Hallo,
ich habe versucht, mir ein VPN mit OpenBSD aufzubauen. Aber es geht nicht :-(
Ich habe mir eine Konfiguration nach Kochbuch aufgebaut, aber es geht nicht. Den Packetfilter und NAT habe ich disabled. ip.forwarding=1, das Routing auf meinem Client stimmt auch. Ich denke, ISAKMPD funktioniert, aber was ist der Fehler?
netstat -rn -f encap gibt kein Ergebnis zurück. Wenn ich es richtig verstanden habe, müsste ich doch nach dem Starten des isakmpd einen Eintrag erhalten?
Wenn ich isakmpd mit -DA=99 laufen lasse erhalte ich folgenden output:
163020.636276 Misc 95 conf_get_str: [General]:retransmits->5
163020.636423 Trpt 30 transport_send_messages: message 0x3c12b300 scheduled for retransmission 5 in 15 secs
163020.636556 Timr 10 timer_add_event: event message_send_expire(0x3c12b300) added before connection_checker(0x3c1e70d0), expiration in 15s
163020.636683 Trpt 95 transport_release: transport 0x3c1e6300 had 4 references
163020.636804 Trpt 95 transport_release: transport 0x3c1e6240 had 2 references
---------------------------------------isakmpd.policy (auf beiden systemen)--------------
Keynote-Version: 2
# NOTE(review): the isakmpd.conf files below use Authentication_Method= pre_shared,
# not CA certificates, so the comment on the next line is stale.
#Comment: Authentication based on CA certificates
Authorizer: "POLICY"
# Accepts any ESP SA whose encryption algorithm is not "null".  It places no
# condition on the ESP authentication algorithm, key length or remote identity,
# so whatever the peer proposes within those limits is allowed.
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";
----------------------------------------isakmpd router1----------------------------------------
# isakmpd.conf, router 1 (DA side).  Values are reproduced as posted.  The
# debug output above shows "Retransmits= 5" read back as "5" under the lookup
# name "retransmits", so whitespace after "=" is trimmed and key names appear
# to be matched case-insensitively.
[General]
Retransmits= 5
Exchange-max-time= 120
# Default SA lifetimes in seconds (value,min:max).  The [BLF-MD5] transform
# below binds its own, much shorter, Phase 1 lifetime.
Default-phase-1-lifetime= 600,60:86400
Default-phase-2-lifetime= 200,60:86400
Listen-on=193.158.73.147
# Maps a peer address to the ISAKMP-peer section used for it.  Both addresses
# are redacted here and only [MT] exists in this file, so the line mapping to
# DA is either the local address (then it is unused) or a peer whose section
# is missing -- confirm which.
[Phase 1]
xxx.xxx.xxx.xxx=DA
xxx.xxx.xxx.xxx=MT
# Phase 2 connections this gateway initiates at startup; the other Phase 2
# sections are only consulted when the peer proposes them.  Note that the
# router 2 file below does not define [MTgate] or [DAgate], so DAlan-MTgate
# has nothing to match on the far side as posted.
[Phase 2]
Connections= DAlan-MTlan,DAlan-MTgate
## ISAKMP Phase 1 peer sections for DA (using authentication-keys 1 & 2)
[MT]
Phase= 1
Transport= udp
Local-Address=xxx.xxx.xxx.xxx
Address= xxx.xxx.xxx.xxx
Configuration= Default-main-mode
# Pre-shared secret ([BLF-MD5] uses Authentication_Method= pre_shared).  It
# must be identical on both gateways; the router 2 configuration below has
# "passwort2" here, which would make Phase 1 fail if these are the real
# values.  The secret is stored in clear text, so this file should be
# readable by root only.
Authentication= passwort1
## IPSEC Phase 2 sections
[DAgate-MTgate]
Phase= 2
ISAKMP-peer= MT
Configuration= Default-quick-mode
Local-ID= DAgate
Remote-ID= MTgate
[DAgate-MTlan]
Phase= 2
ISAKMP-peer= MT
Configuration= Default-quick-mode
Local-ID= DAgate
Remote-ID= MTlan
[DAlan-MTgate]
Phase= 2
ISAKMP-peer= MT
Configuration= Default-quick-mode
Local-ID= DAlan
Remote-ID= MTgate
[DAlan-MTlan]
Phase= 2
ISAKMP-peer= MT
Configuration= Default-quick-mode
Local-ID= DAlan
Remote-ID= MTlan
## Client ID sections
# Every name used as Local-ID/Remote-ID above must have a section here.
[DAlan]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.100.0
Netmask= 255.255.255.0
[MTlan]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.110.0
Netmask= 255.255.255.0
[DAgate]
ID-type = IPV4_ADDR
Address = 192.168.100.1
[MTgate]
ID-type = IPV4_ADDR
Address = 192.168.110.1
## Mode Descriptions
[Default-main-mode]
DOI= IPSEC
Exchange_Type= ID_PROT
Transforms= BLF-MD5
[Default-quick-mode]
DOI= IPSEC
Exchange_Type= QUICK_MODE
Suites= QM-ESP-BLF-MD5-SUITE
## Main Mode Transforms
# Blowfish-CBC, MD5 and the EC2N_155 group are weak by current standards;
# beyond a test setup use a stronger hash and Diffie-Hellman group (see
# isakmpd.conf(5) for the supported names).  Both peers must agree on the
# transform.
[BLF-MD5]
Encryption_Algorithm= BLOWFISH_CBC
Key_Length= 128,96:192
Hash_Algorithm= MD5
Authentication_Method= pre_shared
Group_Description= EC2N_155
# Binds a 60 s / 1000 KB lifetime to this transform, which appears to take
# precedence over the 600 s default in [General]: the main-mode SA would be
# renegotiated every minute.
Life= LIFE_60_SECS,LIFE_1000_KB
[LIFE_60_SECS]
Life_Type= seconds
Life_Duration= 60,45:72
[LIFE_1000_KB]
Life_Type= kilobytes
Life_Duration= 1000,768:1536
--------------------------router 2--------------------------------------------
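# isakmpd.conf, router 2 (MT side).  Changes from the posted version: the
# [MTgate] and [DAgate] ID sections referenced by the Phase 2 sections were
# missing and have been added (addresses taken from router 1), and "phase= 1"
# was capitalised to match router 1.  Key names appear to be matched
# case-insensitively (see the debug output above), so the latter is cosmetic.
[General]
Retransmits= 5
Exchange-max-time= 120
# Default SA lifetimes in seconds (value,min:max).  The [BLF-MD5] transform
# below binds its own, much shorter, Phase 1 lifetime.
Default-phase-1-lifetime= 600,60:86400
Default-phase-2-lifetime= 200,60:86400
Listen-on=xxx.xxx.xxx.xxx
# Maps a peer address to the ISAKMP-peer section used for it.  Only [DA]
# exists in this file, so the line mapping to MT is either the local address
# (then it is unused) or a peer whose section is missing -- confirm which.
[Phase 1]
xxx.xxx.xxx.xxx= MT
xxx.xxx.xxx.xxx= DA
# Phase 2 connections this gateway initiates at startup; the other Phase 2
# sections are only consulted when the peer proposes them.
[Phase 2]
Connections= MTlan-DAlan
## ISAKMP Phase 1 peer sections for MT (using authentication-keys 1 & 3)
[DA]
Phase= 1
Transport= udp
Local-Address= xxx.xxx.xxx.xxx
Address= xxx.xxx.xxx.xxx
Configuration= Default-main-mode
# Pre-shared secret ([BLF-MD5] uses Authentication_Method= pre_shared).  It
# must equal the value in router 1's [MT] section, which is "passwort1" as
# posted; if these are the real values Phase 1 cannot succeed.  The secret is
# stored in clear text, so this file should be readable by root only.
Authentication= passwort2
## IPSEC Phase 2 sections
[MTgate-DAgate]
Phase= 2
ISAKMP-peer= DA
Configuration= Default-quick-mode
Local-ID= MTgate
Remote-ID= DAgate
[MTgate-DAlan]
Phase= 2
ISAKMP-peer= DA
Configuration= Default-quick-mode
Local-ID= MTgate
Remote-ID= DAlan
[MTlan-DAgate]
Phase= 2
ISAKMP-peer= DA
Configuration= Default-quick-mode
Local-ID= MTlan
Remote-ID= DAgate
[MTlan-DAlan]
Phase= 2
ISAKMP-peer= DA
Configuration= Default-quick-mode
Local-ID= MTlan
Remote-ID= DAlan
## Client ID sections
# Every name used as Local-ID/Remote-ID above must have a section here.
[MTlan]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.110.0
Netmask= 255.255.255.0
[DAlan]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.100.0
Netmask= 255.255.255.0
# Added: the posted file used MTgate/DAgate in four Phase 2 sections without
# defining them, so e.g. router 1's DAlan-MTgate connection could not be
# matched here.  Addresses match router 1's [MTgate]/[DAgate] definitions.
[MTgate]
ID-type = IPV4_ADDR
Address = 192.168.110.1
[DAgate]
ID-type = IPV4_ADDR
Address = 192.168.100.1
## Mode Descriptions
[Default-main-mode]
DOI= IPSEC
Exchange_Type= ID_PROT
Transforms= BLF-MD5
[Default-quick-mode]
DOI= IPSEC
Exchange_Type= QUICK_MODE
Suites= QM-ESP-BLF-MD5-SUITE
## Main Mode Transforms
# Blowfish-CBC, MD5 and the EC2N_155 group are weak by current standards;
# beyond a test setup use a stronger hash and Diffie-Hellman group (see
# isakmpd.conf(5) for the supported names).  Both peers must agree on the
# transform.
[BLF-MD5]
Encryption_Algorithm= BLOWFISH_CBC
Key_Length= 128,96:192
Hash_Algorithm= MD5
Authentication_Method= pre_shared
Group_Description= EC2N_155
# Binds a 60 s / 1000 KB lifetime to this transform, which appears to take
# precedence over the 600 s default in [General]: the main-mode SA would be
# renegotiated every minute.
Life= LIFE_60_SECS,LIFE_1000_KB
[LIFE_60_SECS]
Life_Type= seconds
Life_Duration= 60,45:72
[LIFE_1000_KB]
Life_Type= kilobytes
Life_Duration= 1000,768:1536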
ich habe versucht, mir ein VPN mit OpenBSD aufzubauen. Aber es geht nicht :-(
Ich habe mir eine Konfiguration nach Kochbuch aufgebaut, aber es geht nicht. Den Packetfilter und NAT habe ich disabled. ip.forwarding=1, das Routing auf meinem Client stimmt auch. Ich denke, ISAKMPD funktioniert, aber was ist der Fehler?
netstat -rn -f encap gibt kein Ergebnis zurück. Wenn ich es richtig verstanden habe, müsste ich doch nach dem Starten des isakmpd einen Eintrag erhalten?
Wenn ich isakmpd mit -DA=99 laufen lasse erhalte ich folgenden output:
163020.636276 Misc 95 conf_get_str: [General]:retransmits->5
163020.636423 Trpt 30 transport_send_messages: message 0x3c12b300 scheduled for retransmission 5 in 15 secs
163020.636556 Timr 10 timer_add_event: event message_send_expire(0x3c12b300) added before connection_checker(0x3c1e70d0), expiration in 15s
163020.636683 Trpt 95 transport_release: transport 0x3c1e6300 had 4 references
163020.636804 Trpt 95 transport_release: transport 0x3c1e6240 had 2 references
---------------------------------------isakmpd.policy (auf beiden systemen)--------------
Keynote-Version: 2
# NOTE(review): the isakmpd.conf files below use Authentication_Method= pre_shared,
# not CA certificates, so the comment on the next line is stale.
#Comment: Authentication based on CA certificates
Authorizer: "POLICY"
# Accepts any ESP SA whose encryption algorithm is not "null".  It places no
# condition on the ESP authentication algorithm, key length or remote identity,
# so whatever the peer proposes within those limits is allowed.
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";
----------------------------------------isakmpd router1----------------------------------------
# isakmpd.conf, router 1 (DA side).  Values are reproduced as posted.  The
# debug output above shows "Retransmits= 5" read back as "5" under the lookup
# name "retransmits", so whitespace after "=" is trimmed and key names appear
# to be matched case-insensitively.
[General]
Retransmits= 5
Exchange-max-time= 120
# Default SA lifetimes in seconds (value,min:max).  The [BLF-MD5] transform
# below binds its own, much shorter, Phase 1 lifetime.
Default-phase-1-lifetime= 600,60:86400
Default-phase-2-lifetime= 200,60:86400
Listen-on=193.158.73.147
# Maps a peer address to the ISAKMP-peer section used for it.  Both addresses
# are redacted here and only [MT] exists in this file, so the line mapping to
# DA is either the local address (then it is unused) or a peer whose section
# is missing -- confirm which.
[Phase 1]
xxx.xxx.xxx.xxx=DA
xxx.xxx.xxx.xxx=MT
# Phase 2 connections this gateway initiates at startup; the other Phase 2
# sections are only consulted when the peer proposes them.  Note that the
# router 2 file below does not define [MTgate] or [DAgate], so DAlan-MTgate
# has nothing to match on the far side as posted.
[Phase 2]
Connections= DAlan-MTlan,DAlan-MTgate
## ISAKMP Phase 1 peer sections for DA (using authentication-keys 1 & 2)
[MT]
Phase= 1
Transport= udp
Local-Address=xxx.xxx.xxx.xxx
Address= xxx.xxx.xxx.xxx
Configuration= Default-main-mode
# Pre-shared secret ([BLF-MD5] uses Authentication_Method= pre_shared).  It
# must be identical on both gateways; the router 2 configuration below has
# "passwort2" here, which would make Phase 1 fail if these are the real
# values.  The secret is stored in clear text, so this file should be
# readable by root only.
Authentication= passwort1
## IPSEC Phase 2 sections
[DAgate-MTgate]
Phase= 2
ISAKMP-peer= MT
Configuration= Default-quick-mode
Local-ID= DAgate
Remote-ID= MTgate
[DAgate-MTlan]
Phase= 2
ISAKMP-peer= MT
Configuration= Default-quick-mode
Local-ID= DAgate
Remote-ID= MTlan
[DAlan-MTgate]
Phase= 2
ISAKMP-peer= MT
Configuration= Default-quick-mode
Local-ID= DAlan
Remote-ID= MTgate
[DAlan-MTlan]
Phase= 2
ISAKMP-peer= MT
Configuration= Default-quick-mode
Local-ID= DAlan
Remote-ID= MTlan
## Client ID sections
# Every name used as Local-ID/Remote-ID above must have a section here.
[DAlan]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.100.0
Netmask= 255.255.255.0
[MTlan]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.110.0
Netmask= 255.255.255.0
[DAgate]
ID-type = IPV4_ADDR
Address = 192.168.100.1
[MTgate]
ID-type = IPV4_ADDR
Address = 192.168.110.1
## Mode Descriptions
[Default-main-mode]
DOI= IPSEC
Exchange_Type= ID_PROT
Transforms= BLF-MD5
[Default-quick-mode]
DOI= IPSEC
Exchange_Type= QUICK_MODE
Suites= QM-ESP-BLF-MD5-SUITE
## Main Mode Transforms
# Blowfish-CBC, MD5 and the EC2N_155 group are weak by current standards;
# beyond a test setup use a stronger hash and Diffie-Hellman group (see
# isakmpd.conf(5) for the supported names).  Both peers must agree on the
# transform.
[BLF-MD5]
Encryption_Algorithm= BLOWFISH_CBC
Key_Length= 128,96:192
Hash_Algorithm= MD5
Authentication_Method= pre_shared
Group_Description= EC2N_155
# Binds a 60 s / 1000 KB lifetime to this transform, which appears to take
# precedence over the 600 s default in [General]: the main-mode SA would be
# renegotiated every minute.
Life= LIFE_60_SECS,LIFE_1000_KB
[LIFE_60_SECS]
Life_Type= seconds
Life_Duration= 60,45:72
[LIFE_1000_KB]
Life_Type= kilobytes
Life_Duration= 1000,768:1536
--------------------------router 2--------------------------------------------
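# isakmpd.conf, router 2 (MT side).  Changes from the posted version: the
# [MTgate] and [DAgate] ID sections referenced by the Phase 2 sections were
# missing and have been added (addresses taken from router 1), and "phase= 1"
# was capitalised to match router 1.  Key names appear to be matched
# case-insensitively (see the debug output above), so the latter is cosmetic.
[General]
Retransmits= 5
Exchange-max-time= 120
# Default SA lifetimes in seconds (value,min:max).  The [BLF-MD5] transform
# below binds its own, much shorter, Phase 1 lifetime.
Default-phase-1-lifetime= 600,60:86400
Default-phase-2-lifetime= 200,60:86400
Listen-on=xxx.xxx.xxx.xxx
# Maps a peer address to the ISAKMP-peer section used for it.  Only [DA]
# exists in this file, so the line mapping to MT is either the local address
# (then it is unused) or a peer whose section is missing -- confirm which.
[Phase 1]
xxx.xxx.xxx.xxx= MT
xxx.xxx.xxx.xxx= DA
# Phase 2 connections this gateway initiates at startup; the other Phase 2
# sections are only consulted when the peer proposes them.
[Phase 2]
Connections= MTlan-DAlan
## ISAKMP Phase 1 peer sections for MT (using authentication-keys 1 & 3)
[DA]
Phase= 1
Transport= udp
Local-Address= xxx.xxx.xxx.xxx
Address= xxx.xxx.xxx.xxx
Configuration= Default-main-mode
# Pre-shared secret ([BLF-MD5] uses Authentication_Method= pre_shared).  It
# must equal the value in router 1's [MT] section, which is "passwort1" as
# posted; if these are the real values Phase 1 cannot succeed.  The secret is
# stored in clear text, so this file should be readable by root only.
Authentication= passwort2
## IPSEC Phase 2 sections
[MTgate-DAgate]
Phase= 2
ISAKMP-peer= DA
Configuration= Default-quick-mode
Local-ID= MTgate
Remote-ID= DAgate
[MTgate-DAlan]
Phase= 2
ISAKMP-peer= DA
Configuration= Default-quick-mode
Local-ID= MTgate
Remote-ID= DAlan
[MTlan-DAgate]
Phase= 2
ISAKMP-peer= DA
Configuration= Default-quick-mode
Local-ID= MTlan
Remote-ID= DAgate
[MTlan-DAlan]
Phase= 2
ISAKMP-peer= DA
Configuration= Default-quick-mode
Local-ID= MTlan
Remote-ID= DAlan
## Client ID sections
# Every name used as Local-ID/Remote-ID above must have a section here.
[MTlan]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.110.0
Netmask= 255.255.255.0
[DAlan]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.100.0
Netmask= 255.255.255.0
# Added: the posted file used MTgate/DAgate in four Phase 2 sections without
# defining them, so e.g. router 1's DAlan-MTgate connection could not be
# matched here.  Addresses match router 1's [MTgate]/[DAgate] definitions.
[MTgate]
ID-type = IPV4_ADDR
Address = 192.168.110.1
[DAgate]
ID-type = IPV4_ADDR
Address = 192.168.100.1
## Mode Descriptions
[Default-main-mode]
DOI= IPSEC
Exchange_Type= ID_PROT
Transforms= BLF-MD5
[Default-quick-mode]
DOI= IPSEC
Exchange_Type= QUICK_MODE
Suites= QM-ESP-BLF-MD5-SUITE
## Main Mode Transforms
# Blowfish-CBC, MD5 and the EC2N_155 group are weak by current standards;
# beyond a test setup use a stronger hash and Diffie-Hellman group (see
# isakmpd.conf(5) for the supported names).  Both peers must agree on the
# transform.
[BLF-MD5]
Encryption_Algorithm= BLOWFISH_CBC
Key_Length= 128,96:192
Hash_Algorithm= MD5
Authentication_Method= pre_shared
Group_Description= EC2N_155
# Binds a 60 s / 1000 KB lifetime to this transform, which appears to take
# precedence over the 600 s default in [General]: the main-mode SA would be
# renegotiated every minute.
Life= LIFE_60_SECS,LIFE_1000_KB
[LIFE_60_SECS]
Life_Type= seconds
Life_Duration= 60,45:72
[LIFE_1000_KB]
Life_Type= kilobytes
Life_Duration= 1000,768:1536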