isakmpd: ESP + AH tunnel in OpenBSD
Goh Choon Lye  
Newsgroups: comp.unix.bsd.openbsd.misc
From: "Goh Choon Lye" <cl...@willowglen.com.sg>
Date: 27 Apr 2006 00:49:23 -0700
Local: Thurs, Apr 27 2006 5:49 pm
Subject: isakmpd: ESP + AH tunnel in OpenBSD
Hi,

  I am trying to set up IPsec with ESP + tunnel AH host-to-host in
OpenBSD, but fail to do so. The two hosts are the PCs openbsd1 and openbsd15.
openbsd1: 192.3.20.238
openbsd15: 192.3.40.55

When I ping from openbsd1 to openbsd15, there is no reply from
openbsd1; the packet from openbsd1 to openbsd15 sniffed with Ethereal is
[IP | AH | IP | ESP | data ]

When I ping from openbsd15 to openbsd1, there is a reply from openbsd1 as
shown by the Ethereal software, but the ping command doesn't print any reply packet.
Ethereal sniff:

From openbsd15: [IP | ESP | data ]
From openbsd1: [IP | AH | IP | ESP | data ]

  Can I have ESP + tunnel AH in a host-to-host setup?

My configuration files are the following:
[In openbsd1, isakmpd.policy file:]
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
        $OpenBSD: policy,v 1.4 2000/01/26 15:20:40 niklas Exp $
        $EOM: policy,v 1.5 2000/01/26 14:03:07 niklas Exp $
Authorizer: "POLICY"
Licensees: "passphrase:mekmitasdigoat"
Conditions: app_domain == "IPsec policy" -> "true";

[In openbsd1, isakmpd.conf file:]
#       $OpenBSD: singlehost-west.conf,v 1.8 2000/05/03 13:37:33 niklas Exp $
#       $EOM: singlehost-west.conf,v 1.8 2000/05/03 13:25:25 niklas Exp $

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.

[Phase 1]
192.3.40.55 =           ISAKMP-peer-open15

[Phase 2]
Connections=            IPsec-open15

[ISAKMP-peer-open15]
Phase=                  1
Transport=              udp
Address=                192.3.40.55
Configuration=          Default-main-mode
Authentication=         mekmitasdigoat

[IPsec-open15]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-open15
Configuration=          Default-quick-mode
Local-ID=               Net-open1
Remote-ID=              Net-open15

[Net-open1]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.3.20.238
Netmask=                255.255.255.255

[Net-open15]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.3.40.55
Netmask=                255.255.255.255

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-MD5

[3DES-SHA]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_3600_SECS

[3DES-MD5]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         MD5
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_3600_SECS

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
#Suites=                 QM-ESP-3DES-SHA-SUITE
#Suites=                 QM-ESP-3DES-MD5-SUITE
#Suites=                         QM-AH-MD5-ESP-DES-SUITE
Suites=                 QM-ESP-3DES-MD5-AH-MD5-SUITE

# Quick mode protection suites
##############################
# 3DES
# [QM-AH-MD5-ESP-3DES-MD5-SUITE]
[QM-ESP-3DES-MD5-AH-MD5-SUITE]
Protocols=              QM-ESP-3DES-MD5,QM-AH-MD5

# Quick mode protocols
#############################
# 3DES
[QM-ESP-3DES-MD5]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-3DES-MD5-XF

# AH
[QM-AH-MD5]
PROTOCOL_ID=            IPSEC_AH
Transforms=             QM-AH-MD5-XF

# Quick mode transforms
#############################
# 3DES
[QM-ESP-3DES-MD5-XF]
TRANSFORM_ID=                   3DES
ENCAPSULATION_MODE=             TRANSPORT
AUTHENTICATION_ALGORITHM=       HMAC_MD5
GROUP_DESCRIPTION=      MODP_1024
Life=                           LIFE_3600_SECS

# AH Transform
[QM-AH-MD5-XF]
TRANSFORM_ID=                   MD5
ENCAPSULATION_MODE=             TRANSPORT
AUTHENTICATION_ALGORITHM=       HMAC_MD5
GROUP_DESCRIPTION=      MODP_1024
Life=                           LIFE_3600_SECS

[LIFE_3600_SECS]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          3600,1800:7200

[In openbsd15, isakmpd.policy file:]
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
        $OpenBSD: policy,v 1.4 2000/01/26 15:20:40 niklas Exp $
        $EOM: policy,v 1.5 2000/01/26 14:03:07 niklas Exp $
Authorizer: "POLICY"
Licensees: "passphrase:mekmitasdigoat"
Conditions: app_domain == "IPsec policy" -> true;

[In openbsd15, isakmpd.conf file:]
#       $OpenBSD: singlehost-west.conf,v 1.8 2000/05/03 13:37:33 niklas Exp $
#       $EOM: singlehost-west.conf,v 1.8 2000/05/03 13:25:25 niklas Exp $

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.

[Phase 1]
192.3.20.238=           ISAKMP-open1

[Phase 2]
Connections=            IPsec-svr-open1

[ISAKMP-open1]
Phase=                  1
Transport=              udp
Address=                192.3.20.238
Configuration=          Default-main-mode
Authentication=         mekmitasdigoat

[IPsec-svr-open1]
Phase=                  2
ISAKMP-peer=            ISAKMP-rtu2
Configuration=          Default-quick-mode
Local-ID=               Net-open15
Remote-ID=              Net-open1

[Net-open15]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.3.40.55
Netmask=                255.255.255.255

[Net-open1]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.3.20.238
Netmask=                255.255.255.255

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-MD5

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-MD5-AH-MD5-SUITE

[3DES-MD5]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         MD5
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_3600_SECS

# Quick mode protection suites
##############################
# ESP
# ESP + AH
# Work 1
#[QM-AH-MD5-ESP-3DES-MD5-SUITE]
[QM-ESP-3DES-MD5-AH-MD5-SUITE]
Protocols=              QM-ESP-3DES-MD5,QM-AH-MD5

# Quick mode protocols
#############################
# 3DES-SHA
[QM-ESP-3DES-MD5]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-3DES-MD5-XF

# AH
[QM-AH-MD5]
PROTOCOL_ID=            IPSEC_AH
Transforms=             QM-AH-MD5-XF

# Quick mode transforms
#############################
# 3DES
[QM-ESP-3DES-MD5-XF]
TRANSFORM_ID=                   3DES
ENCAPSULATION_MODE=             TUNNEL
AUTHENTICATION_ALGORITHM=       HMAC_MD5
GROUP_DESCRIPTION=      MODP_1024
Life=                           LIFE_3600_SECS

# AH Transform
[QM-AH-MD5-XF]
TRANSFORM_ID=                   MD5
ENCAPSULATION_MODE=             TUNNEL
AUTHENTICATION_ALGORITHM=       HMAC_MD5
GROUP_DESCRIPTION=      MODP_1024
Life=                           LIFE_3600_SECS

[LIFE_3600_SECS]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          3600,1800:7200
