thx for your answer.

Reyk Floeter wrote:
hi,

you have a main misunderstanding here because you're mixing up the
identities with the flows.

On Thu, Mar 09, 2006 at 09:29:29PM +0100, Marc Peters wrote:

i am using -current as of 24.02.2006 and made a release for my other machines. i tried the ipsec tutorial which was posted on undeadly.org. i have to go with one gateway which has a dynamic ip because it is an adsl-connection which is disconnected after 24 hours. when i try to fire up the command "ipsecctl -f /etc/ipsec.conf" i get a syntax error for each line where i put in the fqdn of the remote host (which is dstid). i read the manpage of ipsec.conf(5) where it says

srcid <fqdn>
          This optional parameter defines a FQDN that will be used by
          isakmpd(8) as the identity of the local peer.

dstid <fqdn>
          Similar to srcid, this optional parameter defines a FQDN to
          be used by the remote peer.



and
     from <src> to <dst> peer <remote>
           This rule applies for packets with source address <src> and
           destination address <dst>.  All addresses are specified in CIDR
           notation.  The keyword any will match any address (i.e. 0.0.0.0/0).
           The peer parameter specifies the address of the remote endpoint of
           this particular flow.  For host-to-host connections where <dst> is
           identical to <remote>, the peer specification can be left out.

the flows are used to determine which traffic should be encrypted and
the peer is the address of your vpn gateway. all addresses are
specified in CIDR notation.

the identity is an additional parameter which is used as a simple
authentication string on the remote side, i.e. if you specify a "srcid
blablahblahblahblah" with RSA signatures (default in ipsecctl) the
remote side will look up the client's RSA public key in
/etc/isakmpd/pubkeys/fqdn/blablahblahblahblah.


i tried this and get a syntax error.

my /etc/ipsec.conf looks like this:

# cat /etc/ipsec.co
ike passive esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.X/24 peer dstid \ full-qualified.domain.name

                                                          ^ this makes no sense

ike passive esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.X/24 dstid full-qualified.domain.name

okay, understanding this. in this column i have internal addresses and ipsecctl needs a peer for this. but the peer is on a consumer adsl-line and therefore i need a fqdn for this because of the disconnection after 24h. is there any possibility to get this working? or do i have to use "any" as the peer and just only set the dstid?



ike passive esp from XXX.XXX.XX.XXX/25 to XXX.XXX.XX.X/24 peer dstid \ full-qualified.domain.name
ike passive esp from XXX.XXX.XXX.XX to XXX.XXX.XX.X/24 peer dstid \ full-qualified.domain.name
ike passive esp from XXX.XXX.XXX.XX to dstid full-qualified.domain.name



ditto


the output is the following:

# ipsecctl -nf /etc/ipsec.conf
/etc/ipsec.conf: 1: syntax error
/etc/ipsec.conf: 2: syntax error
/etc/ipsec.conf: 3: syntax error
/etc/ipsec.conf: 4: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded

on the other machine the config is similar and the error-message too (everywhere, i put a fqdn as srcid).

/etc/ipsec.conf:
ike esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.X/24 peer XXX.XXX.XXX.XX
ike esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.XXX/25 peer XXX.XXX.XXX.XX
ike esp from srcid fully-qualified.domain.name to 192.168.83.0/24 peer \ XXX.XXX.XXX.XX


               ^ this is wrong

ike esp from any to 192.168.83.0/24 peer XXX.XXX.XXX.XX srcid fully-qualified.domain.name


ike esp from srcid fully-qualified.domain.name to XXX.XXX.XX.XXX/25 \
peer XXX.XXX.XXX.XX
ike esp from srcid fully-qualified.domain.name to XXX.XXX.XXX.XX



ditto


output:

# ipsecctl -f /etc/ipsec.conf
/etc/ipsec.conf: 3: syntax error
/etc/ipsec.conf: 4: syntax error
/etc/ipsec.conf: 5: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded

can anyone point me in the correct direction, plz?

thx a lot

marc

dmesg:
OpenBSD 3.9-beta (GENERIC) #1: Wed Mar  8 10:23:11 CET 2006
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III ("GenuineIntel" 686-class) 1.01 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 535318528 (522772K)
avail mem = 481447936 (470164K)
using 4278 buffers containing 26869760 bytes (26240K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(64) BIOS, date 12/14/00, BIOS32 rev. 0 @ 0xf0b90
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x13d2
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf1300/208 (11 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0xc000 0xcc000/0x5400
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82815 Hub" rev 0x02: rng active, 398Kb/sec
vga1 at pci0 dev 2 function 0 "Intel 82815 Graphics" rev 0x02: aperture at 0xf8000000, size 0x4000000
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb0 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0x02
pci1 at ppb0 bus 1
xl0 at pci1 dev 9 function 0 "3Com 3c905B 100Base-TX" rev 0x30: irq 11, address 00:04:76:9e:42:2a
exphy0 at xl0 phy 24: 3Com internal media interface
xl1 at pci1 dev 10 function 0 "3Com 3c905 100Base-TX" rev 0x00: irq 10, address 00:60:08:2d:35:8d
nsphy0 at xl1 phy 24: DP83840 10/100 PHY, rev. 1
ahc0 at pci1 dev 13 function 0 "Adaptec AIC-7899 U160" rev 0x01: irq 11
scsibus0 at ahc0: 16 targets
sd0 at scsibus0 targ 0 lun 0: <QUANTUM, ATLAS10K2-TY092L, DDD6> SCSI3 0/direct fixed
sd0: 8759MB, 17338 cyl, 3 head, 344 sec, 512 bytes/sec, 17938985 sec total
ahc1 at pci1 dev 13 function 1 "Adaptec AIC-7899 U160" rev 0x01: irq 10
scsibus1 at ahc1: 16 targets
xl2 at pci1 dev 15 function 0 "3Com 3c905C 100Base-TX" rev 0x78: irq 9, address 00:e0:18:05:10:1a
exphy1 at xl2 phy 24: 3Com internal media interface
ichpcib0 at pci0 dev 31 function 0 "Intel 82801BA LPC" rev 0x02
pciide0 at pci0 dev 31 function 1 "Intel 82801BA IDE" rev 0x02: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus2 at atapiscsi0: 2 targets
cd0 at scsibus2 targ 0 lun 0: <PIONEER, DVD-ROM DVD-115, 1.11> SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
uhci0 at pci0 dev 31 function 2 "Intel 82801BA USB" rev 0x02: irq 7
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
ichiic0 at pci0 dev 31 function 3 "Intel 82801BA SMBus" rev 0x02: irq 15
iic0 at ichiic0
lm1 at iic0 addr 0x2d: AS99127F
uhci1 at pci0 dev 31 function 4 "Intel 82801BA USB" rev 0x02: irq 9
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
biomask ffe5 netmask ffe5 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
uhub2 at uhub1 port 2
uhub2: ALCOR Generic USB Hub, rev 1.10/1.00, addr 2
uhub2: 4 ports with 4 removable, self powered
ahc0: target 0 using 16bit transfers
ahc0: target 0 synchronous at 80.0MHz DT, offset = 0x7f
dkcsum: sd0 matches BIOS drive 0x80
root on sd0a
rootdev=0x400 rrootdev=0xd00 rawdev=0xd02
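The two mistakes Reyk points out above (an identity where `peer` wants a gateway address, and an identity where `from` wants a CIDR flow selector) are easy to spot once the rule grammar quoted from ipsec.conf(5) is written down. The following checker is an added example, not part of this thread and not the real ipsecctl parser: it models only the simplified rule shape `ike [passive] {esp|ah} from <src> to <dst> [peer <remote>] [srcid <fqdn>] [dstid <fqdn>]` that the quoted manpage fragments describe, and it names the token that breaks the rule instead of printing a bare "syntax error". The sample configs are constructed from the two files posted in the thread, with documentation addresses (RFC 5737) in place of the masked XXX octets and placeholder hostnames in place of the real FQDNs.

```python
import ipaddress
import re

# Simplified, constructed model of the ike rule grammar as quoted from
# ipsec.conf(5) in this thread (assumption: NOT the real ipsecctl parser):
#   ike [passive] {esp|ah} from <src> to <dst> [peer <remote>]
#       [srcid <fqdn>] [dstid <fqdn>]
# from/to take CIDR flow selectors (or "any"), peer takes the address of the
# remote gateway, and srcid/dstid are separate trailing identity keywords.

FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]+\.)+[a-z0-9-]+$", re.I)


def is_cidr(tok):
    """from/to accept 'any' or an address/network in CIDR notation."""
    if tok == "any":
        return True
    try:
        ipaddress.ip_network(tok, strict=False)
        return True
    except ValueError:
        return False


def is_address(tok):
    """peer takes the address of the remote gateway, never an identity."""
    try:
        ipaddress.ip_address(tok)
        return True
    except ValueError:
        return False


def is_fqdn(tok):
    return bool(FQDN_RE.match(tok))


def check_rule(rule):
    """Return None if the rule parses, else a message naming the bad token."""
    toks = rule.split()
    pos = 0

    def take(name, pred, what):
        # Consume one value token for keyword `name`, or explain the mismatch.
        nonlocal pos
        if pos >= len(toks):
            return f"{name} expects {what}, got end of line"
        if not pred(toks[pos]):
            return f"{name} expects {what}, got '{toks[pos]}'"
        pos += 1
        return None

    def expect(word):
        nonlocal pos
        got = toks[pos] if pos < len(toks) else "end of line"
        if got != word:
            return f"expected '{word}', got '{got}'"
        pos += 1
        return None

    err = expect("ike")
    if err:
        return err
    if pos < len(toks) and toks[pos] == "passive":
        pos += 1
    if pos >= len(toks) or toks[pos] not in ("esp", "ah"):
        return "expected 'esp' or 'ah'"
    pos += 1
    for kw in ("from", "to"):
        err = expect(kw) or take(kw, is_cidr, "a CIDR address or 'any'")
        if err:
            return err
    # Optional trailing parameters, each allowed once, in any order.
    optional = {"peer": (is_address, "the remote gateway address"),
                "srcid": (is_fqdn, "a FQDN"),
                "dstid": (is_fqdn, "a FQDN")}
    seen = set()
    while pos < len(toks):
        kw = toks[pos]
        if kw not in optional or kw in seen:
            return f"unexpected token '{kw}'"
        seen.add(kw)
        pos += 1
        err = take(kw, *optional[kw])
        if err:
            return err
    return None


def check_conf(text):
    """Check a whole ipsec.conf-style text: join backslash continuations,
    skip comments and blank lines, return {first_line_number: error}."""
    errors, logical, start = {}, "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not logical:
            start = lineno
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical = (logical + line).strip()
        if logical:
            err = check_rule(logical)
            if err:
                errors[start] = err
        logical = ""
    return errors


# Constructed samples modelled on the two configs posted in this thread.
BROKEN_CONF = """\
ike passive esp from 192.0.2.0/24 to 198.51.100.0/24 peer dstid \\
    vpn.example.net
ike esp from srcid gw.example.net to 192.168.83.0/24 peer 203.0.113.5
"""

FIXED_CONF = """\
ike passive esp from 192.0.2.0/24 to 198.51.100.0/24 dstid vpn.example.net
ike esp from any to 192.168.83.0/24 peer 203.0.113.5 srcid gw.example.net
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, check_conf(conf) or "ok")
```

The checker treats a backslash at the end of a line as a continuation, so the first broken rule is reported on its first line (line 1) and the error points at `dstid` sitting where `peer` wants an address; the third line is reported because `srcid` sits where `from` wants a CIDR selector. On a real system the authoritative check remains `ipsecctl -nf /etc/ipsec.conf`, as shown in the thread.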
