IPsec with OpenBSD

Published: 06/12/2010

Reference trace file:


As shown in the article OpenBSD IPsec Site-to-Site Quickstart Guide, configuring an OpenBSD machine as an IPsec office gateway for secure connections to other branch offices is quite easy, and most important of all, free. We can thank the inclusion of isakmpd in the operating system for performing all the work automatically (after initially configuring it, of course). Here we replicate a site-to-site connection between two offices and look at the IPsec connection forming between them. This is what the basic setup looks like:

The gateway for Office 1 has an external interface address of while Office 2's gateway has Both gateways were configured per the article referenced above. I started a tcpdump capture on the first gateway as the second gateway was booting and coming online.

IPsec, form thyself...

In the first packet, Gateway2 sends out an IKE initiation. It proposes Main Mode and a single transform policy: AES-CBC / SHA using RSA signature authentication and DH Group 2.


Gateway1 then responds.

At packet 3, Gateway 2 sends over its Diffie-Hellman public key information.

The fourth packet is where Gateway1 sends over its DH key; it is the last packet of the six-packet Main Mode exchange to be delivered to the other end unencrypted.

In the final two packets of Main Mode, each side validates the other's identity. Each gateway already had the peer's public key added to /etc/isakmpd/pubkeys/ipv4/. Since the key agreement was established via DH after packet 4 but before packet 5, all traffic starting at packet 5 is encrypted. After packet 6 is sent, the two sides have formed their IKE Security Association and are ready to engage in IKE phase 2.

From packets 7 through 15, both sides go through IPsec Quick Mode and determine their IPsec Security Associations. The information within these packets is protected by the encryption parameters agreed upon in IKE phase 1.

By the time we reach packet 12, roughly twelve seconds into the trace, some ESP traffic goes out. This is most likely me sending ICMP packets from one side to the other via the private address ranges behind each gateway. Over the next minute I also send some ICMP requests from the other side. You'll notice that there are only two SPI (Security Parameter Index) values within the whole trace, each specific to the originating gateway.

Closed for the day

At packet 100, I decided to power off Gateway 2, at which point it immediately sends four ISAKMP Informational packets to the other side. A few seconds later, Gateway 1 tries to start another IPsec session by sending out a couple of Main Mode initiations, but alas, Gateway 2 has checked out for the day because it thinks it has done its eight-hour shift.
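The walkthrough above reads the trace by eye: four cleartext Main Mode packets, two encrypted ones, encrypted Quick Mode, ESP with one SPI per gateway, and Informational messages at shutdown. The following script is an added example, not code from the article or from OpenBSD; it parses the fixed ISAKMP header (RFC 2408) and the cleartext ESP fields (RFC 4303) from raw UDP/500 and ESP payloads and produces the same summary, flagging anything that departs from the expected pattern. The trace it runs over is constructed inline to mirror the packet sequence described above; cookies, SPIs and the `gw1`/`gw2` labels are made-up values, and the `(src, proto, payload)` tuple shape is an assumption about how a capture tool would hand packets to it.

```python
import struct

# ISAKMP fixed header (RFC 2408 section 3.1): initiator cookie, responder cookie,
# next payload, version (major/minor nibbles), exchange type, flags, message ID, length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # 28 bytes
FLAG_ENCRYPTION = 0x01                      # bit 0 of the flags octet
EXCHANGE_TYPES = {
    1: "Base",
    2: "Main Mode",        # "Identity Protection" in RFC 2408 terms
    4: "Aggressive",
    5: "Informational",
    32: "Quick Mode",      # IPsec DOI value (RFC 2407)
}
ZERO_COOKIE = "00" * 8


def parse_isakmp(payload: bytes) -> dict:
    """Decode the ISAKMP header; the body (cleartext or not) is left alone."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, _next, version, xtype, flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    if length != len(payload):
        raise ValueError(f"ISAKMP length field {length} != payload size {len(payload)}")
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": EXCHANGE_TYPES.get(xtype, f"unknown({xtype})"),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "msg_id": msg_id,
    }


def parse_esp(payload: bytes) -> dict:
    """ESP only exposes the SPI and sequence number in the clear (RFC 4303)."""
    if len(payload) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack_from("!II", payload)
    return {"spi": f"0x{spi:08x}", "seq": seq}


def summarize_trace(packets) -> dict:
    """packets: iterable of (src, proto, payload); proto is 'udp/500' or 'esp'."""
    summary = {"isakmp": [], "main_mode": {"clear": 0, "encrypted": 0},
               "esp_spis_by_src": {}, "findings": []}
    seen_main_mode = False
    for n, (src, proto, payload) in enumerate(packets, 1):
        if proto == "udp/500":
            info = parse_isakmp(payload)
            summary["isakmp"].append((n, src, info["exchange"], info["encrypted"]))
            if info["exchange"] == "Main Mode":
                # Packet 1 of a fresh Main Mode exchange carries a zero responder cookie;
                # anything else means the capture started mid-session.
                if not seen_main_mode and info["responder_cookie"] != ZERO_COOKIE:
                    summary["findings"].append(
                        f"packet {n} from {src}: first Main Mode packet has a non-zero responder cookie")
                seen_main_mode = True
                summary["main_mode"]["encrypted" if info["encrypted"] else "clear"] += 1
            elif info["exchange"] == "Quick Mode" and not info["encrypted"]:
                # Phase 2 must run under the phase 1 SA; cleartext Quick Mode is never expected.
                summary["findings"].append(f"packet {n} from {src}: Quick Mode sent in the clear")
        elif proto == "esp":
            esp = parse_esp(payload)
            summary["esp_spis_by_src"].setdefault(src, set()).add(esp["spi"])
    return summary


# --- constructed sample trace mirroring the article's packet sequence ---
def build_isakmp(icookie, rcookie, xtype, flags, msg_id, body=b"") -> bytes:
    # next payload = 1 (SA), version 0x10 = ISAKMP 1.0
    return ISAKMP_HDR.pack(icookie, rcookie, 1, 0x10, xtype, flags, msg_id,
                           ISAKMP_HDR.size + len(body)) + body

_IC, _RC = bytes.fromhex("0102030405060708"), bytes.fromhex("a1a2a3a4a5a6a7a8")
_ENC = FLAG_ENCRYPTION
SAMPLE_TRACE = [
    ("gw2", "udp/500", build_isakmp(_IC, bytes(8), 2, 0, 0)),      # 1: MM, responder cookie empty
    ("gw1", "udp/500", build_isakmp(_IC, _RC, 2, 0, 0)),           # 2: MM
    ("gw2", "udp/500", build_isakmp(_IC, _RC, 2, 0, 0)),           # 3: MM, DH public value
    ("gw1", "udp/500", build_isakmp(_IC, _RC, 2, 0, 0)),           # 4: MM, DH public value
    ("gw2", "udp/500", build_isakmp(_IC, _RC, 2, _ENC, 0)),        # 5: MM, identity (encrypted)
    ("gw1", "udp/500", build_isakmp(_IC, _RC, 2, _ENC, 0)),        # 6: MM, identity (encrypted)
    ("gw2", "udp/500", build_isakmp(_IC, _RC, 32, _ENC, 0x1111)),  # 7: QM
    ("gw1", "udp/500", build_isakmp(_IC, _RC, 32, _ENC, 0x1111)),  # 8: QM
    ("gw2", "udp/500", build_isakmp(_IC, _RC, 32, _ENC, 0x1111)),  # 9: QM
    ("gw2", "esp", struct.pack("!II", 0x1000ABCD, 1)),             # 10: ESP from gw2
    ("gw1", "esp", struct.pack("!II", 0x2000EF01, 1)),             # 11: ESP from gw1
    ("gw2", "esp", struct.pack("!II", 0x1000ABCD, 2)),             # 12: ESP from gw2
    ("gw2", "udp/500", build_isakmp(_IC, _RC, 5, _ENC, 0x2222)),   # 13: Informational at shutdown
]

if __name__ == "__main__":
    s = summarize_trace(SAMPLE_TRACE)
    for n, src, exchange, enc in s["isakmp"]:
        print(f"{n:3d} {src} {exchange:14s} {'encrypted' if enc else 'clear'}")
    print("Main Mode:", s["main_mode"], "SPIs:", s["esp_spis_by_src"], "findings:", s["findings"])
```

Run as-is it prints the ten ISAKMP packets with their exchange type and encryption flag, the 4/2 clear/encrypted split of Main Mode, and exactly one SPI per gateway, which is the shape a healthy site-to-site negotiation should have; feeding it a real capture only requires yielding each UDP/500 or ESP payload as a `(src, proto, payload)` tuple.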
