OpenBSD Journal

Zero to IPSec in 4 minutes

Contributed by grey on from the I was beginning to wonder if SF would ever publish this dept.

Thanks to Jacob for submitting the following:

This short article posted on Security Focus from Dragos Ruiu looks at how to get a fully functional IPSec VPN up and running between two fresh OpenBSD installations in about four minutes flat.

This is a great exposition on how OpenBSD's improvements with the new ipsecctl(8) are even making the beast that is IPSec easy to use.

(Comments are closed)

  1. By bentman78 ( on

    Cool tutorial. I wonder how this could be changed to allow road warriors.
    I am certainly no IPSEC expert.

    1. By Anonymous Coward ( on

      Speaking of which, is there any way when the server has dynmaic IP allocation, ie home DSL/Cable line...

      1. By Chad Loder ( on

        As long as you have a way of determining the IP address, it's not a problem for isakmpd. Just take the "Listen-on" out of the isakmpd.conf and then use dhclient-script to sighup isakmpd every time a new lease is obtained.

        1. By Anonymous Coward ( on

          Could you explain this a littlebit more please?

          Lets make ane xample:

          You`ve a fix Server
          - FIX IP, does not reboot
          You`ve a DSL-Line with a reconnect every 23h59m
          - Lets say you`ve 3 PCs in your LAN

          So how would your OpenBSD-Router at home does a "reconnect" to the Server if it gets a new IP each reconnect (to the Server)?

          Well I also thought about using DHCP but I`m not that IPSec-Expert so how do you solve this problem if you`ve no DHCP but a simple pppD for pppoe (or if you use the Kernel-ppp).

          That would be interesting how you would solve this because I didn`t found any HowTos for multible Client with multible non-fixed IPs and a fix Server with a fix IP.

      2. By grey ( on

        From the article:

        The reader should note that while this configuration uses numeric IP addresses, the configuration can also be done with fully qualified domain names. To use domain names, simply copy the keys into the /etc/isakmpd/pubkeys/fqdn directory, and use srcid and dstid keywords in you /etc/ipsec.conf flow specifications

        So yes, I would imagine one could just specify a fqdn and then use a dynamic dns provider for the host that has a changing IP, there are several free ones even (e.g.

        I am actually wrestling with a parallel frustration at work at the moment, where I am using a soekris with an evdo card for internet access, and then am trying to get working an IPSec tunnel back to a Cisco 3020. The *nix side of things is fine, however the Cisco 3020 requires a static IP address for the LAN-to-LAN endpoint configuration, it throws an error when you attempt to specify via hostname. Getting an EVDO card with a static IP (through Verizon) I've been told costs $500 (!!!?). The headaches one deals with when using commercial vendors, when more flexible free solutions exist never cease to amaze.

    2. By sng ( on

      I don't know about Windows. But OS X's IPSEC client will happily connect to a an OpenBSD server and "do the right thing". You have to do some configuration, of course, but it's all pretty well covered in the man pages.

      1. By Anonymous Coward ( on

        Really? I got it working with windows without too much trouble, but I couldn't get my Mac to play nice.

        1. By bentman78 ( on

          useing window's native IPSEC client? Please tell me how I've been trying to get it to work.

            1. By bentman78 ( on

              cool thanks...I wonder if this would work for a DHCP setup. My firewall at home runs on Comcrap with a DHCP setup.

        2. By Bryan Inderhees ( on

          Any particular issues you had? I managed to get it to work without too much brain damage. I made a write-up about it, which may or may not be helpful (it's mostly just for my own reference). References included at the end.

          1. By Anonymous Coward ( on

            It's been a while, I forget the specific issues, but I remember thinking that I was doing something wrong with racoon. Thanks for the great write-up! It looks straight forward. I'll try it out tonight. I sure appreciate folks like you and the ones that did the nice windows write-ups. It helps those of us with too much brain damage already ;)

  2. By Anonymous Coward ( on

    This is great imo ease-of-use of the security features of OpenBSD has its benefits. There are so many intricate details one could get into when securing a system but why delve into a myriad of technical details about all the different security protocols and software that exist unneccessarily?


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]