Discussion:
isakmpd ignoring contents of /etc/ipsec.conf
Bernd
2017-12-06 14:57:49 UTC
Permalink
Hi @misc,

I'm trying to set up a site-to-site IPSec tunnel. I'm using vanilla
OpenBSD 6.2 amd64 (dmesg below).

My /etc/ipsec.conf looks like this:

ike esp from any to any peer x.y.z.0/27 \
main auth hmac-sha2-256 enc aes-256 group modp2048 \
psk "myverygoodsecretPSK"

(As can be seen, I want the settings to be applied to a /27 network,
from where the tunnel initiation is sent out of. I also tried to use a
fixed, single IP address, i.e. x.y.z.23, and tried to fire up IPSec from
there – it also failed.)

isakmpd is being started as described in ipsec.conf(5) et al: ``-K'' set
as its flag(s) in /etc/rc.conf.local

However, it seems to ignore the settings made in ipsec.conf (without
complaining about them, though):

Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
HASH_ALGORITHM: got MD5, expected SHA
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
HASH_ALGORITHM: got MD5, expected SHA
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
HASH_ALGORITHM: got SHA2_256, expected SHA
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
GROUP_DESCRIPTION: got MODP_768, expected MODP_1024
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
HASH_ALGORITHM: got SHA2_256, expected SHA
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable:
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: message_negotiate_sa: no
compatible proposal found
Dec 1 14:01:20 myhostname isakmpd[55480]: dropped message from x.y.z.1
port 500 due to notification type NO_PROPOSAL_CHOSEN

For example, ENCRYPTION_ALGORITHM is clearly not what was set in
/etc/ipsec.conf, but rather a default. Same applies to GROUP_DESCRIPTION
and HASH_ALGORITHM.

As a result, the IPSec tunnel can not be established. What did I
overlook here?

Thanks in advance for any hints.

Best

Bernd
Jeremie Courreges-Anglas
2017-12-06 17:26:22 UTC
Permalink
Post by Bernd
I'm trying to set up a site-to-site IPSec tunnel. I'm using vanilla
OpenBSD 6.2 amd64 (dmesg below).
ike esp from any to any peer x.y.z.0/27 \
main auth hmac-sha2-256 enc aes-256 group modp2048 \
psk "myverygoodsecretPSK"
(As can be seen, I want the settings to be applied to a /27 network,
from where the tunnel initiation is sent out of. I also tried to use
a fixed, single IP address, i.e. x.y.z.23, and tried to fire up IPSec
from there – it also failed.)
isakmpd is being started as described in ipsec.conf(5) et al: ``-K'' set
as its flag(s) in /etc/rc.conf.local
However, it seems to ignore the settings made in ipsec.conf (without
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
HASH_ALGORITHM: got MD5, expected SHA
AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
HASH_ALGORITHM: got MD5, expected SHA
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
HASH_ALGORITHM: got SHA2_256, expected SHA
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
GROUP_DESCRIPTION: got MODP_768, expected MODP_1024
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
HASH_ALGORITHM: got SHA2_256, expected SHA
GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: message_negotiate_sa: no
compatible proposal found
Dec 1 14:01:20 myhostname isakmpd[55480]: dropped message from x.y.z.1
port 500 due to notification type NO_PROPOSAL_CHOSEN
For example, ENCRYPTION_ALGORITHM is clearly not what was set in
/etc/ipsec.conf, but rather a default. Same applies to GROUP_DESCRIPTION
and HASH_ALGORITHM.
As a result, the IPSec tunnel can not be established. What did
I overlook here?
Looks like ipsec.conf(5) was not loaded, see the manpage, paragraph 4 of
DESCRIPTION.
--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
Bernd
2017-12-07 09:39:55 UTC
Permalink
Post by Jeremie Courreges-Anglas
Post by Bernd
I'm trying to set up a site-to-site IPSec tunnel. I'm using vanilla
OpenBSD 6.2 amd64 (dmesg below).
ike esp from any to any peer x.y.z.0/27 \
main auth hmac-sha2-256 enc aes-256 group modp2048 \
psk "myverygoodsecretPSK"
(As can be seen, I want the settings to be applied to a /27 network,
from where the tunnel initiation is sent out of. I also tried to use
a fixed, single IP address, i.e. x.y.z.23, and tried to fire up IPSec
from there – it also failed.)
isakmpd is being started as described in ipsec.conf(5) et al: ``-K'' set
as its flag(s) in /etc/rc.conf.local
However, it seems to ignore the settings made in ipsec.conf (without
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
HASH_ALGORITHM: got MD5, expected SHA
AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
HASH_ALGORITHM: got MD5, expected SHA
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
HASH_ALGORITHM: got SHA2_256, expected SHA
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
GROUP_DESCRIPTION: got MODP_768, expected MODP_1024
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
HASH_ALGORITHM: got SHA2_256, expected SHA
GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: message_negotiate_sa: no
compatible proposal found
Dec 1 14:01:20 myhostname isakmpd[55480]: dropped message from x.y.z.1
port 500 due to notification type NO_PROPOSAL_CHOSEN
For example, ENCRYPTION_ALGORITHM is clearly not what was set in
/etc/ipsec.conf, but rather a default. Same applies to
GROUP_DESCRIPTION
and HASH_ALGORITHM.
As a result, the IPSec tunnel can not be established. What did
I overlook here?
Looks like ipsec.conf(5) was not loaded, see the manpage, paragraph 4 of
DESCRIPTION.
Hi,

