a little help with ipsec


a little help with ipsec

Marko Cupać
Hi,

I am trying to set up IPsec VPN between fixed-ip central location and
dynamic-ip branch office. It works well once established, but when
public ip of branch office changes, it never re-establishes again. I
guess I misunderstood "dead peer detection" mechanism, which I hoped
will take care of realising the other side is dead, and try to
re-negotiate.

Is my ipsec.conf below optimal for such setup? Is it ok to use
"dynamic" on both sides or should I use "passive" in central office?
Should I go for "aggressive" instead of "main" in branch office?

I can re-establish VPN by restarting no-ip2 on branch host, manually
restarting isakmpd, flushing SAs and reloading ipsec.conf with
ipsecctl after both hosts become aware that gate.noip.me points
to a new address. Should I script this with some pinger, or is there a
better way to accomplish my goal?

Thank you in advance.

ipsec.conf:
# central config
lan_central = "192.168.33.0/24"
lan_branche = "10.30.8.0/22"
gw_central =  "vpn.example.org" # <--- static
gw_branche =  "gate.noip.me" # <--- noip dynamic dns


ike dynamic esp from $gw_central to $gw_branche \
   main auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
   quick auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
   psk "hackme"

ike dynamic esp from $lan_central to $lan_branche peer $gw_branche \
   main auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
   quick auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
   psk "hackme"

# branch config
lan_central = "192.168.33.0/24"
lan_branche = "10.30.8.0/22"
gw_central =  "vpn.example.org" # <--- static
gw_branche =  "pppoe0"


ike dynamic esp from $gw_branche to $gw_central \
   main auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
   quick auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
   psk "hackme"

ike dynamic esp from $lan_branche to $lan_central peer $gw_central \
   main auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
   quick auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
   psk "hackme"
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/

Re: a little help with ipsec

Stuart Henderson
On 2015-12-01, Marko Cupać <[hidden email]> wrote:

> Hi,
>
> I am trying to set up IPsec VPN between fixed-ip central location and
> dynamic-ip branch office. It works well once established, but when
> public ip of branch office changes, it never re-establishes again. I
> guess I misunderstood "dead peer detection" mechanism, which I hoped
> will take care of realising the other side is dead, and try to
> re-negotiate.
>
> Is my ipsec.conf below optimal for such setup? Is it ok to use
> "dynamic" on both sides or should I use "passive" in central office?
> Should I go for "aggressive" instead of "main" in branch office?

Do not use aggressive mode.

> I can re-establish VPN by restarting no-ip2 on branch host, manually
> restarting isakmpd, flushing SAs and reloading ipsec.conf with
> ipsecctl after both hosts become aware that gate.noip.me points
> to a new address. Should I script this with some pinger, or is there a
> better way to accomplish my goal?
>
> Thank you in advance.
>
> ipsec.conf:
> # central config
> lan_central = "192.168.33.0/24"
> lan_branche = "10.30.8.0/22"
> gw_central =  "vpn.example.org" # <--- static
> gw_branche =  "gate.noip.me" # <--- noip dynamic dns
>
>
> ike dynamic esp from $gw_central to $gw_branche \
>    main auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
>    quick auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
>    psk "hackme"
>
> ike dynamic esp from $lan_central to $lan_branche peer $gw_branche \
>    main auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
>    quick auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
>    psk "hackme"

Neither isakmpd nor iked tracks DNS changes. On the central side use
"passive" not "dynamic". Remove the "peer $gw_branche" to set this for the
'default peer' (i.e. to avoid matching on IP address).

Do you really need the first flow? It will simplify things if you can restrict
yourself to $lan_branche addresses and just have the second flow. (Otherwise
because you want to use the 'default peer' you'll need to collapse these into
a single rule with "to any").

It might be easier to get the basic setup working with psk first, but when
you have that up and running, see the PUBLIC KEY AUTHENTICATION section
in isakmpd(8) and get that setup, it is pretty simple to use and much safer
than psk.

> # branch config
> lan_central = "192.168.33.0/24"
> lan_branche = "10.30.8.0/22"
> gw_central =  "vpn.example.org" # <--- static
> gw_branche =  "pppoe0"
>
>
> ike dynamic esp from $gw_branche to $gw_central \
>    main auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
>    quick auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
>    psk "hackme"

See above "Do you really need the first flow?". (If you do, you're going
to need to at least monitor addresses on pppoe0 on the client side and
restart; it won't track changes automatically).

The aim is to avoid having anything in config files which references the
dynamic address.

> ike dynamic esp from $lan_branche to $lan_central peer $gw_central \
>    main auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
>    quick auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
>    psk "hackme"
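
The two ipsec.conf files as they look after applying the advice above (passive on the static side, no "peer" so the rule becomes the default peer, only the LAN-to-LAN flow kept), written out here as an added example rather than as either poster's own configuration; addresses and the placeholder psk are the ones from the thread:

```conf
# Central (static IP) side: /etc/ipsec.conf
# Nothing here names the branch's dynamic address or its DNS name.
lan_central = "192.168.33.0/24"
lan_branche = "10.30.8.0/22"

# "passive": wait for the branch to initiate.  With no "peer" keyword this
# rule is the default peer, so it matches whichever address the branch
# shows up from.  Only the LAN-to-LAN flow is kept; if a gateway-to-gateway
# flow really is needed it has to be folded into this one rule as "to any".
ike passive esp from $lan_central to $lan_branche \
    main auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
    quick auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
    psk "hackme"   # placeholder from the thread; once the tunnel is up,
                   # replace with PUBLIC KEY AUTHENTICATION per isakmpd(8)

# Branch (dynamic IP) side: /etc/ipsec.conf
# The branch initiates ("dynamic") towards the fixed address, so it is
# the only side that needs to know a peer name at all.
lan_central = "192.168.33.0/24"
lan_branche = "10.30.8.0/22"
gw_central  = "vpn.example.org"   # static, so resolving it once at startup is fine

ike dynamic esp from $lan_branche to $lan_central peer $gw_central \
    main auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
    quick auth hmac-sha2-256 enc aes-256 group modp4096 lifetime 3600 \
    psk "hackme"
```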

Re: a little help with ipsec

Marko Cupać
On Tue, 1 Dec 2015 23:49:37 +0000 (UTC)
Stuart Henderson <[hidden email]> wrote:

> Neither isakmpd nor iked tracks DNS changes.

This is good to know, thank you for the information.

> On the central side use "passive" not "dynamic". Remove the "peer
> $gw_branche" to set this for the 'default peer' (i.e. to avoid
> matching on IP address).
>
> Do you really need the first flow? It will simplify things if you can
> restrict yourself to $lan_branche addresses and just have the second
> flow. (Otherwise because you want to use the 'default peer' you'll
> need to collapse these into a single rule with "to any").

Also very helpful. All the examples I found, including the "AUTOMATIC
KEYING" section of ipsec.conf, have a flow between gateways configured. I
tried without them first, but I couldn't make it work. Only later did I
discover it was related to the firewall rule, but I forgot to retry
without the gateway-to-gateway flow once I fixed it.

> It might be easier to get the basic setup working with psk first, but
> when you have that up and running, see the PUBLIC KEY AUTHENTICATION
> section in isakmpd(8) and get that setup, it is pretty simple to use
> and much safer than psk.

That was the idea from the beginning; I didn't want to complicate
things further before having the basic setup working.

Regards,
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/

Re: a little help with ipsec

Christopher Sean Hilton
On Wed, Dec 02, 2015 at 03:53:46PM +0100, Marko Cupać wrote:

> On Tue, 1 Dec 2015 23:49:37 +0000 (UTC)
> Stuart Henderson <[hidden email]> wrote:
>
> > Neither isakmpd nor iked tracks DNS changes.
>
> This is good to know, thank you for the information.
>
> > On the central side use "passive" not "dynamic". Remove the "peer
> > $gw_branche" to set this for the 'default peer' (i.e. to avoid
> > matching on IP address).
> >

[ ...snip ]

> > It might be easier to get the basic setup working with psk first, but
> > when you have that up and running, see the PUBLIC KEY AUTHENTICATION
> > section in isakmpd(8) and get that setup, it is pretty simple to use
> > and much safer than psk.
>
> That was the idea from the beginning, didn't want to complicate further
> before having basic setup working.
>

You have things working as well as they can if you have a dynamic IP
address for one endpoint. It's really too bad that ipsec is such a
black box in this area. You really have to deconstruct IPsec to
understand the mechanisms that it uses to identify a peer and choose a
configuration.

When your ipsec.conf file specifies multiple stanzas corresponding to
different tunnels, isakmpd or iked has to figure out which peer
it's talking to. Let's call this peer endpoint identification. It has
to do this so it can apply the correct stanza to the connecting
peer. It can identify a peer via IP address, FQDN from DNS, or via a
key or certificate. Alternatively your static side configuration can
specify a default and, if the dynamic side only needs to present the
correct key, the static side can establish the tunnel. As someone
mentioned above, both isakmpd and iked do a DNS lookup at program
startup and then never consult DNS again. The implication of "once at
startup DNS" is that using FQDN via DNS with a dynamic IP is always
going to be problematic.

You know that the tunnel parameters you have are set up correctly on
both sides because the tunnel works initially. If your dynamic side is
truly dynamic what's happening is this:

     The dynamic side tries to renegotiate because its IP address
     changed;

     The static side rejects the negotiation because it hasn't updated
     its config to match the new state in DNS.

Moving to public keys will fix the renegotiation problem by using an
identification token that's independent of DNS.

-- Chris
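
For the fallback Stuart mentions (a flow that still references the dynamic address, so pppoe0 has to be monitored and isakmpd restarted), here is the manual sequence from the first post turned into a small watcher. This is an added example, not from the thread; it assumes OpenBSD's ifconfig(8) output format, ipsecctl(8) and rcctl(8), and the interface name pppoe0 from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: poll pppoe0 and, when its inet
# address changes, redo the manual sequence (flush SAs, restart
# isakmpd so it re-resolves names, reload ipsec.conf).  Assumes OpenBSD
# ifconfig(8) output, ipsecctl(8) and rcctl(8).
IFACE="${IFACE:-pppoe0}"
CONF="${CONF:-/etc/ipsec.conf}"
INTERVAL="${INTERVAL:-30}"
# Constructed sample of OpenBSD ifconfig(8) output, for offline checking.
SAMPLE_IFCONFIG='pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        groups: pppoe egress
        inet6 fe80::1%pppoe0 prefixlen 64 scopeid 0x6
        inet 203.0.113.7 --> 198.51.100.1 netmask 0xffffffff'

# First IPv4 address in ifconfig output given as $1 (empty if none, e.g.
# while the PPPoE session is down).  Exact match skips "inet6" lines.
parse_inet_addr() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }'
}

# "yes" only when both the previous ($1) and current ($2) addresses are
# known and differ: no restart on first poll or while the link is down.
needs_reload() {
    if [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]; then
        echo yes
    else
        echo no
    fi
}

# The re-establish sequence from the original post.
reestablish() {
    ipsecctl -F              # flush flows and SAs
    rcctl restart isakmpd    # names are resolved only at startup
    ipsecctl -f "$CONF"      # reload the rules
}
# Watch loop; only runs when invoked as: sh ipsec-watch.sh run
if [ "${1:-}" = "run" ]; then
    last=""
    while :; do
        addr=$(parse_inet_addr "$(ifconfig "$IFACE" 2>/dev/null)")
        if [ "$(needs_reload "$last" "$addr")" = yes ]; then
            logger -t ipsec-watch "$IFACE now $addr, re-establishing VPN"
            reestablish
        fi
        [ -n "$addr" ] && last="$addr"
        sleep "$INTERVAL"
    done
fi
```

Start it from rc.local or a cron-managed supervisor with the `run` argument; without it the script only defines its functions.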
