OpenBSD isakmpd
Contents
- 1 Platform Notes
- 2 Version History
- 3 Backoff Pattern
- 4 Vendor IDs
- 5 Authentication Methods
- 6 ISAKMP SA Lifetime
- 7 Transform ordering and rewriting
- 8 Aggressive Mode
- 9 Response to non-compliant and malformed packets
- 10 NAT Traversal
- 11 IKEv2
- 12 Remote Access VPN Client
- 13 Other Interesting Behaviour
- 14 Default Configuration
- 15 Discovered Vulnerabilities
Platform Notes
isakmpd is the OpenBSD IKE daemon. It runs on other systems as well, including FreeBSD, NetBSD and Linux. It was originally written by Niklas Hallqvist and Niels Provos, funded by Ericsson Radio Systems AB.
isakmpd is available under the BSD license. The source location is in the OpenBSD main source tree under src/sbin/isakmpd.
On OpenBSD, isakmpd does not start by default. To enable it, change its NO setting in /etc/rc.conf to "", and create the configuration file isakmpd.conf and the policy file isakmpd.policy.
Version History
isakmpd versions are generally referred to by date, for example 20041012 for 12th October 2004.
Backoff Pattern
isakmpd has the four-packet default backoff pattern:
0, 7, 9, 11
Here is an example from OpenBSD 3.9:
```
$ ike-scan -M --showbackoff 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.29    Main Mode Handshake returned
    HDR=(CKY-R=62c6b3b6ad0047bc)
    SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
    VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
    VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

IKE Backoff Patterns:

IP Address     No.    Recv time            Delta Time
172.16.3.29    1      1173090825.797097    0.000000
172.16.3.29    2      1173090832.815713    7.018616
172.16.3.29    3      1173090841.857950    9.042237
172.16.3.29    4      1173090852.848407    10.990457
172.16.3.29    Implementation guess: FreeBSD/OpenBSD-isakmpd
```
isakmpd is one of the few implementations that allow the number of retransmissions to be configured by the user. For example, the following section in isakmpd.conf sets the number of retransmissions to five, which results in a total of six packets being returned (the first response plus five retransmissions):
```
[general]
Retransmits=5
```
The formula used to calculate the delay (in seconds) before each retransmission is:
```
5 + 2*<retrans#>
```
The code that implements this is in the file transport.c around line 360:
```c
expiry = msg->xmits * 2 + 5;
expiration.tv_sec += expiry;
```
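As an added example (not code from the ike-scan wiki or from isakmpd), the schedule that formula produces for a given Retransmits= value, and a check of the receive times from the --showbackoff run above against it:

```python
# Added example, not code from the ike-scan wiki or from isakmpd itself.
# Reproduces the isakmpd retransmission schedule (expiry = xmits*2 + 5 in
# transport.c) and checks observed receive times against it.
from typing import List

DEFAULT_RETRANSMITS = 3  # four packets: the first reply plus three retransmits


def isakmpd_expiry(xmits: int) -> int:
    """Seconds isakmpd waits before retransmission number xmits (1-based)."""
    return xmits * 2 + 5


def backoff_deltas(retransmits: int = DEFAULT_RETRANSMITS) -> List[int]:
    """Delta in seconds between consecutive packets for a Retransmits= value."""
    return [isakmpd_expiry(x) for x in range(1, retransmits + 1)]


def deltas_from_timestamps(recv_times: List[float]) -> List[float]:
    """Inter-arrival deltas, as in ike-scan's 'Delta Time' column."""
    return [later - earlier for earlier, later in zip(recv_times, recv_times[1:])]


def matches_isakmpd(recv_times: List[float], retransmits: int = DEFAULT_RETRANSMITS,
                    tolerance: float = 0.5) -> bool:
    """True if the observed inter-arrival deltas fit isakmpd's schedule."""
    observed = deltas_from_timestamps(recv_times)
    expected = backoff_deltas(retransmits)
    if len(observed) != len(expected):
        return False
    return all(abs(o - e) <= tolerance for o, e in zip(observed, expected))


# Receive times copied from the OpenBSD 3.9 --showbackoff run shown above.
OPENBSD_39_RECV_TIMES = [1173090825.797097, 1173090832.815713,
                         1173090841.857950, 1173090852.848407]

if __name__ == "__main__":
    print("default pattern:       ", [0] + backoff_deltas())
    print("Retransmits=5 pattern: ", [0] + backoff_deltas(5))
    print("OpenBSD 3.9 trace fits:", matches_isakmpd(OPENBSD_39_RECV_TIMES))
```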
Vendor IDs
OpenBSD 3.9 returns the following Vendor IDs:
- draft-ietf-ipsec-nat-t-ike-02\n (90cb80913ebb696e086381b5ec427b1f)
- draft-ietf-ipsec-nat-t-ike-03 (7d9419a65310ca6f2c179d9215529d56)
- RFC 3947 NAT-T (4a131c81070358455c5728f20e95452f)
- Dead Peer Detection v1.0 (afcad71368a1f1c96b8696fc77570100)
Authentication Methods
isakmpd supports the pre-shared key and RSA signature authentication methods. The default authentication method is pre-shared key. RSA signature is selected by appending -RSA_SIG to the phase-1 transform specification in the configuration file. For example, the following transform specification would use pre-shared key authentication:
```
Transforms=AES-SHA,3DES-SHA
```
and these specifications would use RSA signature authentication:
```
Transforms=AES-SHA-RSA_SIG,3DES-SHA-RSA_SIG
```
Here is an example of pre-shared key and RSA signature responses from OpenBSD 3.9.
```
$ ike-scan -M --trans=5,2,1,2 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.29    Main Mode Handshake returned
    HDR=(CKY-R=79385adedb7b6ec2)
    SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
    VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
    VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

$ ike-scan -M --trans=5,2,3,2 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.29    Main Mode Handshake returned
    HDR=(CKY-R=c407f03e5fdd6e53)
    SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
    VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
    VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
```
ISAKMP SA Lifetime
Lifetime in seconds
By default, isakmpd will accept either no lifetime at all or a lifetime in the range 60 to 86,400 seconds inclusive. It will not respond to values outside that range.
The Phase-1 lifetime can be configured with the Default-phase-1-lifetime configuration command. The configuration excerpt below shows the default configuration (default lifetime, then the accepted minimum:maximum range):
```
Default-phase-1-lifetime=3600,60:86400
```
The examples below illustrate this behaviour.
```
$ ike-scan -M --lifetime=none --trans=5,2,1,2 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.29    Main Mode Handshake returned
    HDR=(CKY-R=f13393957f19ff6c)
    SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024)
    VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
    VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

$ ike-scan -M --lifetime=0 --trans=5,2,1,2 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9: 1 hosts scanned in 2.437 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify

$ ike-scan -M --lifetime=1 --trans=5,2,1,2 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9: 1 hosts scanned in 2.437 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify

$ ike-scan -M --lifetime=60 --trans=5,2,1,2 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.29    Main Mode Handshake returned
    HDR=(CKY-R=9cef41f99b349ba1)
    SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x0000003c)
    VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
    VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

$ ike-scan -M --lifetime=86400 --trans=5,2,1,2 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.29    Main Mode Handshake returned
    HDR=(CKY-R=241db30b30af7b11)
    SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00015180)
    VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
    VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

$ ike-scan -M --lifetime=86401 --trans=5,2,1,2 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9: 1 hosts scanned in 2.435 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify
```
Lifetime in Kilobytes
isakmpd does not support a lifetime in kilobytes for IKE Phase-1.
```
$ ike-scan -M --lifetime=none --lifesize=1000 --trans=5,2,1,2 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9: 1 hosts scanned in 2.437 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify
```
Transform ordering and rewriting
isakmpd generally returns the transform attributes in the order that they are supplied by the initiator.
In the example below, we specify the four mandatory transform attributes first in the order Enc, Hash, Auth, Group and then in the reverse order Group, Auth, Hash, Enc. In both cases the target returns the attributes in the same order as the initiator specified them.
```
$ ike-scan -M --trans="(1=5,2=2,3=1,4=2)" 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.29    Main Mode Handshake returned
    HDR=(CKY-R=35cb73924619e6cb)
    SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024)
    VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
    VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

$ ike-scan -M --trans="(4=2,3=1,2=2,1=5)" 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.29    Main Mode Handshake returned
    HDR=(CKY-R=368c15ab0c774bde)
    SA=(Group=2:modp1024 Auth=PSK Hash=SHA1 Enc=3DES)
    VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
    VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
```
Here is another example, this time including a lifetime in seconds and using the variable-key-length AES encryption algorithm with a key length of 128 bits. Again, the attributes are returned in the same order that the initiator sent them.
```
$ ike-scan -M --trans="(14=128,11=1,12=123,4=2,3=1,2=2,1=7)" 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.29    Main Mode Handshake returned
    HDR=(CKY-R=bd718e1a5a6e8847)
    SA=(KeyLength=128 LifeType=Seconds LifeDuration=123 Group=2:modp1024 Auth=PSK Hash=SHA1 Enc=AES)
    VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
    VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
```
Aggressive Mode
isakmpd supports aggressive mode. Aggressive mode is selected by the following configuration option:
```
EXCHANGE_TYPE=AGGRESSIVE
```
Here is an example of isakmpd responding to aggressive mode:
```
$ ike-scan -M -A --trans=5,2,1,2 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.29    Aggressive Mode Handshake returned
    HDR=(CKY-R=3e3b8d9c974d3f60)
    SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
    VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
    VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
    KeyExchange(128 bytes)
    Nonce(20 bytes)
    ID(Type=ID_IPV4_ADDR, Value=172.16.3.29)
    Hash(20 bytes)
```
Response to non-compliant and malformed packets
The responses below are from OpenBSD 3.9 unless indicated otherwise.
isakmpd never sends a notify response: it does not respond at all to packets that it considers invalid, so from the initiator's side a rejected packet is indistinguishable from a dropped one.
No acceptable transforms
No response from OpenBSD 3.9.
```
$ ike-scan -M --trans=1,1,1,1 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9: 1 hosts scanned in 2.437 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify
```
Bad IKE version
No response from OpenBSD 3.9.
```
$ ike-scan -M --headerver=0x30 --trans=5,2,1,2 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9: 1 hosts scanned in 2.440 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify

$ ike-scan -M --headerver=0x11 --trans=5,2,1,2 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9: 1 hosts scanned in 2.438 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify
```
Invalid DOI
```
$ ike-scan -M --doi=2 --trans=5,2,1,2 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9: 1 hosts scanned in 2.437 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify
```
Invalid Situation
```
$ ike-scan -M --situation=2 --trans=5,2,1,2 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9: 1 hosts scanned in 2.435 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify
```
Invalid Initiator Cookie
```
$ ike-scan -M --cookie=0000000000000000 --trans=5,2,1,2 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.29    Main Mode Handshake returned
    HDR=(CKY-R=0500a3ddcc5f73ea)
    SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
    VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
    VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
```
Invalid Flags
```
$ ike-scan -M --hdrflags=255 --trans=5,2,1,2 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9: 1 hosts scanned in 2.438 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify
```
Invalid Protocol
```
$ ike-scan -M --protocol=2 --trans=5,2,1,2 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9: 1 hosts scanned in 2.439 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify
```
Invalid SPI
```
$ ike-scan -M --spisize=32 --trans=5,2,1,2 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
172.16.3.29    Main Mode Handshake returned
    HDR=(CKY-R=66b7ad127a8df1a0)
    SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
    VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n)
    VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
```
Non-Zero Reserved Fields
```
$ ike-scan -M --mbz=255 --trans=5,2,1,2 172.16.3.29
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9: 1 hosts scanned in 2.438 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify
```
NAT Traversal
isakmpd supports NAT Traversal. However, it does not respond to ike-scan with the --nat-t option, because it sends the response from source port 500 rather than from the port the request was sent to (4500). The tcpdump trace below shows this behaviour: the request goes to port 4500 and the reply comes back from port 500.
```
12:40:51.440283 192.168.124.7.4500 > 172.16.3.29.4500: udpencap: isakmp v1.0 exchange ID_PROT cookie: 8f145f939575517b->0000000000000000 msgid: 00000000 len: 356 (DF)
12:40:51.444030 172.16.3.29.500 > 192.168.124.7.4500: isakmp v1.0 exchange ID_PROT cookie: 8f145f939575517b->a09326b83442f935 msgid: 00000000 len: 164
```
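As an added example (not code from the ike-scan wiki), a small parser for the two tcpdump lines above that flags the port asymmetry: the request was sent to UDP 4500 but the reply is sourced from UDP 500, so a NAT-T client waiting on port 4500 never sees it.

```python
# Added example, not code from the ike-scan wiki. Parses the two tcpdump lines
# above and checks whether the reply comes from the port the initiator sent to.
# A NAT-T client socket expecting answers from UDP 4500 does not match a
# datagram sourced from port 500, which is why ike-scan --nat-t sees nothing.
import re
from typing import NamedTuple, Optional

TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$")


class Datagram(NamedTuple):
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    rest: str


def parse_tcpdump_line(line: str) -> Datagram:
    """Parse 'HH:MM:SS.frac a.b.c.d.port > e.f.g.h.port: ...' (tcpdump default)."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised tcpdump line: %r" % line)
    d = m.groupdict()
    return Datagram(d["ts"], d["src"], int(d["sport"]),
                    d["dst"], int(d["dport"]), d["rest"])


def reply_port_mismatch(request: Datagram, reply: Datagram) -> Optional[str]:
    """Describe why the initiator's socket would drop the reply, or None."""
    if (reply.src, reply.dst, reply.dport) != (request.dst, request.src, request.sport):
        return "reply is not addressed back to the initiator's socket"
    if reply.sport != request.dport:
        return "reply sourced from port %d but request was sent to port %d" % (
            reply.sport, request.dport)
    return None


# The two packets from the tcpdump trace in the text.
TRACE = [
    "12:40:51.440283 192.168.124.7.4500 > 172.16.3.29.4500: udpencap: isakmp v1.0 "
    "exchange ID_PROT cookie: 8f145f939575517b->0000000000000000 msgid: 00000000 len: 356 (DF)",
    "12:40:51.444030 172.16.3.29.500 > 192.168.124.7.4500: isakmp v1.0 exchange "
    "ID_PROT cookie: 8f145f939575517b->a09326b83442f935 msgid: 00000000 len: 164",
]
```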
IKEv2
isakmpd does not support IKEv2 as of OpenBSD 3.9.
Remote Access VPN Client
Other Interesting Behaviour
Default Configuration
OpenBSD 3.9 has a default configuration file /usr/share/ipsec/isakmpd/VPN-default.conf, which can be copied to the live configuration file /etc/isakmpd/isakmpd.conf. The contents of this template are:
```
[Phase 1]
Default=                any

[any]
Phase=                  1
Configuration=          Default-main-mode
Authentication=         mekmitasdigoat

[Default-main-mode]
EXCHANGE_TYPE=          ID_PROT
Transforms=             AES-SHA,3DES-SHA
```
This template allows the following transform attributes. Note that all three key lengths for AES are supported:
Attribute | Supported values
---|---
Encryption | 3DES, AES-128, AES-192 and AES-256
Hash | SHA1
Authentication | Pre-Shared Key
DH Group | 2
The syntax for the Transforms configuration option that defines the acceptable attributes is shown below. This also shows the supported values for the attributes.
```
{DES,BLF,3DES,CAST,AES}-{MD5,SHA}[-GRP{1,2,5,14}][-RSA_SIG]
```
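Serving both the transform syntax just given (with the -RSA_SIG rule from the Authentication Methods section) and the accept/ignore rule from the ISAKMP SA Lifetime section, here is an added example, not code from the ike-scan wiki or from isakmpd, that parses a Transforms= value and a Default-phase-1-lifetime value and predicts whether a Phase-1 proposal would get a reply. It assumes PSK and DH group 2 as the defaults when no suffix is given, as the text states, and does not model the AES key length.

```python
# Added example, not code from the ike-scan wiki or from isakmpd. Parser for
#   {DES,BLF,3DES,CAST,AES}-{MD5,SHA}[-GRP{1,2,5,14}][-RSA_SIG]
# and for Default-phase-1-lifetime=default,min:max, used to predict whether a
# Phase-1 proposal is answered. AES key length is not modelled (assumption).
import re
from typing import List, NamedTuple, Optional, Tuple

TRANSFORM_RE = re.compile(
    r"^(DES|BLF|3DES|CAST|AES)-(MD5|SHA)(?:-GRP(1|2|5|14))?(-RSA_SIG)?$")


class Transform(NamedTuple):
    enc: str
    hash_alg: str
    auth: str    # "PSK" unless -RSA_SIG is appended
    group: int   # DH group; 2 when no -GRP suffix is given


def parse_transforms(spec: str) -> List[Transform]:
    """Parse 'AES-SHA,3DES-SHA-RSA_SIG'; raise ValueError on an unknown token."""
    out = []
    for token in spec.split(","):
        m = TRANSFORM_RE.match(token.strip())
        if not m:
            raise ValueError("bad transform %r" % token)
        enc, hsh, grp, rsa = m.groups()
        out.append(Transform(enc, hsh, "RSA_SIG" if rsa else "PSK", int(grp or 2)))
    return out


def parse_lifetime(value: str) -> Tuple[int, int, int]:
    """'3600,60:86400' -> (default, minimum, maximum) seconds."""
    default, _, span = value.partition(",")
    lo, _, hi = span.partition(":")
    return int(default), int(lo), int(hi)


def would_respond(transforms: List[Transform], lifetime_cfg: str,
                  proposal: Transform, life_secs: Optional[int]) -> bool:
    """True if the proposal matches a configured transform and carries either
    no lifetime (None) or one within min..max inclusive; otherwise isakmpd
    stays silent rather than sending a notify."""
    _, lo, hi = parse_lifetime(lifetime_cfg)
    if life_secs is not None and not lo <= life_secs <= hi:
        return False
    return proposal in transforms


# Values from the OpenBSD 3.9 VPN-default.conf template and the lifetime default.
DEFAULT_TRANSFORMS = parse_transforms("AES-SHA,3DES-SHA")
DEFAULT_LIFETIME = "3600,60:86400"
```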