OpenBSD + IPNAT + VPN - HELP!....

Jurgen Kobierczynski plug-discuss@lists.PLUG.phoenix.az.us
Mon, 30 Jul 2001 19:38:12 +0200


No, the IPsec stack of OpenBSD adds a virtual interface "enc0" or
similar, where you can configure your rules for your VPN connection as
if these connections were not encrypted, so you can define separate rules on
these VPN connections. Check "ifconfig -A"; it should list this interface.
If not, check out the kernel compile options / sysctl flags, I think I've seen these
listed somewhere. I did by accident try a Nortel VPN connection a month
ago, and this user/password authentication "draft" extension makes
configuring indeed worse :(
   
Jurgen

-----Original Message-----
From: Furmanek, Greg
To: 'Jurgen Kobierczynski'; Furmanek, Greg; PLUG (E-mail); IP Filter Mail
List (E-mail); 'misc@openbsd.org'
Sent: 7/30/01 5:56 PM
Subject: RE: OpenBSD + IPNAT + VPN - HELP!....

How can I configure "simple redirection"?


How can I configure the virtual interface "enc0"?
(I just hope you are not suggesting connecting
OpenBSD to the Nortel tunnel.  The network guys will not
configure the Nortel to allow anything but the
Nortel client - "kind of proprietary authentication"
to log in.)

I was considering converting my firewall to Linux/iptables
but first I want to see if there is a way of configuring
ipf.  BTW I kind of like the ease of configuring
ipf.  (I have not tried iptables, but ipchains was kind
of confusing).

> -----Original Message-----
> From: Jurgen Kobierczynski [mailto:JKobierczynski@sdlintl.com]
> Sent: Monday, July 30, 2001 8:40 AM
> To: 'Furmanek, Greg'; PLUG (E-mail); IP Filter Mail List (E-mail);
> 'misc@openbsd.org'
> Subject: RE: OpenBSD + IPNAT + VPN - HELP!....
> 
> 
> There is no NAT support for the ESP packets as far as I know.
> IPsec was not designed for use within NAT/masquerading, but I know that Linux
> iptables has a VPN-masquerading feature; check "VPN-Masquerading for Linux"
> for more details on these issues with VPN masquerading. There is the problem
> that the SPI assignment to hosts is encrypted, so the firewall can only
> assign these connections as best as possible by "capturing" the creation of
> each connection. Also key renewal changes SPI numbers, so it won't work
> perfectly.
> 
> But this isn't possible in IPF (yet?), as far as I know, though a simple
> redirection of the ESP packets to one particular host should be possible.
> (Not tried yet, btw)
> 
> Also, I know from my latest setup that there was a virtual 
> interface "enc0"
> defined, and that I had to define rules for it.
> 
> Jurgen
> 
> -----Original Message-----
> From: Furmanek, Greg [mailto:Greg.Furmanek@hit.cendant.com]
> Sent: maandag 30 juli 2001 16:46
> To: PLUG (E-mail); IP Filter Mail List (E-mail); 'misc@openbsd.org'
> Subject: RE: OpenBSD + IPNAT + VPN - HELP!....
> 
> 
> Can anyone help with this one?
> 
> I have looked online for some info but
> it seems that everything I have tried did not
> work.
> 
> Why is "esp" not forwarded?
> 
> Any suggestions would be appreciated.
> 
> Greg
> 
> 
> > -----Original Message-----
> > From: Greg [mailto:codewolf@earthlink.net]
> > Sent: Saturday, July 28, 2001 4:55 PM
> > To: misc@openbsd.org
> > Subject: Fw: OpenBSD + IPNAT + VPN - HELP!....
> > 
> > 
> > Hi everyone....
> > 
> > I am trying to set up a VPN connection from Windows (Nortel Client) through
> > OpenBSD (NAT/IPF) to Nortel.
> > 
> > It seems that I get ISAKMP to negotiate just fine but
> > when it comes to the tunnel it is a different story:
> > 
> > This is my setup:
> > 
> > | WIN  Client |-----------|Open  BSD |-----------| Nortel |
> > 
> > 
> > xl0 - external
> > xl1 - internal
> > x.x.x.x - Nortel
> > y.y.y.y  - ip on xl0
> > z.z.z.z - ip on host with the client
> > k.k.k.k - ip on xl1 - gateway
> > ipf.rules
> > =========
> > # for esp protocol - I have not specified the protocol since I allow all
> > # from this specific host
> > pass in quick on xl0 from x.x.x.x/32 to y.y.y.y/32
> > pass out quick on xl0 from y.y.y.y/32 to x.x.x.x/32
> > pass in quick on xl1 from any to x.x.x.x/32
> > pass out quick on xl1 from x.x.x.x/32 to any
> > 
> > #---------------------      UDP ISAKMP KEY NEGOTIATION    ----------------------
> > pass in quick on xl1 proto udp from z.z.z.z port = 500 to x.x.x.x/32 port = 500 keep state
> > 
> > ipnat.rules
> > ===========
> > bimap xl0 y.y.y.y/32 -> x.x.x.x/32
> > 
> > External Interface TCPDUMP
> > 07:43:27.549341 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange INFO
> > cookie: 706c21ba7b23ffee->bc913c8656d13c01 msgid: 00000000 len: 40
> > 07:43:27.550407 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> > cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 324
> > 07:43:27.705309 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange INFO
> > cookie: 706c21ba7b23ffee->285de1c413970480 msgid: 00000000 len: 40
> > 07:43:27.738159 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> > cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 284
> > 07:43:28.193897 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange AGGRESSIVE
> > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 232
> > 07:43:28.229533 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> > encrypted
> > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 52
> > 07:43:28.452708 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange unknown
> > encrypted
> > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 124
> > 07:43:28.453900 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange unknown
> > encrypted
> > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 76
> > 07:43:28.583195 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange QUICK_MODE
> > encrypted
> > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 580
> > 07:43:28.648425 y.y.y.y.500 > x.x.x.x.500: isakmp v1.0 exchange QUICK_MODE
> > encrypted
> > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 292
> > 07:43:28.756717 x.x.x.x.500 > y.y.y.y.500: isakmp v1.0 exchange QUICK_MODE
> > encrypted
> > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 52
> > 
> > 
> > INTERNAL INTERFACE TCPDUMP
> > 07:43:27.463431 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> > cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 316
> > 07:43:27.549484 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange INFO
> > cookie: 706c21ba7b23ffee->bc913c8656d13c01 msgid: 00000000 len: 40
> > 07:43:27.550272 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> > cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 324
> > 07:43:27.705446 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange INFO
> > cookie: 706c21ba7b23ffee->285de1c413970480 msgid: 00000000 len: 40
> > 07:43:27.738025 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> > cookie: 706c21ba7b23ffee->0000000000000000 msgid: 00000000 len: 284
> > 07:43:28.194061 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange AGGRESSIVE
> > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 232
> > 07:43:28.229392 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange AGGRESSIVE
> > encrypted
> > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: 00000000 len: 52
> > 07:43:28.452855 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange unknown
> > encrypted
> > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 124
> > 07:43:28.453769 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange unknown
> > encrypted
> > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: bf12bff5 len: 76
> > 07:43:28.583338 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange QUICK_MODE
> > encrypted
> > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 580
> > 07:43:28.648283 z.z.z.z.500 > x.x.x.x.500: isakmp v1.0 exchange QUICK_MODE
> > encrypted
> > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 292
> > 07:43:28.756855 x.x.x.x.500 > z.z.z.z.500: isakmp v1.0 exchange QUICK_MODE
> > encrypted
> > cookie: 706c21ba7b23ffee->aa6518a779fa28b9 msgid: b4331353 len: 52
> > 
> > 07:43:28.759525 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 1 len 84
> > 07:43:28.759747 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> > 07:43:29.716258 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 2 len 60
> > 07:43:29.716470 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> > 07:43:30.390774 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 3 len 116
> > 07:43:30.391030 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> > 07:43:30.391077 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 4 len 124
> > 07:43:30.391097 esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 5 len 116
> > 07:43:30.391283 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> > 07:43:30.391457 k.k.k.k > z.z.z.z: icmp: host x.x.x.x unreachable
> > 
> 
> 
> "The sender believes that this E-mail and any attachments 
> were free of any
> virus, worm, Trojan horse, and/or malicious code when sent.  
> This message
> and its attachments could have been infected during transmission.  By
> reading the message and opening any attachments, the 
> recipient accepts full
> responsibility for taking protective and remedial action 
> about viruses and
> other defects.  The sender's employer is not liable for any 
> loss or damage
> arising in any way from this message or its attachments."
> 


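Jurgen's point in the quoted reply (an ESP packet carries only an SPI, the inbound SPI is agreed inside the encrypted Quick Mode exchange, and rekeying changes SPIs, so a NAT box can only attribute ESP to internal hosts by watching sessions get created) shown as a small model, added here and not code from any of the posts or from IP Filter: a toy "VPN masquerading" table keyed on (peer, SPI) instead of ports. The addresses are the thread's placeholders; the SPI values, the reply SPIs and the dummy ciphertext are constructed.

```python
"""Model of ESP through a NAT gateway: translation keyed on SPI, not ports.

Added example for the thread above; not code from the original posts and
not a model of IP Filter's real NAT tables. Addresses are the thread's
placeholders; SPI values and payloads are constructed.
"""
import struct


def parse_esp_header(pkt):
    """Return (spi, seq) from an ESP packet (RFC 2406: 4-byte SPI, 4-byte
    sequence number, then ciphertext). There is no port field, which is why
    a port-based NAT has nothing to key on."""
    if len(pkt) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!II", pkt[:8])


def build_esp(spi, seq, payload=b"\x00" * 16):
    """Constructed ESP packet: header plus opaque (here: dummy) ciphertext."""
    return struct.pack("!II", spi, seq) + payload


class SpiNat:
    """Minimal 'VPN masquerading' table for ESP (IP protocol 50).

    Outbound packets register (peer, SPI) -> internal host and leave with the
    gateway's address as source. Inbound packets with a known SPI are mapped
    back. An inbound SPI the gateway has never seen was chosen inside the
    encrypted Quick Mode exchange, so the gateway can only guess: it is
    attributed to the internal host if exactly one host has a session with
    that peer, otherwise the packet is dropped as ambiguous.
    """

    def __init__(self, external_ip):
        self.external_ip = external_ip
        self.out_spi = {}     # (peer, spi) -> internal host
        self.in_spi = {}      # (peer, spi) -> internal host
        self.sessions = {}    # peer -> set of internal hosts
        self.dropped = []     # (peer, spi, candidate hosts)

    def outbound(self, src, dst, pkt):
        spi, _seq = parse_esp_header(pkt)
        self.out_spi[(dst, spi)] = src
        self.sessions.setdefault(dst, set()).add(src)
        # Only the outer IP source changes; the ESP payload is untouched.
        return (self.external_ip, dst, pkt)

    def inbound(self, src, pkt):
        spi, _seq = parse_esp_header(pkt)
        host = self.in_spi.get((src, spi))
        if host is None:
            candidates = self.sessions.get(src, set())
            if len(candidates) != 1:
                self.dropped.append((src, spi, sorted(candidates)))
                return None
            host = next(iter(candidates))
            self.in_spi[(src, spi)] = host   # learned from the first packet
        return (src, host, pkt)


def demo():
    """Walk through the single-client case and the second-client failure."""
    peer = "x.x.x.x"
    nat = SpiNat("y.y.y.y")
    # First client: outbound SPI as in the thread's capture, reply SPI constructed.
    out = nat.outbound("z.z.z.z", peer, build_esp(0x00202AD8, 1))
    first_in = nat.inbound(peer, build_esp(0x1A2B3C4D, 1))
    # Second client to the same peer registers its own outbound SPI fine...
    nat.outbound("z.z.z.2", peer, build_esp(0x00202AE0, 1))
    # ...but a fresh inbound SPI (new session or rekey) cannot be attributed.
    ambiguous = nat.inbound(peer, build_esp(0x5E6F7081, 1))
    # An SPI already learned keeps mapping to the right host.
    known_in = nat.inbound(peer, build_esp(0x1A2B3C4D, 2))
    return {
        "out_src": out[0],
        "first_in": first_in[1],
        "ambiguous": ambiguous,
        "known_in": known_in[1],
        "dropped": len(nat.dropped),
    }


if __name__ == "__main__":
    print(demo())
```

The `esp z.z.z.z > x.x.x.x spi 0x00202AD8 seq 1` lines in the capture are exactly what this model sees: outer addresses and an SPI, nothing else to match on, which is why a single internal client is the only case a plain 1:1 address translation (or the "simple redirection" suggested above) can serve reliably. The general fix adopted later by the IPsec standards was UDP encapsulation of ESP (NAT-Traversal), which gives the gateway ports to translate again; none of the software in this 2001 thread had it.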