Should fwknop be listening to a port?

2

1

I am trying to install fwknop on a VirtualBox Debian 7 machine.

It installs with no error (apt-get install fwknop-server -y). I made the modification in the /etc/default/fwknop-server file so the daemon runs. I have made a stanza for testing purposes. Then I restarted fwknop with /etc/init.d/fwknop-server restart. I have done a fwknop -S to see the status and it's all running.

I also tried uninstalling it with apt-get remove --purge fwknop-server -y and reinstall using aptitude install fwknop-server -y.

However, in both cases, it doesn't seem to run properly. I tried running the command to open a port (in the client) as the stanza is configured, but it does not open the configured port. If I run iptables -vL on the server I see the rule made by fwknop in the upper part of the INPUT chain, and I also see the chain FWKNOP_INPUT, which is empty. If I run netstat -nulp | less I do not find fwknop listening on port udp/62201 nor on any other port.

Q1: Shouldn't fwknop listen on UDP 62201 and appear in the netstat -nulp output?

Q2: How can I debug this problem?

Update 2014-02-19

A little bit about the setup: Debian 7 Machine is on VirtualBox. I have the host on 192.168.1.101 and Debian on 192.168.56.101. The network is configured as Host-only Adapter.

The /etc/network/interfaces file is configured as follows:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.56.101
netmask 255.255.0.0
gateway 192.168.56.1
dns-nameservers 192.168.56.1
network 192.168.56.0
broadcast 192.168.56.255

I even tried with PGP, but under Windows the client does not work with PGP.

Back to the Rijndael key.

So, the problem is with the packet sent. Server seems to be working properly.

The stanza is as simple as:

SOURCE: ANY;
OPEN_PORTS: tcp/22;
FW_ACCESS_TIMEOUT: 30;
REQUIRE_SOURCE_ADDRESS: N;
KEY: 1234567890;

Then on the Windows client I have the fwknop client binaries and I run fwknop.exe -A tcp/22 -a 192.168.56.1 -D 192.168.56.101 --verbose

FKO Field Values:
=================

   Random Value: 8856223091859216
       Username: Bogdan
      Timestamp: 1392826691
    FKO Version: 2.0
   Message Type: 1 (Access msg)
 Message String: 192.168.56.1,tcp/22
     Nat Access: <NULL>
    Server Auth: <NULL>
 Client Timeout: 0 (seconds)
    Digest Type: 3 (SHA256)
      HMAC Type: 0 (Unknown)
Encryption Type: 1 (Rijndael)
Encryption Mode: 2 (CBC)

   Encoded Data: 8856223091859216:Qm9nZGFu:1392826691:2.0:1:MTkyLjE2OC41Ni4xLHRjcC8yMg
SPA Data Digest: CBjwLFaaNxitUlJPZqpx3xIPE+3pbi3o4QH8D16DC9I
           HMAC: <NULL>
      Plaintext: 8856223091859216:Qm9nZGFu:1392826691:2.0:1:MTkyLjE2OC41Ni4xLHRjcC8yMg:CBjwLFaaNxitUlJPZqpx3xIPE+3pbi3o4QH8D16DC9I


Final Packed/Encrypted/Encoded Data:

9tkJaoeN8qetZ+zQUiQHNL2SI57wRIs4LFEjRXNQKbEncxQ5/4KCCKm1knvcyH4kTdAdNch8kLAmExbHgpTcq/N9qf+OMLHnrD8tqKGHF2uKCAJIE3THgTr4LvBZWMAz/xTxXoAQf0jo5EjwsK6gOx9MEyEUAQB+Do69BvbG4kONUeWYgiTvJr

Generating SPA packet:
            protocol: udp
         source port: <OS assigned>
    destination port: 62201
             IP/host: 192.168.56.101
send_spa_packet: bytes sent: 182

The verbose result on the server is:

SPA Packet from ip 192.168.56.1 received. 
Error creating fko context: Decryption failed or decrypted data is invalid

Please help me further debug.

codiac

Posted 2014-02-14T11:44:00.263

Reputation: 121

CPJ, did you get this resolved? I'm running into what might be the same issue between my laptop (Mac OS X) and VPS Linux server (Debian). Please let me know. – Harv – 2015-01-01T21:42:45.403

@Harv Yes and no. The problem was not the server but the Windows fwknop client. I made a Linux VM, tried connecting, and it connected properly. However, on Windows I did not manage to make the client work. – codiac – 2015-01-02T09:00:26.607

Okay, interesting. So it may have something to do with library versions not matching up and thus being incompatible, is that accurate? That's about as far as I could discern based on what I saw here and in my own testing today. – Harv – 2015-01-02T09:02:33.060

Well. It seemed, at that time, that the client was very much not up to date. And if I remember correctly there were fewer argument options available/working (than for Linux), which made the sequence incorrect. But then again, it is almost one year since then and right now I am unaware of changes made (if any) to the Windows client. If you find anything new it might be helpful to me and also to somebody else, so please share. – codiac – 2015-01-03T20:07:51.540
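The client's verbose output above already contains everything needed to check the SPA payload before it is encrypted, so here is an added example (not from the question, and not fwknop's own code) that decodes it. The field layout is read off that output: the Encoded Data is six colon-separated values (random value, base64 username, timestamp, FKO version, message type, base64 message string). The digest construction, SHA256 over the encoded string and base64 with the '=' padding removed, is my assumption about libfko; if the recomputed digest does not match, that assumption is what is wrong, not the packet. The final encrypted blob cannot be decoded here because it needs the client's Rijndael key.

```python
"""Decode the fwknop client's verbose FKO output (added example).

Assumed layout, read from the client output: "Encoded Data" is six
colon-separated values (random value, base64 username, timestamp, FKO
version, message type, base64 message string); "SPA Data Digest" is assumed
to be SHA256 over that encoded string, base64 encoded, '=' padding stripped.
"""
import base64
import hashlib
from datetime import datetime, timezone

# Message types seen on this page; other FKO types are not listed here.
MESSAGE_TYPES = {1: "Access msg"}

# Values copied from the client output in the question.
ENCODED_DATA = "8856223091859216:Qm9nZGFu:1392826691:2.0:1:MTkyLjE2OC41Ni4xLHRjcC8yMg"
PAGE_DIGEST = "CBjwLFaaNxitUlJPZqpx3xIPE+3pbi3o4QH8D16DC9I"


def b64decode_unpadded(text: str) -> bytes:
    """The client output carries no '=' padding; restore it before decoding."""
    return base64.b64decode(text + "=" * (-len(text) % 4))


def b64encode_unpadded(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii").rstrip("=")


def parse_encoded_data(encoded: str) -> dict:
    """Split the encoded field list and decode the base64 members."""
    parts = encoded.split(":")
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields, got {len(parts)}")
    rand, user_b64, ts, version, msg_type, msg_b64 = parts
    return {
        "random_value": rand,
        "username": b64decode_unpadded(user_b64).decode("utf-8"),
        "timestamp": int(ts),
        "version": version,
        "message_type": int(msg_type),
        "message": b64decode_unpadded(msg_b64).decode("utf-8"),
    }


def parse_access_message(message: str) -> dict:
    """'192.168.56.1,tcp/22' -> the allow IP (-a) and proto/port (-A) given to the client."""
    allow_ip, sep, port_spec = message.partition(",")
    proto, slash, port = port_spec.partition("/")
    if not sep or not slash or proto not in ("tcp", "udp") or not port.isdigit():
        raise ValueError(f"not an access message: {message!r}")
    return {"allow_ip": allow_ip, "proto": proto, "port": int(port)}


def spa_digest(encoded: str) -> str:
    """Assumed digest construction: SHA256 over the encoded string, unpadded base64."""
    return b64encode_unpadded(hashlib.sha256(encoded.encode("ascii")).digest())


def timestamp_utc(ts: int) -> datetime:
    """The timestamp field is a Unix epoch; the server compares it to its own clock."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


if __name__ == "__main__":
    fields = parse_encoded_data(ENCODED_DATA)
    for key, value in fields.items():
        print(f"{key:>13}: {value}")
    print(f"{'sent at':>13}: {timestamp_utc(fields['timestamp']).isoformat()}")
    print(f"{'request':>13}: {parse_access_message(fields['message'])}")
    print(f"{'msg type':>13}: {MESSAGE_TYPES.get(fields['message_type'], 'unknown')}")
    if spa_digest(ENCODED_DATA) == PAGE_DIGEST:
        print("digest recomputed and matches the client output")
    else:
        print("digest differs: the assumed digest construction is wrong, not the packet")
```

Decoding the fields shows the request is exactly what the command line asked for (allow 192.168.56.1 to tcp/22, sent on 2014-02-19 UTC), so the plaintext side of the client is fine. The server line "Error creating fko context: Decryption failed or decrypted data is invalid" also shows that fwknopd did sniff the packet, which answers Q1 in practice; what failed is the agreement between client and server on key or encoding, which is where the comments above eventually land (the Windows client build).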

Answers

5

Q1: No, fwknopd does not listen on a port. It runs as an Ethernet sniffer and therefore does not function as a normal "server" in that it doesn't listen on a port.

Q2: Best way to debug what is happening with fwknopd is to run it as follows:

fwknopd -f -v -i eth0

...this will start up fwknopd against eth0 (you might need to change that depending on your setup) but not fork() to become a daemon, so you can see debugging output on the console...

Now, with fwknopd running, then go ahead and run the fwknop client. You will see verbose information about SPA packet specifics if it authenticates/decrypts along with corresponding iptables commands that fwknopd executes to grant access to whatever service you are requesting with the client.

A comprehensive tutorial on fwknop is available here:

http://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html

Michael Rash

Posted 2014-02-14T11:44:00.263

Reputation: 51

0

After more than 5 hours of trying, Mr. Michael Rash's answer made me realize that fwknop wasn't working because the daemon was turned off. : /

Starting the fwknop-server daemon on Ubuntu:

In Ubuntu 15.10 (and probably others), the service is not enabled by default, so one should:

  1. Edit the file:

    /etc/default/fwknop-server

  2. Change the line 5 from:

    START_DAEMON="no"

    to guess what? to:

    START_DAEMON="yes"

  3. Then stop it (even if it is already stopped) and start again, with the command:

    sudo service fwknop-server stop

    and restart it with:

    sudo service fwknop-server start

  4. Apparently the command service fwknop-server restart doesn't work.


Check if the service is running

If you want to see if you have your daemon currently running, use the command:

sudo fwknopd -S

When it is not running it displays: No running fwknopd detected.

When it is running it displays: Detected fwknopd is running (pid=PID_NUM).


So I think Mr. Michael's answer should be marked as the correct one for the community's sake, because other people may have other kinds of problems with their setup. And thanks for this great piece of software, Mr.!

Iacchus

Posted 2014-02-14T11:44:00.263

Reputation: 111
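The two answers together give a short checklist: the daemon must be enabled in /etc/default/fwknop-server, it must actually be running (fwknopd -S), and there is no point looking for it in netstat because it sniffs rather than listens. As an added example (mine, not the answerers' and not part of fwknop), here is a Python script that applies that checklist. It assumes the defaults file path and START_DAEMON line quoted in the answer above, and the two exact fwknopd -S messages quoted there; the sample defaults text is constructed so the functions can be exercised without touching the real file.

```python
"""Pre-flight checks for an fwknop-server install (added example).

Assumptions: Debian/Ubuntu keep a START_DAEMON="no|yes" line in
/etc/default/fwknop-server, and `fwknopd -S` prints either
"No running fwknopd detected." or "Detected fwknopd is running (pid=N).",
as quoted in the answer above. Only the __main__ block touches the host.
"""
import re
import shutil
import subprocess
from pathlib import Path

DEFAULTS_FILE = Path("/etc/default/fwknop-server")

# Constructed sample of the stock defaults file (step 1 of the answer).
SAMPLE_DEFAULTS = '# Defaults for fwknop-server\nSTART_DAEMON="no"\n'

# Matches an uncommented START_DAEMON assignment on its own line.
_START_LINE = re.compile(r'^[ \t]*START_DAEMON[ \t]*=.*$', re.MULTILINE)


def daemon_enabled(defaults_text: str) -> bool:
    """True only when an uncommented START_DAEMON line is set to yes."""
    for raw in defaults_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "START_DAEMON":
            return value.strip().strip('"\'').lower() == "yes"
    return False


def enable_daemon(defaults_text: str) -> str:
    """Return the defaults text with START_DAEMON="yes" (step 2 of the answer).

    Rewrites the first uncommented assignment in place, or appends one when
    the file has none, so the result always has exactly one live setting.
    """
    if _START_LINE.search(defaults_text):
        return _START_LINE.sub('START_DAEMON="yes"', defaults_text, count=1)
    return defaults_text.rstrip("\n") + '\nSTART_DAEMON="yes"\n'


def fwknopd_pid(status_output: str):
    """Interpret `fwknopd -S` output: the pid when running, None when not."""
    match = re.search(r"running \(pid=(\d+)\)", status_output)
    if match:
        return int(match.group(1))
    if "No running fwknopd detected" in status_output:
        return None
    raise ValueError(f"unrecognised fwknopd -S output: {status_output!r}")


def run_status() -> str:
    """Run `fwknopd -S` on this host (needs root, as the answer notes)."""
    if shutil.which("fwknopd") is None:
        raise FileNotFoundError("fwknopd is not installed on this host")
    proc = subprocess.run(["fwknopd", "-S"], capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    text = DEFAULTS_FILE.read_text() if DEFAULTS_FILE.exists() else SAMPLE_DEFAULTS
    if daemon_enabled(text):
        print("START_DAEMON is yes")
    else:
        print('START_DAEMON is not yes; set START_DAEMON="yes" and start the service')
    try:
        pid = fwknopd_pid(run_status())
        if pid is None:
            print("fwknopd is not running (it sniffs, so netstat will never show a port)")
        else:
            print(f"fwknopd is running as pid {pid}")
    except (FileNotFoundError, ValueError) as exc:
        print(f"status check skipped: {exc}")
```

Run it as root on the server; the enable_daemon function only returns the corrected text so the reader decides whether to write it back to /etc/default/fwknop-server. The point the status branch makes is the one in the accepted answer: an idle fwknopd is not a listening socket, so "nothing in netstat" is expected and says nothing about whether the daemon is up.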