IPSEC VPN + OpenBSD 3.3 + NetScreen
===================================

Shanker Balan
http://shankerbalan.com/


Overview
========

Netscreen makes some very expensive, featureful firewall and standards-based
IPSEC VPN products which are beyond the reach of the average Indian IT shop.
In fact, this little experiment came about for exactly this reason: a client
wanted to replace his end of the VPN tunnel with an open source solution due
to cost concerns. A Netscreen box costs $22000 (as told to me) with a $5000
annual maintenance contract.

Why OpenBSD? My previous experience (in the year two thousand) with the Linux
FreeSWAN IPSEC implementation was not exactly pleasing, since it was not part
of the stock kernel and the system had to be patched brutally to get the whole
thing set up. Even that was not guaranteed to work; a little bit of black magic
was also required. OpenBSD, on the other hand, was ready out of the box to do
my bidding. Kernel IPSEC support, an IKE daemon and a more than capable packet
filtering mechanism quickly made this fine BSD distribution a perfect choice as
a VPN gateway. The general feeling that the OpenBSD IPSEC implementation "just
worked" gave me enough courage to actually attempt this task.

Googling around for people who had replaced Netscreen-to-Netscreen VPNs with
OpenBSD-to-Netscreen was not exactly fruitful. However, I did find one HOWTO
which described how to set up an OpenBSD mobile IPSEC client against the
Netscreen. Using that as a reference, I set about replacing one end of the VPN
tunnel with OpenBSD 3.3.

A Mobile VPN configuration using OpenBSD and ScreenOS:
http://www.mindshadow.net/defcon/10/CD/dc10-eldridge-mobilevpn/obsd_ns_vpn.html


CONFIGURATION
=============

The VPN is between the subnet 192.168.80.0/24 and the two hosts 172.16.254.2
and 172.16.254.3 sitting behind the Netscreen box.
  192.168.80.0/24 ---> OpenBSD (O.O.O.O) <---> IPSEC <---> (N.N.N.N) Netscreen ---> 172.16.254.2/32
  192.168.80.0/24 ---> OpenBSD (O.O.O.O) <---> IPSEC <---> (N.N.N.N) Netscreen ---> 172.16.254.3/32

OpenBSD Public IP:   O.O.O.O
Netscreen Public IP: N.N.N.N


Netscreen End
-------------

The Netscreen end, which was managed externally, had been configured as
follows:

Phase I:

  ENCRYPTION_ALGORITHM= 3DES_CBC
  HASH_ALGORITHM= SHA
  AUTHENTICATION_METHOD= PRE_SHARED
  GROUP_DESCRIPTION= MODP_1024

Phase II:

  EXCHANGE_TYPE= QUICK_MODE
  Suites= QM-ESP-3DES-SHA-PFS-SUITE

Policy:

  Source            Port   Destination       Port
  ====================================================
  192.168.80.0/24   Any    172.16.254.2/32   Any
  192.168.80.0/24   Any    172.16.254.3/32   Any


OpenBSD Configuration
---------------------

###
### /etc/isakmpd/isakmpd.conf
###

[General]
Shared-SADB= Defined
Retransmits= 5
Exchange-max-time= 120
Check-interval= 60
Default-phase-1-lifetime= 3600,60:86400
Default-phase-2-lifetime= 1200,60:86400

[Phase 1]
N.N.N.N= ISAKMP-peer-netscreen
Default= ISAKMP-peer-netscreen

[ISAKMP-peer-netscreen]
Phase= 1
Local-address= O.O.O.O
Address= N.N.N.N
Configuration= Default-main-mode
Authentication= secret

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA

[3DES-SHA]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= Default-phase-1-lifetime

[Phase 2]
Connections= IPsec-openbsd-netscreen-1, IPsec-openbsd-netscreen-2

[IPsec-openbsd-netscreen-1]
Phase= 2
ISAKMP-peer= ISAKMP-peer-netscreen
Configuration= Default-quick-mode
Local-ID= Net-openbsd
Remote-ID= Net-netscreen-1

[IPsec-openbsd-netscreen-2]
Phase= 2
ISAKMP-peer= ISAKMP-peer-netscreen
Configuration= Default-quick-mode
Local-ID= Net-openbsd
Remote-ID= Net-netscreen-2

[Net-openbsd]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.80.0
Netmask= 255.255.255.0

[Net-netscreen-1]
ID-type= IPV4_ADDR
Address= 172.16.254.2

[Net-netscreen-2]
ID-type= IPV4_ADDR
Address= 172.16.254.3
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE

###
### /etc/isakmpd/isakmpd.policy
###

KeyNote-Version: 2
Authorizer: "POLICY"
Comment: This policy accepts ESP SAs from a remote that uses the right password
Licensees: "passphrase:secret"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "3des" &&
            esp_auth_alg == "hmac-sha" -> "true";


Start IKE Daemon
================

root# isakmpd -d -DA=90

This runs it in full debug mode. See the isakmpd manpage for debugging the
various stages.

root# netstat -rn -f encap
Routing tables

Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
172.16.254.3/32    0     192.168.80/24      0     0     N.N.N.N/50/use/in
172.16.254.2/32    0     192.168.80/24      0     0     N.N.N.N/50/use/in
192.168.80/24      0     172.16.254.3/32    0     0     N.N.N.N/50/require/out
192.168.80/24      0     172.16.254.2/32    0     0     N.N.N.N/50/require/out

root# ipsecadm show
sadb_dump: satype unspec vers 2 len 39 seq 1 pid 22435
sa: spi 0x807c9428 auth hmac-sha1 enc 3des-cbc state larval replay 0 flags 4
lifetime_cur: alloc 0 bytes 13360 add 1066114320 first 1066114320
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
address_src: O.O.O.O
address_dst: N.N.N.N
key_auth: bits 160: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
key_encrypt: bits 192: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
identity_src: type prefix id 0: O.O.O.O/32
identity_dst: type prefix id 0: N.N.N.N/32

sadb_dump: satype unspec vers 2 len 39 seq 1 pid 22435
sa: spi 0x1f9b6614 auth hmac-sha1 enc 3des-cbc state larval replay 0 flags 4
lifetime_cur: alloc 0 bytes 13984 add 1066113544 first 1066113549
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
address_src: N.N.N.N
address_dst: O.O.O.O
key_auth: bits 160: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
key_encrypt: bits 192: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
identity_src: type prefix id 0: N.N.N.N/32
identity_dst: type prefix id 0: O.O.O.O/32

sadb_dump: satype unspec vers 2 len 39 seq 1 pid 22435
sa: spi 0x67b29852 auth hmac-sha1 enc 3des-cbc state larval replay 0 flags 4
lifetime_cur: alloc 0 bytes 788744 add 1066114320 first 1066114320
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
address_src: N.N.N.N
address_dst: O.O.O.O
key_auth: bits 160: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
key_encrypt: bits 192: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
identity_src: type prefix id 0: N.N.N.N/32
identity_dst: type prefix id 0: O.O.O.O/32

sadb_dump: satype unspec vers 2 len 39 seq 1 pid 22435
sa: spi 0x807c9427 auth hmac-sha1 enc 3des-cbc state larval replay 0 flags 4
lifetime_cur: alloc 0 bytes 2872 add 1066113544 first 1066113649
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
address_src: O.O.O.O
address_dst: N.N.N.N
key_auth: bits 160: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
key_encrypt: bits 192: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
identity_src: type prefix id 0: O.O.O.O/32
identity_dst: type prefix id 0: N.N.N.N/32


NOTES
=====

- I have found this solution to be rock solid, handling ISP outages
  gracefully. The key exchange and session handling work without a hitch.

- Initially, the Netscreen-to-Netscreen VPN policy was as follows:

    Source            Port         Destination       Port
    ===================================================================
    192.168.80.0/24   ICMP         172.16.254.2/32   ICMP
    192.168.80.0/24   http         172.16.254.2/32   http
    192.168.80.0/24   cvspserver   172.16.254.2/32   cvspserver
    192.168.80.0/24   ICMP         172.16.254.3/32   ICMP
    192.168.80.0/24   http         172.16.254.3/32   http
    192.168.80.0/24   cvspserver   172.16.254.3/32   cvspserver

  The above was the policy before the migration. However, this policy failed
  during Phase II negotiations, probably because I did not know how to handle
  multiple policies per host in isakmpd.conf. Since time was of the essence,
  the Netscreen admin on the other end agreed to change the ports to "any",
  which worked with my existing isakmpd.conf.

- Routing problem on the Netscreen end. Once the policy was changed to "port
  any", Phase II clicked and the security associations were established.
  Packets were going across the tunnel (confirmed using tcpdump -i enc0) and
  the Netscreen admin was seeing them arrive on his end too. But nothing was
  coming back: the Netscreen firewall was complaining about "spoofed packets"
  coming from our end of the LAN. The Netscreen sysadmin fixed this in an
  hour's time and gave a vague description of how he fixed it. My guess is
  that it was a screw-up at his end.

- During the same time, while we were trying to migrate to OpenBSD, the
  in-house sysadmins, with the help of a "Cisco expert from Hyderabad", were
  trying to get their existing PIX firewall to work with the Netscreen box (as
  a backup in case we failed) without much success: Phase II just would not
  negotiate. What can I say? OpenBSD rulez! :)


Changelog
=========

* Tue Oct 14 11:25:11 IST 2003 - First Cut
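The two commands in the "Start IKE Daemon" section are what you actually use to confirm the tunnel is in the state the configuration asks for. The script below is an added example, not part of the original HOWTO and not the author's code: it parses the `netstat -rn -f encap` flow table and the `ipsecadm show` SA dump (constructed copies of the output printed in that section, with two of the four SAs and the key and identity lines dropped) and checks that every outbound flow is `require` rather than `use` (so traffic for the remote hosts is never silently sent in the clear if an SA is missing), that every outbound flow has an inbound mirror via the same peer, that each SA carries the negotiated 3DES/HMAC-SHA1 suite with a soft lifetime below the hard one (the 1080/1200 seconds that follow from `Default-phase-2-lifetime= 1200,60:86400`), and that SAs exist in both directions. The function names, the regular expression and the assumption that the output layout is exactly the OpenBSD 3.3 layout shown above are mine.

```python
"""Sanity checks over OpenBSD 3.3 `netstat -rn -f encap` and `ipsecadm show`.

Added example for this HOWTO, not the author's code.  The samples below are a
constructed copy of the output in the "Start IKE Daemon" section (two of the
four SAs, key and identity lines dropped); the parsers assume that layout.
"""
import re
from collections import namedtuple

Flow = namedtuple("Flow", "src dst peer proto type direction")
SA = namedtuple("SA", "spi auth enc state src dst soft hard")  # state kept, not judged

ENCAP_OUTPUT = """\
Source           Port  Destination      Port  Proto SA(Address/Proto/Type/Direction)
172.16.254.3/32  0     192.168.80/24    0     0     N.N.N.N/50/use/in
172.16.254.2/32  0     192.168.80/24    0     0     N.N.N.N/50/use/in
192.168.80/24    0     172.16.254.3/32  0     0     N.N.N.N/50/require/out
192.168.80/24    0     172.16.254.2/32  0     0     N.N.N.N/50/require/out
"""

SADB_OUTPUT = """\
sadb_dump: satype unspec vers 2 len 39 seq 1 pid 22435
sa: spi 0x807c9428 auth hmac-sha1 enc 3des-cbc state larval replay 0 flags 4
lifetime_cur: alloc 0 bytes 13360 add 1066114320 first 1066114320
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
address_src: O.O.O.O
address_dst: N.N.N.N
sadb_dump: satype unspec vers 2 len 39 seq 1 pid 22435
sa: spi 0x1f9b6614 auth hmac-sha1 enc 3des-cbc state larval replay 0 flags 4
lifetime_cur: alloc 0 bytes 13984 add 1066113544 first 1066113549
lifetime_hard: alloc 0 bytes 0 add 1200 first 0
lifetime_soft: alloc 0 bytes 0 add 1080 first 0
address_src: N.N.N.N
address_dst: O.O.O.O
"""

# src port dst port proto peer/ipproto/type/direction -- the header line does not match
FLOW_RE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+\d+\s+\d+\s+(\S+)/(\d+)/(\w+)/(\w+)$")


def parse_encap(text):
    """Flow entries of a `netstat -rn -f encap` listing."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            src, dst, peer, proto, typ, direction = m.groups()
            flows.append(Flow(src, dst, peer, int(proto), typ, direction))
    return flows


def _pairs(s):
    """'alloc 0 bytes 0 add 1200 first 0' -> {'alloc': '0', ..., 'add': '1200'}"""
    t = s.split()
    return dict(zip(t[0::2], t[1::2]))


def _make_sa(f):
    sa = _pairs(f["sa"])
    return SA(sa["spi"], sa["auth"], sa["enc"], sa["state"], f["address_src"],
              f["address_dst"], int(_pairs(f["lifetime_soft"])["add"]),
              int(_pairs(f["lifetime_hard"])["add"]))


def parse_sadb(text):
    """One SA per sadb_dump block of an `ipsecadm show` listing."""
    sas, cur = [], None
    for line in text.splitlines():
        if line.startswith("sadb_dump:"):
            if cur:
                sas.append(_make_sa(cur))
            cur = {}
        elif cur is not None and ":" in line:
            key, _, rest = line.partition(":")  # split on the first colon only
            cur[key.strip()] = rest.strip()
    if cur:
        sas.append(_make_sa(cur))
    return sas


def check_flows(flows):
    """Outbound flows must be 'require' (no silent cleartext fallback) and each
    must have an inbound mirror via the same peer."""
    inbound = {(f.src, f.dst, f.peer) for f in flows if f.direction == "in"}
    problems = []
    for f in [f for f in flows if f.direction == "out"]:
        if f.type != "require":
            problems.append("%s -> %s is '%s', not 'require'" % (f.src, f.dst, f.type))
        if (f.dst, f.src, f.peer) not in inbound:
            problems.append("no inbound mirror for %s -> %s via %s" % (f.src, f.dst, f.peer))
    return problems


def check_sas(sas, enc="3des-cbc", auth="hmac-sha1"):
    """SAs must carry the negotiated suite, a soft lifetime below the hard one,
    and exist in both directions between the gateways."""
    problems = []
    for sa in sas:
        if (sa.enc, sa.auth) != (enc, auth):
            problems.append("SA %s: %s/%s, expected %s/%s" % (sa.spi, sa.enc, sa.auth, enc, auth))
        if not 0 < sa.soft < sa.hard:
            problems.append("SA %s: soft lifetime %d not below hard %d" % (sa.spi, sa.soft, sa.hard))
    pairs = {(sa.src, sa.dst) for sa in sas}
    for src, dst in sorted(pairs):
        if (dst, src) not in pairs:
            problems.append("SA %s -> %s has no reverse SA" % (src, dst))
    return problems


if __name__ == "__main__":
    report = check_flows(parse_encap(ENCAP_OUTPUT)) + check_sas(parse_sadb(SADB_OUTPUT))
    print("\n".join(report) or "ok: flows and SAs consistent")
```

On a live gateway you would feed the real command output into `parse_encap` and `parse_sadb` instead of the embedded samples (for example by reading the two commands' output from files or pipes) and run it after each ISP outage or rekey; an empty report means the flows and SAs still match what isakmpd.conf negotiates, while a `use` outbound flow or a one-directional SA is exactly the kind of half-up tunnel that shows as "packets go out but nothing comes back".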