OpenBSD Journal

How should one configure an IPSec gateway?

Contributed by jose on from the ipsecadm--flush dept.

Raymond Causton writes :
"I've been searching for configuration details about having an OpenBSD box operate as an IPSec gateway for multiple mobile users with dynamic IP's who connect to services located on internal networks behind the IPSec VPN gateway, i.e.


Priv. Nw                          Roaming ISP NW
========                          ==============
Host A --- VPNGW --- Internet --- Mobile User A
Host B -|                      |- Mobile User B
Host C -                        - Mobile User C


All I have been able to locate are the same question asked tens of times on multiple mailing lists and forums, but no one has been able to provide a comprehensive explanation of how to accomplish this.

What I found was that everyone who has tried to do this has stumbled at one point or another and the dynamic endpoint support seems fairly unstable in OpenBSD's IPSec implementation.

There seem to be two main types of problems:

1) Inability to get isakmpd to work with anything other than manual keying and static IP addresses

and

2) Problems in accepting the SSH Communications Sentinel client authentication with isakmpd.

Do you have any success stories about implementing this functionality? How about writing a howto documenting such a project?"

I have also had some difficulty in getting the myriad of IPsec options configured correctly. The documentation is fair, but does require a bit of time for a full understanding. Does anyone have anything better?



Comments
  1. By Michael Anuzis () michael_anuzis@hotmail.com on http://www.anuzisnetworking.com

    http://www.allard.nu/openbsd/

    This is the way I've used many times. It works quite well.

    PGP is free, OpenBSD is free, it's all free.

    Whenever I'm out in public with my laptop the first thing I do is re-establish the VPN to my gateway at home. You can have it set to do it automatically whenever a connection is made to a target on the VPN gateway or within the VPN, or you can re-enable the VPN manually with two clicks of the mouse button.

    Hope this helps. --Michael

  2. By Rafael Coninck Teigao () rafael@safecore.net on http://SafeCore.NET

    Hi.
    I don't know exactly what issues you are running into with Sentinel, but for me it worked like a charm.
    I've sent someone on misc@openbsd.org the step-by-step .jpg's for Sentinel (unfortunately, I'm away from my computer, and can't access the .jpg's now.)
    BUT I haven't tried it with certificates, maybe here's where you're having some problems. You can send me an email after August 20th (when I'll be back home) and we can try it together.

    Best regards,
    RCT.

  3. By Anonymous Coward () on

    This did it for me: http://www.sigmasoft.com/~openbsd/archive/openbsd-misc/200201/msg00892.html

    Basically, you don't specify any Phase 2 stuff and simply let the client specify it. This works quite well and is ultimately flexible (of course flexibility means you'll want to make sure your isakmpd.policy and pf.conf are solid).

    I have not had any problems with dynamic IPs on the clients nor SSH Sentinel.

    I have, though, had problems with OpenBSD's isakmpd on a client with a dynamic IP.
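    When the gateway leaves Phase 2 to the client, as this comment suggests, isakmpd.policy becomes the only thing deciding which client proposals the gateway will accept, so it has to be written as an allow-list. The following isakmpd.policy is an added example, not the linked post's or OpenBSD's file: it admits a pre-shared-key client (identified by the SHA-1 of its passphrase, a placeholder here) that uses Aggressive Mode with a USER_FQDN identity, and only an ESP SA with 3DES or AES, HMAC-SHA, PFS and a local selector equal to the office LAN, which is assumed to be 192.168.1.0/24.

```text
KeyNote-Version: 2
Comment: Gateway policy for roaming pre-shared-key clients that propose
         their own Phase 2 parameters. Added example, not a file from the
         thread; the LAN subnet and the key hash below are placeholders.
Authorizer: "POLICY"
Licensees: "passphrase-sha1-hex:0000000000000000000000000000000000000000"
Conditions: app_domain == "IPsec policy" &&
            phase_1 == "aggressive" &&
            remote_id_type == "ufqdn" &&
            esp_present == "yes" &&
            ah_present == "no" &&
            (esp_enc_alg == "3des" || esp_enc_alg == "aes") &&
            esp_auth_alg == "hmac-sha" &&
            pfs == "yes" &&
            local_filter_addr_lower == "192.168.1.0" &&
            local_filter_addr_upper == "192.168.1.255" -> "true";
```

    The Licensees line carries a hash of the passphrase rather than the passphrase itself (the plain "passphrase:" form also works but puts the secret in a second file). Any proposal that fails a condition is refused before an SA is installed, so a client asking for null encryption, AH only, or a selector outside the LAN gets nothing; running isakmpd in the foreground with -d and -D A=99 shows the policy evaluation for each rejected proposal.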

  4. By Scott Augustus () scott@augustus.ca on mailto:scott@augustus.ca

    While I agree that the doco for this, which lays out the process line by line, is near impossible to find... it's not to say the answers aren't out there, you just have to look *really* hard and then put it all together :-(

    I implemented this type of config some time ago now. First arising from my own desire to VPN in to the office from my high speed DHCP cable connection at home. After much searching, I found the way to do it and it worked beautifully. We then realized the full power of this for remote users and I spent weeks trying to find a Win client that would allow remote users to connect to isakmpd via a DHCP'd dial up connection (we're talking 2+ years ago now!!!)

    My initial luck was with Raptor Mobile but have since switched to BorderWare's IPsec client and it's fantastic.

    So... to answer your questions:

    1) Manual keying isn't necessary... using isakmpd and isakmpd.conf works great. DHCP is not a problem. What is key to DHCP is that your Win client supports *Aggressive Mode*. If so, you'll need entries in your isakmpd.conf that look like this:

    [Phase 1]
    # No per-address peer entries are needed for the DHCP clients; any
    # initiator not listed here falls through to the default peer section.
    Default= ISAKMP-peer-default

    [Phase 2]
    # The gateway only answers Quick Mode started by the client.
    Passive-Connections= IPsec-local-user

    ##############################
    # ISAKMP Phase 1 peer sections
    ##############################

    [ISAKMP-peer-default]
    Phase= 1
    Transport= udp
    Configuration= Default-aggressive-mode

    # Dial-in VPN Accounts: one section per user, named after the
    # USER_FQDN identity the client sends, holding its pre-shared key
    [user@domain]
    Phase= 1
    Transport= udp
    Configuration= Default-aggressive-mode
    Authentication= somepassphrase

    [IPsec-local-user]
    Phase= 2
    ISAKMP-peer= user@domain
    Configuration= Default-quick-mode
    Local-ID= Net-local
    Remote-ID= Net-remote

    # Networks on each side of the tunnel
    [Net-local]
    ID-type= IPV4_ADDR_SUBNET
    Network= 192.168.1.0
    Netmask= 255.255.255.0

    [Net-remote]
    ID-type= IPV4_ADDR_SUBNET
    Network= 192.168.2.0
    Netmask= 255.255.255.0

    2) I have no experience with Sentinel but have heard of success so it's something you're not doing correctly :-( One thing that is very important is to ensure all the Group Description, Life and Encryption_Algorithms match between your Win client and isakmpd.

    When I was doing my work on this, I found the docs by Patrick Ethier very useful, particularly the Troubleshoot section. This is linked to in the FAQ on openbsd.org.

    Good Luck!

    ~S~
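    The point in 2) above, that Group Description, Life and encryption algorithms have to agree with the Windows client, is easiest to check when the proposals are written out rather than inherited from isakmpd's built-in Default-aggressive-mode and Default-quick-mode sections. The following isakmpd.conf is an added example, not the poster's file and not the isakmpd(8) sample: it keeps the layout of the config above but spells out the Phase 1 and Phase 2 proposals under new Roaming-* names, so every value the client must match is visible in one place. The public address 203.0.113.1, the host names, the subnets and the passphrase are placeholders.

```text
# /etc/isakmpd/isakmpd.conf for the VPN gateway (added example, not the
# poster's file). Public address, host names, LAN subnet and passphrase
# are placeholders.

[General]
Listen-on=              203.0.113.1
Policy-file=            /etc/isakmpd/isakmpd.policy

[Phase 1]
# Roaming clients have no fixed address, so there are no per-address peer
# entries; any unknown initiator is handled by the default section.
Default=                ISAKMP-peer-default

[Phase 2]
# The gateway never initiates; it only answers the client's Quick Mode.
Passive-Connections=    IPsec-roaming-user

[ISAKMP-peer-default]
Phase=                  1
Transport=              udp
Configuration=          Roaming-aggressive-mode
ID=                     GW-ID

[GW-ID]
ID-type=                FQDN
Name=                   vpngw.example.net

# One section per account, named after the identity the client sends.
[user@example.net]
Phase=                  1
Transport=              udp
Configuration=          Roaming-aggressive-mode
Authentication=         CHANGE-ME-long-random-passphrase

[IPsec-roaming-user]
Phase=                  2
ISAKMP-peer=            user@example.net
Configuration=          Roaming-quick-mode
Local-ID=               Net-local
Remote-ID=              Net-remote

[Net-local]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.1.0
Netmask=                255.255.255.0

[Net-remote]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.2.0
Netmask=                255.255.255.0

# Phase 1 proposal. Group, hash, cipher and lifetime must equal the
# client's settings or Aggressive Mode fails on the first packet.
[Roaming-aggressive-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          AGGRESSIVE
Transforms=             Roaming-3DES-SHA-PSK

[Roaming-3DES-SHA-PSK]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
Life=                   Roaming-P1-life

[Roaming-P1-life]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          3600,60:86400

# Phase 2 proposal: ESP in tunnel mode, 3DES, HMAC-SHA, with PFS.
[Roaming-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 Roaming-ESP-suite

[Roaming-ESP-suite]
Protocols=              Roaming-ESP

[Roaming-ESP]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             Roaming-ESP-XF

[Roaming-ESP-XF]
TRANSFORM_ID=           3DES
ENCAPSULATION_MODE=     TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA
GROUP_DESCRIPTION=      MODP_1024
Life=                   Roaming-P2-life

[Roaming-P2-life]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          1200,60:1800
```

    The 3DES/MODP_1024 values match the client generation the thread is about; where the client supports it, AES_CBC with a KEY_LENGTH entry and a larger MODP group are the better choice, changed on both ends together. When a client still fails at Phase 1, the Phase 1 transform section is the first thing to compare against the client's dialog, field by field, before touching anything in Phase 2.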

  5. By Anonymous Coward () on

    Hi
    got your ID from the web and sorry to bother you
    I am exactly trying to achieve what you had asked for earlier

    Priv. Nw                          Roaming ISP NW
    ========                          ==============
    Host A --- VPNGW --- Internet --- Mobile User A
    Host B -|

    (OpenBSD) tried with the PGPNET client; I am able to reach the server but not able to get a local IP assigned through DHCP to access machines behind the tunnel.
    Did you achieve it? If so, please send me the howtos.
    regards
    chandru

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]