ipsec=YES is set in rc.conf.local:

# cat /etc/rc.conf.local
isakmpd_flags="-K"
ipsec=YES # IPsec

# sysctl -a | grep ipsec
net.inet.ip.ipsec-expire-acquire=30
net.inet.ip.ipsec-invalid-life=60
net.inet.ip.ipsec-pfs=1
net.inet.ip.ipsec-soft-allocs=0
net.inet.ip.ipsec-allocs=0
net.inet.ip.ipsec-soft-bytes=0
net.inet.ip.ipsec-bytes=0
net.inet.ip.ipsec-timeout=86400
net.inet.ip.ipsec-soft-timeout=80000
net.inet.ip.ipsec-soft-firstuse=3600
net.inet.ip.ipsec-firstuse=7200
net.inet.ip.ipsec-enc-alg=aes
net.inet.ip.ipsec-auth-alg=hmac-sha1
net.inet.ip.ipsec-comp-alg=deflate

Best

Bernd
Jeremie Courreges-Anglas
2017-12-07 12:34:44 UTC
Permalink
[...]
Post by Bernd
Post by Jeremie Courreges-Anglas
Post by Bernd
As a result, the IPSec tunnel can not be established. What did
I overlook here?
Looks like ipsec.conf(5) was not loaded, see the manpage, paragraph 4 of
DESCRIPTION.
Hi,
# cat /etc/rc.conf.local
isakmpd_flags="-K"
ipsec=YES # IPsec
OK, then let's go back to your config: did you test it for validity?

ritchie ~$ cat /tmp/ipsec.conf
ike esp from any to any peer 192.0.2.1/27 \
main auth hmac-sha2-256 enc aes-256 group modp2048 \
psk "myverygoodsecretPSK"
ritchie ~$ ipsecctl -nvf /tmp/ipsec.conf
/tmp/ipsec.conf: 1: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded
ritchie ~$

Drop the /27 and ipsecctl(8) is happy. It seems weird to specify
a netmask as a "peer", maybe you should reconsider what you're using
"peer" for.
--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
Bernd
2017-12-07 12:50:03 UTC
Permalink
Post by Jeremie Courreges-Anglas
[...]
Post by Bernd
Post by Jeremie Courreges-Anglas
Post by Bernd
As a result, the IPSec tunnel can not be established. What did
I overlook here?
Looks like ipsec.conf(5) was not loaded, see the manpage, paragraph 4 of
DESCRIPTION.
Hi,
# cat /etc/rc.conf.local
isakmpd_flags="-K"
ipsec=YES # IPsec
OK, then let's go back to your config: did you test it for validity?
ritchie ~$ cat /tmp/ipsec.conf
ike esp from any to any peer 192.0.2.1/27 \
main auth hmac-sha2-256 enc aes-256 group modp2048 \
psk "myverygoodsecretPSK"
ritchie ~$ ipsecctl -nvf /tmp/ipsec.conf
/tmp/ipsec.conf: 1: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded
ritchie ~$
Drop the /27 and ipsecctl(8) is happy. It seems weird to specify
a netmask as a "peer", maybe you should reconsider what you're using
"peer" for.
Yes, thanks, it was indeed the netmask. Tunnel was up and running.
However, in the meanwhile our customer forced us – "due to legal
reasons" – to use Cisco equipment.

Thanks

Bernd

Loading...