sum ok]
> isakmp v1.0 exchange ID_PROT
> 	cookie: f1295fb4455b4383->5de6bed8520439c5 msgid: 00000000 len: 184
> 	payload: KEY_EXCH len: 132
> 	payload: NONCE len: 24 [ttl 0] (id 1)
> 
> 19:56:13.142888 999.999.999.999.500 > 333.333.333.333.500:  [udp sum ok]
> isakmp v1.0 exchange ID_PROT
> 	cookie: f1295fb4455b4383->5de6bed8520439c5 msgid: 00000000 len: 184
> 	payload: KEY_EXCH len: 132
> 	payload: NONCE len: 24 [ttl 0] (id 1)
> 
> 19:56:13.208829 333.333.333.333.500 > 999.999.999.999.500:  [udp sum ok]
> isakmp v1.0 exchange ID_PROT
> 	cookie: f1295fb4455b4383->5de6bed8520439c5 msgid: 00000000 len: 68
> 	payload: ID len: 12 type: IPV4_ADDR = 10.0.0.203
> 	payload: HASH len: 24 [ttl 0] (id 1)
> 
> 19:56:13.208937 999.999.999.999.500 > 333.333.333.333.500:  [udp sum ok]
> isakmp v1.0 exchange ID_PROT
> 	cookie: f1295fb4455b4383->5de6bed8520439c5 msgid: 00000000 len: 92
> 	payload: ID len: 12 type: IPV4_ADDR = 999.999.999.999
> 	payload: HASH len: 24
> 	payload: NOTIFICATION len: 28
> 	    notification: INITIAL CONTACT (f1295fb4455b4383->5de6bed8520439c5)
> [ttl 0] (id 1)
> 
> 19:56:13.247254 333.333.333.333.500 > 999.999.999.999.500:  [udp sum ok]
> isakmp v1.0 exchange QUICK_MODE
> 	cookie: f1295fb4455b4383->5de6bed8520439c5 msgid: adbc08a0 len: 1116
> 	payload: HASH len: 24
> 	payload: SA len: 1012 DOI: 1(IPSEC) situation: IDENTITY_ONLY 
> 	    payload: PROPOSAL len: 92 proposal: 1 proto: IPSEC_ESP spisz: 4
> xforms: 2 SPI: 0xf18599a6
> 	        payload: TRANSFORM len: 40
> 	            transform: 1 ID: 3DES
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 00000e10
> 	                attribute LIFE_TYPE = KILOBYTES
> 	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
> 	                attribute ENCAPSULATION_MODE = TRANSPORT
> 	                attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
> 	        payload: TRANSFORM len: 40
> 	            transform: 2 ID: 3DES
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 00000e10
> 	                attribute LIFE_TYPE = KILOBYTES
> 	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
> 	                attribute ENCAPSULATION_MODE = TRANSPORT
> 	                attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> 	    payload: PROPOSAL len: 52 proposal: 2 proto: IPSEC_AH spisz: 4
> xforms: 1 SPI: 0xf18599a6
> 	        payload: TRANSFORM len: 40
> 	            transform: 1 ID: DES
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 00000e10
> 	                attribute LIFE_TYPE = KILOBYTES
> 	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
> 	                attribute ENCAPSULATION_MODE = TRANSPORT
> 	                attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> 	    payload: PROPOSAL len: 48 proposal: 2 proto: IPSEC_ESP spisz: 4
> xforms: 1 SPI: 0x0765800d
> 	        payload: TRANSFORM len: 36
> 	            transform: 1 ID: 3DES
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 00000e10
> 	                attribute LIFE_TYPE = KILOBYTES
> 	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
> 	                attribute ENCAPSULATION_MODE = TRANSPORT
> 	    payload: PROPOSAL len: 52 proposal: 3 proto: IPSEC_AH spisz: 4
> xforms: 1 SPI: 0xf18599a6
> 	        payload: TRANSFORM len: 40
> 	            transform: 1 ID: SHA
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 00000e10
> 	                attribute LIFE_TYPE = KILOBYTES
> 	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
> 	                attribute ENCAPSULATION_MODE = TRANSPORT
> 	                attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
> 	    payload: PROPOSAL len: 48 proposal: 3 proto: IPSEC_ESP spisz: 4
> xforms: 1 SPI: 0x0765800d
> 	        payload: TRANSFORM len: 36
> 	            transform: 1 ID: 3DES
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 00000e10
> 	                attribute LIFE_TYPE = KILOBYTES
> 	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
> 	                attribute ENCAPSULATION_MODE = TRANSPORT
> 	    payload: PROPOSAL len: 52 proposal: 4 proto: IPSEC_AH spisz: 4
> xforms: 1 SPI: 0xf18599a6
> 	        payload: TRANSFORM len: 40
> 	            transform: 1 ID: DES
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 00000e10
> 	                attribute LIFE_TYPE = KILOBYTES
> 	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
> 	                attribute ENCAPSULATION_MODE = TRANSPORT
> 	                attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> 	    payload: PROPOSAL len: 52 proposal: 4 proto: IPSEC_ESP spisz: 4
> xforms: 1 SPI: 0x0765800d
> 	        payload: TRANSFORM len: 40
> 	            transform: 1 ID: 3DES
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 00000e10
> 	                attribute LIFE_TYPE = KILOBYTES
> 	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
> 	                attribute ENCAPSULATION_MODE = TRANSPORT
> 	                attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> 	    payload: PROPOSAL len: 52 proposal: 5 proto: IPSEC_AH spisz: 4
> xforms: 1 SPI: 0xf18599a6
> 	        payload: TRANSFORM len: 40
> 	            transform: 1 ID: SHA
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 00000e10
> 	                attribute LIFE_TYPE = KILOBYTES
> 	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
> 	                attribute ENCAPSULATION_MODE = TRANSPORT
> 	                attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
> 	    payload: PROPOSAL len: 52 proposal: 5 proto: IPSEC_ESP spisz: 4
> xforms: 1 SPI: 0x0765800d
> 	        payload: TRANSFORM len: 40
> 	            transform: 1 ID: 3DES
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 00000e10
> 	                attribute LIFE_TYPE = KILOBYTES
> 	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
> 	                attribute ENCAPSULATION_MODE = TRANSPORT
> 	                attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
> 	    payload: PROPOSAL len: 92 proposal: 6 proto: IPSEC_ESP spisz: 4
> xforms: 2 SPI: 0xf18599a6
> 	        payload: TRANSFORM len: 40
> 	            transform: 1 ID: DES
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 00000e10
> 	                attribute LIFE_TYPE = KILOBYTES
> 	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
> 	                attribute ENCAPSULATION_MODE = TRANSPORT
> 	                attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
> 	        payload: TRANSFORM len: 40
> 	            transform: 2 ID: DES
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 00000e10
> 	                attribute LIFE_TYPE = KILOBYTES
> 	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
> 	                attribute ENCAPSULATION_MODE = TRANSPORT
> 	                attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> 	    payload: PROPOSAL len: 52 proposal: 7 proto: IPSEC_AH spisz: 4
> xforms: 1 SPI: 0xf18599a6
> 	        payload: TRANSFORM len: 40
> 	            transform: 1 ID: DES
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 00000e10
> 	                attribute LIFE_TYPE = KILOBYTES
> 	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
> 	                attribute ENCAPSULATION_MODE = TRANSPORT
> 	                attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> 	    payload: PROPOSAL len: 48 proposal: 7 proto: IPSEC_ESP spisz: 4
> xforms: 1 SPI: 0x0765800d
> 	        payload: TRANSFORM len: 36
> 	            transform: 1 ID: DES
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 00000e10
> 	                attribute LIFE_TYPE = KILOBYTES
> 	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
> 	                attribute ENCAPSULATION_MODE = TRANSPORT
> 	    payload: PROPOSAL len: 52 proposal: 8 proto: IPSEC_AH spisz: 4
> xforms: 1 SPI: 0xf18599a6
> 	        payload: TRANSFORM len: 40
> 	            transform: 1 ID: SHA
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 00000e10
> 	                attribute LIFE_TYPE = KILOBYTES
> 	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
> 	                attribute ENCAPSULATION_MODE = TRANSPORT
> 	                attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
> 	    payload: PROPOSAL len: 48 proposal: 8 proto: IPSEC_ESP spisz: 4
> xforms: 1 SPI: 0x0765800d
> 	        payload: TRANSFORM len: 36
> 	            transform: 1 ID: DES
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 00000e10
> 	                attribute LIFE_TYPE = KILOBYTES
> 	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
> 	                attribute ENCAPSULATION_MODE = TRANSPORT
> 	    payload: PROPOSAL len: 52 proposal: 9 proto: IPSEC_AH spisz: 4
> xforms: 1 SPI: 0xf18599a6
> 	        payload: TRANSFORM len: 40
> 	            transform: 1 ID: DES
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 00000e10
> 	                attribute LIFE_TYPE = KILOBYTES
> 	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
> 	                attribute ENCAPSULATION_MODE = TRANSPORT
> 	                attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> 	    payload: PROPOSAL len: 52 proposal: 9 proto: IPSEC_ESP spisz: 4
> xforms: 1 SPI: 0x0765800d
> 	        payload: TRANSFORM len: 40
> 	            transform: 1 ID: DES
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 00000e10
> 	                attribute LIFE_TYPE = KILOBYTES
> 	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
> 	                attribute ENCAPSULATION_MODE = TRANSPORT
> 	                attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
> 	    payload: PROPOSAL len: 52 proposal: 10 proto: IPSEC_AH spisz: 4
> xforms: 1 SPI: 0xf18599a6
> 	        payload: TRANSFORM len: 40
> 	            transform: 1 ID: SHA
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 00000e10
> 	                attribute LIFE_TYPE = KILOBYTES
> 	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
> 	                attribute ENCAPSULATION_MODE = TRANSPORT
> 	                attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
> 	    payload: PROPOSAL len: 52 proposal: 10 proto: IPSEC_ESP spisz: 4
> xforms: 1 SPI: 0x0765800d
> 	        payload: TRANSFORM len: 40
> 	            transform: 1 ID: DES
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 00000e10
> 	                attribute LIFE_TYPE = KILOBYTES
> 	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
> 	                attribute ENCAPSULATION_MODE = TRANSPORT
> 	                attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
> 	payload: NONCE len: 24
> 	payload: ID len: 12 proto: 17 port: 1701 type: IPV4_ADDR = 10.0.0.203
> 	payload: ID len: 12 proto: 17 port: 0 type: IPV4_ADDR = 999.999.999.999
> [ttl 0] (id 1)
> 
> 19:56:13.247798 999.999.999.999.500 > 333.333.333.333.500:  [udp sum ok]
> isakmp v1.0 exchange QUICK_MODE
> 	cookie: f1295fb4455b4383->5de6bed8520439c5 msgid: adbc08a0 len: 164
> 	payload: HASH len: 24
> 	payload: SA len: 64 DOI: 1(IPSEC) situation: IDENTITY_ONLY 
> 	    payload: PROPOSAL len: 52 proposal: 1 proto: IPSEC_ESP spisz: 4
> xforms: 1 SPI: 0x5e5f1869
> 	        payload: TRANSFORM len: 40
> 	            transform: 1 ID: 3DES
> 	                attribute LIFE_TYPE = SECONDS
> 	                attribute LIFE_DURATION = 00000e10
> 	                attribute LIFE_TYPE = KILOBYTES
> 	                attribute LIFE_DURATION = 0003ffffffd0ffffff90
> 	                attribute ENCAPSULATION_MODE = TRANSPORT
> 	                attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
> 	payload: NONCE len: 24
> 	payload: ID len: 12 proto: 17 port: 1701 type: IPV4_ADDR = 10.0.0.203
> 	payload: ID len: 12 proto: 17 port: 0 type: IPV4_ADDR = 999.999.999.999
> [ttl 0] (id 1)
> 
> 19:56:13.276832 333.333.333.333.500 > 999.999.999.999.500:  [udp sum ok]
> isakmp v1.0 exchange QUICK_MODE
> 	cookie: f1295fb4455b4383->5de6bed8520439c5 msgid: adbc08a0 len: 52
> 	payload: HASH len: 24 [ttl 0] (id 1)
> 
> 19:56:48.305065 333.333.333.333.500 > 999.999.999.999.500:  [udp sum ok]
> isakmp v1.0 exchange INFO
> 	cookie: f1295fb4455b4383->5de6bed8520439c5 msgid: 106ab99c len: 68
> 	payload: HASH len: 24
> 	payload: DELETE len: 16 [ttl 0] (id 1)
> 
> 19:56:48.311231 333.333.333.333.500 > 999.999.999.999.500:  [udp sum ok]
> isakmp v1.0 exchange INFO
> 	cookie: f1295fb4455b4383->5de6bed8520439c5 msgid: 9c143a0f len: 84
> 	payload: HASH len: 24
> 	payload: DELETE len: 28 [ttl 0] (id 1)
> 
> 
> The Windows XP box never indicates it connects and finally errors
> out saying it was expecting a response from the server.  At that
> point it sends the INFO packets with the DELETE requests.
> 
> No errors get logged by isakmpd.... 
> 
> Here is the policy file (/etc/isakmpd/isakmpd.policy):
> 
> KeyNote-version: 2
> Comment: This policy accepts ESP SAs from a remote that uses the right
> password
> Authorizer: "POLICY"
> Licensees: "passphrase:bigsecret"
> Conditions: app_domain == "IPsec policy" &&
>             esp_present == "yes" &&
>             esp_enc_alg != "null" -> "true";
> 
> 
> Here is the isakmpd.conf file:
> 
> [General]
> Listen-on=              216.206.161.162
> Exchange-max-time=      120
> Retransmits=            5
> 
> [Phase 1]
> Default=                ISAKMP-clients
> 
> [Phase 2]
> Passive-Connections=    IPsec-clients
> 
> [ISAKMP-clients]
> Phase=                  1
> Transport=              udp
> Configuration=          Windows-main-mode
> Authentication=         bigsecret
> 
> [IPsec-clients]
> Phase=                  2
> Configuration=          Windows-quick-mode
> Local-ID=               Net-office
> Remote-ID=              Host-remote
> 
> [Net-office]
> ID-type=                IPV4_ADDR_SUBNET
> Network=                192.168.10.0
> Netmask=                255.255.255.0
> 
> [Host-remote]
> ID-type=                IPV4_ADDR
> Address=                0.0.0.0
> 
> [Windows-main-mode]
> DOI=                    IPSEC
> EXCHANGE_TYPE=          ID_PROT
> Transforms=             3DES-SHA
> 
> [Windows-quick-mode]
> DOI=                    IPSEC
> EXCHANGE_TYPE=          QUICK_MODE
> Suites=                 QM-ESP-3DES-SHA-SUITE
> 
> The last thing that happens before the failure is that
> my XP host sends a QUICK_MODE payload HASH... then after
> a period of time my XP host throws a dialog box saying
> it expected a response, and sends two INFO packets with
> payloads HASH and DELETE.
> 
> This will be for remote users, many of whom are behind
> NATing firewalls (probably many Linksys cable routers).
> 
> I hope I haven't come this far to find out it won't work
> in this situation.....
> 
> If it should work, maybe someone more experienced with isakmpd
> will see something I didn't in the traces.
> 
> Thanks in advance,
> 
>   -- Curt
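As an added example (not code from the thread, isakmpd or tcpdump), a small Python check that reads the tcpdump isakmp decode in the shape quoted above and flags the two NAT symptoms the reply and the question point at: ISAKMP arriving from a source port other than 500, and a Phase 1 ID payload carrying an address that differs from the packet source. The sample trace is assembled from lines in the post; the port-1025 variant is constructed.

```python
import re
# Added diagnostic (not from the post, isakmpd or tcpdump): parse the tcpdump isakmp
# decode quoted above and flag the thread's NAT symptoms: ISAKMP sent from a port other
# than 500 (no IPsec passthrough) and a Phase 1 ID address that is not the packet source.
PKT_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ (\S+)\.(\d+) > \S+\.\d+:")
EXCH_RE = re.compile(r"isakmp v1\.0 exchange (\w+)")
ID_RE = re.compile(r"payload: ID .*type: IPV4_ADDR = (\S+)")
ENCAP_RE = re.compile(r"ENCAPSULATION_MODE = (\w+)")

def parse(trace):
    """Group decode lines into packets; indented lines belong to the last packet."""
    pkts = []
    for line in trace.splitlines():
        if m := PKT_RE.match(line):
            pkts.append({"src": m.group(1), "sport": int(m.group(2)),
                         "exchange": "", "ids": [], "encap": set()})
        elif pkts:
            cur = pkts[-1]
            if m := EXCH_RE.search(line):
                cur["exchange"] = m.group(1)
            elif m := ID_RE.search(line):
                cur["ids"].append(m.group(1))
            elif m := ENCAP_RE.search(line):
                cur["encap"].add(m.group(1))
    return pkts

def diagnose(trace):
    """Return one finding string per NAT symptom, in packet order."""
    findings, natted = [], set()
    for p in parse(trace):
        src = p["src"]
        if p["sport"] != 500:
            findings.append(f"{src} sends ISAKMP from port {p['sport']}, not 500: "
                            "no IPsec passthrough on the NAT box")
        if p["exchange"] == "ID_PROT":
            for addr in p["ids"]:
                if addr != src:   # peer claims an address its packets do not come from
                    natted.add(src)
                    findings.append(f"{src} identifies itself as {addr}: peer is behind NAT")
        if p["exchange"] == "QUICK_MODE" and "TRANSPORT" in p["encap"] and src in natted:
            findings.append(f"{src} proposes transport-mode IPsec from behind NAT: "
                            "needs IPsec passthrough with a single client, or NAT-T")
    return findings

# Sample input, assembled from lines of the trace quoted in the post.
TRACE = """\
19:56:13.208829 333.333.333.333.500 > 999.999.999.999.500:  [udp sum ok]
isakmp v1.0 exchange ID_PROT
    payload: ID len: 12 type: IPV4_ADDR = 10.0.0.203
19:56:13.208937 999.999.999.999.500 > 333.333.333.333.500:  [udp sum ok]
isakmp v1.0 exchange ID_PROT
    payload: ID len: 12 type: IPV4_ADDR = 999.999.999.999
19:56:13.247254 333.333.333.333.500 > 999.999.999.999.500:  [udp sum ok]
isakmp v1.0 exchange QUICK_MODE
                    attribute ENCAPSULATION_MODE = TRANSPORT
    payload: ID len: 12 proto: 17 port: 1701 type: IPV4_ADDR = 10.0.0.203
"""
# Constructed variant: the same exchange from a NAT box without passthrough.
TRACE_NO_PASSTHROUGH = TRACE.replace("333.333.333.333.500 >", "333.333.333.333.1025 >")
```

Run `diagnose()` over the full decode from `tcpdump -v -n udp port 500`; a clean trace returns an empty list.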
