mazpe
September 22nd, 2004, 21:22
Hola Mates:
I'm trying to setup an OpenBSD VPN server that will allow multiple FreeBSD VPN Clients to tunnel in. The idea is that they all form a huge network (i guess that is kind of the idea of VPN <g>). This is my first expirience with IPsec, so i'm using Kernel_Killers tutorial as a start off point... (http://screamingelectron.org/forum/showthread.php?p=10141#post10141)
Currently, i'm getting the following error on my FreeBSD Client side...
and google has very little to say about it.. It actually just quotes ipsec.c
road# isakmpd -d
201919.529167 Default ipsec_id_size: section client1@vpn has no "ID-type" tag
201919.529351 Default exchange_run: doi->initiator (0x8082800) failed
#############################################
here is the isakmpd.conf on the OpenBSD Server (the VPN server)
#############################################
[Phase 1]
Default= ISAKMP-peer-default
[Phase 2]
Passive-connections= IPsec-vpn-client1, IPsec-vpn-client2
[ISAKMP-peer-default]
Phase= 1
Transport= udp
Configuration= Default-aggressive-mode
[client1@vpn]
Phase= 1
Transport= udp
Configuration= Default-aggressive-mode
Authentication= passphrase
[client2@vpn]
Phase= 1
Transport= udp
Configuration= Default-aggressive-mode
Authentication= passphrase2
[IPsec-vpn-client1]
Phase= 2
ISAKMP-peer= client1@vpn
Configuration= Default-quick-mode
Local-ID= Net-client1
Remote-ID= Net-vpn
[IPsec-vpn-client2]
Phase= 2
ISAKMP-peer= client2@vpn
Configuration= Default-quick-mode
Local-ID= Net-client2
Remote-ID= Net-vpn
[Net-vpn]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.1.0
Netmask= 255.255.255.0
[Net-client1]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.2.0
Netmask= 255.255.255.0
[Net-client2]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.3.0
Netmask= 255.255.255.0
[General]
Listen-on= 192.168.0.11
Retransmits= 3
Exchange-max-time= 120
Check-interval= 300
Policy-file= /etc/isakmpd/isakmpd.policy
[Default-aggressive-mode]
DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= 3DES-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
#############################################
the isakmpd.conf from my FreeBSD client
#############################################
[Phase 1]
22.22.22.22= ISAKMP-peer-vpn
[Phase 2]
Connections= IPsec-client1-vpn,IPsec-client2-vpn
[ISAKMP-peer-vpn]
Phase= 1
ID= client1@vpn
Transport= udp
Address= 22.22.22.22
Configuration= Default-aggressive-mode
Authentication= passphrase
[IPsec-client1-vpn]
Phase= 2
ISAKMP-peer= ISAKMP-peer-vpn
Configuration= Default-quick-mode
Local-ID= Net-client1
Remote-ID= Net-vpn
[IPsec-client2-vpn]
Phase= 2
ISAKMP-peer= ISAKMP-peer-vpn
Configuration= Default-quick-mode
Local-ID= Net-client2
Remote-ID= Net-vpn
[Net-vpn]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.1.0
Netmask= 255.255.255.0
[Net-client1]
ID-Type= IPV4_ADDR_SUBNET
Network= 10.0.2.0
Netmask= 255.255.255.0
[Net-client2]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.3.0
Netmask= 255.255.255.0
[General]
Retransmits= 3
Exchange-max-time= 120
Check-interval= 300
Policy-file= /usr/local/etc/isakmpd/isakmpd.policy
[Default-aggressive-mode]
DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= 3DES-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
------------------------------@---------------------------------
Thanks in advance for the help folks....
Kernel_Killer
September 23rd, 2004, 00:28
OK. Just a few things here. Just looks like your Phase 2 vonfigurations are mixed up.
