This is a discussion on OpenVPN between OpenBSD 3.2 and Windows XP within the comp.unix.bsd.openbsd.misc forums, part of the OpenBSD category.
Hi

Well, basically I'm attempting to set up a VPN between an OpenBSD server box (apparently the safest linux flavoured firewall) and windows remote users (roaming or static). I have played around with ISAKMPD, SSH Sentinel, and even CIPE. I was beginning to take an interest in PopTop when, all dressed up and ready to go, I thought it would be a good idea to check out what people were saying about it, performance-wise. That's when I came across OpenVPN.

So here I am, trying to get a Windows XP box installed with OpenVPN 1.5b6 (also tried b7 this morning).

I have included copies of my config files.

I know that my packets are getting through because when in 'verb 9' mode, I detect the arrival of my pings at the other end.

Unfortunately, I don't get any reply (either way). What's more, the OpenBSD box can't ping its own TUN1 interface - I got around this by running a couple of ifconfig statements.

The Windows setup seems to work just fine. When I launch [openvpn --config office-static.conf] however, the [up office.up] line isn't understood, so I have to manually run a [route add] from the cmdline afterwards, as I do under Windows.

Am I going in the wrong direction? Can OpenVPN get a Windows workstation to communicate to a remote LAN via an OpenBSD OpenVPN server box?

Thanks for your reply.

YSH

====================================================
OpenVPN office config file :
----------------------------------------
dev tun1
# 172.16.0.10 is our local VPN endpoint (office).
# 172.16.0.9 is our remote VPN endpoint (home).
ifconfig 172.16.0.10 172.16.0.9
#up /etc/openvpn/office.up    # manually run from cmdline
# Our pre-shared static key
secret /etc/openvpn/key.txt
port 5000
; user nobody
; group nobody
#comp-lzo    # installed but left off for now
; ping 15
verb 3
#Auth MD5
#cipher DES-CBC

====================================================
OpenVPN home (W2K) config file :
---------------------------------------------------
remote xxx.xxx.xxx.xxx
port 5000
dev tap
dev-node my-tap
secret "C:\program files\OpenVPN\config\key.txt"
ping 10
# comp-lzo
verb 9
mute 10
#auth MD5
#cipher DES-CBC

====================================================
Office.up :
---------------
#!/bin/bash
route add -net 192.168.0.0/24 -interface 172.16.0.10

====================================================
OpenVPN startup :
----------------------------
# openvpn --config static-office.conf &
[1] 5284
# Sat Aug 30 18:01:41 2003 0: OpenVPN 1.5-beta6 i386-unknown-openbsd3.2 [SSL] [LZO] built on Aug 22 2003
Sat Aug 30 18:01:41 2003 1: WARNING: file '/etc/openvpn/key.txt' is group or others accessible
Sat Aug 30 18:01:41 2003 2: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Aug 30 18:01:41 2003 3: Static Encrypt: Using 160 bit message digest 'SHA1' for HMAC authentication
Sat Aug 30 18:01:41 2003 4: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Aug 30 18:01:41 2003 5: Static Decrypt: Using 160 bit message digest 'SHA1' for HMAC authentication
Sat Aug 30 18:01:41 2003 6: Data Channel MTU parms [ link_mtu=1300 extra_frame=44 extra_buffer=0 extra_tun=0 ]
Sat Aug 30 18:01:41 2003 7: /sbin/ifconfig tun1 delete
Sat Aug 30 18:01:41 2003 8: NOTE: Tried to delete pre-existing tun instance -- No Problem if failure
Sat Aug 30 18:01:41 2003 9: /sbin/ifconfig tun1 172.16.0.10 172.16.0.9 mtu 1256 netmask 255.255.255.255 up
Sat Aug 30 18:01:41 2003 10: TUN/TAP device /dev/tun1 opened
Sat Aug 30 18:01:41 2003 11: UDPv4 link local (bound): [undef]:5000
Sat Aug 30 18:01:41 2003 12: UDPv4 link remote: [undef]
# Sat Aug 30 18:01:51 2003 13: Peer Connection Initiated with XXX.XXX.XXX.XXX:5000
petermatulis@NO_SPAMyahoo.ca (mr_scary) wrote in message news:<3f53f6da.10462714@news21.qc.aira.com>...

> On Sat, 30 Aug 2003 17:47:59 +0200, "shx" <shukor@wanadoo.fr> said the
> following:
>
> >Well, basically I'm attempting to set up a VPN between an OpenBSD server box
> >(apparently the safest linux flavoured firewall)
>
> How, pray tell, is OpenBSD a "linux flavoured firewall". That doesn't
> make any sense at all.

Obviously he doesn't know yet... Give the guy some slack...

I suspect that what you are trying to do is to set up VPN through NAT, and apparently that is hard. I am investigating at the moment, I will let you know what I find.

Um, there is one thing though. It should be pretty clear that BSD is *NOT* linux by now. There are a few similarities, but just because they are both free OSes doesn't mean that they are both linux. BSD is quite a deal older (and obviously more mature) than linux, for a start.... And it is way cooler, too. I mean.... a Penguin? LOL

googleboy
On Sat, 30 Aug 2003 17:47:59 +0200, "shx" <shukor@wanadoo.fr> wrote:

>That's when I came across OpenVPN.
>So here I am, trying to get a Windows XP box installed with OpenVPN 1.5b6
>(also tried b7 this morning).
>
>I have included copies of my config files.
>
>I know that my packets are getting through because when in 'verb 9' mode, I
>detect the arrival of my pings at the other end.
>
>Unfortunately, I don't get any reply (either way).
>What's more, the OpenBSD can't ping his own TUN1 interface - I got around
>this by running a couple of ifconfig statements.

You mix up tun and tap devices. Windows can only use tap devices (encapsulated ethernet), OpenBSD only ships with tun devices (encapsulated IP - no ethernet header). So both ends don't understand each other.

Solution: Get the OpenBSD tap driver (ask Google for URL) and make a new kernel (see OpenBSD faq), and use tap devices on BOTH (!!!) ends.

Best regards

Dipl.-Ing. Frank-Christian Krügel
IstDa Kommunikationssysteme
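The framing mismatch described in this reply is easy to see in bytes. The following is an added illustration written for this page, not code posted in the thread or shipped with OpenVPN: it builds a constructed ICMP echo request, wraps it the way a tun endpoint sends it (bare IP packet) and the way a tap endpoint sends it (Ethernet frame around the same packet), then decodes each payload as either kind of endpoint would. The 172.16.0.9 and 172.16.0.10 addresses are the thread's VPN endpoints; the MAC addresses, ICMP contents and helper names are assumptions made up here.

```python
import socket
import struct

# Added illustration (not from the thread): a tun endpoint expects the
# decrypted payload to be a bare IP packet, a tap endpoint expects an
# Ethernet frame (14-byte header) wrapping that packet. All values are
# constructed; only the two 172.16.0.x addresses come from the thread.

ETHERTYPE_IPV4 = 0x0800
ETH_HDR_LEN = 14
IPV4_HDR_LEN = 20


def build_ipv4_header(src, dst, payload_len, proto=1):
    """Minimal IPv4 header (IHL 5, no options). Checksum left at zero:
    this is for framing illustration, not for putting on a wire."""
    ver_ihl = (4 << 4) | 5
    return struct.pack(
        "!BBHHHBBH4s4s",
        ver_ihl, 0, IPV4_HDR_LEN + payload_len, 0, 0, 64, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )


def build_ethernet_frame(dst_mac, src_mac, ethertype, payload):
    """Prepend the 14-byte Ethernet header that a tap device carries."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def parse_ipv4(packet):
    """Validate and decode an IPv4 header; raise ValueError on anything
    an IP stack would discard."""
    if len(packet) < IPV4_HDR_LEN:
        raise ValueError("packet shorter than an IPv4 header")
    version = packet[0] >> 4
    if version != 4:
        raise ValueError(f"not IPv4: version nibble is {version}")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len != len(packet):
        raise ValueError(f"length field {total_len} != {len(packet)} bytes received")
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "proto": packet[9],
    }


def decode_as_tun(payload):
    """A tun endpoint hands the decrypted payload to the IP stack as-is."""
    return parse_ipv4(payload)


def decode_as_tap(payload):
    """A tap endpoint expects an Ethernet frame and strips its header first."""
    if len(payload) < ETH_HDR_LEN:
        raise ValueError("payload shorter than an Ethernet header")
    ethertype = struct.unpack("!H", payload[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unexpected ethertype 0x{ethertype:04x}")
    return parse_ipv4(payload[ETH_HDR_LEN:])


def try_decode(payload, mode):
    """Return ("ok", fields) or ("dropped", reason) for the given device type."""
    decoder = decode_as_tun if mode == "tun" else decode_as_tap
    try:
        return ("ok", decoder(payload))
    except ValueError as exc:
        return ("dropped", str(exc))


# Constructed sample: an ICMP echo request from the home end to the office end.
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"ping"
TUN_PACKET = build_ipv4_header("172.16.0.9", "172.16.0.10", len(ICMP_ECHO)) + ICMP_ECHO
TAP_FRAME = build_ethernet_frame(
    bytes.fromhex("02000000000a"),  # constructed locally administered MACs
    bytes.fromhex("020000000009"),
    ETHERTYPE_IPV4,
    TUN_PACKET,
)

if __name__ == "__main__":
    for name, payload in (("tap frame from Windows", TAP_FRAME),
                          ("tun packet from OpenBSD", TUN_PACKET)):
        for mode in ("tun", "tap"):
            status, detail = try_decode(payload, mode)
            print(f"{name:24s} decoded by {mode} endpoint: {status} {detail}")
```

Running it shows why the symptoms in the original post look the way they do: the UDP transport, the cipher and the HMAC sit below this framing, so the peer connection comes up and `verb 9` logs every arriving packet, but the tap frame's first byte (a MAC address octet) reads as IP version 0 on the tun side and the tun packet's source address reads as ethertype 0xac10 on the tap side, so neither kernel ever sees a ping to answer. Matching the device type on both ends, as the reply says, is the fix.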
I have a running config of isakmpd that I have tried with OpenBSD, Linux and Win32 peers. You could try this config. Isakmpd will accept connections from anyone that knows the pre-shared secret. It allows traffic host-lan and lan-lan depending on what's on the other end.

Running ssh sentinel I have successfully established a connection to this host both from behind another OpenBSD gateway (nat) and linux gateway (nat). Ssh sentinel must be in legacy mode, 3des and sha1.

Depending on your OpenBSD version, isakmpd may need a patch available on www.ipsec.com. I'm running 3.3 and don't need this patch. Earlier I did need it.

# cat /etc/isakmpd/isakmpd.conf
[Phase 1]
Default=                ISAKMP-clients

[Phase 2]
Passive-Connections=    IPsec-clients

[ISAKMP-clients]
Phase=                  1
Configuration=          Default-main-mode
Authentication=         some-secret-passphrase

[IPsec-clients]
Phase=                  2
Configuration=          Default-quick-mode
Local-ID=               Local-net
Remote-ID=              Remote-host

[Local-net]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.1.0
Netmask=                255.255.255.0

[Remote-host]
ID-type=                IPV4_ADDR_SUBNET
Network=                0.0.0.0
Netmask=                0.0.0.0

[Default-main-mode]
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Default-quick-mode]
DOID=                   IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Transforms=             3DES-SHA
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE

# cat /etc/isakmpd/isakmpd.policy
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

Hope this helps.
Frank-Christian Kruegel wrote:

> On Sat, 30 Aug 2003 17:47:59 +0200, "shx" <shukor@wanadoo.fr> wrote:
>
>>That's when I came across OpenVPN.
>>So here I am, trying to get a Windows XP box installed with OpenVPN 1.5b6
>>(also tried b7 this morning).
>>
>>I have included copies of my config files.
>>
>>I know that my packets are getting through because when in 'verb 9' mode, I
>>detect the arrival of my pings at the other end.
>>
>>Unfortunately, I don't get any reply (either way).
>>What's more, the OpenBSD can't ping his own TUN1 interface - I got around
>>this by running a couple of ifconfig statements.
>
> You mix up tun and tap devices. Windows can only use tap devices (encapsulated
> ethernet), OpenBSD only ships with tun devices (encapsulated IP - no ethernet
> header). So both ends don't understand each other.
>
> Solution: Get the OpenBSD tap driver (ask Google for URL) and make a new kernel
> (see OpenBSD faq), and use tap devices on BOTH (!!!) ends.
>
> Best regards
>
> Dipl.-Ing. Frank-Christian Krügel
> IstDa Kommunikationssysteme

Yes, the problem is the TUN vs. TAP device issue. I arrived at the same place about the same time.

I did forge ahead and managed to create a kernel that supported TAP devices.... but now am at a loss as to how to create the correct device files for a /dev/tapX device under OpenBSD. I tried various incarnations based on Linux and FreeBSD without success (I am more than a bit out of my element here - do the major device numbers indicate certain functionality or are they just a unique identifier?).

From Linux:

mknod /dev/tap0 c 36 0

or

mknod /dev/tap0 c 36 16

and from FreeBSD:

mknod /dev/tap0 c 200 0

I also installed vtun from ports because its documentation mentioned TUN/TAP devices.... however I don't think it adds any TAP functionality to OpenBSD. Correct me if I am wrong.

Note that under OpenBSD 3.3 the 2001-timeframe if_tap.c file will cause a 3.3 kernel to fail to build with an unresolved symbol _tapkqfilter. I reviewed the if_tun.c file and added the following:

/* Does not currently work */
int
tapkqfilter(dev_t dev, struct knote *kn)
{
	return (1);
}

to if_tap.c, inserting it just before tapifstart(ifp) ... She built fine. But without any TAP pseudo devs or actual device files.... I added 4 TAP pseudo devs but again couldn't get the device files correct.

Scott Donaldson