3 Replies Latest reply on Aug 30, 2010 7:53 PM by 807567

    How to setup a IPsec VPN between Solaris 10 and OpenBSD 4.7

    807567
      Dear all,

I am trying, without success, to set up an IPsec VPN between Solaris 10 and OpenBSD.
      My Solaris 10 config is:
      # cat /etc/inet/ipsecinit.conf
      ...
      {tunnel ip.tun1 negotiate transport} ipsec {encr_algs aes encr_auth_algs sha1 sa shared}
      ...

      # cat /etc/hostname.ip.tun1
      192.168.147.1 10.143.200.1 tsrc 213.xxx.xxx.147 tdst xxx.xxx.141.98 router up

      # cat /etc/inet/ike/config
      ## Global parameters
      #
      ## Phase 1 transform defaults
      p1_lifetime_secs 14400
      p1_nonce_len 40
      #
      ## Defaults that individual rules can override.
      p1_xform
      { auth_method preshared oakley_group 5 auth_alg sha encr_alg des }
      p2_pfs 2
      #
      ...
      {
      label "myConfig"
      local_addr xxx.xxx.19.147
      remote_addr xxx.xxx.141.98
      p1_xform
      { auth_method preshared oakley_group 5 auth_alg sha1 encr_alg aes }
      p2_pfs 5
      }


      # cat /etc/inet/secret/ike.preshared
      {       localidtype IP
      localid xxx.xxx.19.147
      remoteidtype IP
      remoteid xxx.xxx.141.98
      # common shared key in hex (56 hex digits = 224 bits)
      key f47cb0f432e14480951095f82b735ba80a9467d08f92c88068b6a40e
      }


      Thanks,
      any help will be appreciated!
      Olivier
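The three Solaris files above have to agree with each other before IKE can even select a rule: the IKE rule is chosen by local_addr/remote_addr, the pre-shared key is looked up by localid/remoteid, and the transport-mode SAs protect the packets between tsrc and tdst. The daemon log and the ikeadm dump in the replies print a local address ending in .146 where the configuration above ends in .147; whether that is a real mismatch or an artifact of the masking, it is exactly the kind of disagreement worth checking mechanically. The following is an added example, not code from the original post: the file contents are constructed stand-ins that mirror the poster's fragments, with RFC 5737 documentation addresses (192.0.2.147 local, 198.51.100.98 remote) in place of the masked public ones, and the only parser assumption is Solaris's own syntax for these files (hex digits for the key, braces for rules).

```python
# Added example: cross-check the three Solaris files quoted above. The file
# contents are constructed stand-ins; RFC 5737 addresses (192.0.2.147 local,
# 198.51.100.98 remote) replace the masked public ones.
import re

HOSTNAME_IP_TUN1 = "192.168.147.1 10.143.200.1 tsrc 192.0.2.147 tdst 198.51.100.98 router up\n"

IKE_CONFIG = """\
p1_xform
{ auth_method preshared oakley_group 5 auth_alg sha encr_alg des }
p2_pfs 2
{
label "myConfig"
local_addr 192.0.2.147
remote_addr 198.51.100.98
p1_xform
{ auth_method preshared oakley_group 5 auth_alg sha1 encr_alg aes }
p2_pfs 5
}
"""

IKE_PRESHARED = """\
{       localidtype IP
localid 192.0.2.147
remoteidtype IP
remoteid 198.51.100.98
# common shared key in hex
key f47cb0f432e14480951095f82b735ba80a9467d08f92c88068b6a40e
}
"""

def parse_tunnel(text):
    """(tsrc, tdst) of a hostname.ip.tunN line: the outer tunnel endpoints."""
    toks = text.split()
    return toks[toks.index("tsrc") + 1], toks[toks.index("tdst") + 1]

def top_level_blocks(text):
    """Text inside each outermost {...} of ike/config, nested braces kept."""
    depth, start = 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                yield text[start:i]

def parse_rules(text):
    """{label: (local_addr, remote_addr)}; the unlabelled p1_xform defaults are skipped."""
    rules = {}
    for body in top_level_blocks(text):
        label = re.search(r'label\s+"([^"]+)"', body)
        if label:
            local = re.search(r"\blocal_addr\s+(\S+)", body)
            remote = re.search(r"\bremote_addr\s+(\S+)", body)
            rules[label.group(1)] = (local and local.group(1), remote and remote.group(1))
    return rules

def parse_preshared(text):
    """keyword -> value for one ike.preshared entry, comments dropped."""
    fields = {}
    for line in text.replace("{", " ").replace("}", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            fields[key] = value.strip()
    return fields

def key_bits(preshared_text):
    """Size of the key in bits; Solaris reads 'key' as hex digits, 4 bits each."""
    return len(parse_preshared(preshared_text).get("key", "")) * 4

def check(tunnel_text, ike_config_text, preshared_text, label="myConfig"):
    """Findings list; empty means the tunnel, the IKE rule and the PSK entry agree.

    The rule is chosen by local_addr/remote_addr, the key by localid/remoteid,
    and the transport-mode SAs protect traffic between tsrc and tdst, so all
    three pairs must name the same two hosts.
    """
    tsrc, tdst = parse_tunnel(tunnel_text)
    rule = parse_rules(ike_config_text).get(label)
    if rule is None:
        return [f"no rule labelled {label!r} in ike/config"]
    local_addr, remote_addr = rule
    psk = parse_preshared(preshared_text)
    findings = []
    if not tsrc == local_addr == psk.get("localid"):
        findings.append(f"local endpoint disagrees: tsrc={tsrc} "
                        f"local_addr={local_addr} localid={psk.get('localid')}")
    if not tdst == remote_addr == psk.get("remoteid"):
        findings.append(f"remote endpoint disagrees: tdst={tdst} "
                        f"remote_addr={remote_addr} remoteid={psk.get('remoteid')}")
    key = psk.get("key", "")
    if not re.fullmatch(r"[0-9a-fA-F]+", key) or len(key) % 2:
        findings.append("key is not an even number of hex digits")
    elif key_bits(preshared_text) < 128:
        findings.append(f"key is only {key_bits(preshared_text)} bits")
    return findings

if __name__ == "__main__":
    print("\n".join(check(HOSTNAME_IP_TUN1, IKE_CONFIG, IKE_PRESHARED) or ["ok"]))
```

Run it against the real files with `check(open("/etc/hostname.ip.tun1").read(), open("/etc/inet/ike/config").read(), open("/etc/inet/secret/ike.preshared").read())` as root; the key length it reports (224 bits for the key quoted above) is also the number the OpenBSD side has to end up with once it decodes its copy of the secret.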
        • 1. Re: How to setup a IPsec VPN between Solaris 10 and OpenBSD 4.7
          807567
          Here is part of the in.iked daemon log:

          in.iked: Looking for xxx.xxx.19.146[0] in IKE daemon context...
          in.iked: IKE library: Using default remote port for NAT-T, if active.
          Before call, nego = 9b0b8.
          in.iked: New incoming phase 1 (pm_info = 0x9aba0).
          in.iked: NAT-T state 0 (INIT)
          in.iked: Creating receiver phase1 structure for P1 SA negotiation.
          in.iked: Examining rule list.
          in.iked: rule 'myConfig' 256;
          in.iked: local addr xxx.xxx.19.146[56776];
          in.iked: remote addr xxx.xxx.141.98[56776]
          in.iked: [match]
          After call.
          in.iked: Notifying library that P2 SA is freed.
          in.iked: Local IP = xxx.xxx.19.146, Remote IP = xxx.xxx.141.98,
          in.iked: Finishing P1 negotiation: NAT-T state 0 (INIT)
          in.iked: Phase 1 negotiation error: code 4 (Invalid Cookie).
          in.iked: Deleting local phase 1 instance.
          in.iked: Looking for xxx.xxx.19.146[0] in IKE daemon context...
          in.iked: IKE library: Using default remote port for NAT-T, if active.
          Before call, nego = 9b0b8.
          in.iked: New incoming phase 1 (pm_info = 0xa7cf0).
          in.iked: NAT-T state 0 (INIT)
          in.iked: Creating receiver phase1 structure for P1 SA negotiation.
          in.iked: Examining rule list.
          in.iked: rule 'myConfig' 256;
          in.iked: local addr xxx.xxx.19.146[56776];
          in.iked: remote addr xxx.xxx.141.98[56776]
          in.iked: [match]
          After call.
          in.iked: Notifying library that P2 SA is freed.
          in.iked: Local IP = xxx.xxx.19.146, Remote IP = xxx.xxx.141.98,
          in.iked: Finishing P1 negotiation: NAT-T state 0 (INIT)
          in.iked: Phase 1 negotiation error: code 4 (Invalid Cookie).
          in.iked: Deleting local phase 1 instance.
          in.iked: Looking for xxx.xxx.19.146[0] in IKE daemon context...
          Before call, nego = 9b0b8.
          in.iked: New incoming phase 1 (pm_info = 0x9aba0).
          in.iked: NAT-T state 0 (INIT)
          in.iked: Creating receiver phase1 structure for P1 SA negotiation.
          in.iked: Examining rule list.
          in.iked: rule 'myConfig' 256;
          in.iked: local addr xxx.xxx.19.146[56776];
          in.iked: remote addr xxx.xxx.141.98[56776]
          in.iked: [match]
          After call.
          in.iked: Vendor ID from peer:
          in.iked: 0x6c0dcd481deae8ae0b0a68384b3072f9
          in.iked: Could not find VID description
          in.iked: Vendor ID from peer:
          in.iked: 0x90cb80913ebb696e086381b5ec427b1f
          in.iked: NAT-Traversal (draft-ietf-ipsec-nat-t-ike-02 (Draft RFC md5sum))
          in.iked: Vendor ID from peer:
          in.iked: 0x7d9419a65310ca6f2c179d9215529d56
          in.iked: NAT-Traversal (draft-ietf-ipsec-nat-t-ike-03)
          in.iked: Vendor ID from peer:
          in.iked: 0x4a131c81070358455c5728f20e95452f
          in.iked: NAT-Traversal (RFC 3947)
          in.iked: Using NAT-D (RFC 3947 VID)
          in.iked: Vendor ID from peer:
          in.iked: 0xafcad71368a1f1c96b8696fc77570100
          in.iked: Could not find VID description
          in.iked: Selecting transform from inbound SA...
          in.iked: pm_info = 0x9aba0, NAT-T state 1 (VID)
          in.iked: Checking P1 transform from remote initiator!
          in.iked: NAT-T state 1 (VID)
          in.iked: P1 Transform check
          Rule "myConfig", transform 0:
          auth_method = 1 (Pre-shared)
          hash_alg = 2 (sha1)
          encr_alg = 7 (aes-cbc)
          keysizes = 128..256 bits
          oakley_group = 5
          in.iked: P1 Transform check:
          Peer Proposal: transform 0

          in.iked: auth_method = 1 (Pre-shared)
          hash_alg = 2 (sha1)
          encr_alg = 7 (aes-cbc)
          key_length = 128 bits
          oakley_group = 5
          in.iked: Rule "myConfig" matches proposal.
          in.iked: Selected Proposal Transform 0.
          in.iked: Sending selected SA with transforms_index 0 to library.
          in.iked: Sending out Vendor IDs, if needed: NAT-T state 1 (VID)
          in.iked: Phase 1 info, pm_info structure == 9aba0.
          in.iked: IKE library: Using default remote port for NAT-T, if active.
          in.iked: IKE library: NAT-Discovery - not a NAT-T connection
          in.iked: Determining P1 nonce data length.
          in.iked: NAT-T state -1 (NEVER)
          in.iked: Finding preshared key...
          in.iked: IKE library: Using default remote port for NAT-T, if active.
          in.iked: IKE error: type 1 (Invalid payload type), decrypted 0, received 1
          in.iked: Finishing P1 negotiation: NAT-T state -1 (NEVER)
          in.iked: Phase 1 negotiation error: code 1 (Invalid payload type).
          in.iked: Notifying library that P2 SA is freed.
          in.iked: Local IP = xxx.xxx.19.146, Remote IP = xxx.xxx.141.98,
          Before call, nego = 9a280.
          in.iked: New incoming phase 1 (pm_info = 0xa01b0).
          in.iked: NAT-T state 0 (INIT)
          in.iked: Creating receiver phase1 structure for P1 SA negotiation.
          in.iked: Examining rule list.
          in.iked: rule 'myConfig' 256;
          in.iked: local addr xxx.xxx.19.146[56776];
          in.iked: remote addr xxx.xxx.141.98[56776]
          in.iked: [match]
          After call.
          in.iked: Notifying library that P2 SA is freed.
          in.iked: Local IP = xxx.xxx.19.146, Remote IP = xxx.xxx.141.98,
          in.iked: Finishing P1 negotiation: NAT-T state 0 (INIT)
          in.iked: Phase 1 negotiation error: code 8 (Invalid flags).
          in.iked: Deleting local phase 1 instance.
          in.iked: Looking for xxx.xxx.19.146[0] in IKE daemon context...
          in.iked: IKE library: Using default remote port for NAT-T, if active.
          Before call, nego = 9a280.
          in.iked: New incoming phase 1 (pm_info = 0xa8f38).
          in.iked: NAT-T state 0 (INIT)
          in.iked: Creating receiver phase1 structure for P1 SA negotiation.
          in.iked: Examining rule list.
          in.iked: rule 'myConfig' 256;
          in.iked: local addr xxx.xxx.19.146[56776];
          in.iked: remote addr xxx.xxx.141.98[56776]
          in.iked: [match]
          After call.
          in.iked: Notifying library that P2 SA is freed.
          in.iked: Local IP = xxx.xxx.19.146, Remote IP = xxx.xxx.141.98,
          in.iked: Finishing P1 negotiation: NAT-T state 0 (INIT)
          in.iked: Phase 1 negotiation error: code 4 (Invalid Cookie).
          in.iked: Deleting local phase 1 instance.
          in.iked: Looking for xxx.xxx.19.146[0] in IKE daemon context...
          in.iked: Deleting local phase 1 instance.
          in.iked: Looking for xxx.xxx.19.146[0] in IKE daemon context...
          in.iked: IKE library: Using default remote port for NAT-T, if active.
          in.iked: IKE error: type 1 (Invalid payload type), decrypted 0, received 1
          in.iked: Deleting local phase 1 instance.
          in.iked: Looking for xxx.xxx.19.146[0] in IKE daemon context...
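The log above is easier to read once it is split into one record per "New incoming phase 1" and each record is tagged with how far the exchange got. That matters for IKEv1 main mode with a pre-shared key: messages 1 to 4 (SA and KE) travel in the clear, and messages 5 and 6 (ID and HASH) are the first ones encrypted, under keys derived from the pre-shared key. So the "Invalid Cookie" and "Invalid flags" errors, which come from header checks before any proposal is examined, say nothing about the key or the transforms, whereas an "Invalid payload type, decrypted 0" error raised right after "Finding preshared key..." is where a secret that does not decode identically on both peers would first show up; the abridged log alone cannot confirm that is the cause here. The following parser is an added example, not part of the reply; SAMPLE_LOG is constructed and abridged from the lines shown above, keeping only the lines the parser keys on.

```python
# Added example: triage a verbose in.iked log into one record per incoming
# phase 1 attempt. SAMPLE_LOG is constructed, abridged from the reply's log.
import re
from collections import Counter

SAMPLE_LOG = """\
in.iked: New incoming phase 1 (pm_info = 0x9aba0).
in.iked: rule 'myConfig' 256;
in.iked: [match]
in.iked: Finishing P1 negotiation: NAT-T state 0 (INIT)
in.iked: Phase 1 negotiation error: code 4 (Invalid Cookie).
in.iked: Deleting local phase 1 instance.
in.iked: New incoming phase 1 (pm_info = 0x9aba0).
in.iked: rule 'myConfig' 256;
in.iked: [match]
in.iked: NAT-Traversal (RFC 3947)
in.iked: Rule "myConfig" matches proposal.
in.iked: Selected Proposal Transform 0.
in.iked: IKE library: NAT-Discovery - not a NAT-T connection
in.iked: Finding preshared key...
in.iked: IKE error: type 1 (Invalid payload type), decrypted 0, received 1
in.iked: Finishing P1 negotiation: NAT-T state -1 (NEVER)
in.iked: Phase 1 negotiation error: code 1 (Invalid payload type).
in.iked: New incoming phase 1 (pm_info = 0xa01b0).
in.iked: rule 'myConfig' 256;
in.iked: [match]
in.iked: Finishing P1 negotiation: NAT-T state 0 (INIT)
in.iked: Phase 1 negotiation error: code 8 (Invalid flags).
in.iked: Deleting local phase 1 instance.
"""

NEW_P1 = re.compile(r"New incoming phase 1 \(pm_info = (0x[0-9a-f]+)\)")
RULE = re.compile(r"rule '([^']+)'")
NATT_END = re.compile(r"Finishing P1 negotiation: NAT-T state -?\d+ \((\w+)\)")
P1_ERROR = re.compile(r"Phase 1 negotiation error: code (\d+) \(([^)]+)\)")

def parse_iked_log(text):
    """One dict per 'New incoming phase 1' block, in log order."""
    attempts, cur, pending_rule = [], None, None
    for line in text.splitlines():
        m = NEW_P1.search(line)
        if m:
            cur = {"pm_info": m.group(1), "rule": None, "proposal_matched": False,
                   "psk_lookup": False, "natt": None, "error_code": None, "error": None}
            attempts.append(cur)
            continue
        if cur is None:
            continue                        # lines before the first attempt
        m = RULE.search(line)
        if m:
            pending_rule = m.group(1)       # candidate rule being examined
        elif "[match]" in line:
            cur["rule"] = pending_rule      # that candidate was selected
        elif "matches proposal" in line:
            cur["proposal_matched"] = True  # peer's SA proposal accepted
        elif "Finding preshared key" in line:
            cur["psk_lookup"] = True        # about to process the encrypted exchange
        else:
            m = NATT_END.search(line)
            if m:
                cur["natt"] = m.group(1)    # final NAT-T state (INIT/VID/NEVER/...)
            m = P1_ERROR.search(line)
            if m:
                cur["error_code"], cur["error"] = int(m.group(1)), m.group(2)
    return attempts

def stage(attempt):
    """Last milestone reached before the error, for a main mode / PSK exchange."""
    if attempt["psk_lookup"]:
        return "encrypted ID/HASH exchange"
    if attempt["proposal_matched"]:
        return "SA selected, key exchange pending"
    if attempt["rule"]:
        return "rule matched, no SA selected"
    return "no rule matched"

def summarize(text):
    """Count (stage, error) pairs so the repeated failure modes stand out."""
    return Counter((stage(a), a["error"]) for a in parse_iked_log(text))

if __name__ == "__main__":
    for (where, err), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {err!s:24} at: {where}")
```

Feed it the complete debug log (`in.iked -d` or the level set with `ikeadm set debug all`) rather than the excerpt: the summary separates the attempts that never got past the unencrypted header checks from the one that reached the pre-shared key lookup, which is the only one that tells you anything about the key or the ID types.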
          • 2. Re: How to setup a IPsec VPN between Solaris 10 and OpenBSD 4.7
            807567
            Your config seems sensible, but your logfiles aren't showing anything interesting. It looks to me like you edited out the good stuff.

            Use a file attachment if you must, but attach the whole log between when your peer attempts and when it fails. BTW, is this S10u7 or higher?
            • 3. Re: How to setup a IPsec VPN between Solaris 10 and OpenBSD 4.7
              807567
              Log file attachment here

              It is an old version!
              # cat /etc/release | grep Solaris
              Solaris 10 8/07 s10s_u4wos_12b SPARC
              # uname -a
              SunOS mrs22 5.10 Generic_120011-14 sun4u sparc SUNW,UltraAX-i2

              I have updated my config to disable the DF bit with this command
              ndd -set /dev/ip ip_path_mtu_discovery 0
              and to force only aes128 and p1_lifetime_secs to 3600
              # cat /etc/inet/ike/config
              ## Global parameters
              #
              ## Phase 1 transform defaults
              p1_lifetime_secs 3600
              p1_nonce_len 40
              #
              ## Defaults that individual rules can override.
              p1_xform
              { auth_method preshared oakley_group 5 auth_alg sha encr_alg des }
              p2_pfs 2
              #
              ...
              {
              label "myConfig"
              local_addr xxx.xxx.19.147
              remote_addr xxx.xxx.141.98
              p1_xform
              { auth_method preshared oakley_group 5 auth_alg sha1 encr_alg aes(128..128) }
              p2_pfs 5
              }

              ikeadm dump rule

              ...
              GLOBL: Label 'myConfig', key manager cookie 2
              GLOBL: local_idtype=<unknown 0>, ike_mode=any mode
              GLOBL: p1_nonce_len=40, p2_nonce_len=32, p2_pfs=true (group 5)
              GLOBL: p2_lifetime=28800 seconds, p2_softlife=25920 seconds
              GLOBL: p2_lifetime_kb=0 seconds, p2_softlife_kb=0 seconds
              LOCIP: IP address range(s):
              LOCIP: xxx.xxx.19.146
              REMIP: IP address range(s):
              REMIP: xxx.xxx.141.98
              XFRMS: Available Transforms:
              XF 0: Authentication method: pre-shared key
              XF 0: Encryption alg: aes-cbc; Authentication alg: hmac-sha1
              XF 0: PRF: <unknown>; Oakley Group: 1536-bit MODP
              XF 0: Phase 2 PFS is required (Oakley Group: 1536-bit MODP)
              XF 0: Lifetime limits:
              XF 0: 3600 seconds; 0 kbytes protected; 0 keymat provided.

              Completed dump of policy rules

              Edited by: Oli013 on 30 August 2010 20:52
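Nothing in the thread shows the OpenBSD side, yet every parameter it has to match is in the Solaris files above. As an added example that is not from the thread, here is an OpenBSD 4.7 /etc/ipsec.conf, /etc/hostname.gif0 and /etc/rc.conf.local that mirror them: an IP-in-IP tunnel interface whose packets are protected by transport-mode ESP (which is what "tunnel ip.tun1 negotiate transport" means on Solaris), main mode with a pre-shared key, AES-128 / HMAC-SHA1 / Oakley group 5 (modp1536) for phase 1, the same group for phase 2 PFS, and ESP aes/hmac-sha1. Assumptions: 192.0.2.147 and 198.51.100.98 are RFC 5737 placeholders for the masked Solaris and OpenBSD addresses; the 0x prefix on psk is how isakmpd takes a raw hex key, which is what the Solaris ike.preshared entry holds (check isakmpd.conf(5) on the installed release; without the prefix the 56 characters would be used as ASCII, a different 448-bit key); and the lifetime keyword in the main clause matches p1_lifetime_secs 3600, drop it if that ipsecctl version rejects it.

```conf
# /etc/ipsec.conf on the OpenBSD 4.7 peer (added example, not from the thread).
# 192.0.2.147 stands for the masked Solaris address, 198.51.100.98 for this host.
solaris = "192.0.2.147"
me      = "198.51.100.98"

# Transport-mode ESP over the IP-in-IP packets (protocol 4, "ipencap" in
# /etc/protocols) that gif0 emits: the counterpart of the Solaris policy
# "{tunnel ip.tun1 negotiate transport} ipsec {encr_algs aes encr_auth_algs sha1 sa shared}".
# Phase 1 and phase 2 mirror the Solaris rule "myConfig": pre-shared key,
# aes(128..128)/sha1 with oakley_group 5, and p2_pfs 5 (modp1536).
ike esp transport proto ipencap from $me to $solaris \
        main  auth hmac-sha1 enc aes-128 group modp1536 lifetime 3600 \
        quick auth hmac-sha1 enc aes-128 group modp1536 \
        psk 0xf47cb0f432e14480951095f82b735ba80a9467d08f92c88068b6a40e

# /etc/hostname.gif0: the tunnel itself. Inner addresses are swapped relative
# to the Solaris /etc/hostname.ip.tun1 (its local 192.168.147.1 is our peer).
tunnel 198.51.100.98 192.0.2.147
!ifconfig gif0 inet 10.143.200.1 192.168.147.1 netmask 255.255.255.255
up

# /etc/rc.conf.local: run isakmpd without KeyNote policy checks (-K, needed
# when the flows come from ipsecctl) and load ipsec.conf at boot.
isakmpd_flags="-K"
ipsec=YES
```

To bring it up by hand, start `isakmpd -K`, load the policy with `ipsecctl -f /etc/ipsec.conf`, then ping 192.168.147.1 from the OpenBSD box and compare both views of the result: `ipsecctl -sa` on OpenBSD should list the two proto-4 flows and a pair of ESP SAs, and on Solaris `ikeadm dump p1` and `ipseckey dump` should show the matching phase 1 SA and ESP SAs. If the OpenBSD side lists the flows but no SAs, read the in.iked output again: a failure before any SA is selected is a transform or address mismatch, a failure right after the pre-shared key lookup is the secret itself.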