Contributed by jose on from the ipsec dept.
"I've been trying to set up a VPN with a friend of mine for a while. We've gone through several docs but we are still unsuccessful. For those who have attempted to set up a VPN between two OpenBSD machines, what experiences have you had? The docs on VPN troubleshooting are pretty slim. Anyone have anything for debugging the setup? How did you test the VPN? Can you test it within a local network?
How did you debug it? I only know how to look at tcpdump. What about the million messages output from isakmpd?
Were there any gotchas or things to look for? Did you have a checklist to make sure you didn't forget anything?"
By David Jobes () djobes@xscanners.org on http://www.xscanners.org
http://www.etla.net/~willey/projects/vpn/
By Anonymous Coward () on
I believe that's the path, but I'm absolutely sure of the file name.
It's a very simple script for manual keying. Create and distribute auth and enc keys (easily made with dd if=/dev/urandom bs=1024k count=1 |sha) and run it. Piece of cake.
IKE is a horribly messy experience.
By kremlyn () on
This was on OpenBSD 3.1
//kremlyn
By Shane J Pearson () on
Are the keys case sensitive? (I'm rushing off to a client, no time to check.) If they are, I like to use this to get alphas that are mixed case...
dd if=/dev/urandom|tr -cd "[:alnum:]"|dd bs=1024 count=1>key.txt
BTW, 1024k is a Meg. Did you mean that?
By Dennis Oelkers () dennisNOSPAM@sgi-powered.de on mailto:dennisNOSPAM@sgi-powered.de
bs=n Set both the input and output block size to n bytes
-> 1024 bytes = 1 kbyte
By Anonymous Coward () on
bs=n Set both the input and output block size to n bytes
-> 1024 bytes = 1 kbyte
Thus, 1024k is 1 megabyte exactly.
From the dd manpage:
Where sizes are specified, a decimal number of bytes is expected. If the number ends with a `b', `k', `m', or `w', the number is multiplied by 512, 1024 (1K), 1048576 (1M), or the number of bytes in an integer, respectively.
1024 x 1024 = 1048576 bytes, or 1 MB.
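A worked version of the manual-keying advice in this thread (the dd | sha recipe and the dd block-size discussion), added here as an example and not taken from any poster: it expands dd's size suffixes, draws an exact number of random bytes, and checks the hex key before it goes into a config. It uses od(1) instead of the BSD-only sha(1) so it runs on any POSIX system; the 24- and 20-byte lengths are the standard 3DES and HMAC-SHA1 key sizes and are my assumption, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): generate manual-keying material of an
# exact byte length, hex-encoded, and double-check it before pasting it into a
# config file.

# dd_bytes SIZE: expand dd(1)'s size suffixes (b=512, k=1024, m=1048576) into a
# byte count. This is what the thread was arguing about: 1024k is 1048576 bytes.
dd_bytes() {
    num=${1%[bkm]}
    case "$1" in
        *b) echo $((num * 512)) ;;
        *k) echo $((num * 1024)) ;;
        *m) echo $((num * 1048576)) ;;
        *)  echo "$num" ;;
    esac
}

# gen_key NBYTES: read exactly NBYTES random bytes and print them as lowercase hex.
# bs=1 count=N guarantees N bytes even if /dev/urandom returns a short read.
gen_key() {
    dd if=/dev/urandom bs=1 count="$1" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# key_ok HEX NBYTES: succeed only if HEX is exactly 2*NBYTES lowercase hex digits,
# i.e. nothing got truncated or mangled on the way into the config.
key_ok() {
    [ ${#1} -eq $(($2 * 2)) ] && [ -z "$(printf '%s' "$1" | tr -d '0-9a-f')" ]
}

# Assumed lengths: 3DES takes a 24-byte enc key, HMAC-SHA1 a 20-byte auth key.
enc=$(gen_key 24)
auth=$(gen_key 20)
key_ok "$enc" 24 && key_ok "$auth" 20 && printf 'enc  %s\nauth %s\n' "$enc" "$auth"
```

Distribute the printed keys over a channel you already trust (ssh, in person); the whole security of manual keying rests on those two strings never travelling in the clear.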
By Anonymous Coward () on
By jaeger () alderon90@hotmail.com on mailto:alderon90@hotmail.com
I have set up OpenBSD gateways for clients with no problems.
To test from one gateway run tcpdump -i etho src host and dst host
examp..
# tcpdump -i etho src host 192.168.0.1 and dst host 216.212.44.1
You should see ESP encrypted traffic.
Also, please include error messages next time.
A million messages from isakmpd does not provide the proper amount of data to assist you in resolving your problem.
jaeger
By kremlyn () on
This is an excellent resource. Absolutely awesome. There's even a mailing list; too good!
Also, FAQ 13 is brilliant..
//kremlyn
By blkwolf () blkwolf@bigfoot.com on mailto:blkwolf@bigfoot.com
It's extremely portable, a ton easier to set up than ipsec etc, and works great on OpenBSD
By littletmix () on
By Jim Swanson () jrswanson1@hotmail.com on mailto:jrswanson1@hotmail.com
By blkwolf () on
That said, OpenVPN has already been ported to Cygwin/Windows and they are working on a tun/tap driver for cygwin so that it will work.
By Zaihan () zaihan@celestgate.com on mailto:zaihan@celestgate.com
By Anonymous Coward () on
By Zaihan () zaihan@celestgate.com on mailto:zaihan@celestgate.com
By Anonymous Coward () on
By Anonymous Coward () on
it says that the KAME code is implemented on OpenBSD 2.7 and above. :)
By Dries Schellekens () on
OpenBSD uses KAME's IPv6 implementation, but has its own IPsec implementation. So it doesn't use the KAME IPsec code.
Read www.openbsd.org/crypto.html
By Håkan Olsson () ho@openbsd.org on mailto:ho@openbsd.org
Testing the VPN is usually as easy as trying to ping something on the other side. tcpdump will show encrypted (assuming ESP is used) packets. For more info - check the FAQ.
Testing a VPN within a local network: yes, that's no problem. IPSec is "simply" another IP layer, so everything you'd expect to work, will work. The exception is NAT.
Debug: the OpenBSD FAQ, ch 13. http://www.allard.nu/openbsd, etc. There are quite a few examples available.
The "million" messages from isakmpd are *debug* messages, since you started it with debugging active. IKE is a (too) complex protocol, there are lots of things to check for. If you do not run with debugging, you'll only see (real) errors.
Useful "full" debugging is '-DA=90', not '-DA=99'.
Gotchas/checklist: Again, the FAQ will help. The manual pages contain examples and all the info you need to set up a working VPN. (Did you check vpn(8)?)
Also check /usr/share/ipsec/isakmpd/ for some sample files. (For example, with the VPN-3way-template.conf you should have a VPN running in 15-20m or so...)
/H
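Both jaeger's and Håkan's advice comes down to "watch tcpdump for ESP". The check below is an added example (not code from either poster or from OpenBSD) that turns that into something scriptable: it reads tcpdump output and reports whether ESP was seen in both directions between the two gateways, since a one-way stream is the usual picture when one peer has the wrong key or flow and silently drops what it receives. The sample lines are constructed here and follow the "time esp SRC > DST spi 0x... seq N len N" shape tcpdump prints for ESP; if your tcpdump's wording differs, adjust the field positions in the awk filter.

```shell
#!/bin/sh
# Added example, not from the thread: confirm that ESP flows in BOTH directions
# between the tunnel gateways. Feed it "tcpdump -n -i <if> esp" output; the
# lines below are constructed sample input in the same shape.

SAMPLE='13:01:02.100001 esp 192.0.2.1 > 198.51.100.1 spi 0x0f3b6a12 seq 1 len 116
13:01:02.100450 esp 198.51.100.1 > 192.0.2.1 spi 0x21c4ff90 seq 1 len 116
13:01:03.100002 esp 192.0.2.1 > 198.51.100.1 spi 0x0f3b6a12 seq 2 len 116
13:01:03.200003 IP 192.0.2.1.500 > 198.51.100.1.500: isakmp: phase 1 I ident'

# esp_directions: read tcpdump lines on stdin, keep only ESP, and print one
# "SRC>DST count" line per direction seen. Non-ESP lines (IKE on UDP 500,
# cleartext traffic that should have been encrypted) are ignored here.
esp_directions() {
    awk '$2 == "esp" && $4 == ">" { n[$3 ">" $5]++ }
         END { for (d in n) print d, n[d] }' | sort
}

# esp_bidirectional A B: succeed only if ESP was seen both A->B and B->A.
esp_bidirectional() {
    dirs=$(esp_directions)
    printf '%s\n' "$dirs" | grep -q "^$1>$2 " &&
        printf '%s\n' "$dirs" | grep -q "^$2>$1 "
}

printf '%s\n' "$SAMPLE" | esp_directions
if printf '%s\n' "$SAMPLE" | esp_bidirectional 192.0.2.1 198.51.100.1; then
    echo "ESP flows both ways between the gateways"
else
    echo "ESP is one-way: check keys and flows on the side that stays silent"
fi
```

Run it on each gateway while pinging across: if the initiator shows ESP going out but the check never turns bidirectional, the far side is the place to look, and that is where -DA=90 output from isakmpd (rather than -DA=99) becomes readable.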
By Justin () on
To the original poster: you should add a few more details on what problems you are having. What docs have you read? What keying method are you trying? Are you using NAT? Are you using ESP, AH or both? Re-read the OpenBSD FAQ, of course.
g'luck
By Vig () on
FAQ 13 on www.openbsd.org (specifically section 13.10) has info on troubleshooting the link.
-Vig
By ArSa () on
the only tricky part is generating keys, for that you have to read vpn faq on openbsd.org , not an easy read...
however, that is "static" vpn, what about VPN where you can issue certificates to clients like PGPNet?
By oli () oli_freyrSP@Mhotmail.com on mailto:oli_freyrSP@Mhotmail.com
As you can see I haven't even gotten to the debugging part ;)
What is the best win client to use?
For someone without a bundle of cash or daddys credit card ;)
Can you give pointers to a "howto"/FAQ kind of document for that specific client?
Thanks
Oli
By Anonymous Coward () on
It, and OpenVPN, can be used in combination with OpenBSD + ISAKMP, right? Because both use the same protocol.
By Anonymous Coward () on
By chester_b () chester_b@ithryn.net on mailto:chester_b@ithryn.net
I have got a lot of info from your postings. I was unaware of rc.vpn, I'll look into that. I had seen OpenVPN, but I wasn't sure how well it worked on OpenBSD, and how it related to OpenBSD. It seems that people from the posts have been using this to set up their VPN. I'll look into this further. Also I will go back and re-read FAQ13.
Someone asked about Windows clients to a VPN. This is a really good question. Has anyone found a Windows client to work with OpenBSD's VPN? If so what are the conditions needed (will it work with OpenVPN or just the tools native to OpenBSD)?
Typically when I try to set up a VPN, I start a few tcpdump sessions, each session looking at different kinds of traffic (my friend also starts tcpdump). I start isakmpd (watching tcpdump), then my friend starts isakmpd (watching tcpdump). We look at netstat to see if any entries appear in the Encap section. We then try to look for errors in tcpdump, and then try to sift through the output of isakmpd. We may try to modify isakmpd.conf and start again.
To posters who asked me questions:
Jaeger asked about the 'millions of messages'. When I run isakmpd -d -DA=99 I get a few hundred messages every few seconds (is this true for everyone else?). I'm sure most of that I can ignore. I was curious to hear from other people what messages I should pay attention to. I constantly get messages like this:
112819.912859 Misc 95 conf_get_str: configuration value not found [3DES-SHA]:PRF
112819.913478 Misc 70 attribute_set_constant: no PRF in the 3DES-SHA section
112819.914324 Misc 95 conf_get_str: configuration value not found [3DES-SHA]:KEY_LENGTH
112819.914959 Misc 95 conf_get_str: configuration value not found [3DES-SHA]:FIELD_SIZE
112819.915823 Misc 95 conf_get_str: configuration value not found [3DES-SHA]:GROUP_ORDER
These kind of look like errors, but I'm not sure. Perhaps they are falling back on default values or something.
Justin asked what docs i was using. Here's a quick list
http://www.secureops.com/vpn/ipsecvpn.html
isakmpd.conf(5)
vpn(8)
examples from /usr/share/ipsec/isakmpd/
Key method: I'm not sure, I'm using a passphrase in the isakmpd.policy file.
Using NAT? The oBSD machine is running NAT for machines on the local network. I'm not trying to set up the VPN through NAT. The setup is that I have a network with an oBSD machine as a firewall/gateway, my friend has the same. We're setting up a VPN so that my local network (192.168.1.0) can talk to his local network (192.168.2.0).
ESP, AH, both? I'm sure I'm using ESP. I don't think I'm using AH, but I have them both enabled in sysctl.
Thanks to everyone again!
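Håkan's point about -DA=90 versus -DA=99 and chester_b's pasted log lines fit together, and the filter below (an added example, not from any poster or from isakmpd itself) makes that concrete: it replays a -DA=99 capture through the level cut-off that -DA=90 would apply, and shows a histogram of where the volume comes from. It assumes, based on how isakmpd's -D class=level option works, that a debug line is printed only when its level is at or below the configured level for its class, and that each debug line has the layout "HHMMSS.usec CLASS LEVEL message" seen in the post; lines without a numeric level field (plain errors) are passed through untouched. The sample lines are the five chester_b posted.

```shell
#!/bin/sh
# Added example, not from the thread: apply the -DA=90 level cut-off to an
# isakmpd -DA=99 log after the fact, to see which lines are debug noise.

LOG='112819.912859 Misc 95 conf_get_str: configuration value not found [3DES-SHA]:PRF
112819.913478 Misc 70 attribute_set_constant: no PRF in the 3DES-SHA section
112819.914324 Misc 95 conf_get_str: configuration value not found [3DES-SHA]:KEY_LENGTH
112819.914959 Misc 95 conf_get_str: configuration value not found [3DES-SHA]:FIELD_SIZE
112819.915823 Misc 95 conf_get_str: configuration value not found [3DES-SHA]:GROUP_ORDER'

# at_level MAX: keep debug lines whose level field (3rd column) is <= MAX.
# Lines that do not look like "time Class Level ..." (real errors carry no
# level) are printed unconditionally so nothing important is hidden.
at_level() {
    awk -v max="$1" '
        $2 ~ /^[A-Za-z]+$/ && $3 ~ /^[0-9]+$/ { if ($3 + 0 <= max) print; next }
        { print }'
}

# level_histogram: count lines per "CLASS LEVEL", most frequent first, so you
# can see which debug class/level is flooding the terminal.
level_histogram() {
    awk '$3 ~ /^[0-9]+$/ { n[$2 " " $3]++ } END { for (k in n) print n[k], k }' | sort -rn
}

echo "== what -DA=90 would have shown =="
printf '%s\n' "$LOG" | at_level 90
echo "== volume by class/level =="
printf '%s\n' "$LOG" | level_histogram
```

On these five lines only the level-70 attribute_set_constant message survives the cut-off; the four level-95 conf_get_str lookups are exactly the kind of chatter -DA=90 hides, which is why starting isakmpd with -DA=90 in the first place is the better habit than filtering afterwards.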
By Anonymous Coward () on