OpenBSD Journal

VPN experience?

Contributed by jose on from the ipsec dept.

chester_b writes:
"I've been trying to set up a VPN with a friend of mine for a while. We've gone through several docs but we are still unsuccessful. For those who have attempted to set up a VPN between two OpenBSD machines, what experiences have you had?

How did you test the vpn? Can you test it within a local network?

How did you debug it? I only know how to look at tcpdump. What about the million messages output from isakmpd?

Were there any gotchas or things to look for? Did you have a checklist to make sure you didn't forget anything?"

The docs on VPN troubleshooting are pretty slim. Anyone have anything for debugging the setup?



Comments
  1. By David Jobes () djobes@xscanners.org on http://www.xscanners.org

    Try this site, it is run by a friend of mine: good info, and some config examples.


    http://www.etla.net/~willey/projects/vpn/

    Comments
    1. By Anonymous Coward () on

      /usr/share/ipsec/rc.vpn

      I believe that's the path, but I'm absolutely sure of the file name.

      It's a very simple script for manual keying. Create and distribute auth and enc keys (easily made with dd if=/dev/urandom bs=1024k count=1 |sha) and run it. Piece of cake.

      IKE is a horribly messy experience.

      Comments
      1. By kremlyn () on

        In my experience, rc.vpn "didn't work" (tm).

        This was on OpenBSD 3.1

        //kremlyn

      2. By Shane J Pearson () on

        Create and distribute auth and enc keys (easily made with dd if=/dev/urandom bs=1024k count=1 |sha) and run it. Piece of cake.

        Are the keys case sensitive? (I'm rushing off to a client, no time to check.) If they are, I like to use this to get alphas that are mixed case...

        dd if=/dev/urandom|tr -cd "[:alnum:]"|dd bs=1024 count=1>key.txt

        BTW, 1024k is a Meg. Did you mean that?

        Comments
        1. By Dennis Oelkers () dennisNOSPAM@sgi-powered.de on mailto:dennisNOSPAM@sgi-powered.de

          from the dd manpage:
          bs=n Set both the input and output block size to n bytes

          -> 1024 bytes = 1 kbyte

          Comments
          1. By Anonymous Coward () on

            from the dd manpage:
            bs=n Set both the input and output block size to n bytes
            -> 1024 bytes = 1 kbyte


            Thus, 1024k is 1 megabyte exactly.

            from the dd manpage:
            Where sizes are specified, a decimal number of bytes is expected. If the number ends with a `b', `k', `m', or `w', the number is multiplied by 512, 1024 (1K), 1048576 (1M), or the number of bytes in an integer, respectively.

            1024 x 1024 = 1048576 bytes, or 1 MB.

      3. By Anonymous Coward () on

        Yes. IPsec is over-complicated. IKE especially is much too complicated. But you don't really want to use IPsec w/o IKE.
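Several replies above discuss generating the manual-keying material with dd and sha. Below is an added example, not code from the thread or from rc.vpn, that generates keys as hex strings of an explicit length and checks them before they are pasted into the script. It assumes the key sizes of the 3DES-SHA pairing chester_b's config names: 24 bytes (192 bits) for a 3DES key and 20 bytes (160 bits) for an HMAC-SHA1 key, and that the keys are supplied in hex (note that `dd ... | sha` yields 40 hex digits, enough for SHA1 but short for 3DES).

```shell
#!/bin/sh
# Added example (not from the thread): produce and validate hex keys for a
# manually keyed ESP SA. Assumed sizes: 3DES = 24 bytes, HMAC-SHA1 = 20 bytes.

# gen_hex_key BYTES: print BYTES random bytes as one lowercase hex string.
# od is used instead of sha so the length is chosen, not fixed at 160 bits.
gen_hex_key() {
    bytes="$1"
    dd if=/dev/urandom bs=1 count="$bytes" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# key_bits HEXKEY: number of key bits encoded by a hex string (4 per digit).
key_bits() {
    printf '%s' "$1" | wc -c | awk '{print $1 * 4}'
}

# check_key HEXKEY BITS: succeed only if HEXKEY is pure lowercase hex of
# exactly BITS bits; catches pasted keys with stray characters or bad length.
check_key() {
    key="$1"; want="$2"
    case "$key" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "$(key_bits "$key")" -eq "$want" ]
}

# manual_keys: emit a fresh encryption/authentication key pair, one per line,
# ready to be copied into the key variables of a manual-keying script.
manual_keys() {
    printf 'ENCKEY=%s\nAUTHKEY=%s\n' "$(gen_hex_key 24)" "$(gen_hex_key 20)"
}
```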

    2. By jaeger () alderon90@hotmail.com on mailto:alderon90@hotmail.com

      isakmpd works just fine.
      I have set up OpenBSD gateways for clients, no problems.
      To test from one gateway, run tcpdump -i etho src host and dst host.
      Example:
      # tcpdump -i etho src host 192.168.0.1 and dst host 216.212.44.1
      You should see ESP encrypted traffic.
      Also please include error messages next time.
      A million messages from isakmpd does not provide the proper amount of data to assist you in resolving your problem.

      jaeger

  2. By kremlyn () on

    http://www.allard.nu/openbsd

    This is an excellent resource. Absolutely awesome. There's even a mailing list; too good!

    Also, FAQ 13 is brilliant..

    //kremlyn

  3. By blkwolf () blkwolf@bigfoot.com on mailto:blkwolf@bigfoot.com

    Personally I use OpenVPN from http://openvpn.sourceforge.net/

    It's extremely portable, a ton easier to set up than IPsec etc., and works great on OpenBSD.

    Comments
    1. By littletmix () on

      Sorry but... which software do you use for your non-Unix machines?

      Comments
      1. By blkwolf () on

        Currently I just use OpenVPN between *nix firewalls and haven't had a need yet for a Windows workstation -> OBSD router connection etc.

        That said, OpenVPN has already been ported to Cygwin/Windows and they are working on a tun/tap driver for Cygwin so that it will work.

    2. By Zaihan () zaihan@celestgate.com on mailto:zaihan@celestgate.com

      OpenVPN is easier to configure because it is written in userspace rather than the kernel; therefore the performance achieved using KAME (www.kame.net), which has been implemented in open-source *BSD variants, is far better than using OpenVPN (although OpenVPN may be easier than KAME).

      Comments
      1. By Anonymous Coward () on

        OpenBSD doesn't use the KAME IPsec stack nor their isakmpd implementation. Quote from crypto.html: "OpenBSD was the first operating system to ship with an IPsec stack. We've been including IPsec since the OpenBSD 2.1 release in 1997. Our fully conformant in-kernel IPsec stack, with hardware acceleration based on a number of cards, and our own free ISAKMP daemon, is used as one of the machines in the IPsec conformance testbed run by VPNC."

    3. By Zaihan () zaihan@celestgate.com on mailto:zaihan@celestgate.com

      OpenVPN is easier to configure because it is written in userspace rather than the kernel; therefore the performance achieved using KAME (www.kame.net), which has been implemented in open-source *BSD variants, is far better than using OpenVPN (although OpenVPN may be easier than KAME).

      Comments
      1. By Anonymous Coward () on

        OpenBSD doesn't use the KAME IPsec implementation.

        Comments
        1. By Anonymous Coward () on

          check http://www.kame.net

          it says that the KAME code is implemented on OpenBSD 2.7 and above. :)

          Comments
          1. By Dries Schellekens () on

            So?

            OpenBSD uses KAME's IPv6 implementation, but has its own IPsec implementation. So it doesn't use the KAME IPsec code.

            Read www.openbsd.org/crypto.html

  4. By Håkan Olsson () ho@openbsd.org on mailto:ho@openbsd.org

    To answer your questions, in order:

    Testing the VPN is usually as easy as trying to ping something on the other side. tcpdump will show encrypted (assuming ESP is used) packets. For more info - check the FAQ.

    Testing a VPN within a local network: yes, that's no problem. IPSec is "simply" another IP layer, so everything you'd expect to work, will work. The exception is NAT.

    Debug: the OpenBSD FAQ, ch 13. http://www.allard.nu/openbsd, etc. There are quite a few examples available.

    The "million" messages from isakmpd are *debug* messages, since you started it with debugging active. IKE is a (too) complex protocol, there are lots of things to check for. If you do not run with debugging, you'll only see (real) errors.
    Useful "full" debugging is '-DA=90', not '-DA=99'.

    Gotchas/checklist: Again, the FAQ will help. The manual pages contain examples and all the info you need to set up a working VPN. (Did you check vpn(8)?)

    Also check /usr/share/ipsec/isakmpd/ for some sample files. (For example, with the VPN-3way-template.conf you should have a VPN running in 15-20m or so...)

    /H

    Comments
    1. By Justin () on

      Listen to Hakan, he knows what he is talking about! Hey Hakan, keynote(4) should be listed somewhere more obviously as the man page to reference for the isakmpd.policy file imo.

      To the original poster, you should add a few more details on what you are having problems with. What docs have you read? What keying method are you trying? Are you using NAT? Are you using ESP, AH or both? Re-read the OpenBSD FAQ of course.

      g'luck

  5. By Vig () on

    If you don't mind manual keying, you can plug your settings into /usr/share/ipsec/rc.vpn on each side and run that script on both machines at startup (or manually whenever you wish to establish the connection). If you look at the bottom of this script you will see the commands that are being used to set up the connection.

    FAQ 13 on www.openbsd.org (specifically section 13.10) has info on troubleshooting the link.

    -Vig


    Comments
    1. By ArSa () on

      I used rc.vpn and it "just worked".
      The only tricky part is generating keys; for that you have to read the VPN FAQ on openbsd.org, not an easy read...

      However, that is a "static" VPN; what about a VPN where you can issue certificates to clients, like PGPNet?

  6. By oli () oli_freyrSP@Mhotmail.com on mailto:oli_freyrSP@Mhotmail.com

    I was looking into IPsec a while ago. I tried setting up isakmpd with e-mail certificates (UFQDN) for the clients, but the freeware version of PGPNet couldn't connect. I ran out of time and haven't revisited the effort since. Some time later I found out that the freeware version has some issues (or should I say "no support") with tunneling and certificates...

    As you can see I haven't even gotten to the debugging part ;)

    What is the best win client to use?
    For someone without a bundle of cash or daddy's credit card ;)

    Can you give pointers to a "howto"/FAQ kind of document for that specific client?

    Thanks
    Oli

  7. By Anonymous Coward () on

    http://www.freeswan.org also has some info about IPsec and debugging at 'helping out'

    It, and OpenVPN, can be used in combination with OpenBSD + ISAKMP, right? Because both use the same protocol.

    Comments
    1. By Anonymous Coward () on

      FreeSWAN implements IPsec, but OpenVPN does not.

  8. By chester_b () chester_b@ithryn.net on mailto:chester_b@ithryn.net

    First of all, thanks to all who posted (and to deadly.org for posting :))


    I have got a lot of info from your postings. I was unaware of rc.vpn; I'll look into that. I had seen OpenVPN, but I wasn't sure how well it worked on OpenBSD, and how it related to OpenBSD. It seems that people from the posts have been using this to set up their VPN. I'll look into this further. Also I will go back and re-read FAQ 13.

    Someone asked about Windows clients to a VPN. This is a really good question. Has anyone found a Windows client to work with OpenBSD's VPN? If so, what are the conditions needed (will it work with OpenVPN or just the tools native to OpenBSD)?

    Typically when I try to set up a VPN, I start a few tcpdump sessions, each session looking at different kinds of traffic (my friend also starts tcpdump). I start isakmpd (watching tcpdump), then my friend starts isakmpd (watching tcpdump). We look at netstat to see if any entries appear in the Encap section. We then try to look for errors in tcpdump, and then try to sift through the output of isakmpd. We may try to modify isakmpd.conf and start again.


    To posters who asked me questions:

    Jaeger asked about the 'millions of messages'. When I run isakmpd -d -DA=99 I get a few hundred messages every few seconds (is this true for everyone else?). I'm sure most of that I can ignore. I was curious to hear from other people what messages I should pay attention to. I constantly get messages like this:


    112819.912859 Misc 95 conf_get_str: configuration value not found [3DES-SHA]:PRF
    112819.913478 Misc 70 attribute_set_constant: no PRF in the 3DES-SHA section
    112819.914324 Misc 95 conf_get_str: configuration value not found [3DES-SHA]:KEY_LENGTH
    112819.914959 Misc 95 conf_get_str: configuration value not found [3DES-SHA]:FIELD_SIZE
    112819.915823 Misc 95 conf_get_str: configuration value not found [3DES-SHA]:GROUP_ORDER


    These kind of look like errors, but I'm not sure. Perhaps they are falling back on default values or something.


    Justin asked what docs I was using. Here's a quick list:
    http://www.secureops.com/vpn/ipsecvpn.html
    isakmpd.conf(5)
    vpn(8)
    examples from /usr/share/ipsec/isakmpd/


    Key method: I'm not sure, I'm using a passphrase in the isakmpd.policy file.


    Using NAT? The oBSD machine is running NAT for machines on the local network. I'm not trying to set up the VPN through NAT. The setup is that I have a network with an oBSD machine as a firewall/gateway, my friend has the same. We're setting up a VPN so that my local network (192.168.1.0) can talk to his local network (192.168.2.0).


    ESP, AH, both? I'm sure I'm using ESP. I don't think I'm using AH, but I have them both enabled in sysctl.


    Thanks to everyone again!

    Comments
    1. By Anonymous Coward () on

      Discussion is much easier if you just use the OpenBSD mailing lists. Mail your configuration (e.g. isakmpd.conf, isakmpd error messages) to misc@openbsd.org. Håkan Olsson will probably tell you what you're doing wrong.
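Håkan's advice above is to debug isakmpd at -DA=90 rather than -DA=99, and chester_b's sample lines show why: each debug line carries a class ("Misc") and a level (95, 70), and the conf_get_str chatter sits at 95. The following added example, not code from the thread or from isakmpd, reduces a -DA=99 capture to what a lower level would have printed and tallies the survivors per isakmpd function. It assumes the line format seen in chester_b's output ("<time> <Class> <level> <function>: <message>") and, as a labelled assumption, that lines without a numeric level field are non-debug messages worth keeping.

```shell
#!/bin/sh
# Added example (not from the thread): filter isakmpd -DA=99 debug output down
# to a chosen level. Assumed format: "<hhmmss.usec> <Class> <level> <func>: <msg>".

# Sample input: the lines chester_b quoted, copied here as a constructed fixture.
SAMPLE_LOG='112819.912859 Misc 95 conf_get_str: configuration value not found [3DES-SHA]:PRF
112819.913478 Misc 70 attribute_set_constant: no PRF in the 3DES-SHA section
112819.914324 Misc 95 conf_get_str: configuration value not found [3DES-SHA]:KEY_LENGTH
112819.914959 Misc 95 conf_get_str: configuration value not found [3DES-SHA]:FIELD_SIZE
112819.915823 Misc 95 conf_get_str: configuration value not found [3DES-SHA]:GROUP_ORDER'

# at_level MAX: keep stdin lines whose numeric debug level is <= MAX. Lines
# with no numeric third field are assumed to be real (non-debug) messages and
# are passed through; blank lines are dropped.
at_level() {
    awk -v max="$1" 'NF > 0 && ($3 !~ /^[0-9]+$/ || $3 + 0 <= max + 0)'
}

# count_at_level MAX: how many of the sample lines survive at debug level MAX.
# At 99 all five show; at 90 only the level-70 attribute_set_constant line does.
count_at_level() {
    printf '%s\n' "$SAMPLE_LOG" | at_level "$1" | wc -l | tr -d ' '
}

# by_function MAX: count surviving stdin lines per isakmpd function name
# (field 4 without its trailing colon), most frequent first, so the noisiest
# source of messages is visible before reading them one by one.
by_function() {
    at_level "$1" | awk '{sub(/:$/, "", $4); n[$4]++} END {for (f in n) print n[f], f}' | sort -rn
}
```

In practice the pipeline is fed from the daemon's output, e.g. `isakmpd -d -DA=99 2>&1 | at_level 90`, to see what the quieter setting would leave.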