From the concentrator conf:
[IPsec-vpn-client1]
Phase= 2
ISAKMP-peer= client1@vpn
Configuration= Default-quick-mode
Local-ID= Net-client1
Remote-ID= Net-vpn
[IPsec-vpn-client2]
Phase= 2
ISAKMP-peer= client2@vpn
Configuration= Default-quick-mode
Local-ID= Net-client2
Remote-ID= Net-vpn
The local and remote should be:
[IPsec-vpn-client1]
Phase= 2
ISAKMP-peer= client1@vpn
Configuration= Default-quick-mode
Local-ID= Net-vpn
Remote-ID= Net-client1
[IPsec-vpn-client2]
Phase= 2
ISAKMP-peer= client2@vpn
Configuration= Default-quick-mode
Local-ID= Net-vpn
Remote-ID= Net-client2
Just remember, the local is the local system. So the local net is the net of the local system.
The entire Phase 2 needs reworking on the client conf.
Assuming this would be "client1", then you might do this:
[Phase 2]
Connections= IPsec-client1-vpn,IPsec-client2-vpn
You want to code it like this: IPsec-<local>-<remote>
So.....
[Phase 2]
Connections= IPsec-client1-vpn,IPsec-client1-client2
Now we hit the Phase 2 sections:
[IPsec-client1-vpn]
Phase= 2
ISAKMP-peer= ISAKMP-peer-vpn
Configuration= Default-quick-mode
Local-ID= Net-client1
Remote-ID= Net-vpn
[IPsec-client2-vpn]
Phase= 2
ISAKMP-peer= ISAKMP-peer-vpn
Configuration= Default-quick-mode
Local-ID= Net-client2
Remote-ID= Net-vpn
The section has to match the connections, and the local and remote IDs need to be set for the local system, and the remote systems. Here we have the remotes being the local, and the local being the remote. Here's what you should use:
[IPsec-client1-vpn]
Phase= 2
ISAKMP-peer= ISAKMP-peer-vpn
Configuration= Default-quick-mode
Local-ID= Net-client1
Remote-ID= Net-vpn
[IPsec-client1-client2]
Phase= 2
ISAKMP-peer= ISAKMP-peer-vpn
Configuration= Default-quick-mode
Local-ID= Net-client1
Remote-ID= Net-client2
The whole local remote thing can be a bit confusing. You just have to remember the IPsec-<local>-<remote>. Local-ID=Net-<local> Remote-ID= Net-<remote>.
Of course, this can be completely different. As long as the client and concentrator know that Client1 is using a specific network it is all good.
Last but not least, you are missing a section for your @vpn tags. The concentrator is looking for the client1@vpn info, and since it's not set, it doesn't know what to do with it. So we add this to the client conf:
[client1@vpn]
ID-Type= USER_FQDN
Name= client1@vpn
See how that does.
mazpe
September 25th, 2004, 16:46
Hello:
I've made some changes to my configuration and it semi-works.
Objective: To create more like a host-to-network enviroment. Multiple FreeBSD client behind a NAT/Firewall will tunnel/vpn to my network OpenBSD VPN concentrator who also resides behind a Firewall/NAT. Only that FreeBSD client needs to connect to the VPN as we dont care for the network its attached to it.
10.27.50.100<>[OpenBSD VPN Concentrator]<>192.168.0.11
192.168.0.1<>[NAT / Firewall]<>22.22.22.22
INTERNET
33.33.33.33<>[Nat / Firewall]<>10.27.248.1
10.27.248.143<>[FreeBSD VPN Client]
With the configurations pasted below, the OpenBSD 3.5-STABLE VPN seems to load and is waiting for connections. Atleast no errors at this point.
Problem: With the FreeBSD 5.2.1-RELEASE using the config pasted below, i get the following errors when i run 'isakmpd -d -DA=99'
162927.918810 Timr 10 timer_handle_expirations: event connection_checker(0x81b0810)
162927.918876 Misc 95 conf_get_str: configuration value not found [General]:check-interval
162927.918900 Timr 10 timer_add_event: event connection_checker(0x81b0810) added last, expiration in 60s
162927.918924 SA 90 sa_find: no SA matched query
162927.918944 Sdep 70 pf_key_v2_connection_check: SA for IPsec-freebsd1-gate missing
162927.918968 Misc 95 conf_get_str: configuration value not found [IPsec-freebsd1-gate]:Phase
162927.918989 Default exchange_establish: peer "IPsec-freebsd1-gate" does not have a correct phase (0)
I used this how-to: http://www.rommel.stw.uni-erlangen.de/~hshoexer/ipsec-howto/HOWTO.html
Am i missing something? as the config for the OpenBSD in which is similar to the one on the FreeBSD works.. but the on the FreeBSD i get the error above...
