IPsec: Off the Map with Key Expiration

Fri 23 December 2005

I think that IPsec tunnels are cool. COOL. Managing them SUCKS. I have been through the wringer this week. Three Ciscos, one Linux box, four Watchguards, two Netopias, a dash of Netgear switches, a 3com switch, several T-1s and two ISPs. If you can say that ten times real fast you still have a crisis.

Along the way what did we see?

  • Random Packet Loss
  • TCP Connection Difficulty (Read: w/o the Tunnel here.)
  • Tunnel Lock up
  • racoon (IPsec-tools) Lockup
  • Cisco Hangs
  • Cisco Mysteriofscking IOMEM boot-back-to-previous-IOS problems
  • Interactive, interspersed tunnel-based TCP connection resets.
  • MTU related problems.
  • Cisco config magic witchcraft.
  • The Cisco admin going on vacation.
  • Cisco config butchery.
  • KByte based key-expiration.
  • Key-logger password compromise and subsequent SSH hackery by a script-kiddie - resulting in the reinstall of a terminal server, my mail server and my jabber server. (*sniff* Jabber is still down.)

Did I forget anything? I think I did, but to be honest, I can't imagine bitching about this too much more. The bottom line is OMGWTFBBQ.

Remove the Ciscos: Remove the latency, and the non-tunnel TCP resets.{WTF}

Remove the key expiration after 8 megs: remove the (tunnel-based) TCP disconnects, tunnel crashes, and other hangs.

No, I still am not happy with Cisco or the CCNA "Cisco to Cisco doesn't have these problems, Cisco does that, Cisco is dipped in gold and ready to make your life better, just pay at the coffer.... {insert foul language here}".

Netopias: Cheap, simple, and if you just need to handle traffic for a T1 w/o inspection or intelligence: perfect. (read: I hate them, but I can't fault them for being Cisco^H^H^H^H^Hbroken.)

The Watchguards have been very nice this trip around. Apart from the expense, the limits of their lesser OS versions, inability to shape traffic, complete lack of diagnostic tools, etc. Perfect, perfect indeed. Oh well.

Linux was Linux. Killer, functional, and totally lacking in kernel-based IPsec policy matching for Netfilter (read: no good firewall support for IPsec), no way to tell if the tunnel is up or down, etc, etc, etc.


