OpenBSD 5.5 ISAKMPD


OpenBSD 5.5 ISAKMPD

mottycruz
Hello All,

I'm trying to set up an IPsec tunnel using the following parameters.
Phase 1
exchange encryption: AES256
Data Integrity: SHA256
DH: group 20
Aggressive Mode

phase 2
encryption: AESGCM256
HASH: SHA384

I can't find examples to configure isakmpd.conf using parameters above.

[fw2-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             AES256-SHA2-GRP20

[fw2-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-AESGCM-SHA2-SUITE

[QM-ESP-AESGCM-256-SHA2-SUITE]
TRANSFORM_ID=                           AESGCM
ENCAPSULATION_MODE=             TUNNEL
AUTHENTICATION_ALGORITHM=   HMAC_SHA2
GROUP_DESCRIPTION=              EC_384
Life=                           LIFE_3600_SECS

Using this configuration I get the following error:
isakmpd[30247]: exchange_run: doi->initiato

Thanks in advance,
-Motty


Re: OpenBSD 5.5 ISAKMPD

Maxim Bourmistrov-5
Hey,
You probably want to start with ipsec.conf(5).
isakmpd.conf is generated out of ipsec.conf.
I think people running 5.4+ don’t even use it any more.

Br

//mxb

> On 16 jan 2015, at 21:22, Motty Cruz <[hidden email]> wrote:
>
> Hello All,
>
> I'm trying to set up an IPsec tunnel using the following parameters.
> Phase 1
> exchange encryption: AES256
> Data Integrity: SHA256
> DH: group 20
> Aggressive Mode
>
> phase 2
> encryption: AESGCM256
> HASH: SHA384
>
> I can't find examples to configure isakmpd.conf using parameters above.
>
> [fw2-main-mode]
> DOI=                    IPSEC
> EXCHANGE_TYPE=          ID_PROT
> Transforms=             AES256-SHA2-GRP20
>
> [fw2-quick-mode]
> DOI=                    IPSEC
> EXCHANGE_TYPE=          QUICK_MODE
> Suites=                 QM-ESP-AESGCM-SHA2-SUITE
>
> [QM-ESP-AESGCM-256-SHA2-SUITE]
> TRANSFORM_ID=                           AESGCM
> ENCAPSULATION_MODE=             TUNNEL
> AUTHENTICATION_ALGORITHM=   HMAC_SHA2
> GROUP_DESCRIPTION=              EC_384
> Life=                           LIFE_3600_SECS
>
> Using this configuration I get the following error:
> isakmpd[30247]: exchange_run: doi->initiato
>
> Thanks in advance,
> -Motty


Re: OpenBSD 5.5 ISAKMPD

mottycruz
Thanks Br,

I tried it, but it did not generate isakmpd for me.

Do you have any idea what "exchange_run: doi->initiator" means?

Thanks,
Motty
On 01/16/2015 01:16 PM, mxb wrote:

> Hey,
> You probably want to start with ipsec.conf(5).
> isakmpd.conf is generated out of ipsec.conf.
> I think people running 5.4+ don’t even use it any more.
>
> Br
>
> //mxb
>
>> On 16 jan 2015, at 21:22, Motty Cruz <[hidden email]> wrote:
>>
>> Hello All,
>>
>> I'm trying to set up an IPsec tunnel using the following parameters.
>> Phase 1
>> exchange encryption: AES256
>> Data Integrity: SHA256
>> DH: group 20
>> Aggressive Mode
>>
>> phase 2
>> encryption: AESGCM256
>> HASH: SHA384
>>
>> I can't find examples to configure isakmpd.conf using parameters above.
>>
>> [fw2-main-mode]
>> DOI=                    IPSEC
>> EXCHANGE_TYPE=          ID_PROT
>> Transforms=             AES256-SHA2-GRP20
>>
>> [fw2-quick-mode]
>> DOI=                    IPSEC
>> EXCHANGE_TYPE=          QUICK_MODE
>> Suites=                 QM-ESP-AESGCM-SHA2-SUITE
>>
>> [QM-ESP-AESGCM-256-SHA2-SUITE]
>> TRANSFORM_ID=                           AESGCM
>> ENCAPSULATION_MODE=             TUNNEL
>> AUTHENTICATION_ALGORITHM=   HMAC_SHA2
>> GROUP_DESCRIPTION=              EC_384
>> Life=                           LIFE_3600_SECS
>>
>> Using this configuration I get the following error:
>> isakmpd[30247]: exchange_run: doi->initiato
>>
>> Thanks in advance,
>> -Motty


Re: OpenBSD 5.5 ISAKMPD

mottycruz
Hello All,
It is actually OpenBSD 4.8, not OpenBSD 5.5. I apologize for the mistake.

I still get the exchange_run: doi->initiator error, not even sure what
to look for.

Thanks,
Motty

On 01/16/2015 01:16 PM, mxb wrote:

> Hey,
> You probably want to start with ipsec.conf(5).
> isakmpd.conf is generated out of ipsec.conf.
> I think people running 5.4+ don’t even use it any more.
>
> Br
>
> //mxb
>
>> On 16 jan 2015, at 21:22, Motty Cruz <[hidden email]> wrote:
>>
>> Hello All,
>>
>> I'm trying to set up an IPsec tunnel using the following parameters.
>> Phase 1
>> exchange encryption: AES256
>> Data Integrity: SHA256
>> DH: group 20
>> Aggressive Mode
>>
>> phase 2
>> encryption: AESGCM256
>> HASH: SHA384
>>
>> I can't find examples to configure isakmpd.conf using parameters above.
>>
>> [fw2-main-mode]
>> DOI=                    IPSEC
>> EXCHANGE_TYPE=          ID_PROT
>> Transforms=             AES256-SHA2-GRP20
>>
>> [fw2-quick-mode]
>> DOI=                    IPSEC
>> EXCHANGE_TYPE=          QUICK_MODE
>> Suites=                 QM-ESP-AESGCM-SHA2-SUITE
>>
>> [QM-ESP-AESGCM-256-SHA2-SUITE]
>> TRANSFORM_ID=                           AESGCM
>> ENCAPSULATION_MODE=             TUNNEL
>> AUTHENTICATION_ALGORITHM=   HMAC_SHA2
>> GROUP_DESCRIPTION=              EC_384
>> Life=                           LIFE_3600_SECS
>>
>> Using this configuration I get the following error:
>> isakmpd[30247]: exchange_run: doi->initiato
>>
>> Thanks in advance,
>> -Motty


Re: OpenBSD 5.5 ISAKMPD

Daniel Ouellet
Just go to 5.6, or even better to current, which is almost 5.7 now, and use
ikev2 instead.

Much simpler to use.

At a minimum just give it a trial for fun if you like. You may fall in
love with it. (:>

4.8 is so old that I am not sure anyone will care to answer it, or even
remember if they had issue with it or not.

On 1/16/15 6:24 PM, Motty Cruz wrote:

> Hello All,
> It is actually OpenBSD 4.8, not OpenBSD 5.5. I apologize for the mistake.
>
> I still get the exchange_run: doi->initiator error, not even sure what
> to look for.
>
> Thanks,
> Motty
>
> On 01/16/2015 01:16 PM, mxb wrote:
>> Hey,
>> You probably want to start with ipsec.conf(5).
>> isakmpd.conf is generated out of ipsec.conf.
>> I think people running 5.4+ don’t even use it any more.
>>
>> Br
>>
>> //mxb
>>
>>> On 16 jan 2015, at 21:22, Motty Cruz <[hidden email]> wrote:
>>>
>>> Hello All,
>>>
>>> I'm trying to set up an IPsec tunnel using the following parameters.
>>> Phase 1
>>> exchange encryption: AES256
>>> Data Integrity: SHA256
>>> DH: group 20
>>> Aggressive Mode
>>>
>>> phase 2
>>> encryption: AESGCM256
>>> HASH: SHA384
>>>
>>> I can't find examples to configure isakmpd.conf using parameters above.
>>>
>>> [fw2-main-mode]
>>> DOI=                    IPSEC
>>> EXCHANGE_TYPE=          ID_PROT
>>> Transforms=             AES256-SHA2-GRP20
>>>
>>> [fw2-quick-mode]
>>> DOI=                    IPSEC
>>> EXCHANGE_TYPE=          QUICK_MODE
>>> Suites=                 QM-ESP-AESGCM-SHA2-SUITE
>>>
>>> [QM-ESP-AESGCM-256-SHA2-SUITE]
>>> TRANSFORM_ID=                           AESGCM
>>> ENCAPSULATION_MODE=             TUNNEL
>>> AUTHENTICATION_ALGORITHM=   HMAC_SHA2
>>> GROUP_DESCRIPTION=              EC_384
>>> Life=                           LIFE_3600_SECS
>>>
>>> Using this configuration I get the following error:
>>> isakmpd[30247]: exchange_run: doi->initiato
>>>
>>> Thanks in advance,
>>> -Motty


Re: OpenBSD 5.5 ISAKMPD

Boris Goldberg
Hello Motty,

Friday, January 16, 2015, 5:24:33 PM, you wrote:

MC> It is actually OpenBSD 4.8, not OpenBSD 5.5. I apologize for the mistake.

>>> I'm trying to set up an IPsec tunnel using the following parameters.
>>> Phase 1
>>> exchange encryption: AES256
>>> Data Integrity: SHA256
>>> DH: group 20
>>> Aggressive Mode
>>>
>>> phase 2
>>> encryption: AESGCM256
>>> HASH: SHA384

  Looking at the manual page for isakmpd.conf, OpenBSD-4.8:
  {group} is either GRP1, GRP2, GRP5, GRP14, or GRP15, so it seems group 20
isn't supported (not even in current, according to the man page).
  Support for AESGCM starts in 5.0 (again, according to the man page).
  Not sure if you can use just SHA2 (rather than SHA2-256 or SHA2-384).

  Start with the suite examples from the man page (of your system). Only if
they work, try to adjust them (if really needed).

  Make sure there are no trailing spaces in your isakmpd.conf. I've had a
lot of "fun" with it in the past. Could have been fixed since, though.

--
Best regards,
 Boris                            mailto:[hidden email]
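As an added illustration of the checks Boris suggests (this is not code from the thread or from OpenBSD), the Python script below lints a constructed isakmpd.conf fragment modelled on Motty's for trailing whitespace, for main-mode transform names using a DH group outside the GRP1/2/5/14/15 list he quotes, and for Suites= names that are referenced but never defined as a section; note that the posted fragment's Suites= value QM-ESP-AESGCM-SHA2-SUITE does not match its section header QM-ESP-AESGCM-256-SHA2-SUITE. The set of section-referencing keys and the predefined-section parameter are assumptions; check isakmpd.conf(5) for your release.

```python
# Constructed sample modelled on the isakmpd.conf fragment posted in this thread
# (not the poster's actual file). It reproduces a trailing space after IPSEC, a
# main-mode transform naming DH group 20, and a Suites= value that does not match
# the suite section actually defined below it.
SAMPLE_CONF = "\n".join([
    "[fw2-main-mode]",
    "DOI=                    IPSEC" + " ",   # trailing space, deliberately
    "EXCHANGE_TYPE=          ID_PROT",
    "Transforms=             AES256-SHA2-GRP20",
    "[fw2-quick-mode]",
    "DOI=                    IPSEC",
    "EXCHANGE_TYPE=          QUICK_MODE",
    "Suites=                 QM-ESP-AESGCM-SHA2-SUITE",
    "[QM-ESP-AESGCM-256-SHA2-SUITE]",
    "TRANSFORM_ID=                           AESGCM",
    "ENCAPSULATION_MODE=             TUNNEL",
    "AUTHENTICATION_ALGORITHM=   HMAC_SHA2",
    "GROUP_DESCRIPTION=              EC_384",
    "Life=                           LIFE_3600_SECS",
])

# DH groups allowed in main-mode transform names, as quoted from the 4.8 man page.
SUPPORTED_GROUPS = {"GRP1", "GRP2", "GRP5", "GRP14", "GRP15"}
# Assumed keys whose values name other sections (Transforms is handled apart).
SECTION_REF_KEYS = {"Suites", "Protocols", "Life"}

def lint_isakmpd_conf(text, predefined=frozenset()):
    """Return sorted (line_no, message) findings. `predefined` lists section names
    isakmpd supplies itself (e.g. lifetime sections) so they are not flagged."""
    findings, sections, refs = [], set(), []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw != raw.rstrip():
            findings.append((n, "trailing whitespace"))
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            sections.add(line[1:-1])
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key in SECTION_REF_KEYS:
                refs += [(n, v.strip()) for v in value.split(",")]
            elif key == "Transforms":
                # Names follow {cipher}-{hash}-{group}; only the group suffix is checked.
                for name in value.split(","):
                    grp = name.strip().rsplit("-", 1)[-1]
                    if grp.startswith("GRP") and grp not in SUPPORTED_GROUPS:
                        findings.append((n, "unsupported DH group " + grp))
    findings += [(n, "undefined section " + name)
                 for n, name in refs if name not in sections | predefined]
    return sorted(findings)
```

Run against the sample with `predefined={"LIFE_3600_SECS"}` it reports the trailing space on line 2, GRP20 on line 4 and the undefined suite on line 8, while the built-in lifetime section on line 14 is left alone.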


Re: OpenBSD 5.5 ISAKMPD

Stuart Henderson
On 2015-01-17, Daniel Ouellet <[hidden email]> wrote:
> Just go to 5.6 or even better to current that is almost 5.7 now and use
> ikev2 instead.

This might add confusion though, ikev2 (iked) isn't compatible with v1,
and I'm imagining that somebody with a specific set of parameters to use will
be connecting to an existing vpn.


Re: OpenBSD 5.5 ISAKMPD

Daniel Ouellet
On 1/19/15 3:19 AM, Stuart Henderson wrote:
> On 2015-01-17, Daniel Ouellet <[hidden email]> wrote:
>> Just go to 5.6 or even better to current that is almost 5.7 now and use
>> ikev2 instead.
>
> This might add confusion though, ikev2 (iked) isn't compatible with v1,
> and I'm imagining that somebody with a specific set of parameters to use will
> be connecting to an existing vpn.
>

True, but the man page indicates this clearly. I assume someone would
read the man page. Or they may use this instead of version 1. But
yes, you are 100% correct.

As I said at the end of my suggestion, try it and he may fall in love
with it. I didn't say it was the solution for all.