On Sun, Dec 10, 2006 at 01:11:52AM -0500, tournavis wrote:
> Ok, so in pursuit of some form of testing, I'm trying to get IPSEC to
> connect to a Cisco IOS using isakmpd and ipsecctl (with ipsec.conf).
> There are multiple OpenBSD clients with dynamic IP addresses and one
> fixed-IP address Cisco router. This shouldn't be THAT difficult, no?
>
> Has anyone trodden down this road before with any measurable amount of
> success, or might see where I'm going wrong with this configuration?
I'm using L2TP over IPSEC between various different clients and Cisco IOS
12.4. Using a Windows XP or 2000 client, it works with both pre-shared key
and certificate authentication. With OpenBSD I've only tried pre-shared key.

Specific devices used:

  7204 running 12.4(7)
  7301 with VAM2+ running 12.4(2)T5

However I've not used RSA authentication, which is what you appear to be
using, and also where the error seems to occur. Perhaps you would be better
off setting up a small manual CA and using that instead: for example
http://www.intrusion-lab.net/roca/ which is basically a Knoppix CD plus
TinyCA. I expect that IOS CA operation has been much more widely tested and
hence better debugged.

Alternatively you could use pre-shared key, either just for testing or in
production. (Despite what people say about pre-shared key being "less
secure", I would argue that for a point-to-point link, theft of a pre-shared
key is just the same as the theft of a private/public key pair, certainly at
the OpenBSD end. Of course, the Cisco may make it harder for you to extract
the RSA private key from a running device than to extract a pre-shared key.
However, unless the Cisco is genuinely tamper-proof then that's just
security through obscurity.)

> Eyes are greatly appreciated, sample configs, even sample OpenBSD, Racoon,
> OpenSWAN/et al configurations if I can figure out what's going on. I'm just
> looking for a relatively simple (yet somewhat secure) way to connect
> multiple OpenBSD clients with Dynamic IPs to a fixed-IP Cisco IOS device
> (with the proper IOS image, i.e. K9).

Well, here's an L2TP/IPSEC pre-shared key sample for the IOS side. 1.1.1.1
is the Cisco's address.

virtual-profile virtual-template 1
vpdn enable
vpdn multihop
vpdn authen-before-forward
vpdn session-limit 8000
!
vpdn-group 1
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 lcp renegotiation on-mismatch
 l2tp tunnel hello 300
 no l2tp tunnel authentication
!
virtual-template 1 pre-clone 100
!
crypto keyring L2TP-0
  local-address 1.1.1.1
  pre-shared-key address 0.0.0.0 0.0.0.0 key mysecretkey
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp keepalive 3600
!
crypto ipsec transform-set TS1 esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set TS2 esp-3des esp-md5-hmac
 mode transport
!
crypto dynamic-map DYN_MAP 10
 set nat demux
 set transform-set TS1 TS2
 match address 102
!
crypto map CRYP_MAP 6000 ipsec-isakmp dynamic DYN_MAP
!
interface Loopback0
 ip address 1.2.0.1 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 ip access-group 100 in
 ip access-group 101 out
 crypto map CRYP_MAP
!
interface Virtual-Template1
 ip unnumbered Loopback0
 no logging event link-status
 load-interval 30
 no snmp trap link-status
 ntp disable
 peer default ip address pool POOL
 no keepalive
 ppp mtu adaptive
 ppp authentication pap chap mytunnel
 ppp authorization mytunnel
 ppp accounting mytunnel
 ppp ipcp dns 1.1.1.10 1.1.1.11
!
ip local pool POOL 1.2.0.2 1.2.255.254
!
access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 102 permit udp host 1.1.1.1 eq 1701 any

(You need a RADIUS setup too, but that's only for the PPP termination; that
isn't relevant to the IPSEC setup. You can tighten up access-lists 100 and
101 to permit only isakmp, ESP, and the traffic of interest.)

Certificate authentication is almost the same. In fact if you add these
extra policies then PSK and certificate authentication work at the same
time.

crypto isakmp policy 3
 encr 3des
 group 2
 lifetime 28800
!
crypto isakmp policy 4
 encr 3des
 hash md5
 group 2
 lifetime 28800

Then you have to sort out getting the certificates in, including your own CA
root certificate if you're running your own CA.
The following example is using manual enrolment of foo.example.com, and your
certificate authority's certificate is ca.example.com.

hostname foo
ip domain-name example.com
crypto pki trustpoint ca.example.com
 enrollment terminal pem
 revocation-check none
 fqdn foo.example.com
 subject-name C=XX,O=Foo Systems Ltd,OU=networks,CN=foo.example.com

crypto ca authenticate ca.example.com
... (paste in the PEM root certificate)
... (confirm the hash is correct)

foo(config)#crypto ca enroll ca.example.com
% Start certificate enrollment ..
% The subject name in the certificate will include: C=XX,O=Foo Systems Ltd,OU=networks,CN=foo.example.com
% The subject name in the certificate will include: foo.example.com
% Include the router serial number in the subject name? [yes/no]: yes
% The serial number in the certificate will be: 12345678
% Include an IP address in the subject name? [no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:

-----BEGIN CERTIFICATE REQUEST-----
... snip ...
-----END CERTIFICATE REQUEST-----

---End - This line not part of the certificate request---

Redisplay enrollment request? [yes/no]: no
foo(config)#

Now copy-paste this request across to the CA, sign it, and bring back the
signed certificate.

foo(config)#crypto ca import ca.example.com certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
... snip ...
-----END CERTIFICATE-----
% Router Certificate successfully imported

On the OpenBSD side I've been using isakmpd.conf directly, but something
like this in /etc/ipsec.conf should do (assuming 1.2.3.4 is the OpenBSD
machine's IP address):

ike esp transport proto udp from 1.2.3.4 to 1.1.1.1 port 1701 \
        main auth hmac-md5 enc 3des group modp1024 \
        quick auth hmac-md5 enc 3des group none \
        psk "mysecretkey"

Now, of course, if you want this to be useful you'll also want an L2TP
client for OpenBSD.
I had a hack at porting rp-l2tp but it doesn't work well; I have a pty
problem and I asked here for some help, but none was forthcoming. However
I've had Linux clients (using rp-l2tp and racoon from ipsec-tools) working
successfully.

Otherwise, perhaps you can take some ideas from the above for using either
pre-shared-key or certificate authentication.

HTH,

Brian.
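Added example, not part of Brian's message and not code from OpenBSD or IOS: the "small manual CA" step he suggests, carried out with the openssl command line so that the "copy-paste this request across to the CA, sign it, and bring back the signed certificate" part of the enrolment above can be seen end to end. It builds a root for ca.example.com (the PEM you paste at "crypto ca authenticate"), constructs a stand-in request for foo.example.com in place of the one the router prints (in real use you would paste the router's CSR into $WORK/foo.csr instead; the router never reveals its private key), signs it with the FQDN as a subjectAltName so a peer matching on "fqdn foo.example.com" finds it, and runs the checks worth doing before the result goes into "crypto ca import". The $WORK directory and the file names are this example's own assumptions; the subject names are the ones used in the post. One caveat on the trustpoint above: "revocation-check none" means the router never consults a CRL, so a certificate issued by this CA cannot be withdrawn short of replacing the CA itself, which is fine for a test CA but worth knowing before it goes into production.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal manual CA with the
# openssl CLI, standing in for ca.example.com in the IOS enrolment above.
# Assumptions of this example: $WORK scratch directory and the file names.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. Root CA key and self-signed certificate. $WORK/ca.pem is what gets
#    pasted at "crypto ca authenticate ca.example.com".
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/C=XX/O=Foo Systems Ltd/CN=ca.example.com" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Fingerprint to compare against the one IOS prints before asking you to
# accept the root certificate ("confirm the hash is correct" above).
ca_fingerprint() {
    openssl x509 -in "$WORK/ca.pem" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# 2. Stand-in for the request the router prints after "crypto ca enroll".
#    Constructed here with our own key so the example runs offline; with a
#    real router you paste its CSR into $WORK/foo.csr and skip this step.
make_router_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=XX/O=Foo Systems Ltd/OU=networks/CN=foo.example.com" \
        -keyout "$WORK/foo.key" -out "$WORK/foo.csr" 2>/dev/null
}

# 3. Sign the CSR. The SAN carries the FQDN so a peer that matches on
#    "fqdn foo.example.com" finds it in the certificate, and CA:FALSE
#    stops the router certificate being used to issue further ones.
sign_router_csr() {
    cat > "$WORK/foo.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
subjectAltName=DNS:foo.example.com
EOF
    openssl x509 -req -in "$WORK/foo.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$WORK/foo.ext" -out "$WORK/foo.pem" 2>/dev/null
}

# 4. Checks before pasting foo.pem into "crypto ca import": it chains to
#    our root, it names foo.example.com, and its public key is the one from
#    the CSR (a certificate signed over the wrong request imports but the
#    router cannot use it, because it does not hold the matching key).
verify_router_cert() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/foo.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORK/foo.pem" -noout -text | grep -q 'DNS:foo.example.com' || return 1
    [ "$(openssl x509 -in "$WORK/foo.pem" -noout -modulus)" = \
      "$(openssl req -in "$WORK/foo.csr" -noout -modulus)" ] || return 1
}

# The same chain check must reject a certificate for the same name that was
# issued by some other CA; that is what the router's trustpoint relies on.
rejects_foreign_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=foo.example.com" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/other.pem" >/dev/null 2>&1 && return 1
    return 0
}

make_ca
make_router_csr
sign_router_csr
verify_router_cert
rejects_foreign_cert
echo "CA SHA1 fingerprint (compare with what the router shows): $(ca_fingerprint)"
echo "signed router certificate ready for 'crypto ca import': $WORK/foo.pem"
```

The fingerprint printed at the end is the value to compare, character by character, with what IOS displays during "crypto ca authenticate"; accepting a root whose fingerprint you have not checked would let anyone who can speak to the router's management session substitute their own CA.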