Here are the configs...
################################################## ##########
################################################## ##########
###-- FreeBSD VPN Client /usr/local/etc/isakmpd/isakmpd.conf
# Incoming phase 1 negotiations are multiplexed on the source IP address
[Phase 1]
Default= ISAKMP-peer-void
# These connections are walked over after config file parsing and told
# to the application layer so that it will inform us when traffic wants to
# pass over them. This means we can do on-demand keying.
[Phase 2]
Connections= IPsec-freebsd1-gate
# The peers
[ISAKMP-peer-void]
Phase= 1
Transport= udp
Local-address= 10.27.248.143
Configuration= Default-main-mode
ID= freebsd1-ID
Authentication= mypassword
[ISAKMP-peer-openbsd1]
Phase= 1
Transport= udp
Local-address= 10.27.248.143
Address= 22.22.22.22
Configuration= Default-main-mode
ID= freebsd1-ID
Remote-ID= openbsd1-ID
Authentication= mypassword
[freebsd1-ID]
ID-type= FQDN
Name= freebsd1.domain.net
[openbsd1-ID]
ID-type= FQDN
Name= openbsd1.domain.net
# The connections
[IPsec-freebsd1-void]
Phase= 2
Configuration= Default-quick-mode
Local-ID= Net-default
Remote-ID= Net-remote
[IPsec-freebsd1-openbsd1]
Phase= 2
ISAKMP-peer= ISAKMP-peer-gate
Configuration= Default-quick-mode
Local-ID= Host-freebsd1
Remote-ID= Host-openbsd1
# The networks
[Net-default]
ID-type= IPV4_ADDR
Address= 0.0.0.0
[Net-remote]
ID-type= IPV4_ADDR
Address= 0.0.0.0
[Host-freebsd1]
ID-type= IPV4_ADDR
Address= 10.27.248.143
[Host-openbsd1]
ID-type= IPV4_ADDR
Address= 10.27.50.111
# Main mode descriptions
[Default-main-mode]
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA,3DES-MD5
# Quick mode descriptions
[Default-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE,QM-ESP-AES-SHA-PFS-SUITE
####
[General]
Policy-File= /usr/local/etc/isakmpd/isakmpd.policy
Retransmits= 3
Exchange-max-time= 120
Listen-on= 10.27.248.143
Renegotiate-on-HUP= yes
# Main mode transforms
######################
# 3DES
[3DES-SHA]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= RSA_SIG
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS
[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= RSA_SIG
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS
# Quick mode protection suites
##############################
# AES
[QM-ESP-AES-SHA-PFS-SUITE]
Protocols= QM-ESP-AES-SHA-PFS
[QM-ESP-AES-MD5-PFS-SUITE]
Protocols= QM-ESP-AES-MD5-PFS
# Quick mode protocols
######################
# AES
[QM-ESP-AES-SHA-PFS]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-AES-SHA-PFS-XF
[QM-ESP-AES-MD5-PFS]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-AES-MD5-PFS-XF
# Quick mode transforms
#######################
# AES
[QM-ESP-AES-SHA-PFS-XF]
TRANSFORM_ID= AES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM=HMAC_SHA
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_600_SECS
[QM-ESP-AES-SHA-MD5-XF]
TRANSFORM_ID= AES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM=HMAC_MD5
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_600_SECS
# Lifetimes
###########
[LIFE_600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 600,450:720
[LIFE_3600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,1800:7200
################################################## ##########
################################################## ##########
###-- OpenBSD VPN Concentrator /etc/isakmpd/isakmpd.conf
# Incoming phase 1 negotiations are multiplexed on the source IP address
[Phase 1]
