isakmpd ignoring contents of /etc/ipsec.conf


isakmpd ignoring contents of /etc/ipsec.conf

bernd-34
Hi @misc,

I'm trying to set up a site-to-site IPSec tunnel. I'm using vanilla
OpenBSD 6.2 amd64 (dmesg below).

My /etc/ipsec.conf looks like this:

ike esp from any to any peer x.y.z.0/27 \
  main auth hmac-sha2-256 enc aes-256 group modp2048 \
  psk "myverygoodsecretPSK"

(As can be seen, I want the settings to be applied to a /27 network,
from where the tunnel initiation is sent out of. I also tried to use a
fixed, single IP address, i.e. x.y.z.23, and tried to fire up IPSec from
there – it also failed.)

isakmpd is being started as described in ipsec.conf(5) et al: ``-K'' set
as its flag(s) in /etc/rc.conf.local

However, it seems to ignore the settings made in ipsec.conf (without
complaining about them, though):

Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
HASH_ALGORITHM: got MD5, expected SHA
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
HASH_ALGORITHM: got MD5, expected SHA
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
HASH_ALGORITHM: got SHA2_256, expected SHA
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
GROUP_DESCRIPTION: got MODP_768, expected MODP_1024
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
HASH_ALGORITHM: got SHA2_256, expected SHA
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 14:01:20 myhostname isakmpd[55480]: message_negotiate_sa: no
compatible proposal found
Dec  1 14:01:20 myhostname isakmpd[55480]: dropped message from x.y.z.1
port 500 due to notification type NO_PROPOSAL_CHOSEN

For example, ENCRYPTION_ALGORITHM is clearly not what was set in
/etc/ipsec.conf, but rather a default. Same applies to GROUP_DESCRIPTION
and HASH_ALGORITHM.

As a result, the IPSec tunnel can not be established. What did I
overlook here?

Thanks in advance for any hints.

Best

Bernd


Re: isakmpd ignoring contents of /etc/ipsec.conf

Jeremie Courreges-Anglas-2
On Wed, Dec 06 2017, Bernd <[hidden email]> wrote:

> Hi @misc,
>
> I'm trying to set up a site-to-site IPSec tunnel. I'm using vanilla
> OpenBSD 6.2 amd64 (dmesg below).
>
> My /etc/ipsec.conf looks like this:
>
> ike esp from any to any peer x.y.z.0/27 \
>  main auth hmac-sha2-256 enc aes-256 group modp2048 \
>  psk "myverygoodsecretPSK"
>
> (As can be seen, I want the settings to be applied to a /27 network,
> from where the tunnel initiation is sent out of. I also tried to use
> a fixed, single IP address, i.e. x.y.z.23, and tried to fire up IPSec
> from there – it also failed.)
>
> isakmpd is being started as described in ipsec.conf(5) et al: ``-K'' set
> as its flag(s) in /etc/rc.conf.local
>
> However, it seems to ignore the settings made in ipsec.conf (without
> complaining about them, though):
>
> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> HASH_ALGORITHM: got MD5, expected SHA
> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> HASH_ALGORITHM: got MD5, expected SHA
> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> HASH_ALGORITHM: got SHA2_256, expected SHA
> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> GROUP_DESCRIPTION: got MODP_768, expected MODP_1024
> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> HASH_ALGORITHM: got SHA2_256, expected SHA
> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
> Dec  1 14:01:20 myhostname isakmpd[55480]: message_negotiate_sa: no
> compatible proposal found
> Dec  1 14:01:20 myhostname isakmpd[55480]: dropped message from x.y.z.1
> port 500 due to notification type NO_PROPOSAL_CHOSEN
>
> For example, ENCRYPTION_ALGORITHM is clearly not what was set in
> /etc/ipsec.conf, but rather a default. Same applies to GROUP_DESCRIPTION
> and HASH_ALGORITHM.
>
> As a result, the IPSec tunnel can not be established. What did
> I overlook here?

Looks like ipsec.conf(5) was not loaded, see the manpage, paragraph 4 of
DESCRIPTION.

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE


Re: isakmpd ignoring contents of /etc/ipsec.conf

bernd-34
Am 2017-12-06 18:26, schrieb Jeremie Courreges-Anglas:

> On Wed, Dec 06 2017, Bernd <[hidden email]> wrote:
>> Hi @misc,
>>
>> I'm trying to set up a site-to-site IPSec tunnel. I'm using vanilla
>> OpenBSD 6.2 amd64 (dmesg below).
>>
>> My /etc/ipsec.conf looks like this:
>>
>> ike esp from any to any peer x.y.z.0/27 \
>>  main auth hmac-sha2-256 enc aes-256 group modp2048 \
>>  psk "myverygoodsecretPSK"
>>
>> (As can be seen, I want the settings to be applied to a /27 network,
>> from where the tunnel initiation is sent out of. I also tried to use
>> a fixed, single IP address, i.e. x.y.z.23, and tried to fire up IPSec
>> from there – it also failed.)
>>
>> isakmpd is being started as described in ipsec.conf(5) et al: ``-K''
>> set
>> as its flag(s) in /etc/rc.conf.local
>>
>> However, it seems to ignore the settings made in ipsec.conf (without
>> complaining about them, though):
>>
>> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
>> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
>> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> HASH_ALGORITHM: got MD5, expected SHA
>> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
>> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> HASH_ALGORITHM: got MD5, expected SHA
>> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
>> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> HASH_ALGORITHM: got SHA2_256, expected SHA
>> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
>> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
>> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> GROUP_DESCRIPTION: got MODP_768, expected MODP_1024
>> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
>> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
>> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> HASH_ALGORITHM: got SHA2_256, expected SHA
>> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
>> Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
>> ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
>> Dec  1 14:01:20 myhostname isakmpd[55480]: message_negotiate_sa: no
>> compatible proposal found
>> Dec  1 14:01:20 myhostname isakmpd[55480]: dropped message from
>> x.y.z.1
>> port 500 due to notification type NO_PROPOSAL_CHOSEN
>>
>> For example, ENCRYPTION_ALGORITHM is clearly not what was set in
>> /etc/ipsec.conf, but rather a default. Same applies to
>> GROUP_DESCRIPTION
>> and HASH_ALGORITHM.
>>
>> As a result, the IPSec tunnel can not be established. What did
>> I overlook here?
>
> Looks like ipsec.conf(5) was not loaded, see the manpage, paragraph 4
> of
> DESCRIPTION.

Hi,

ipsec=YES is set in rc.conf.local:

# cat /etc/rc.conf.local
isakmpd_flags="-K"
ipsec=YES               # IPsec

# sysctl -a | grep ipsec
net.inet.ip.ipsec-expire-acquire=30
net.inet.ip.ipsec-invalid-life=60
net.inet.ip.ipsec-pfs=1
net.inet.ip.ipsec-soft-allocs=0
net.inet.ip.ipsec-allocs=0
net.inet.ip.ipsec-soft-bytes=0
net.inet.ip.ipsec-bytes=0
net.inet.ip.ipsec-timeout=86400
net.inet.ip.ipsec-soft-timeout=80000
net.inet.ip.ipsec-soft-firstuse=3600
net.inet.ip.ipsec-firstuse=7200
net.inet.ip.ipsec-enc-alg=aes
net.inet.ip.ipsec-auth-alg=hmac-sha1
net.inet.ip.ipsec-comp-alg=deflate

Best

Bernd


Re: isakmpd ignoring contents of /etc/ipsec.conf

Jeremie Courreges-Anglas-2
On Thu, Dec 07 2017, Bernd <[hidden email]> wrote:
> Am 2017-12-06 18:26, schrieb Jeremie Courreges-Anglas:
>> On Wed, Dec 06 2017, Bernd <[hidden email]> wrote:

[...]

>>> As a result, the IPSec tunnel can not be established. What did
>>> I overlook here?
>>
>> Looks like ipsec.conf(5) was not loaded, see the manpage, paragraph
>> 4 of
>> DESCRIPTION.
>
> Hi,
>
> ipsec=YES is set in rc.conf.local:
>
> # cat /etc/rc.conf.local
> isakmpd_flags="-K"
> ipsec=YES               # IPsec

OK, then let's go back to your config: did you test it for validity?

  ritchie ~$ cat /tmp/ipsec.conf
  ike esp from any to any peer 192.0.2.1/27 \
   main auth hmac-sha2-256 enc aes-256 group modp2048 \
   psk "myverygoodsecretPSK"
  ritchie ~$ ipsecctl -nvf /tmp/ipsec.conf
  /tmp/ipsec.conf: 1: syntax error
  ipsecctl: Syntax error in config file: ipsec rules not loaded
  ritchie ~$

Drop the /27 and ipsecctl(8) is happy.  It seems weird to specify
a netmask as a "peer", maybe you should reconsider what you're using
"peer" for.

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
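As an added illustration (not code from the thread or from OpenBSD), a small Python checker that applies both diagnoses given above: it lints the `peer` value for a prefix length, which is what ipsecctl(8) rejected, and compares the phase-1 proposal written in the rule with the `expected` values isakmpd logs; where they disagree, isakmpd is negotiating with its built-in defaults, i.e. the rules were never loaded. The keyword-to-attribute mapping and the sample input are constructed from the names that appear in this thread.

```python
import re

# Constructed sample input: the rule posted in this thread and a few of the
# isakmpd lines it produced (attribute names are the ones from the posted log).
IPSEC_CONF = (
    'ike esp from any to any peer x.y.z.0/27 \\\n'
    '  main auth hmac-sha2-256 enc aes-256 group modp2048 \\\n'
    '  psk "myverygoodsecretPSK"\n'
)
ISAKMPD_LOG = """\
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Dec  1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Dec  1 14:01:20 myhostname isakmpd[55480]: message_negotiate_sa: no compatible proposal found
"""

# ipsec.conf phase-1 keyword -> (attribute isakmpd logs, value isakmpd would then expect)
KEYWORDS = {
    "auth":  ("HASH_ALGORITHM", {"hmac-sha2-256": "SHA2_256", "hmac-sha1": "SHA", "hmac-md5": "MD5"}),
    "enc":   ("ENCRYPTION_ALGORITHM", {"aes-256": "AES_CBC", "aes": "AES_CBC", "3des": "3DES_CBC"}),
    "group": ("GROUP_DESCRIPTION", {"modp1024": "MODP_1024", "modp1536": "MODP_1536", "modp2048": "MODP_2048"}),
}
LOG_RE = re.compile(r"attribute_unacceptable: (\w+): got (\w+), expected (\w+)")

def parse_rule(conf):
    """Join backslash continuations and pull the keyword/value pairs out of one 'ike' rule."""
    tokens = conf.replace("\\\n", " ").split()
    rule = {}
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("peer", "auth", "enc", "group", "psk"):
            rule[tok] = tokens[i + 1]
    return rule

def lint_peer(rule):
    """'peer' names a single gateway; a prefix length here is what made ipsecctl -n fail."""
    peer = rule.get("peer", "")
    return [f"peer {peer!r} carries a prefix length; use a single host address"] if "/" in peer else []

def config_mismatches(rule, log):
    """Attributes where isakmpd's 'expected' value is not what the rule asks for.
    Any hit means isakmpd is running on defaults, i.e. ipsec.conf was not loaded."""
    want = {KEYWORDS[k][0]: KEYWORDS[k][1].get(rule[k], rule[k].upper()) for k in KEYWORDS if k in rule}
    if "psk" in rule:
        want["AUTHENTICATION_METHOD"] = "PRE_SHARED"
    return [(attr, want[attr], expected)
            for attr, _got, expected in LOG_RE.findall(log)
            if attr in want and want[attr] != expected]
```

On a live box the same comparison is cheaper to do by hand: run `ipsecctl -nvf /etc/ipsec.conf` first, then `ipsecctl -sa` to see whether any rule is loaded at all.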


Re: isakmpd ignoring contents of /etc/ipsec.conf

bernd-34
Am 2017-12-07 13:34, schrieb Jeremie Courreges-Anglas:

> On Thu, Dec 07 2017, Bernd <[hidden email]> wrote:
>> Am 2017-12-06 18:26, schrieb Jeremie Courreges-Anglas:
>>> On Wed, Dec 06 2017, Bernd <[hidden email]> wrote:
>
> [...]
>
>>>> As a result, the IPSec tunnel can not be established. What did
>>>> I overlook here?
>>>
>>> Looks like ipsec.conf(5) was not loaded, see the manpage, paragraph
>>> 4 of
>>> DESCRIPTION.
>>
>> Hi,
>>
>> ipsec=YES is set in rc.conf.local:
>>
>> # cat /etc/rc.conf.local
>> isakmpd_flags="-K"
>> ipsec=YES               # IPsec
>
> OK, then let's go back to your config: did you test it for validity?
>
>   ritchie ~$ cat /tmp/ipsec.conf
>   ike esp from any to any peer 192.0.2.1/27 \
>    main auth hmac-sha2-256 enc aes-256 group modp2048 \
>    psk "myverygoodsecretPSK"
>   ritchie ~$ ipsecctl -nvf /tmp/ipsec.conf
>   /tmp/ipsec.conf: 1: syntax error
>   ipsecctl: Syntax error in config file: ipsec rules not loaded
>   ritchie ~$
>
> Drop the /27 and ipsecctl(8) is happy.  It seems weird to specify
> a netmask as a "peer", maybe you should reconsider what you're using
> "peer" for.

Yes, thanks, it was indeed the netmask. Tunnel was up and running.
However, in the meanwhile our customer forced us – "due to legal
reasons" – to use Cisco equipment.

Thanks

Bernd