[Openswan Users] OpenSWAN -> ISAKMPD (OpenBSD)?
Mark Voelker
mhsvoice at rocketmail.com
Sun Jun 13 10:20:26 CEST 2004
Hi all,
I've recently been asked to help harden the wireless portion of
a small LAN, replacing WEP with IPSec. The LAN setup looks
something like this:
                  INTERNET
                      |
                      |
      ------------------------------
      |1st NIC                     |
      |OpenBSD 3.5 Server w/ISAKMPD|
      |(does firewalling and NAT)  |
      |2nd NIC              3rd NIC|
      |172.16.1.1          10.0.0.1|
      ------------------------------
           |                   |
           |                   |
   -----------------   -----------------
   |L2 wired switch|   |  Wireless AP  |
   |Wired LAN      |   |  Wireless LAN |
   |172.16.1.0/24  |   |  10.0.0.0/28  |
   -----------------   -----------------
    | | | | |             | | | |
   <multiple             <A few laptops
    clients running       running Fedora Core 1
    various OS's>         with OpenSWAN 2.1.2>
In the current topology, the wireless clients just use a 128-bit WEP
key, and 10.0.0.1 is their default gateway. The goal here is
really just to provide the wireless laptops with access to the
internet using IPSEC from laptop <-> OpenBSD server as a
replacement for WEP.
I'm fairly new to OpenSWAN, so I'm having a bit of trouble
getting this set up. Has anyone done something similar? Anyone
have sample config files I could look at (on both ends)? Just
to take wireless problems out of the picture, I'm currently
using one of the wired hosts (172.16.1.7) for a test run. My
config files are shown below. But when I start isakmpd on the
OpenBSD machine and then immediately start OpenSWAN on the other
side, the OpenBSD box reports:
Jun 13 12:15:41 jermaine isakmpd[27124]: message_negotiate_sa: no compatible proposal found
Jun 13 12:15:41 jermaine isakmpd[27124]: dropped message from 172.16.1.7 port 500 due to notification type NO_PROPOSAL_CHOSEN
Jun 13 12:16:39 jermaine isakmpd[27124]: transport_send_messages: giving up on message 0x3c12d000, exchange ISAKMP-peer-OpenSWAN
Jun 13 12:16:39 jermaine isakmpd[27124]: transport_send_messages: either this message did not reach the other peer
Jun 13 12:16:39 jermaine isakmpd[27124]: transport_send_messages: or the responsemessage did not reach us back
Anyone have any ideas to offer?
At Your Service,
Mark
Linux/OpenSWAN side:
[root at magnus mtvoelke]# cat /etc/ipsec.conf
# basic configuration
empty lines.
version 2
config setup
interfaces=%defaultroute
klipsdebug=all
plutodebug=none
uniqueids=yes
# some defaults...
conn %default
keyingtries=0
spi=0x200
esp=3des-md5-96
espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0
espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf
conn ISAKMP-peer-MAGNUS
auto=start
left=172.16.1.7
leftnexthop=172.16.1.1
right=172.16.1.1
spi=0x201
authby=secret
#############
# Everything from here down is to disable OE since OpenBSD
# Won't be able to use it.
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
#############
[root at magnus mtvoelke]# cat /etc/ipsec.secrets
172.16.1.1 172.16.1.7: PSK "testing"
OpenBSD Side:
# cat /etc/isakmpd/isakmpd.conf
[General]
Listen-on= 172.16.1.1
Retransmits= 5
#Incoming phase 1 negotiations
[Phase 1]
#10.0.0.7= ISAKMP-peer-OpenSWAN
172.16.1.7= ISAKMP-peer-OpenSWAN
#These connections are walked over after config file parsing
#and told to the application layer so that it will inform us
#when traffic wants to pass over them.
[Phase 2]
Connections= ISAKMP-peer-MAGNUS
[ISAKMP-peer-OpenSWAN]
Phase= 1
Transport= udp
Local-address= 172.16.1.1
Address= 172.16.1.7
Configuration= Default-main-mode
Authentication= 172.16.1.7
[ISAKMP-peer-MAGNUS]
Phase= 2
ISAKMP-peer= ISAKMP-peer-OpenSWAN
Configuration= Default-quick-mode
Local-ID= Net-LOCAL
Remote-ID= Net-HOST1
[X509-certificates]
CA-directory= /etc/isakmpd/ca/
Cert-directory= /etc/isakmpd/certs/
Private-key= /etc/isakmpd/private/local.key
[Net-HOST1]
ID-type= IPV4_ADDR_SUBNET
Network= 172.16.1.7
Netmask= 255.255.255.255
[Net-LOCAL]
ID-type= IPV4_ADDR_SUBNET
Network= 172.16.1.0
Netmask= 255.255.255.0
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-MD5
# Main mode transforms
# 3DES
[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_180_SECS
# Quick mode descriptions
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
#Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-3DES-MD5-PFS-SUITE
Suites= QM-ESP-3DES-MD5-PFS-SUITE
# Quick mode protection suites
#3DES
[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols= QM-ESP-3DES-SHA-PFS
[QM-ESP-3DES-MD5-PFS-SUITE]
Protocols= QM-ESP-3DES-MD5-PFS
# Quick mode protocols
#3DES
[QM-ESP-3DES-SHA-PFS]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-SHA-PFS-XF
[QM-ESP-3DES-MD5-PFS]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-MD5-PFS-XF
# Quick mode transforms
#3DES
[QM-ESP-3DES-SHA-PFS-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS
[QM-ESP-3DES-MD5-PFS-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_MD5
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_3600_SECS
[LIFE_3600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,1800:7200
Anyone have ideas?
# cat /etc/isakmpd/isakmpd.policy
KeyNote-Version: 2
Comment: HOST1
Authorizer: "POLICY"
Licensees: "testing:172.16.1.7"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
initiator == "yes" &&
esp_enc_alg != "null" &&
ah_enc_alg != "null" &&
phase_1 == "main" -> "true";
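An added sanity check, not part of this post or of the isakmpd/Openswan projects: a small linter that parses the INI-style isakmpd.conf quoted above and verifies that each main-mode transform uses only attribute names isakmpd.conf(5) defines and that every Life reference resolves to a section. Run over the [3DES-MD5] section as posted it flags the attribute spelled HASH_ALORITHM (isakmpd expects HASH_ALGORITHM) and the LIFE_180_SECS section that is not defined anywhere in the quoted file; the attribute list is abbreviated (assumption: it covers the transforms on this page), and whether these two defects are what produces the NO_PROPOSAL_CHOSEN above is not settled by the thread.

```python
import re

# Constructed sample: the main-mode part of the posted isakmpd.conf, with the HASH_ALORITHM spelling kept as posted.
SAMPLE_CONF = """\
[Default-main-mode]
Transforms= 3DES-MD5
[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_180_SECS
[LIFE_3600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,1800:7200
"""
# Attribute names isakmpd.conf(5) accepts in a main-mode transform section (abbreviated; assumption: enough for this page).
MAIN_MODE_ATTRS = {"ENCRYPTION_ALGORITHM", "HASH_ALGORITHM", "AUTHENTICATION_METHOD", "GROUP_DESCRIPTION", "Life"}

def parse_isakmpd_conf(text):  # -> {section_name: {key: value}}
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def lint_main_mode(sections, mode="Default-main-mode"):  # -> list of defect strings
    problems = []
    transforms = sections.get(mode, {}).get("Transforms", "")
    for name in map(str.strip, transforms.split(",")):
        xf = sections.get(name)
        if xf is None:
            problems.append(f"transform section [{name}] is missing")
            continue
        for key in xf:  # a misspelled attribute is silently not part of the proposal
            if key not in MAIN_MODE_ATTRS:
                problems.append(f"[{name}] unknown attribute {key}")
        if "HASH_ALGORITHM" not in xf:
            problems.append(f"[{name}] has no HASH_ALGORITHM")
        life = xf.get("Life")
        if life and life not in sections:  # lifetime section must exist to be proposed
            problems.append(f"[{name}] Life refers to undefined [{life}]")
    return problems
```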