Thread: IPSec Road Warriors

IPSec Road Warriors
Georg Buschbeck (Germany)
2007-07-03 08:33:08
Hi,

we are running an OpenBSD 4.0 firewall/VPN cluster (CARP).
One of my colleagues connects with a DrayTek 2700 router to the Internet,
and this router is establishing an IPSec tunnel to our firewall cluster.
The tunnel is stable, besides the 24-hour disconnect. The IP of the DrayTek
changes, and the tunnel isn't set up again.

my ipsec.conf:

--snip--
ike dynamic esp from 10.0.0.0/24 to 10.1.1.0/24 local <myip> peer myhost.ath.cx \
         main auth hmac-sha1 enc 3des group modp1024 \
         quick auth hmac-sha1 enc aes \
         srcid myID dstid hisID \
         psk abcdefg
--snap--

The manual page says "dynamic for roadwarriors".
The error message on my VPN endpoint is:

--snip--
Jul  3 09:09:25 bonnie isakmpd[24104]: dropped message from 84.186.179.171 port 500 due to notification type NO_PROPOSAL_CHOSEN
--snap--

After flushing and reloading /etc/ipsec.conf, the connection is established.

Any ideas what I can do?

Thx!



Kind regards,

Georg Buschbeck
Information Technology

THOMAS DAILY GmbH
Adlerstraße 19
79098 Freiburg
Deutschland
T  + 49 761 3 85 59 170
F  + 49 761 3 85 59 550
E  georg.buschbeckthomas-daily.de
www.thomas-daily.de

Geschäftsführer/Managing Directors:
Wendy Thomas, Susanne Larbig
Handelsregister Freiburg i.Br., HRB 3947


Re: IPSec Road Warriors
Georg Buschbeck (Germany)
2007-07-04 03:36:13
Hi,


--snip--
> From: Stuart Henderson <stuspacehopper.org>
> On 2007/07/03 15:33, Georg Buschbeck wrote:

> sounds like it may need DPD, is this an option on the draytek?
--snap--


--snip--
> From: "Warren J. Beckett" <warrena-generic.com>

> Does the draytek realise the VPN is down after the IP change?
>
> I think you may want to try enabling on the OBSD side, Dead Peer
> Detection, if not done so already. No idea how this is done on the
> Draytek side but I think the draytek 2700 does support it.
>
> Hope that helps,
>
> Warren.
--snap--


Hi, I think it does so, because in most cases this happens when the
DrayTek is switched on and the DrayTek tries to establish the connection.

My suggestion is that the OpenBSD box doesn't resolve the new IP of the
DrayTek; in the logfiles I can see the OpenBSD system trying to
reestablish the connection to the old IP of the DrayTek.

The DynDNS name of the DrayTek does not have a correct reverse lookup.


Thanks ...

Georg


Re: IPSec Road Warriors
Stuart Henderson
2007-07-04 04:14:29
On 2007/07/04 10:36, Georg Buschbeck wrote:
>
> my suggestion is, that the openbsd box, doesn't resolve the new ip of the
> draytek, in the logfiles i can see the openbsd systems trying to reestablish
> the connection to the old ip of the draytek.

That's not how DPD works, it should just pull down the SA when it can't
contact the other side. This would happen at both sides, the dynamic side
would see the SA is down, then try and reconnect when it gets another
packet that should traverse the vpn.

The static side (i.e. OpenBSD) should be configured passive without
listing the peer address, something like this:

ike passive esp \
        from 192.168.64.0/21 to any \
        main auth hmac-sha1 enc aes group grp2 \
        quick auth hmac-sha1 enc aes group grp2 \
        tag ipsec-$id

("to any" is magic). If you use PSK rather than
public-key, specify
it here (same psk for all dynamic endpoints).

> the dyndns-name of the draytek does not have a correct reverse lookup.

You don't need dyndns for this (though it may be useful for other
things).


Re: IPSec Road Warriors
Georg Buschbeck (Germany)
2007-07-05 09:39:08
Hi Stuart,

> That's not how DPD works, it should just pull down the SA when it can't
> contact the other side. This would happen at both sides, the dynamic side
> would see the SA is down, then try and reconnect when it gets another
> packet that should traverse the vpn.
>
> The static side (i.e. OpenBSD) should be configured passive without
> listing the peer address, something like this:

Okay - this was the main thing I was wrong about ... :/

> ike passive esp \
>         from 192.168.64.0/21 to any \
>         main auth hmac-sha1 enc aes group grp2 \
>         quick auth hmac-sha1 enc aes group grp2 \
>         tag ipsec-$id


"to any" didn't work with the DrayTek Vigor 2700, but this did work:

ike passive esp from 192.168.0.0/16 to 192.168.XX.0/24 local my-address peer hishost.ath.cx \
         main auth hmac-sha1 enc 3des group modp1024 \
         quick auth hmac-sha1 enc aes \
         srcid myID dstid hisID \
         psk 12345

Sometimes it works without the "peer hishost.ath.cx", sometimes not:

--snip--
Jul  5 16:31:15 openbsd isakmpd[11169]: dropped message from 84.186.224.71 port 500 due to notification type INVALID_PAYLOAD_TYPE
Jul  5 16:31:20 openbsd isakmpd[11169]: message_parse_payloads: reserved field non-zero: 6f
Jul  5 16:31:20 openbsd isakmpd[11169]: dropped message from 84.186.224.71 port 500 due to notification type PAYLOAD_MALFORMED
Jul  5 16:31:23 openbsd isakmpd[11169]: message_parse_payloads: reserved field non-zero: 6f
--snap--

Is this a bug in the Vigor's IPSec stack?



> ("to any" is magic). If you use PSK rather than public-key, specify
> it here (same psk for all dynamic endpoints).
>
>> the dyndns-name of the draytek does not have a correct reverse lookup.
>
> You don't need dyndns for this (though it may be useful for other
> things).
>


Yours,

Georg Buschbeck
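The isakmpd messages quoted in this thread (NO_PROPOSAL_CHOSEN in the first post, INVALID_PAYLOAD_TYPE / PAYLOAD_MALFORMED and "reserved field non-zero" in the last) are the usual first evidence that a road-warrior tunnel is failing to renegotiate. The script below is an added example, not code from the thread or from OpenBSD: it parses those log line shapes, counts notification types per peer address, and attaches a troubleshooting hint to each. The hint table is this editor's heuristic summary (a NO_PROPOSAL_CHOSEN usually means the main/quick proposals differ between the peers; malformed-payload notifications after an encrypted exchange are commonly a pre-shared key mismatch or an incompatible IKE stack), and the sample log is the thread's own lines plus one constructed unrelated sshd line to show that noise is ignored.

```python
import re
from collections import Counter, defaultdict

# Two isakmpd log shapes that appear in this thread.
DROPPED_RE = re.compile(
    r"isakmpd\[\d+\]: dropped message from (?P<peer>\S+) port (?P<port>\d+) "
    r"due to notification type (?P<notify>[A-Z_]+)"
)
PARSE_RE = re.compile(r"isakmpd\[\d+\]: message_parse_payloads: (?P<reason>.+)$")

# Hints per IKEv1 notification type. These are the editor's troubleshooting
# heuristics (assumptions), not text produced by isakmpd itself.
HINTS = {
    "NO_PROPOSAL_CHOSEN": "phase 1/2 proposal mismatch: compare main/quick "
                          "auth, enc and group on both peers",
    "PAYLOAD_MALFORMED": "peer's message did not parse after decryption: "
                         "commonly a pre-shared key mismatch or an "
                         "incompatible IKE implementation",
    "INVALID_PAYLOAD_TYPE": "same family as PAYLOAD_MALFORMED: verify the "
                            "pre-shared key on both sides first",
}


def parse_line(line):
    """Classify one syslog line.

    Returns ("dropped", peer, notification), ("parse_error", None, reason)
    or None for lines that are not isakmpd drop/parse messages.
    """
    m = DROPPED_RE.search(line)
    if m:
        return ("dropped", m.group("peer"), m.group("notify"))
    m = PARSE_RE.search(line)
    if m:
        return ("parse_error", None, m.group("reason"))
    return None


def summarize(lines):
    """Count notification types per peer and unattributed parse errors."""
    per_peer = defaultdict(Counter)
    parse_errors = Counter()
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # unrelated daemon or message shape
        kind, peer, detail = event
        if kind == "dropped":
            per_peer[peer][detail] += 1
        else:
            parse_errors[detail] += 1
    return {"per_peer": dict(per_peer), "parse_errors": parse_errors}


def report(summary):
    """Render one line per (peer, notification) and per parse-error reason."""
    out = []
    for peer, counts in sorted(summary["per_peer"].items()):
        for notify, n in counts.most_common():
            hint = HINTS.get(notify, "no hint for this notification type")
            out.append(f"{peer}: {notify} x{n} -> {hint}")
    for reason, n in summary["parse_errors"].most_common():
        out.append(f"(unattributed) message_parse_payloads: {reason} x{n}")
    return out


# Sample input: the log lines quoted in this thread, plus one constructed
# sshd line (192.0.2.10 is a documentation address) to show noise is skipped.
SAMPLE_LOG = """\
Jul  3 09:09:25 bonnie isakmpd[24104]: dropped message from 84.186.179.171 port 500 due to notification type NO_PROPOSAL_CHOSEN
Jul  5 16:31:15 openbsd isakmpd[11169]: dropped message from 84.186.224.71 port 500 due to notification type INVALID_PAYLOAD_TYPE
Jul  5 16:31:20 openbsd isakmpd[11169]: message_parse_payloads: reserved field non-zero: 6f
Jul  5 16:31:20 openbsd isakmpd[11169]: dropped message from 84.186.224.71 port 500 due to notification type PAYLOAD_MALFORMED
Jul  5 16:31:23 openbsd isakmpd[11169]: message_parse_payloads: reserved field non-zero: 6f
Jul  5 16:31:30 openbsd sshd[4711]: Accepted publickey for root from 192.0.2.10 port 51234 ssh2
""".splitlines()


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```

Run it against `/var/log/daemon` (or wherever syslog sends isakmpd on the box in question) instead of `SAMPLE_LOG` to see which peer addresses are failing and with which notification; a peer address that changes between runs while the notifications stay the same is exactly the DynDNS/dynamic-IP situation discussed above.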

