Hi all,
Lengthy message ahead!
Here's a rough sketch of the two networks I'm trying to connect with a vpn.
subnet (192.168.0.0/24)
(openbsd and win xp)
|
|
(agampoka) openbsd firewall internal (192.168.0.1)
|
openbsd firewall external (216.67.187.228)
|
|
|
|
|
DSL from AOL (yuck)
|
|
Creative Broadxent "Broadband Blaster" Modem 8012U-V
|
|
Linksys Router Public IP (172.191.191.92, dynamic)
|
Linksys Router 192.168.1.1 (192.168.1.200 is in the DMZ)
|
OpenBSD (laramie)(192.168.1.200)-------------------Hub----Other Offices
Subnet
|
10.1.1.1
|
Switch
|
|
----------- Packet 8 phone (10.1.1.7)
|
|
------------Win XP (10.1.1.6)
Here's my ipsec.conf file from agampoka:
ike passive esp from 192.168.0.0/24 to 10.1.1.0/24 peer 172.191.191.92
ike passive esp from 216.67.187.228 to 10.1.1.0/24 peer 172.191.191.92
ike passive esp from 216.67.187.228 to 172.191.191.92
and from laramie:
ike dynamic esp from 10.1.1.0/24 to 192.168.0.0/24 peer 216.67.187.228
ike dynamic esp from 172.191.191.92 to 192.168.0.0/24 peer 216.67.187.228
ike dynamic esp from 172.191.191.92 to 216.67.187.228
pf.conf on both skips enc0 and passes in quick from the other network:
set skip on { lo $int_if enc0 }
pass quick on $ext_if from 216.67.187.228
Started everything up with isakmpd -K -d and ipsecctl -v -f /etc/ipsec.conf on both.
From the following it looks like the routes and flows are set up correctly:
[EMAIL PROTECTED]:/home/jross $ netstat -rn -f encap
Routing tables

Encap:
Source              Port  Destination         Port  Proto  SA(Address/Proto/Type/Direction)
172.191.191.92/32   0     192.168.0/24        0     0      172.191.191.92/esp/use/in
192.168.0/24        0     172.191.191.92/32   0     0      172.191.191.92/esp/require/out
172.191.191.92/32   0     216.67.187.228/32   0     0      172.191.191.92/esp/use/in
216.67.187.228/32   0     172.191.191.92/32   0     0      172.191.191.92/esp/require/out
10.1.1/24           0     192.168.0/24        0     0      172.191.191.92/esp/use/in
192.168.0/24        0     10.1.1/24           0     0      172.191.191.92/esp/require/out
and this on laramie:
[EMAIL PROTECTED]:/home/jross $ netstat -rn -f encap
Routing tables

Encap:
Source              Port  Destination         Port  Proto  SA(Address/Proto/Type/Direction)
216.67.187.228/32   0     172.191.191.92/32   0     0      216.67.187.228/esp/use/in
172.191.191.92/32   0     216.67.187.228/32   0     0      216.67.187.228/esp/require/out
192.168.0/24        0     172.191.191.92/32   0     0      216.67.187.228/esp/use/in
172.191.191.92/32   0     192.168.0/24        0     0      216.67.187.228/esp/require/out
192.168.0/24        0     10.1.1/24           0     0      216.67.187.228/esp/use/in
10.1.1/24           0     192.168.0/24        0     0      216.67.187.228/esp/require/out
Additionally, I see this on agampoka:
[EMAIL PROTECTED]:/home/jross $ sudo ipsecctl -s all
Password:
FLOWS:
flow esp in from 172.191.191.92 to 192.168.0.0/24 peer 172.191.191.92 srcid 216.67.187.228/32 dstid laramie.wykids.org type use
flow esp out from 192.168.0.0/24 to 172.191.191.92 peer 172.191.191.92 srcid 216.67.187.228/32 dstid laramie.wykids.org type require
flow esp in from 172.191.191.92 to 216.67.187.228 peer 172.191.191.92 srcid 216.67.187.228/32 dstid laramie.wykids.org type use
flow esp out from 216.67.187.228 to 172.191.191.92 peer 172.191.191.92 srcid 216.67.187.228/32 dstid laramie.wykids.org type require
flow esp in from 10.1.1.0/24 to 192.168.0.0/24 peer 172.191.191.92 srcid 216.67.187.228/32 dstid laramie.wykids.org type use
flow esp out from 192.168.0.0/24 to 10.1.1.0/24 peer 172.191.191.92 srcid 216.67.187.228/32 dstid laramie.wykids.org type require
SADB:
esp tunnel from 216.67.187.228 to 172.191.191.92 spi 0xba72e151 auth hmac-sha2-256 enc aes \
        authkey 0x0d1c887a24545b3984708c13b6775db09e778a0c676a82d5aeb17153e70ed917 \
        enckey 0xf90f461776be158ab26fd3cb23ebaced
esp tunnel from 216.67.187.228 to 172.191.191.92 spi 0x9dddd1ff auth hmac-sha2-256 enc aes \
        authkey 0xc231811607a2b7ec0cb6e1613fe25999e5d910492eafdef6ec6f03defa9ce317 \
        enckey 0x56bad5568b1be1a99cc3b54badd83a10
esp tunnel from 216.67.187.228 to 172.191.191.92 spi 0x61df99ce auth hmac-sha2-256 enc aes \
        authkey 0x64d9a21f70ccaf9d148b157b057586df889e0f76c52df3002707a2cd1dfd57f1 \
        enckey 0x5993a98da6443ddc4ba68c2cf1c64751
esp tunnel from 172.191.191.92 to 216.67.187.228 spi 0x538f5300 auth hmac-sha2-256 enc aes \
        authkey 0xd55fca43ed2c8072b00a9331873fbc5b4002cbdb9186ce24f54da1593fb073f0 \
        enckey 0xcfbe56fad086502dc0263642efd6233e
esp tunnel from 172.191.191.92 to 216.67.187.228 spi 0xf94a7832 auth hmac-sha2-256 enc aes \
        authkey 0x8904a8210b2d82a666d051663770c54620ba02e450c1e9bc30f38b73c6d1b37b \
        enckey 0x8dbb130887d1fa91b8a83c6a8e6c5e4d
esp tunnel from 172.191.191.92 to 216.67.187.228 spi 0x9b0bc6f2 auth hmac-sha2-256 enc aes \
        authkey 0xec495c480c35527b5cb152222e5ad1217e069f990dd0bcfd174fbc5576e819ae \
        enckey 0x0cda390249b106748c600ce24131af50
and this on laramie:
[EMAIL PROTECTED]:/home/jross $ sudo ipsecctl -s all
Password:
FLOWS:
flow esp in from 216.67.187.228 to 172.191.191.92 peer 216.67.187.228 srcid laramie.wykids.org dstid 216.67.187.228/32 type use
flow esp out from 172.191.191.92 to 216.67.187.228 peer 216.67.187.228 srcid laramie.wykids.org dstid 216.67.187.228/32 type require
flow esp in from 192.168.0.0/24 to 172.191.191.92 peer 216.67.187.228 srcid laramie.wykids.org dstid 216.67.187.228/32 type use
flow esp out from 172.191.191.92 to 192.168.0.0/24 peer 216.67.187.228 srcid laramie.wykids.org dstid 216.67.187.228/32 type require
flow esp in from 192.168.0.0/24 to 10.1.1.0/24 peer 216.67.187.228 srcid laramie.wykids.org dstid 216.67.187.228/32 type use
flow esp out from 10.1.1.0/24 to 192.168.0.0/24 peer 216.67.187.228 srcid laramie.wykids.org dstid 216.67.187.228/32 type require
SADB:
esp tunnel from 192.168.1.200 to 216.67.187.228 spi 0xf94a7832 auth hmac-sha2-256 enc aes \
        authkey 0x8904a8210b2d82a666d051663770c54620ba02e450c1e9bc30f38b73c6d1b37b \
        enckey 0x8dbb130887d1fa91b8a83c6a8e6c5e4d
esp tunnel from 192.168.1.200 to 216.67.187.228 spi 0x538f5300 auth hmac-sha2-256 enc aes \
        authkey 0xd55fca43ed2c8072b00a9331873fbc5b4002cbdb9186ce24f54da1593fb073f0 \
        enckey 0xcfbe56fad086502dc0263642efd6233e
esp tunnel from 216.67.187.228 to 192.168.1.200 spi 0x9dddd1ff auth hmac-sha2-256 enc aes \
        authkey 0xc231811607a2b7ec0cb6e1613fe25999e5d910492eafdef6ec6f03defa9ce317 \
        enckey 0x56bad5568b1be1a99cc3b54badd83a10
esp tunnel from 216.67.187.228 to 192.168.1.200 spi 0x61df99ce auth hmac-sha2-256 enc aes \
        authkey 0x64d9a21f70ccaf9d148b157b057586df889e0f76c52df3002707a2cd1dfd57f1 \
        enckey 0x5993a98da6443ddc4ba68c2cf1c64751
esp tunnel from 216.67.187.228 to 192.168.1.200 spi 0xba72e151 auth hmac-sha2-256 enc aes \
        authkey 0x0d1c887a24545b3984708c13b6775db09e778a0c676a82d5aeb17153e70ed917 \
        enckey 0xf90f461776be158ab26fd3cb23ebaced
esp tunnel from 192.168.1.200 to 216.67.187.228 spi 0x9b0bc6f2 auth hmac-sha2-256 enc aes \
        authkey 0xec495c480c35527b5cb152222e5ad1217e069f990dd0bcfd174fbc5576e819ae \
        enckey 0x0cda390249b106748c600ce24131af50
Running tcpdump on both machines I get lots of traffic of this type:
12:49:22.567949 agampoka.wykids.net.ipsec-nat-t > 192.168.1.200.ipsec-nat-t:udpencap: esp agampoka.wykids.net > 192.168.1.200 spi 0xBA72E151 seq 65 len 116
12:49:27.038740 192.168.1.200.ipsec-nat-t > agampoka.wykids.net.ipsec-nat-t:udpencap: isakmp v1.0 exchange INFO encrypted
cookie: 1981f1b9cc6c6056->66b746a6e8514f71 msgid: 856985cf len: 92
12:49:27.197373 agampoka.wykids.net.ipsec-nat-t > 192.168.1.200.ipsec-nat-t:udpencap: isakmp v1.0 exchange INFO encrypted
cookie: 1981f1b9cc6c6056->66b746a6e8514f71 msgid: c2eeaf30 len: 92
So, if I read this correctly, I've got something established between agampoka and laramie. Indeed, I can now ping laramie.wykids.org at its 172.191.191.92 public address from agampoka, which I was not able to do before the vpn was established. (I'm not able to ping that address from any other computer on any other network, either--my guess is that AOL is silently dropping the pings.)

But (there had to be a but after all of the above ;-), I cannot ping 10.1.1.6 from any of the 192.168.0.0/24 addresses, nor can I ssh to laramie from my openbsd workstation using either its 192.168.1.200 or 172.191.191.92 address. From laramie I am unable to ping agampoka by either of its addresses.
Am I running afoul of the double nat here? It might be possible
to eliminate the linksys entirely if I can find docs for the Creative
Broadband Blaster and get it to do the authentication (if it is even
required by AOL).
Clues or clue by fours greatly appreciated!
Jeff
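Added diagnostic (not part of the post above, and not an OpenBSD tool): a small Python checker that reads the two ipsecctl -s all outputs, confirms that every "out" flow on one peer has a matching "in" flow on the other, and reports SAs that share an SPI on both peers but whose endpoint addresses differ, which is exactly how laramie's 192.168.1.200 versus agampoka's 172.191.191.92 view of the same SAs shows up. The embedded sample is a constructed condensation of the post's dumps with the keys dropped.

```python
import re

# Constructed sample condensed from the post's two ipsecctl -s all dumps
# (auth/enc keys dropped); the names and addresses are the post's own.
AGAMPOKA = """\
flow esp in from 10.1.1.0/24 to 192.168.0.0/24 peer 172.191.191.92 type use
flow esp out from 192.168.0.0/24 to 10.1.1.0/24 peer 172.191.191.92 type require
esp tunnel from 216.67.187.228 to 172.191.191.92 spi 0xba72e151 auth hmac-sha2-256 enc aes
esp tunnel from 172.191.191.92 to 216.67.187.228 spi 0x538f5300 auth hmac-sha2-256 enc aes
"""
LARAMIE = """\
flow esp in from 192.168.0.0/24 to 10.1.1.0/24 peer 216.67.187.228 type use
flow esp out from 10.1.1.0/24 to 192.168.0.0/24 peer 216.67.187.228 type require
esp tunnel from 192.168.1.200 to 216.67.187.228 spi 0x538f5300 auth hmac-sha2-256 enc aes
esp tunnel from 216.67.187.228 to 192.168.1.200 spi 0xba72e151 auth hmac-sha2-256 enc aes
"""

FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+) peer (\S+)")
SA_RE = re.compile(r"^esp tunnel from (\S+) to (\S+) spi (0x[0-9a-f]+)")

def parse(dump):
    """Return ([(dir, src, dst, peer)], {spi: (src, dst)}) from ipsecctl -s all text."""
    flows, sas = [], {}
    for line in dump.splitlines():
        m = FLOW_RE.match(line)
        if m:
            flows.append(m.groups())
            continue
        m = SA_RE.match(line)
        if m:
            sas[m.group(3)] = (m.group(1), m.group(2))
    return flows, sas

def unmatched_flows(local, remote):
    """'out' flows A->B on one peer that have no 'in' flow A->B on the other."""
    lflows, _ = parse(local)
    rflows, _ = parse(remote)
    remote_in = {(s, d) for dirn, s, d, _ in rflows if dirn == "in"}
    return [(s, d) for dirn, s, d, _ in lflows if dirn == "out" and (s, d) not in remote_in]

def sa_endpoint_mismatches(local, remote):
    """Same SPI on both peers but different endpoints: an address translation sits between them."""
    _, lsas = parse(local)
    _, rsas = parse(remote)
    return {spi: (lsas[spi], rsas[spi]) for spi in lsas if spi in rsas and lsas[spi] != rsas[spi]}

if __name__ == "__main__":
    print("unmatched flows:", unmatched_flows(AGAMPOKA, LARAMIE) + unmatched_flows(LARAMIE, AGAMPOKA))
    for spi, (a, l) in sa_endpoint_mismatches(AGAMPOKA, LARAMIE).items():
        print(f"spi {spi}: agampoka sees {a}, laramie sees {l}")
```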