February 28, 2002
IPsec between OpenBSD and Debian Linux [ Software ]
I ran through this scenario a while ago, so I wrote up my notes on the experience in the hope that they'd prove useful. The Debian Linux portion should still be more or less correct, but OpenBSD has changed a fair bit since 2.8, including dropping IPFilter support in favor of 'pf'. YMMV.
IPsec between OpenBSD 2.8/sparc and Debian Linux 3.0/i386 (kernel 2.4.14)
OpenBSD 2.8/sparc on a SparcClassic with le0 (10Mb Ethernet) interface
Debian 3.0/i386, kernel 2.4.14 on a Dell GX1 with lec0 (ATM ELAN) interface, using FreeS/WAN 1.95
SETUP
OpenBSD (hostA)
# sysctl -w net.inet.esp.enable=1
# ifconfig enc0 up
# edit /etc/isakmpd/isakmpd.policy as below
# edit /etc/isakmpd/isakmpd.conf as below
ipfilter rules:
# Allow encapsulated traffic between hostA and hostB
pass in on enc0 from B.B.B.B/32 to A.A.A.A/32
pass out on enc0 from A.A.A.A/32 to B.B.B.B/32
#
# Allow ISAKMP traffic between hostA and hostB
# (seen from hostA: inbound packets on le0 have hostB as source and hostA
# as destination, outbound packets the reverse, as in the ESP rules below)
pass in quick on le0 proto udp from B.B.B.B/32 port = 500 to A.A.A.A/32 port = 500
pass out quick on le0 proto udp from A.A.A.A/32 port = 500 to B.B.B.B/32 port = 500
#
# Allow ESP traffic between hostA and hostB
pass in quick on le0 proto esp from B.B.B.B/32 to A.A.A.A/32
pass out quick on le0 proto esp from A.A.A.A/32 to B.B.B.B/32
enable isakmpd
edit /etc/rc.conf, change isakmpd_flags=NO to isakmpd_flags=""
edit /etc/sysctl.conf, uncomment net.inet.esp.enable=1
Linux (hostB)
# apt-get install iproute libgmp2 libgmp3 libgmp3-dev
# apt-get install kernel-source-2.4.14
# cd /usr/src
# bzip2 -cd kernel-source-2.4.14.tar.bz2 | tar xf -
# rm linux
# ln -s kernel-source-2.4.14 linux
# wget ftp://ftp.xs4all.nl/pub/crypto/freeswan/freeswan*
# pgp -ka freeswan-sigkey.asc
# pgp freeswan-1.95.tar.gz.sig -p freeswan-1.95.tar.gz (verify integrity)
# tar xfz freeswan-1.95.tar.gz
# cd linux
# make menuconfig
Configure your kernel if necessary. The 'iproute' package needs the CONFIG_NETLINK and CONFIG_RTNETLINK kernel options, found under Networking options -> Kernel/User netlink socket and Routing messages.
# cd ../freeswan-1.95
# make menugo (save the kernel config)
# cd ../linux
# make-kpkg --revision=hostB.0+freeswan1.9.5 kernel_image
# dpkg -i ../kernel-image-2.4.14_hostB.0+freeswan1.9.5_i386.deb
edit /etc/network/options, set spoofprotect=no (otherwise KLIPS will generate errors and possibly not work)
edit /etc/ipsec.secrets as below
edit /etc/ipsec.conf as below
edit iptables rules as necessary:
# Allow ISAKMP negotiation between hostA and hostB
iptables -A INPUT -s A.A.A.A -p udp --dport 500 -j ACCEPT
#
# Allow ESP traffic between hostA and hostB
iptables -A INPUT -s A.A.A.A -p 50 -j ACCEPT
iptables -A INPUT -s B.B.B.B -p 50 -j ACCEPT
Reboot the system
# reboot
OpenBSD side - hostA (A.A.A.A)
/etc/isakmpd/isakmpd.policy:
KeyNote-Version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";
/etc/isakmpd/isakmpd.conf:
# /etc/isakmpd/isakmpd.conf - ISAKMP/IPsec config file
#
###################################################
#
# The network topology of this VPN is:
#
# hostA [A.A.A.A/32] - inet - hostB [B.B.B.B/32]
#
###################################################

[General]
Retransmits=            5
Exchange-max-time=      120
Listen-on=              A.A.A.A

[Phase 1]
# List remote gateways here with identifying names
#
B.B.B.B=                ISAKMP-peer-hostB

[Phase 2]
# List IPSec connection names that should be brought up automatically
#
Connections=            IPsec-hostA-hostB

# List remote hosts here with appropriate info
#
[ISAKMP-peer-hostB]
Phase=                  1
Transport=              udp
Address=                B.B.B.B
Configuration=          hostB-main-mode
Authentication=         some-shared-secret

# List connections here
# (the section name must match the Connections= entry under [Phase 2])
#
[IPsec-hostA-hostB]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-hostB
Configuration=          hostB-quick-mode
Local-ID=               Host-hostA
Remote-ID=              Host-hostB

# List remote networks here
#
[Host-hostB]
ID-type=                IPV4_ADDR
Address=                B.B.B.B

# List local networks here
#
[Host-hostA]
ID-type=                IPV4_ADDR
Address=                A.A.A.A

# List configuration for Phase 1 transforms here
#
[hostB-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA,3DES-MD5

# List configuration for Phase 2 encryption suites here
#
[hostB-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-MD5-PFS-SUITE

# eof
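isakmpd resolves every peer, connection, ID and transform by section name, so a Connections= entry, an ISAKMP-peer= or a Configuration= value that names a section which does not exist leaves that part of the tunnel silently undefined. The following checker is an added example, not part of the original notes or of isakmpd itself: it parses a file in the layout above and lists dangling references. The embedded configuration is constructed in the same shape and deliberately names a connection section that is not defined.

```python
"""Find dangling section references in an isakmpd.conf file (added example)."""

# Constructed sample in the layout of the isakmpd.conf above.  The [Phase 2]
# Connections= entry names "IPsec-hostA-hostB", but the connection section
# is spelled "IPsec-temujin-hostB", so the connection can never be found.
SAMPLE_CONF = """\
[General]
Listen-on=      A.A.A.A

[Phase 1]
B.B.B.B=        ISAKMP-peer-hostB

[Phase 2]
Connections=    IPsec-hostA-hostB

[ISAKMP-peer-hostB]
Phase=          1
Transport=      udp
Address=        B.B.B.B
Configuration=  hostB-main-mode
Authentication= some-shared-secret

[IPsec-temujin-hostB]
Phase=          2
ISAKMP-peer=    ISAKMP-peer-hostB
Configuration=  hostB-quick-mode
Local-ID=       Host-hostA
Remote-ID=      Host-hostB

[Host-hostB]
ID-type=        IPV4_ADDR
Address=        B.B.B.B

[Host-hostA]
ID-type=        IPV4_ADDR
Address=        A.A.A.A

[hostB-main-mode]
DOI=            IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms=     3DES-SHA,3DES-MD5

[hostB-quick-mode]
DOI=            IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites=         QM-ESP-3DES-MD5-PFS-SUITE
"""


def parse_isakmpd_conf(text):
    """Parse isakmpd.conf text into {section: {key: value}}; '#' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


# Keys whose value must name another section, as used by this configuration.
SECTION_REFS = ("Configuration", "ISAKMP-peer", "Local-ID", "Remote-ID")


def check_references(sections):
    """Return a list of dangling references; an empty list means every name resolves."""
    problems = []
    # Every peer named under [Phase 1] needs a section of its own ...
    for peer in sections.get("Phase 1", {}).values():
        if peer not in sections:
            problems.append(f"[Phase 1] peer '{peer}' has no section")
    # ... and so does every connection listed under [Phase 2].
    for conn in sections.get("Phase 2", {}).get("Connections", "").split(","):
        conn = conn.strip()
        if conn and conn not in sections:
            problems.append(f"[Phase 2] connection '{conn}' has no section")
    # Cross-references inside peer and connection sections.
    for name, keys in sections.items():
        for key in SECTION_REFS:
            target = keys.get(key)
            if target is not None and target not in sections:
                problems.append(f"[{name}] {key}= '{target}' has no section")
    return problems


if __name__ == "__main__":
    for problem in check_references(parse_isakmpd_conf(SAMPLE_CONF)):
        print(problem)
```

Run on the constructed sample it reports the one broken connection name; on a real file, read the text from /etc/isakmpd/isakmpd.conf instead of SAMPLE_CONF. Since isakmpd does not complain loudly about a name it cannot resolve, this is a cheap check to run before restarting the daemon.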
Linux Side - hostB (B.B.B.B)
/etc/ipsec.secrets:
# ISAKMP/IKE private shared keys
B.B.B.B A.A.A.A: PSK "some-shared-secret"
/etc/ipsec.conf:
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
#
###################################################
#
# The network topology of this VPN is:
#
# hostA [A.A.A.A/32] - inet - hostB [B.B.B.B/32]
#
###################################################
#
# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        #uniqueids=yes
        plutowait=no

# Connection between hostB and hostA
conn hostB-hostA
        auto=start
        type=tunnel
        left=B.B.B.B
        leftnexthop=%defaultroute
        right=A.A.A.A
        keyexchange=ike
        ikelifetime=1h
        keyingtries=5
        keylife=8h
        rekeymargin=9m
        rekeyfuzz=25%
        pfs=yes

# eof
TROUBLESHOOTING
OpenBSD:
# cat /kern/ipsec
Hashmask: 63, policy entries: 2
SPI = b77e3473, Destination = B.B.B.B, Sproto = 50
Established 0 seconds ago
Source = A.A.A.A
Flags (00001082) =
Crypto ID: 1
xform =
Encryption = <3DES>
Authentication =
0 flows have used this SA
336 bytes processed by this SA
Expirations:
Hard expiration(1) in 22650 seconds
Soft expiration(1) in 19770 seconds
SPI = d5b6a92c, Destination = A.A.A.A, Sproto = 50
Established 0 seconds ago
Source = B.B.B.B
Flags (00001082) =
Crypto ID: 2
xform =
Encryption = <3DES>
Authentication =
0 flows have used this SA
352 bytes processed by this SA
Expirations:
Hard expiration(1) in 22650 seconds
Soft expiration(1) in 19770 seconds
# netstat -rn -f encap
Routing tables
Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
B.B.B.B/32 0 A.A.A.A/32 0 0 B.B.B.B/50/require/in
A.A.A.A/32 0 B.B.B.B/32 0 0 B.B.B.B/50/require/out
# kill `cat /var/run/isakmpd.pid` ; ipsecadm flush ; isakmpd
# tail /var/log/messages
# isakmpd -d -DA=99 -D1=70
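The two peers report the same pair of security associations in different formats: OpenBSD lists each SA in /kern/ipsec by SPI and destination, and FreeS/WAN lists them in the `ipsec whack --status` output (shown in the Linux section that follows) as `esp.<spi>@<destination>`. When a tunnel passes traffic in only one direction, the quickest diagnosis is to compare the two listings. The script below is an added example, not part of the original notes or of either project: it parses both outputs and reports SPIs that one side has and the other lacks, a missing direction, a null encryption transform, and a rekey that would come after the hard expiry. The embedded text is copied from the outputs in these notes, abridged to the lines the parser reads; A.A.A.A and B.B.B.B are the anonymised addresses used throughout.

```python
"""Cross-check the IPsec SA pair as seen by OpenBSD and by FreeS/WAN (added example)."""
import re

# Constructed sample: the OpenBSD /kern/ipsec listing from these notes, abridged.
OPENBSD_KERN_IPSEC = """\
Hashmask: 63, policy entries: 2
SPI = b77e3473, Destination = B.B.B.B, Sproto = 50
        Established 0 seconds ago
        Source = A.A.A.A
        Encryption = <3DES>
        Expirations:
                Hard expiration(1) in 22650 seconds
                Soft expiration(1) in 19770 seconds
SPI = d5b6a92c, Destination = A.A.A.A, Sproto = 50
        Established 0 seconds ago
        Source = B.B.B.B
        Encryption = <3DES>
        Expirations:
                Hard expiration(1) in 22650 seconds
                Soft expiration(1) in 19770 seconds
"""

# Constructed sample: the FreeS/WAN 'ipsec whack --status' output from these notes, abridged.
LINUX_WHACK_STATUS = """\
000 interface ipsec0/lec0 B.B.B.B
000 "hostB-hostA":   policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: lec0; erouted
000 #2: "hostB-hostA" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 22647s; newest IPSEC; eroute owner
000 #2: "hostB-hostA" esp.d5b6a92c@A.A.A.A esp.b77e3473@B.B.B.B tun.1002@A.A.A.A tun.1001@B.B.B.B
"""

SA_RE = re.compile(r"SPI = ([0-9a-f]+), Destination = (\S+), Sproto = (\d+)")
EXP_RE = re.compile(r"(Hard|Soft) expiration\(\d+\) in (\d+) seconds")


def parse_kern_ipsec(text):
    """Return one dict per SA in an OpenBSD /kern/ipsec listing."""
    sas = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SA_RE.match(line)
        if m:
            sas.append({"spi": m.group(1), "dst": m.group(2), "proto": int(m.group(3)),
                        "src": None, "enc": None, "hard": None, "soft": None})
            continue
        if not sas:
            continue  # header lines before the first SA
        cur = sas[-1]
        if line.startswith("Source = "):
            cur["src"] = line.split("= ", 1)[1]
        elif line.startswith("Encryption = <"):
            cur["enc"] = line[len("Encryption = <"):-1]
        elif m := EXP_RE.match(line):
            cur[m.group(1).lower()] = int(m.group(2))
    return sas


def parse_whack_status(text):
    """Return the (spi, destination) pairs and the IPsec SA replacement time from whack output."""
    pairs = set(re.findall(r"esp\.([0-9a-f]+)@(\S+)", text))
    replace_in = None
    for line in text.splitlines():
        if "IPsec SA established" in line:
            m = re.search(r"EVENT_SA_REPLACE in (\d+)s", line)
            if m:
                replace_in = int(m.group(1))
    return {"pairs": pairs, "replace_in": replace_in}


def check_tunnel(kern_text, whack_text, local, remote):
    """Return a list of findings; an empty list means both peers agree on the SA pair."""
    problems = []
    sas = parse_kern_ipsec(kern_text)
    status = parse_whack_status(whack_text)
    by_dst = {sa["dst"]: sa for sa in sas if sa["proto"] == 50}
    # One ESP SA must terminate at each peer: dst=local carries inbound traffic, dst=remote outbound.
    for dst, direction in ((local, "inbound"), (remote, "outbound")):
        if dst not in by_dst:
            problems.append(f"no ESP SA for {direction} traffic (destination {dst})")
    for sa in by_dst.values():
        if (sa["spi"], sa["dst"]) not in status["pairs"]:
            problems.append(f"SPI {sa['spi']} to {sa['dst']} is unknown to the Linux peer")
        if not sa["enc"] or sa["enc"].lower() == "null":
            problems.append(f"SPI {sa['spi']} has no encryption; isakmpd.policy requires esp_enc_alg != null")
        if sa["hard"] is not None and sa["soft"] is not None and sa["soft"] >= sa["hard"]:
            problems.append(f"SPI {sa['spi']}: soft expiry is not before hard expiry")
    # The Linux side must not hold SPIs the OpenBSD side does not know about either.
    known = {(sa["spi"], sa["dst"]) for sa in sas}
    for spi, dst in sorted(status["pairs"] - known):
        problems.append(f"Linux peer lists esp.{spi}@{dst} that OpenBSD does not have")
    # Pluto's replacement event should fire before the OpenBSD kernel hard-expires the SAs.
    hards = [sa["hard"] for sa in sas if sa["hard"] is not None]
    if status["replace_in"] is not None and hards and status["replace_in"] > min(hards):
        problems.append("Linux rekey is scheduled after the OpenBSD hard expiry")
    return problems


if __name__ == "__main__":
    findings = check_tunnel(OPENBSD_KERN_IPSEC, LINUX_WHACK_STATUS, "A.A.A.A", "B.B.B.B")
    print("\n".join(findings) if findings else "both peers agree on the SA pair")
```

To use it against live hosts, capture `cat /kern/ipsec` on hostA and `ipsec whack --status` on hostB and pass the two texts to check_tunnel with hostA's address as local. A finding of "unknown to the Linux peer" after a restart of one side is the usual sign that the other side still holds stale SAs; that is exactly the case the `ipsecadm flush` above clears.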
Linux:
# ipsec whack --status
000 interface ipsec0/lec0 B.B.B.B
000
000 "hostB-hostA": B.B.B.B---B.B.B.1...A.A.A.A
000 "hostB-hostA":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 25%; keyingtries: 5
000 "hostB-hostA":   policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: lec0; erouted
000 "hostB-hostA":   newest ISAKMP SA: #5; newest IPsec SA: #2; eroute owner: #2
000
000 #5: "hostB-hostA" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 882s; newest ISAKMP
000 #2: "hostB-hostA" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 22647s; newest IPSEC; eroute owner
000 #2: "hostB-hostA" esp.d5b6a92c@A.A.A.A esp.b77e3473@B.B.B.B tun.1002@A.A.A.A tun.1001@B.B.B.B

# ipsec look
hostB Thu Feb 28 18:11:38 EST 2002
B.B.B.B/32 -> A.A.A.A/32 => tun0x1002@A.A.A.A esp0xd5b6a92c@A.A.A.A (10)
ipsec0->lec0 mtu=16260(1443)->1500
esp0xb77e3473@B.B.B.B ESP_3DES_HMAC_MD5: dir=in src=A.A.A.A iv_bits=64bits \
 iv=0x0734bc1b32b9ad8a ooowin=64 seq=4 bit=0xf alen=128 aklen=128 eklen=192 \
 life(c,s,h)=bytes(416,0,0)addtime(167757,0,0)usetime(167770,0,0)packets(4,0,0) idle=5664
esp0xd5b6a92c@A.A.A.A ESP_3DES_HMAC_MD5: dir=out src=B.B.B.B iv_bits=64bits \
 iv=0x334b40d0c3e2ee96 ooowin=64 seq=5 alen=128 aklen=128 eklen=192 \
 life(c,s,h)=bytes(680,0,0)addtime(167757,0,0)usetime(167769,0,0)packets(5,0,0) idle=5664
tun0x1001@B.B.B.B IPIP: dir=in src=A.A.A.A life(c,s,h)=bytes(416,0,0)addtime(167757,0,0)usetime(167770,0,0)packets(4,0,0) idle=5664
tun0x1002@A.A.A.A IPIP: dir=out src=B.B.B.B life(c,s,h)=bytes(520,0,0)addtime(167757,0,0)usetime(167769,0,0)packets(5,0,0) idle=5664
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         B.B.B.1         0.0.0.0         UG       40 0          0 lec0
B.B.B.0         0.0.0.0         255.255.255.0   U        40 0          0 ipsec0
B.B.B.0         0.0.0.0         255.255.255.0   U        40 0          0 lec0
A.A.A.A         B.B.B.1         255.255.255.255 UGH      40 0          0 ipsec0

# dmesg | grep -i ipsec
klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.95

# /etc/init.d/ipsec restart

# tail /var/log/daemon.log
Feb 28 16:31:57 hostB ipsec_setup: Starting FreeS/WAN IPsec 1.95...
Feb 28 16:31:57 hostB ipsec_setup: KLIPS debug `none'
Feb 28 16:31:58 hostB ipsec_setup: KLIPS ipsec0 on lec0 B.B.B.B/255.255.255.0 broadcast B.B.B.255
Feb 28 16:31:58 hostB ipsec_setup: ...FreeS/WAN IPsec started

# tail /var/log/auth.log
Feb 28 16:36:30 hostB ipsec__plutorun: Starting Pluto subsystem...
Feb 28 16:36:31 hostB Pluto[13352]: adding interface ipsec0/lec0 B.B.B.B
Feb 28 16:36:31 hostB Pluto[13352]: loading secrets from "/etc/ipsec.secrets"
Feb 28 16:36:44 hostB Pluto[13352]: "hostB-hostA" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Feb 28 16:36:57 hostB Pluto[13352]: "hostB-hostA" #2: sent QI2, IPsec SA established

Posted by edobbs at February 28, 2002 05:36 PM
Original content copyright ©1995-2006 Eric Dobbs, except where otherwise noted.
