
List:       openbsd-tech
Subject:    Re: IPsec VPN (fwd)
From:       Håkan_Olsson <ho () crt ! se>
Date:       1999-11-25 16:16:39


Hi.

> I'm writing a script that will connect host A to host B using IPsec.
> the 'vpn' script creates key/authkey on the fly, and ssh's to each
> host and runs 'vpn-connect'. vpn-connect sets the sysctl's, the
> tunnel, and the flow.
> 
> Eventually, this will actually connect from 1 host to n other hosts,
> and from each of those n hosts to all the others. I'm having
> to roll out a bunch of remote OpenBSD NAT boxes this month, and this seems
> like a good way to go.
> 
> In my current settings, 10.1.1.10 & 10.1.1.11 are sitting right next
> to each other, but eventually they will be real IPs of remote hosts.

I'm not sure I completely follow this, but in the example below, I'd say
the problem is you only set up one of the two required SPIs (SAs) per host.

You need the incoming SPI set up also, otherwise, you encrypt traffic on
one host, but the other cannot decrypt it.  If you look closer inside
rc.vpn, you'll see it does set up SPI pairs.

> 
> There is a problem, however. When vpn hits the second host, and right
> after it runs the 1st ipsecadm command (new esp), the host drops
> the ssh connection.
> 

As soon as the other ipsecadm command takes effect, you add a 'flow'
encrypting the traffic, which you are not prepared to decrypt. So, it
stops.

> Any thoughts?
> 

Yes, you need to add something like:

> ---
> vpn
> ------
> #!/bin/sh
> 
> VPN_HOME=/home/gelbardn
> SRC_HOST=10.1.1.10
> DEST_HOST=10.1.1.11
> SRC_SPI=1000
> DST_SPI=1001
> 
> _KEY=`dd if=/dev/urandom bs=1024 count=1 | sha1`
> _AUTH_KEY=`dd if=/dev/urandom bs=1024 count=1 | sha1`
> 
> ssh $SRC_HOST -l root \
> 	$VPN_HOME/vpn-connect $SRC_HOST $DEST_HOST $_KEY $_AUTH_KEY $SRC_SPI 

(Add "$DST_SPI" to the end of the above line)

> 
> ssh $DEST_HOST -l root \
> 	$VPN_HOME/vpn-connect $DEST_HOST $SRC_HOST $_KEY $_AUTH_KEY $DST_SPI

(Add "$SRC_SPI" to the end of the above line)

and add something like the following to the 'vpn-connect' script:

> vpn-connect
> ---
> #!/bin/sh
> 
> SRC_HOST=$1
> DEST_HOST=$2
> _KEY=$3
> _AUTH_KEY=$4
> SPI=$5

SPI_IN=$6

> 
> sysctl -w net.inet.esp.enable=1
> sysctl -w net.inet.ah.enable=1
> 
> ipsecadm new esp -spi $SPI -src $SRC_HOST -dst $DEST_HOST \
> 	-forcetunnel -enc blf -auth sha1 \
> 	-key $_KEY \
> 	-authkey $_AUTH_KEY
> echo "added tunnel $SRC_HOST -> $DEST_HOST"

ipsecadm new esp -spi $SPI_IN -src $DEST_HOST -dst $SRC_HOST \
	-forcetunnel -enc blf -auth sha1 \
	-key $_KEY -authkey $_AUTH_KEY

# (Note: -forcetunnel is not really needed above)

> 
> ipsecadm flow -proto esp -dst $DEST_HOST -spi $SPI \
> 	-addr $SRC_HOST 255.255.255.255 \
> 	$DEST_HOST 255.255.255.255
> echo "added flow $SRC_HOST -> $DEST_HOST"
> 
> 

Otherwise, I'd recommend looking at isakmpd(8), as key exchange is what
it's designed to do. There are, unfortunately, no example isakmpd.conf
files under /usr/share/ipsec, but the manual page (isakmpd.conf(5))
should give you enough hints. If not, I can mail you an example file.

Good luck, 
  Håkan

--
Håkan Olsson <ho@crt.se>        (+46) 708 437 337     Carlstedt Research
Unix, Networking, Security      (+46) 31 701 4200        & Technology AB
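The following is an added example, not a script from this thread or from OpenBSD, that folds the reply's fixes into one vpn-connect: both ESP SAs (one per direction, with the SPIs swapped on the peer) plus the outgoing flow. The ipsecadm invocations mirror the ones quoted above (OpenBSD 2.6-era syntax; later releases replaced ipsecadm with ipsecctl(8)), the host addresses and key strings in the test are constructed, and the run/DRY_RUN wrapper and the sa_count helper are this example's own additions so the command set can be inspected without root or a kernel that has ipsecadm.

```shell
#!/bin/sh
# Added example: a vpn-connect that installs the SA pair described in the
# reply. ipsecadm syntax is copied from the thread; DRY_RUN=1 prints the
# commands instead of executing them.

# run: execute a command, or just echo it when DRY_RUN is set
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# vpn_connect LOCAL PEER KEY AUTHKEY SPI_OUT SPI_IN
#   SPI_OUT: SPI of the SA protecting LOCAL -> PEER (the one we encrypt with)
#   SPI_IN:  SPI of the SA protecting PEER -> LOCAL (the one we decrypt with)
# The peer runs the same function with LOCAL/PEER and SPI_OUT/SPI_IN swapped
# and the same KEY/AUTHKEY, so each host has both halves of the pair.
vpn_connect() {
    if [ $# -ne 6 ]; then
        echo "usage: vpn_connect local peer key authkey spi_out spi_in" >&2
        return 1
    fi
    local_host=$1 peer_host=$2 key=$3 authkey=$4 spi_out=$5 spi_in=$6

    # An SA is identified by (dst, spi); the two directions must not collide.
    if [ "$spi_out" = "$spi_in" ]; then
        echo "spi_out and spi_in must differ" >&2
        return 1
    fi

    run sysctl -w net.inet.esp.enable=1
    run sysctl -w net.inet.ah.enable=1

    # Outgoing SA: local -> peer (what the original script already did)
    run ipsecadm new esp -spi "$spi_out" -src "$local_host" -dst "$peer_host" \
        -forcetunnel -enc blf -auth sha1 -key "$key" -authkey "$authkey"

    # Incoming SA: peer -> local. Without it the peer's ESP packets cannot be
    # decrypted here, which is why the ssh session dropped in the thread.
    run ipsecadm new esp -spi "$spi_in" -src "$peer_host" -dst "$local_host" \
        -forcetunnel -enc blf -auth sha1 -key "$key" -authkey "$authkey"

    # Outgoing flow: route local -> peer traffic through the outgoing SA
    run ipsecadm flow -proto esp -dst "$peer_host" -spi "$spi_out" \
        -addr "$local_host" 255.255.255.255 "$peer_host" 255.255.255.255
}

# sa_count: number of SAs a vpn_connect call would install (expect 2).
sa_count() {
    ( DRY_RUN=1; vpn_connect "$@" ) | grep -c 'ipsecadm new esp'
}
```

Run it as `vpn_connect 10.1.1.10 10.1.1.11 $KEY $AUTHKEY 1000 1001` on the first host and `vpn_connect 10.1.1.11 10.1.1.10 $KEY $AUTHKEY 1001 1000` on the second. As in the thread, both directions share one cipher key and one auth key, and the keys travel on the ssh command line, where they are visible to `ps` on both ends; isakmpd(8), as the reply suggests, negotiates per-direction keys and avoids both issues.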
