Contributed by jose on from the ipsecadm--flush dept.
"I've been searching for configuration details about having an OpenBSD box operate as an IPSec gateway for multiple mobile users with dynamic IPs who connect to services located on internal networks behind the IPSec VPN gateway, i.e.:

Priv. Nw                Roaming ISP NW
========                ==============
Host A --- VPNGW --- Internet --- Mobile User A
Host B -|                       |- Mobile User B
Host C -                         - Mobile User C

All I have been able to locate are the same question asked tens of times on multiple mailing lists and forums, but no one has been able to provide a comprehensive explanation of how to accomplish this.
What I found was that everyone who has tried to do this has stumbled at one point or another, and the dynamic endpoint support seems fairly unstable in OpenBSD's IPSec implementation. I have also had some difficulty in getting the myriad of IPsec options configured correctly. The documentation is fair, but does require a bit of time for a full understanding. Does anyone have anything better? There seem to be two main types of problems:
1) Inability to get isakmpd to work with anything other than manual keying and static IP addresses
and
2) Problems in accepting the SSH Communications Sentinel client authentication with isakmpd.
Do you have any success stories about implementing this functionality? How about writing a howto documenting such a project? "
By Michael Anuzis () michael_anuzis@hotmail.com on http://www.anuzisnetworking.com
This is the way I've used many times. It works quite well.
PGP is free, OpenBSD is free, it's all free.
Whenever I'm out in public with my laptop the first thing I do is re-establish the VPN to my gateway at home. You can have it set to do it automatically whenever a connection is made to a target on the VPN gateway or within the VPN, or you can re-enable the VPN manually with two clicks of the mouse button.
Hope this helps. --Michael
By Rafael Coninck Teigao () rafael@safecore.net on http://SafeCore.NET
I don't know exactly what issues you are running into with Sentinel, but for me it worked like a charm.
I've sent someone on misc@openbsd.org the step-by-step .jpg's for Sentinel (unfortunately, I'm away from my computer, and can't access the .jpg's now.)
BUT I haven't tried it with certificates; maybe that's where you're having some problems. You can send me an email after August 20th (when I'll be back home) and we can try it together.
Best regards,
RCT.
By Anonymous Coward () on
Basically, you don't specify any Phase 2 stuff and simply let the client specify it. This works quite well and is ultimately flexible (of course flexibility means you'll want to make sure your isakmpd.policy and pf.conf are solid).
I have not had any problems with dynamic IPs on the clients nor SSH Sentinel.
I have, however, had problems with OpenBSD's isakmpd on a client with a dynamic IP.
By Scott Augustus () scott@augustus.ca on mailto:scott@augustus.ca
I implemented this type of config some time ago now, first arising from my own desire to VPN in to the office from my high speed DHCP cable connection at home. After much searching, I found the way to do it and it worked beautifully. We then realized the full power of this for remote users and I spent weeks trying to find a Win client that would allow remote users to connect to isakmpd via a DHCP'd dial up connection (we're talking 2+ years ago now!!!)
My initial luck was with Raptor Mobile but have since switched to BorderWare's IPsec client and it's fantastic.
So... to answer your questions:
1) Manual keying isn't necessary... using isakmpd and isakmpd.conf works great. DHCP is not a problem. What is key to DHCP is that your Win client supports *Aggressive Mode*. If so, you'll need entries in your isakmpd.conf that look like this:
[Phase 1]
# Nothing needed for the DHCP clients

[Phase 2]
# Responder only: the gateway waits for the roaming clients to initiate
Passive-connections= IPsec-local-user

##############################
# ISAKMP Phase 1 peer sections
##############################
[ISAKMP-peer-default]
Phase= 1
Transport= udp
Configuration= Default-aggressive-mode

# Dial-in VPN Accounts
[user@domain]
Phase= 1
Transport= udp
Configuration= Default-aggressive-mode
Authentication= somepassphrase

[IPsec-local-user]
Phase= 2
ISAKMP-peer= user@domain
Configuration= Default-quick-mode
Local-ID= Net-local
Remote-ID= Net-remote

[Net-local]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.1.0
Netmask= 255.255.255.0

[Net-remote]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.2.0
Netmask= 255.255.255.0
2) I have no experience with Sentinel but have heard of success so it's something you're not doing correctly :-( One thing that is very important is to ensure all the Group Description, Life and Encryption_Algorithms match between your Win client and isakmpd.
When I was doing my work on this, I found the docs by Patrick Ethier very useful, particularly the Troubleshoot section. This is linked to in the FAQ on openbsd.org.
Good Luck!
~S~
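An added example, not code from any comment on this page: a small Python checker that parses an isakmpd.conf-style fragment and reports dangling section references and Network/Netmask pairs that do not parse, the kind of slip that otherwise only shows up as an opaque negotiation failure. The sample is constructed after Scott's config, with the [user@domain] section left out and the "192.168..2.0" typo kept on purpose; the set of reference keys and the two built-in Default-* names are my assumptions about which values must resolve.

```python
import ipaddress
# Constructed sample modelled on the isakmpd.conf fragment posted above: the
# [user@domain] peer section is left out and the "192.168..2.0" typo is kept,
# so the checker has two real mistakes to report.
SAMPLE_CONF = """\
[IPsec-local-user]
ISAKMP-peer= user@domain
Configuration= Default-quick-mode
Local-ID= Net-local
Remote-ID= Net-remote
[Net-local]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.1.0
Netmask= 255.255.255.0
[Net-remote]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168..2.0
Netmask= 255.255.255.0
"""

def parse_conf(text):
    """Parse '[Section]' / 'Key= value' lines into {section: {key: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return sections

# Keys whose value must name another section (assumed set).  The two Default-*
# names are the ones the post relies on; isakmpd ships them, so they count as known.
REF_KEYS = ("ISAKMP-peer", "Configuration", "Local-ID", "Remote-ID")
BUILTIN = {"Default-aggressive-mode", "Default-quick-mode"}
def check_conf(sections):
    """Return problems found: dangling section references and malformed subnets."""
    problems = []
    for name, body in sections.items():
        for key in REF_KEYS:
            target = body.get(key)
            if target and target not in sections and target not in BUILTIN:
                problems.append(f"[{name}] {key}= {target}: no such section")
        if body.get("ID-type") == "IPV4_ADDR_SUBNET":
            try:
                ipaddress.IPv4Network(f"{body.get('Network')}/{body.get('Netmask')}")
            except ValueError as exc:
                problems.append(f"[{name}] bad subnet: {exc}")
    return problems
```

Run `check_conf(parse_conf(open("/etc/isakmpd/isakmpd.conf").read()))` against a real file to get the same two kinds of report before restarting isakmpd.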
By s.chandrasekar () schandrasekar@calsoft.co.in on mailto:schandrasekar@calsoft.co.in
got ur id from the web and sorry to bother u
I am exactly trying to achieve what u had asked for earlier

Priv. Nw                Roaming ISP NW
========                ==============
Host A --- VPNGW --- Internet --- Mobile User A
Host B -|

(OpenBSD) tried with PGPNET client: I am able to reach the server but not able to get a local IP assigned thru the DHCP to access machines behind the tunnel
did u achieve it? if so pls send me the howtos
regards
chandru