OpenBSD IPsec Site-to-Site Quickstart Guide
Published: 09/05/2009
So the CEO is asking you to do "more with less." The budget is slashed, the staff over-worked. Your only solution is free crypto ... because offerings from Cisco, Juniper, Check Point, and the other big boys aren't cheap.
The following instructions are based on (the free) OpenBSD 4.5 release and designed to get you up and running as quickly as possible by copying and pasting everything. All admins are lazy, or at least they should be.
This article assumes a basic company network scenario with two offices which need to be connected by a site-to-site IPsec tunnel across the Internet. Each gateway has two interfaces: the internal one is referred to as "dc0" and the external one as "dc1." For the sake of simplicity, "Office 1" has an addressing scheme based on "1" and "Office 2" is based on "2": Office 1 uses the LAN 10.1.1.0/24, with its VPN gateway at 10.1.1.254 on the inside and 11.11.11.1 on the Internet side; Office 2 uses the LAN 10.2.2.0/24, with its VPN gateway at 10.2.2.254 on the inside and 22.22.22.1 on the Internet side.
These VPN gateways are not assumed to be the main front-facing firewall (default gateway) which LAN clients use to get out to the Internet. Instead, they are dedicated solely to relaying and encrypting site-to-site traffic.
While the gateways do not require two interfaces, if they are connected directly to the Internet, then enabling the firewall (pf) is highly recommended for obvious reasons.
The addresses, networks and interface names used from this point forward (shown in red in the original) should be replaced by values reflecting your own networks.
Office 1 Gateway Configuration
Edit the file /etc/ipsec.conf:
ike esp from 10.1.1.0/24 to 10.2.2.0/24 peer 22.22.22.1
ike esp from 11.11.11.1 to 10.2.2.0/24 peer 22.22.22.1
ike esp from 11.11.11.1 to 22.22.22.1
Lock down the permissions on the file. Otherwise, isakmpd will complain about the loose security:
$ sudo chmod 600 /etc/ipsec.conf
Uncomment the line in /etc/sysctl.conf that enables IP forwarding, so the gateway will route packets between its two interfaces.
From the Office 2 gateway, get the isakmpd public key file /etc/isakmpd/local.pub and copy its contents to the Office 1 gateway file /etc/isakmpd/pubkeys/ipv4/22.22.22.1 (the file is named after the peer's external address). This key is what isakmpd uses to authenticate the Office 2 gateway, so copy it over a trusted channel such as scp and compare it against the original before relying on it. The contents may look similar to this:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAugLM2ZE4iwEvo2GgEAJO
Kpj2++VuXV5fFBLhGFXl0qq0zD4xJyrUQMqMj/o4YK3EEPa84t1XoZZdbqx9KU+t
6iHx4ruvwDkCfLnXjWSmrrmsVoBYBan+F1lQaBRHl/JTiZrpFzhYEC73IzyaomZ9
p/0EhSQRUz8kXfHIUueKvWhOnHIzY7HwjcOmllwWSlDYtTZfU/BB6KYOOh86/VrI
RHWXpRyZ2/Y7O8HRzLFkNKUtCNlPigIeVfd0h3H3jSuboXYFVfqeeoqn0QgiEWDY
wS8DYSYfPa4I7EEI4G8K3sA3JBpEky8ETolzFVKhJjCTxJxg2J+TlONgF1rdZF9+
LwIDAQAB
-----END PUBLIC KEY-----
Add entries to /etc/rc.local to add a static route to the Office 2 network and to initiate IPsec during boot:
route add -net 10.2.2.0/24 10.1.1.254
ipsecctl -f /etc/ipsec.conf
Create an interface file for enc0 and set it to link up automatically during boot by putting the single word "up" into it:
$ sudo touch /etc/hostname.enc0
$ sudo chmod 640 /etc/hostname.enc0
$ sudo vi /etc/hostname.enc0
Add an entry into /etc/rc.conf.local to enable isakmpd and pf during boot:
isakmpd_flags="-K"
pf=YES
Comment everything out and add a few basic rules to /etc/pf.conf that allow traffic with the other gateway and let outbound local client traffic through. These are obviously not very restrictive (with no block rule, pf's default is to pass anything the rules do not match), so adjust them later accordingly:
set require-order no
set skip on { lo dc0 enc0 }
scrub in
pass quick on dc1 from 22.22.22.1
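Before rebooting, it is worth confirming that every file from the steps above is actually in place. The following POSIX sh script is an added example and not part of the original article: check_gateway ROOT PEER verifies the ipsec.conf permissions, that every ike rule points at the expected peer, that the peer's public key file exists and is framed as PEM, that hostname.enc0 contains "up", that the rc.conf.local, sysctl.conf and rc.local entries are present, and prints one line per problem. It assumes net.inet.ip.forwarding=1 is the sysctl.conf line the article has you uncomment (the article does not quote it). The make_office1_tree helper builds a constructed scratch copy of the Office 1 configuration with a placeholder key body so the check can be exercised without a real gateway; on the real machines run check_gateway / 22.22.22.1 on the Office 1 box and check_gateway / 11.11.11.1 on the Office 2 box.

```shell
#!/bin/sh
# Added example, not from the original article. check_gateway ROOT PEER inspects
# the configuration files under ROOT ("/" on a real gateway, a scratch directory
# when testing) and prints one line per item that is missing or wrong, returning
# 1 if anything failed. PEER is the other gateway's external address.
# Assumption: net.inet.ip.forwarding=1 is the OpenBSD sysctl.conf line the
# article tells you to uncomment; the article itself does not quote it.

check_gateway() {
    root=$1; peer=$2; fail=0

    conf="$root/etc/ipsec.conf"
    if [ ! -f "$conf" ]; then
        echo "MISSING  $conf"; fail=1
    else
        # isakmpd complains unless the file is owner read/write only (mode 600)
        perms=$(ls -ld "$conf" | cut -c2-10)
        [ "$perms" = "rw-------" ] ||
            { echo "PERMS    $conf is $perms, want rw-------"; fail=1; }
        # every active ike rule must end in "peer PEER", or in "to PEER" when
        # the peer keyword is omitted (the peer then defaults to the destination)
        if grep -v '^[[:space:]]*#' "$conf" | grep '^ike ' |
           grep -v "peer $peer\$" | grep -qv "to $peer\$"; then
            echo "PEER     $conf has an ike rule whose peer is not $peer"; fail=1
        fi
    fi

    # the peer's public key is what authenticates it, so it must exist and be PEM
    key="$root/etc/isakmpd/pubkeys/ipv4/$peer"
    if [ ! -f "$key" ]; then
        echo "MISSING  $key"; fail=1
    elif [ "$(head -n 1 "$key")" != "-----BEGIN PUBLIC KEY-----" ] ||
         [ "$(tail -n 1 "$key")" != "-----END PUBLIC KEY-----" ]; then
        echo "FORMAT   $key is not a PEM public key"; fail=1
    fi

    grep -qx 'up' "$root/etc/hostname.enc0" 2>/dev/null ||
        { echo "ENC0     /etc/hostname.enc0 must contain the word up"; fail=1; }

    rcconf="$root/etc/rc.conf.local"
    grep -qx 'isakmpd_flags="-K"' "$rcconf" 2>/dev/null ||
        { echo "RCCONF   isakmpd_flags=\"-K\" not set in /etc/rc.conf.local"; fail=1; }
    grep -qx 'pf=YES' "$rcconf" 2>/dev/null ||
        { echo "RCCONF   pf=YES not set in /etc/rc.conf.local"; fail=1; }

    grep -qx 'net.inet.ip.forwarding=1' "$root/etc/sysctl.conf" 2>/dev/null ||
        { echo "SYSCTL   net.inet.ip.forwarding=1 not active in /etc/sysctl.conf"; fail=1; }

    grep -q '^ipsecctl -f /etc/ipsec.conf' "$root/etc/rc.local" 2>/dev/null ||
        { echo "RCLOCAL  ipsecctl -f /etc/ipsec.conf missing from /etc/rc.local"; fail=1; }

    return $fail
}

# Constructed scratch copy of the Office 1 configuration from the article, for
# exercising the check; the key body is a placeholder, not a real key.
make_office1_tree() {
    root=$1
    mkdir -p "$root/etc/isakmpd/pubkeys/ipv4"
    printf '%s\n' \
        'ike esp from 10.1.1.0/24 to 10.2.2.0/24 peer 22.22.22.1' \
        'ike esp from 11.11.11.1 to 10.2.2.0/24 peer 22.22.22.1' \
        'ike esp from 11.11.11.1 to 22.22.22.1' > "$root/etc/ipsec.conf"
    chmod 600 "$root/etc/ipsec.conf"
    printf '%s\n' '-----BEGIN PUBLIC KEY-----' \
        'PLACEHOLDERKEYBODYNOTAREALKEY' \
        '-----END PUBLIC KEY-----' > "$root/etc/isakmpd/pubkeys/ipv4/22.22.22.1"
    echo 'up' > "$root/etc/hostname.enc0"
    printf '%s\n' 'isakmpd_flags="-K"' 'pf=YES' > "$root/etc/rc.conf.local"
    echo 'net.inet.ip.forwarding=1' > "$root/etc/sysctl.conf"
    printf '%s\n' 'route add -net 10.2.2.0/24 10.1.1.254' \
        'ipsecctl -f /etc/ipsec.conf' > "$root/etc/rc.local"
}

scratch=$(mktemp -d)
make_office1_tree "$scratch"
check_gateway "$scratch" 22.22.22.1 && echo "Office 1 gateway configuration looks complete"
rm -rf "$scratch"
```

The permission check reads the ls -l mode string rather than stat, because stat's format flags differ between OpenBSD and other systems and the script is most useful when it behaves the same wherever you run it.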
Office 2 Gateway Configuration
Edit the file /etc/ipsec.conf:
ike esp from 10.2.2.0/24 to 10.1.1.0/24 peer 11.11.11.1
ike esp from 22.22.22.1 to 10.1.1.0/24 peer 11.11.11.1
ike esp from 22.22.22.1 to 11.11.11.1
Lock down the permissions on the file. Otherwise, isakmpd will complain about the loose security:
$ sudo chmod 600 /etc/ipsec.conf
Uncomment the line in /etc/sysctl.conf that enables IP forwarding, so the gateway will route packets between its two interfaces.
From the Office 1 gateway, get the isakmpd public key file /etc/isakmpd/local.pub and copy its contents to the Office 2 gateway file /etc/isakmpd/pubkeys/ipv4/11.11.11.1 (the file is named after the peer's external address). This key is what isakmpd uses to authenticate the Office 1 gateway, so copy it over a trusted channel such as scp and compare it against the original before relying on it. The contents may look similar to this:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3ykOY3ZaRSIrbdUu2LHV
EscMINcTP/25Bowuy6Vm9NAOdaX3rN/lUpBOaUiGQhNJPrmFBK4+4/uUhc6zMJEB
P94Q9ki9bX3391P0wggbwRn9HGxJeV1pKkfCQzfNJ4cuFQkUQK/kmZqf04cpyRxs
gabGVmmF7SACt+YVx43ZcjrY2hDrQLc4m/jz2kpB/9KdubZ30FqYDVpmz7hvMMGC
NGDA6a595pS2cHMGZW8EN+VkaKj59erGV+t3OyLfqVXcf4iU+LdudN1dJxNxTEO9
22Iifv3GF+LD+CBMMYDTKPiI3awrO2pKzzyf0POD2mc5KlQcL8KG7YgBNlWezFrV
gQIDAQAB
-----END PUBLIC KEY-----
Add entries to /etc/rc.local to add a static route to the Office 1 network and to initiate IPsec during boot:
route add -net 10.1.1.0/24 10.2.2.254
ipsecctl -f /etc/ipsec.conf
Create an interface file for enc0 and set it to link up automatically during boot by putting the single word "up" into it:
$ sudo touch /etc/hostname.enc0
$ sudo chmod 640 /etc/hostname.enc0
$ sudo vi /etc/hostname.enc0
Add an entry into /etc/rc.conf.local to enable isakmpd and pf during boot:
isakmpd_flags="-K"
pf=YES
Comment everything out and add a few basic rules to /etc/pf.conf that allow traffic with the other gateway and let outbound local client traffic through. These are obviously not very restrictive (with no block rule, pf's default is to pass anything the rules do not match), so adjust them later accordingly:
set require-order no
set skip on { lo dc0 enc0 }
scrub in
pass quick on dc1 from 11.11.11.1
A Few Final Steps...
The default router in each office needs to know the proper route to the other office, since LAN clients will initially forward requests through the default path rather than the VPN gateway. If the default gateway knows that the proper route to the other office is through the connection provided by the local VPN gateway, it sends an ICMP Type 5 Redirect message back to the LAN client, telling it that the right place to forward these requests is the VPN gateway instead. From then on, the LAN client forwards all packets destined for the other office network to the MAC address of the VPN gateway.
To add a static route on a BSD router, add the line to /etc/rc.local and reboot. For the Office 1 default gateway:
route add -net 10.2.2.0/24 10.1.1.254
or for the Office 2 default gateway:
route add -net 10.1.1.0/24 10.2.2.254
Once each office's default gateway is configured, reboot both VPN gateway machines, then check /var/log/messages for any isakmpd errors and verify that isakmpd is running. Then check the current IPsec flows and the Security Association database (the output below is from the Office 1 gateway):
$ sudo ipsecctl -sa
FLOWS:
flow esp in from 10.2.2.0/24 to 11.11.11.1 peer 22.22.22.1 srcid 11.11.11.1/32 dstid 22.22.22.1/32 type use
flow esp out from 11.11.11.1 to 10.2.2.0/24 peer 22.22.22.1 srcid 11.11.11.1/32 dstid 22.22.22.1/32 type require
flow esp in from 22.22.22.1 to 11.11.11.1 peer 22.22.22.1 srcid 11.11.11.1/32 dstid 22.22.22.1/32 type use
flow esp out from 11.11.11.1 to 22.22.22.1 peer 22.22.22.1 srcid 11.11.11.1/32 dstid 22.22.22.1/32 type require
flow esp in from 10.2.2.0/24 to 10.1.1.0/24 peer 22.22.22.1 srcid 11.11.11.1/32 dstid 22.22.22.1/32 type use
flow esp out from 10.1.1.0/24 to 10.2.2.0/24 peer 22.22.22.1 srcid 11.11.11.1/32 dstid 22.22.22.1/32 type require
flow esp in from 22.22.22.1 to 10.1.1.0/24 peer 22.22.22.1 srcid 11.11.11.1/32 dstid 22.22.22.1/32 type use
flow esp out from 10.1.1.0/24 to 22.22.22.1 peer 22.22.22.1 srcid 11.11.11.1/32 dstid 22.22.22.1/32 type require
SAD:
esp tunnel from 22.22.22.1 to 11.11.11.1 spi 0x0bd1f19b auth hmac-sha2-256 enc aes
esp tunnel from 11.11.11.1 to 22.22.22.1 spi 0x29a73b4a auth hmac-sha2-256 enc aes
esp tunnel from 11.11.11.1 to 22.22.22.1 spi 0x8fbd877a auth hmac-sha2-256 enc aes
esp tunnel from 22.22.22.1 to 11.11.11.1 spi 0x98ab0418 auth hmac-sha2-256 enc aes
esp tunnel from 22.22.22.1 to 11.11.11.1 spi 0xa7fa7b40 auth hmac-sha2-256 enc aes
esp tunnel from 22.22.22.1 to 11.11.11.1 spi 0xad921426 auth hmac-sha2-256 enc aes
esp tunnel from 11.11.11.1 to 22.22.22.1 spi 0xae79c901 auth hmac-sha2-256 enc aes
esp tunnel from 11.11.11.1 to 22.22.22.1 spi 0xc4a16192 auth hmac-sha2-256 enc aes
tcpdump can also be used to verify the IKE traffic on the external interface (dc1); ISAKMP uses UDP port 500 and NAT traversal uses UDP port 4500:
$ sudo tcpdump -nttvi dc1 port 500 or 4500
Optionally, if something doesn't seem to be working, kill the running isakmpd and start it again manually as a foreground process so you can watch its debug output.
At this point, a client in Office 1 should be able to ping a client in Office 2 through the magic of advanced mathematics which we all take for granted.
And don't forget to harden your pf rules!
Congratulations, your 15 minutes are up.
Installing OpenBSD from CD media should take less than 10 minutes. Configuring it to do IPsec tunneling should take another 5. If your copying / pasting skills are strong, then you should already be exchanging RIAA-approved MP3 files with your impatient co-workers at the other office. Tell the boss you'll need to spend the rest of the day fine-tuning the firewall rules, then go to your private fridge and break out a cold one.