OpenBSD 6.2: how to tear down partial ipsec tunnels without restarting ipsec/isakmpd?


Andre Ruppert-2
Hello @misc,

I use a CARPed pair of 6.2 gateways as VPN access nodes, running "plain"
ISAKMPD/ipsec.

The peering VPN gateways are of different brands, from OpenBSD and Linux
to Cisco and WatchGuard appliances etc.

Interoperability mostly works like a charm and is a no-brainer in most cases.

I only have access to the OpenBSD peering gateways; most of the other
brands belong to partners / customers.

Sometimes I first have problems with some of these peering boxes and
only partial tunnels come up (only phase 1 or, worse, only part of
phase 1).

Then I check the logs and, if I got wrong credentials or parameters
from the peering partner, I change the configs on my side.
That mostly takes much less time than discussing it with the technicians
of the peering partners; their problems have to be solved by them by
clicking somewhere in a web interface *sigh*.

Ok, back to _my_ problem:

If an IPsec tunnel is running with phase 1 and 2, I can stop it with
"ipsecctl -d -f <configfile>". Works.

If the IPsec tunnel is only partially working, I can delete it using
the fifo mechanism. Sometimes.

(
I got the tips from this 2013 undeadly.org article:
Managing Individual IPsec Tunnels On A Multi-Tunnel Gateway
https://undeadly.org/cgi?action=article&sid=20131125041429
)

But I always have problems if only part of phase 1 came up.

1.) sh -c "echo S > /var/run/isakmpd.fifo"

2.) less /var/run/isakmpd.result
...
SA name: <unnamed> (Phase 1/Responder)
src: <my_gateway_ip> dst: <peering_gateway_ip>
Flags 0x00000000
icookie 9f5bf7497f0ebe10 rcookie 8a6c7b1b1f5923ec
...


Feeding the fifo with
sh -c "echo 't <SA-name-of-connection>' > /var/run/isakmpd.fifo"
only deletes phase 2.

But I don't have an SA name at this point... ??

Question to the community: how is it possible to reliably stop partial
tunnels without restarting isakmpd/ipsec (i.e. without disturbing all
other running tunnels)?

I'm clueless....

Best regards
Andre

Re: OpenBSD 6.2: how to tear down partial ipsec tunnels without restarting ipsec/isakmpd?

Andre Ruppert
Remark below...

...and
sh -c "echo 't main <peering-gateway-ip>' > /var/run/isakmpd.fifo"
doesn't work either ...

/var/log/daemon reports "...ui_teardown: teardown connection
"<peering-gateway-ip>", phase 1", but that doesn't do anything.

The isakmpd man page says about the fifo:
"t [phase] name"
     Tear down the named connection, if active. For name, the tag
     specified in isakmpd.conf(5) or the IP address of the remote host
     can be used.
     ....


Hm.
Again clueless...

Best regards
Andre


Re: OpenBSD 6.2: how to tear down partial ipsec tunnels without restarting ipsec/isakmpd?

Philipp Buehler
In reply to this post by Andre Ruppert-2
Hello Andre,

On 14.05.2018 13:38, Andre Ruppert wrote:
> I got the tips from this 2013 undeadly.org article:
> Managing Individual IPsec Tunnels On A Multi-Tunnel Gateway
> https://undeadly.org/cgi?action=article&sid=20131125041429

Apparently I wrote that article, and I feel your pain :-)

> 2.) less /var/run/isakmpd.result
> ...
> SA name: <unnamed> (Phase 1/Responder)
> src: <my_gateway_ip> dst: <peering_gateway_ip>
> Flags 0x00000000
> icookie 9f5bf7497f0ebe10 rcookie 8a6c7b1b1f5923ec
> ...
>
>
> Feeding the fifo with
> sh -c "echo 't <SA-name-of-connection>' > /var/run/isakmpd.fifo"
> only deletes phase 2.
>
> But I didn't have an SA name at this time... ??

The problem here is that you indeed only have an 'unnamed' SA; but
you have cookies.
What you can do (found that a bit later, after the undeadly article):
echo 'd 9f5bf7497f0ebe108a6c7b1b1f5923ec -' > isakmpd.fifo
which is "d $icookie$rcookie -" (no space between the cookie values).

If I am changing a peer configuration, I also block 500/udp for the
time being to avoid these 'Responder' SAs altogether. Think along the
lines of this rule in pf.conf:

pass in proto udp from <vpn_peers> to $myself port 500

and then:

pfctl -T delete -t vpn_peers $thatpeer
pfctl -k $thatpeer
ipsecctl -d -f $thatpeer.conf
vi $thatpeer.conf
ipsecctl -f $thatpeer.conf
pfctl -T add -t vpn_peers $thatpeer

HTH,
--
pb
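To make Philipp's cookie trick repeatable on a gateway with many tunnels, here is an added example written for this page (it is not from the thread, from Philipp's article, or from OpenBSD): a POSIX sh script that asks isakmpd for a status report with "S", picks the Phase 1 SAs belonging to one peer out of /var/run/isakmpd.result, and builds the "d <icookie><rcookie> -" command for each. The fifo and result paths, the DRYRUN switch, the function names and the sample report are assumptions of the example; the report lines follow the format quoted above in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenBSD: find the Phase 1 SAs
# that isakmpd's "S" status report lists for one peer (named or <unnamed>)
# and build the "d <icookie><rcookie> -" fifo command for each of them.
# Assumptions: default OpenBSD fifo/result paths; report format as quoted
# in the thread (SA name / src dst / icookie rcookie lines).

FIFO=${FIFO:-/var/run/isakmpd.fifo}        # isakmpd control fifo
RESULT=${RESULT:-/var/run/isakmpd.result}  # "S" writes its report here
DRYRUN=${DRYRUN:-0}                        # 1: print commands, do not send

# Ask isakmpd for a fresh status report ("S") and give it a moment to write it.
dump_status() {
    echo S > "$FIFO"
    sleep 1
}

# Read a status report on stdin and print one "d <icookie><rcookie> -" line
# per Phase 1 SA whose dst is the peer given as $1. The two cookies are
# concatenated with no separator, which is what the "d" command expects.
delete_cmds_for_peer() {
    awk -v peer="$1" '
        /^SA name:/      { p1 = ($0 ~ /Phase 1/); dst = "" }
        p1 && /^src:/    { for (i = 1; i <= NF; i++) if ($i == "dst:") dst = $(i + 1) }
        p1 && /^icookie/ { if (dst == peer) print "d " $2 $4 " -"; p1 = 0 }
    '
}

# Number of Phase 1 SAs the report holds for a peer; compare before and after.
count_phase1_for_peer() {
    delete_cmds_for_peer "$1" | wc -l | tr -d ' '
}

# Send every delete command to the fifo (or only print it with DRYRUN=1).
# isakmpd answers in /var/log/daemon; "ui_delete: ... found no SA" means it
# no longer had that cookie pair when the command arrived.
teardown_peer() {
    peer=$1
    dump_status
    delete_cmds_for_peer "$peer" < "$RESULT" | while IFS= read -r cmd; do
        if [ "$DRYRUN" = 1 ]; then
            echo "$cmd"
        else
            echo "$cmd" > "$FIFO"
        fi
    done
}

# Constructed sample report in the format quoted in the thread (not real SAs).
SAMPLE_REPORT='SA name: <unnamed> (Phase 1/Responder)
src: 192.0.2.1 dst: 198.51.100.7
Lifetime: 28800 seconds
Flags 0x00000000
icookie 7e0aab1278867246 rcookie f26398203e60007f
SA name: peer-203.0.113.9 (Phase 1/Initiator)
src: 192.0.2.1 dst: 203.0.113.9
Lifetime: 28800 seconds
Flags 0x00000000
icookie 0123456789abcdef rcookie fedcba9876543210
SA name: from-192.0.2.1-to-203.0.113.9 (Phase 2)
src: 192.0.2.1 dst: 203.0.113.9
Flags 0x00000000
icookie 1111111111111111 rcookie 2222222222222222'

# Usage on the gateway (as root):  DRYRUN=1 sh teardown_peer.sh 198.51.100.7
# Without a peer argument the script only demonstrates itself on the sample.
case "${1:-}" in
    "") printf '%s\n' "$SAMPLE_REPORT" | delete_cmds_for_peer 198.51.100.7 ;;
    *)  teardown_peer "$1" ;;
esac
```

Run it with DRYRUN=1 first to see which cookie pairs it would send. The "found no SA" outcome Andre reports later in the thread shows up in /var/log/daemon, not in the script's output, so check the log after sending. Philipp's pf table step still applies: if UDP/500 from the peer stays open while you edit its config, the peer can open a fresh Responder SA between the "S" dump and the "d" command, so block it first, then delete, then reload.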

Re: OpenBSD 6.2: how to tear down partial ipsec tunnels without restarting ipsec/isakmpd?

Andre Ruppert
Hello Philipp,

sorry for the late answer....

Thanks for the hint with the cookies.

Works in my environment....

I'm much happier now ;-)

Best regards
Andre

Re: OpenBSD 6.2: how to tear down partial ipsec tunnels without restarting ipsec/isakmpd?

Andre Ruppert
In reply to this post by Philipp Buehler
Hello Philipp,
hello @misc

I thought the problems were gone, but often deleting an unnamed phase 1
SA doesn't work with the "cookie method", at least with 6.3/amd64.

My way:

1.)
# sh -c "echo S > /var/run/isakmpd.fifo"
# less /var/run/isakmpd.result

--> identify the dead phase 1 SA

SA name: <unnamed> (Phase 1/Responder)
src: <here> dst: <there>
Lifetime: 28800 seconds
Flags 0x00000000
icookie 7e0aab1278867246 rcookie f26398203e60007f

2.)
try to delete the unnamed SA with your method:

# sh -c "echo 'd 7e0aab1278867246f26398203e60007f -' \
         > /var/run/isakmpd.fifo"

mostly results in:
ui_delete: command "d 7e0aab1278867246f26398203e60007f -" found no SA

3.)
collateral problem:
I'm not able to accept a new connection from the remote peer (with a new
cookie) because isakmpd logs:

transport_send_messages: giving up on exchange peer-<there>, no response
from peer <there>.

With tcpdump I can see that isakmpd refuses to answer the requests of
peer <there> until the lifetime ends or the crippled phase 1 is totally
dropped...

Restarting isakmpd is not advisable because of a lot of other active VPN
sessions.

The question: isakmpd bug or my brain's incapabilities?

Best regards
Andre