Default= ISAKMP-peer-void
# These connections are walked over after config file parsing and told
# to the application layer so that it will inform us when traffic wants to
# pass over them. This means we can do on-demand keying.
[Phase 2]
Passive-Connections= IPsec-openbsd1-gate
# The peers
[ISAKMP-peer-void]
Phase= 1
Transport= udp
Local-address= 192.168.0.11
Configuration= Default-main-mode
ID= openbsd1-ID
Authentication= mypassword
[ISAKMP-peer-freebsd1]
Phase= 1
Transport= udp
Local-address= 192.168.0.11
Address= 10.27.248.143
Configuration= Default-main-mode
ID= openbsd1-ID
Remote-ID= freebsd1-ID
Authentication= mypassword
[openbsd1-ID]
ID-type= FQDN
Name= openbsd1.domain.net
[freebsd1-ID]
ID-type= FQDN
Name= freebsd1.domain.net
# The connections
[IPsec-openbsd1-void]
Phase= 2
Configuration= Default-quick-mode
Local-ID= Net-default
Remote-ID= Net-remote
[IPsec-openbsd1-freebsd1]
Phase= 2
ISAKMP-peer= ISAKMP-peer-gate
Configuration= Default-quick-mode
Local-ID= Host-openbsd1
Remote-ID= Host-freebsd1
# The networks
[Net-default]
ID-type= IPV4_ADDR
Address= 0.0.0.0
[Net-remote]
ID-type= IPV4_ADDR
Address= 0.0.0.0
[Host-openbsd1]
ID-type= IPV4_ADDR
Address= 192.168.0.11
[Host-freebsd1]
ID-type= IPV4_ADDR
Address= 10.27.248.143
# Main mode descriptions
[Default-main-mode]
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA,3DES-MD5
# Quick mode descriptions
[Default-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE,QM-ESP-AES-SHA-PFS-SUITE
####
[General]
Policy-File= /etc/isakmpd/isakmpd.policy
Retransmits= 3
Exchange-max-time= 120
Listen-on= 192.168.0.11
Renegotiate-on-HUP= yes
# KeyNote credential storage
#[KeyNote]
#Credential-directory=/etc/isakmpd/keynote/
# Certificates stored in PEM format
#[X509-certificates]
#CA-directory= /etc/isakmpd/ca/
#Cert-directory= /etc/isakmpd/certs/
#Private-key= /etc/isakmpd/private/openbsd1.domain.net.priv
# Main mode transforms
######################
# 3DES
[3DES-SHA]
ENCRYPTION_ALGORITHM=3DES_CBC
HASH_ALGORITHM=SHA
AUTHENTICATION_METHOD= RSA_SIG
GROUP_DESCRIPTION=MODP_1024
Life= LIFE_3600_SECS
[3DES-MD5]
ENCRYPTION_ALGORITHM=3DES_CBC
HASH_ALGORITHM=MD5
AUTHENTICATION_METHOD= RSA_SIG
GROUP_DESCRIPTION=MODP_1024
Life= LIFE_3600_SECS
# Quick mode protection suites
##############################
# AES
[QM-ESP-AES-SHA-PFS-SUITE]
Protocols= QM-ESP-AES-SHA-PFS
[QM-ESP-AES-MD5-PFS-SUITE]
Protocols= QM-ESP-AES-MD5-PFS
# Quick mode protocols
######################
# AES
[QM-ESP-AES-SHA-PFS]
PROTOCOL_ID=IPSEC_ESP
Transforms= QM-ESP-AES-SHA-PFS-XF
[QM-ESP-AES-MD5-PFS]
PROTOCOL_ID=IPSEC_ESP
Transforms= QM-ESP-AES-MD5-PFS-XF
# Quick mode transforms
#######################
# AES
[QM-ESP-AES-SHA-PFS-XF]
TRANSFORM_ID=AES
ENCAPSULATION_MODE=TUNNEL
AUTHENTICATION_ALGORITHM=HMAC_SHA
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_600_SECS
[QM-ESP-AES-SHA-MD5-XF]
TRANSFORM_ID=AES
ENCAPSULATION_MODE=TUNNEL
AUTHENTICATION_ALGORITHM=HMAC_MD5
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_600_SECS
# Lifetimes
###########
[LIFE_600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 600,450:720
[LIFE_3600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,1800:7200
----------------------------------
Thanks in Advance!
Kernel_Killer
September 25th, 2004, 21:15
Well, you have the Phase 2 connection set to IPsec-freebsd1-gate, but there isn't a Phase 2 section for that connection. You have IPsec-freebsd1-openbsd1 and IPsec-freebsd1-void, but no IPsec-freebsd1-gate. I guess you would want to change IPsec-freebsd1-openbsd1 to that.