
Trying to use IPSEC between two hosts on a LAN. No VPN involved

Using OpenBSD 5.8 (in VirtualBox). I'd prefer to use OpenBSD's built-in support for IPSEC and key exchange and not a third-party.

Two hosts: 10.0.2.10 (host "A") and 10.0.2.11 (host "B")

They can ping/ssh each other before trying to set up IPSEC.

UPDATE: I think maybe OpenIKED (IKE v2) doesn't support transport mode, so I'll accept answers for isakmp (IKE v1) too

Copied A's /etc/iked/local.pub to B's /etc/iked/pubkeys/ipv4/10.0.2.10
Copied B's /etc/iked/local.pub to A's /etc/iked/pubkeys/ipv4/10.0.2.11

On both:

echo "ikev2 esp from any to any" > /etc/iked.conf

chmod 640 /etc/iked.conf

echo "ipsec=YES" > /etc/rc.conf.local

echo "iked_flags=" >> /etc/rc.conf.local

Check configuration:

/sbin/iked -n
Configuration OK

I'm confused as to what to do next. I think I need to set up /etc/ipsec.conf, but I've only found IKEv1 documentation out there.

Restarted both machines. No errors. Says iked daemon started. If I rename the public keys to anything, can still ping each other, so IPSEC doesn't seem to be working.

  1. What else do I need to configure?
  2. Are there logs for IPSEC and iked, and if so, where can I find them?
  3. How to tell if IPSEC is working once configured, without looking at packets between the machines? Ping from B to A, tcpdump on A. Should see "esp" and "spi" in tcpdump

UPDATE: I got IPSEC working with manual key exchange

/etc/ipsec.conf:

# .10 is source, .11 is destination
flow esp from 10.0.2.10 to 10.0.2.11 type require

esp transport from 10.0.2.10 to 10.0.2.11 \
spi 0xCAFEBABE:0xCAFEBABE \
authkey 0x64CHARHEX:0x64CHARHEX \
enckey 0x64CHARHEX:0x64CHARHEX

hex needs to be in all uppercase

chmod 640 /etc/ipsec.conf

ipsecctl -F (delete config)
ipsecctl -f /etc/ipsec.conf (load config)
ipsecctl -s all -v (show config)

I'd prefer to use IKEv2's automatic keying. What can I do?

Neil McGuigan

2 Answers

Answering my own question like a nerd

Problem 1. OpenIKED (IKEv2) does not support transport mode, so you can only use it for VPNs, and not on a LAN. Use isakmpd (IKEv1)

Problem 2. The documentation for ipsec.conf says that the auth and enc values have defaults, but you seem to need to set them anyway

What else do I need to configure?

You need to set the correct rc.d flags on isakmpd (see below)

Are there logs for IPSEC and iked, and if so, where can I find them?

The logs are at /var/log/daemon

How to tell if IPSEC is working once configured, without looking at packets between the machines?

On B, run tcpdump host A, and on A run ping B. You want to see esp and spi in the tcpdump output

Setup:

Host A (10.0.2.10)

# cat << EOF > /etc/ipsec.conf
ike active esp transport from 10.0.2.10 to 10.0.2.11 \
  main auth hmac-sha1 enc aes \
  quick auth hmac-sha2-256 enc aes 
EOF
# chmod 640 /etc/ipsec.conf

# cd /etc/isakmpd/pubkeys/ipv4
# scp notRoot@10.0.2.11:/etc/isakmpd/local.pub 10.0.2.11 `# copy remote's public key`

# rcctl enable ipsec
# rcctl enable isakmpd
# rcctl set isakmpd flags "-KTv" `#K = use ipsec.conf for configuration, T = disable NAT traversal, v = verbose logging`

# ipsecctl -vf /etc/ipsec.conf  `# start ipsec, or reboot`
# rcctl start isakmpd

Host B (10.0.2.11)

# cat << EOF > /etc/ipsec.conf
ike active esp transport from 10.0.2.11 to 10.0.2.10 \
  main auth hmac-sha1 enc aes \
  quick auth hmac-sha2-256 enc aes 
EOF
# chmod 640 /etc/ipsec.conf

# cd /etc/isakmpd/pubkeys/ipv4
# scp notRoot@10.0.2.10:/etc/isakmpd/local.pub 10.0.2.10 `# copy remote's public key`

# rcctl enable ipsec
# rcctl enable isakmpd
# rcctl set isakmpd flags "-KTv" `#K = use ipsec.conf for configuration, T = disable NAT traversal, v = verbose logging`

# ipsecctl -vf /etc/ipsec.conf  `# start ipsec, or reboot`
# rcctl start isakmpd
Neil McGuigan
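Two things the question's manual-keying config and this answer's "tcpdump host A / ping B" test leave to the reader are what a correctly sized key looks like and what "working" looks like in ipsecctl -s all and tcpdump output. The Python below is an added example, not code from the original post or from OpenBSD: it renders the question's manual-keying /etc/ipsec.conf with random keys of the right length in uppercase hex (the author's 0x64CHARHEX placeholder is 32 bytes, which is what hmac-sha2-256 takes; 16 bytes are used for aes), and it checks that flows and SAs exist in both directions and that ESP shows up on the wire. The sample ipsecctl and tcpdump strings are constructed to resemble OpenBSD 5.x output, not captured from a host, and every function name here is my own.

```python
import os
import re

# Key sizes (bytes) for the algorithms on this page: hmac-sha2-256 takes a
# 32-byte key (64 hex chars, matching the question's 0x64CHARHEX placeholder);
# aes accepts 16/24/32 bytes and 16 (AES-128) is assumed here.
AUTH_KEY_BYTES = 32
ENC_KEY_BYTES = 16


def random_hexkey(nbytes):
    """Random key as 0x-prefixed UPPERCASE hex (ipsec.conf rejected lowercase for the author)."""
    return "0x" + os.urandom(nbytes).hex().upper()


def random_spi():
    """Random 32-bit SPI outside the 0-255 range reserved by RFC 4303."""
    return "0x%08X" % (256 + int.from_bytes(os.urandom(4), "big") % (2 ** 32 - 256))


def check_key(key, nbytes):
    """ipsec.conf wants 0x followed by uppercase hex of exactly the algorithm's key size."""
    if not re.fullmatch(r"0x[0-9A-F]{%d}" % (2 * nbytes), key):
        raise ValueError("key %r must be 0x plus %d uppercase hex digits" % (key, 2 * nbytes))
    return key


def manual_ipsec_conf(src, dst, spi, authkey, enckey):
    """Render the question's manual-keying ipsec.conf for a transport-mode SA.
    spi, authkey and enckey are (outbound, inbound) pairs, written as out:in."""
    for k in authkey:
        check_key(k, AUTH_KEY_BYTES)
    for k in enckey:
        check_key(k, ENC_KEY_BYTES)
    return (
        "# %s is source, %s is destination\n"
        "flow esp from %s to %s type require\n"
        "\n"
        "esp transport from %s to %s \\\n"
        "\tspi %s:%s \\\n"
        "\tauthkey %s:%s \\\n"
        "\tenckey %s:%s\n"
    ) % (src, dst, src, dst, src, dst, spi[0], spi[1],
         authkey[0], authkey[1], enckey[0], enckey[1])


# Assumed shapes of `ipsecctl -s all` lines: a flow per direction and an SA per direction.
FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+)(?:.*\btype (\S+))?")
SA_RE = re.compile(r"^esp (transport|tunnel) from (\S+) to (\S+) spi (0x[0-9a-fA-F]+)")


def parse_ipsecctl(output):
    """Pull (dir, src, dst, type) flows and (mode, src, dst, spi) SAs out of ipsecctl output."""
    flows, sas = [], []
    for line in output.splitlines():
        line = line.strip()
        m = FLOW_RE.match(line)
        if m:
            flows.append(m.groups())
            continue
        m = SA_RE.match(line)
        if m:
            sas.append(m.groups())
    return flows, sas


def protected_both_ways(output, a, b):
    """True when a 'require' flow and an SA exist in each direction between a and b,
    as seen from host a: only then is cleartext refused both ways."""
    flows, sas = parse_ipsecctl(output)
    have_flows = {(d, s, t) for d, s, t, ty in flows if ty == "require"}
    have_sas = {(s, t) for _, s, t, _ in sas}
    return {("out", a, b), ("in", b, a)} <= have_flows and {(a, b), (b, a)} <= have_sas


def esp_seen(tcpdump_output, a, b):
    """The answer's wire test: an ESP packet with an SPI between a and b means the
    pings are no longer leaving in the clear."""
    pat = re.compile(r"\besp\b.*\bspi 0x[0-9a-fA-F]+")
    return any(pat.search(l) and a in l and b in l for l in tcpdump_output.splitlines())


# Constructed sample in the shape of `ipsecctl -s all` on host A after loading the
# question's manual config (not captured from a real machine).
SAMPLE_OK = """\
FLOWS:
flow esp in from 10.0.2.11 to 10.0.2.10 peer 10.0.2.11 type require
flow esp out from 10.0.2.10 to 10.0.2.11 peer 10.0.2.11 type require

SAD:
esp transport from 10.0.2.10 to 10.0.2.11 spi 0xcafebabe auth hmac-sha2-256 enc aes
esp transport from 10.0.2.11 to 10.0.2.10 spi 0xcafebabe auth hmac-sha2-256 enc aes
"""

# Same output with the inbound SA missing: the require flow has nothing to decrypt with.
SAMPLE_HALF = "\n".join(SAMPLE_OK.splitlines()[:-1]) + "\n"

# Constructed tcpdump line of the kind the answer says to look for.
SAMPLE_TCPDUMP = "12:00:01.000000 esp 10.0.2.11 > 10.0.2.10 spi 0xcafebabe seq 1 len 84\n"

if __name__ == "__main__":
    a, b = "10.0.2.10", "10.0.2.11"
    print(manual_ipsec_conf(a, b, (random_spi(), random_spi()),
                            (random_hexkey(AUTH_KEY_BYTES), random_hexkey(AUTH_KEY_BYTES)),
                            (random_hexkey(ENC_KEY_BYTES), random_hexkey(ENC_KEY_BYTES))))
    print("both ways:", protected_both_ways(SAMPLE_OK, a, b))
    print("esp seen:", esp_seen(SAMPLE_TCPDUMP, a, b))
```

Running the script prints a ready-to-load ipsec.conf; load it with ipsecctl -f and compare the real ipsecctl -s all output against protected_both_ways rather than trusting that ping still works, since a missing inbound SA or a "use" instead of "require" flow will let cleartext through without any error.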

So I actually had something like this running recently - just an IPSec link between one single address and my network. I used it for one of my phone servers so I could try to get TFTP over the internet (for fun).

-------------------------the remote side, my phone server ----------------

for /etc/ipsec.conf:

config setup
        plutodebug=none
        klipsdebug=none
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        protostack=netkey
        plutostderrlog=/var/log/ipsec.log

conn L2TP-PSK-noNAT
        type=tunnel
        authby=secret
        pfs=no
        compress=no
        keyexchange=ike
        auth=esp
        keyingtries=3
        rekey=no
        ike=aes256-md5-modp1536
        ikelifetime=7800s
        esp=aes128-md5
        keylife=3600s
        left=XXX.XXX.XXX.XXX
        leftid=XXX.XXX.XXX.XXX
        leftsubnet=XXX.XXX.XXX.XXX/32  
        ####Those three addresses are all the same - No NAT/routing###
        right=hq.myDynDNSDomainToMyOffice.com
        rightid=hq.myDynDNSDomainToMyOffice.com
        rightsourceip=10.0.0.1
        rightsubnet=10.0.0.0/24
        auto=add

for /etc/ipsec.secrets:

# this file is managed with debconf and will contain the automatically created RSA keys
include /var/lib/openswan/ipsec.secrets.inc
XXX.XXX.XXX.XXX hq.myDynDNSDomainToMyOffice.com: PSK "mySuperSecretPassword!"

----------------------the local side, my firewall ---------------------------

/etc/ipsec.conf

config setup
        plutodebug="none"
        nat_traversal="yes"
        dumpdir=/var/run/pluto/
        keep_alive="60"
        probe_psk="no"
        plutostderrlog=/var/log/ipsec.log

# Phone Server
conn S_REF_IpsSitPhoneServe_0
        authby="psk"
        auto="start"
        compress="no"
        ecn="no"
        esp="aes128-md5"
        ike="aes256-md5-modp1536"
        ikelifetime="7800"
        keyexchange="ike"
        keylife="3600"
        left="hq.myDynDNSDomainToMyOffice.com"
        leftid="hq.myDynDNSDomainToMyOffice.com"
        leftsourceip="10.0.0.1"
        leftsubnet="10.0.0.0/24"
        pfs="no"
        pmtu_discovery="no"
        rekeymargin="540"
        right="XXX.XXX.XXX.XXX"
        rightid="XXX.XXX.XXX.XXX"
        rightsubnet="XXX.XXX.XXX.XXX/32"
        type="tunnel"

for /etc/ipsec.secrets:

# this file is managed with debconf and will contain the automatically created RSA keys
include /var/lib/openswan/ipsec.secrets.inc
hq.myDynDNSDomainToMyOffice.com XXX.XXX.XXX.XXX : PSK "mySuperSecretPassword!"

These will get you 99% of the way there. The other 1% is up to you with the error logs being created at /var/log/ipsec.log. Please note, the Phone server side was done all by hand, but the firewall side was what my firewall GUI coughed up. There may be some unnecessary/redundant config bits in the second half.

After you get it working, make sure you double check all security parameters before passing anything 'ipsec-worthy' through it.

Edit 01: I saw you wanted better examples so I'm posting some new config files I just tested:

----------------phone server ipsec.conf-----------------

root@phoneServerName:/home/neil# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file

version 2.0

config setup
        plutodebug=all
        klipsdebug=none
        dumpdir=/var/run/pluto/
        protostack=netkey
        plutostderrlog=/var/log/ipsec.log

conn PSK-noNAT
        type=transport
        authby=secret
        keyexchange=ike
        ike=aes256-md5-modp1536
        ikelifetime=7800s
        phase2alg=aes128-md5
        keylife=3600s
        left=XXX.XXX.XXX.XXX
        leftid=XXX.XXX.XXX.XXX
        right=hq.myDynDNSDomainToMyOffice.com
        rightid=hq.myDynDNSDomainToMyOffice.com
        auto=add

--------------------- firewall ipsec.conf -------------------------

hq:/var/sec/chroot-ipsec/etc # cat ipsec.conf
#/etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        #metric="0"
        charonstart="no"
        plutodebug="none"
        uniqueids="no"
        nocrsend="yes"
        nat_traversal="no"
        keep_alive="60"
        crlcheckinterval="0"
        strictcrlpolicy="no"
        probe_psk="no"

conn %default
        rekeyfuzz="100%"
        keyingtries="0"
        leftsendcert="always"
        dpddelay="30"
        dpdtimeout="120"
        dpdaction="restart"

conn transportModeFirewallToPhoneServer
        authby="psk"
        auto="start"
        compress="no"
        ecn="no"
        esp="aes128-md5"
        ike="aes256-md5-modp1536"
        ikelifetime="7800"
        keyexchange="ike"
        keylife="3600"
        left="hq.myDynDNSDomainToMyOffice.com"
        leftid="hq.myDynDNSDomainToMyOffice.com"
        leftupdown="/usr/libexec/ipsec/updown classic"
        pfs="yes"
        pfsgroup="modp1536"
        pmtu_discovery="no"
        rekeymargin="540"
        right="XXX.XXX.XXX.XXX"
        rightid="XXX.XXX.XXX.XXX"
        type="transport"

Basically, just remove anything about subnets and change the type to transport.

This is a working configuration. How do I know it's working? IPTables blocks everything on the phone server. Once I connect the IPSec connection, my SIP traffic and web management traffic makes it through.

Neil
    this looks like VPN settings no? I am looking for host to host ipsec on the same lan – Neil McGuigan Nov 02 '15 at 20:20
  • Yep, correct. But if you switch type from tunnel to transport, that should be plenty. I tested this myself and edited the answer with a working config. Let me know if this helps! – Neil Nov 11 '15 at 07:28
  • Also, these are settings for openswan, not openbsd's built-in ipsec – Neil McGuigan Nov 20 '15 at 01:03