Hi all!
I'm trying to configure an IKEv2 VPN gateway on my OpenBSD 5.8 box to
allow remote access to my local network from various road-warrior
client "types" (MS Windows, Linuxes, BSDs). My example local network is
10.0.0.0/24 and my public IP (egress) is 1.2.3.4.
I've read various guides on the Internet regarding analogous setups, but
all of them discussed MS Windows clients. I'm trying to test my setup
with an OpenBSD 5.8 client, but I'm failing, and next I'd like to test it
with a FreeBSD and a Linux client to see if it works.
My /etc/iked.conf looks like this:
ikev2 passive esp \
from 10.0.0.0/24 to 10.10.10.0/24 local 1.2.3.4 peer any \
psk mypass \
config address 10.10.10.5
My client's /etc/iked.conf looks like this:
ikev2 active esp \
from 10.10.10.0/24 to 10.0.0.0/24 peer 1.2.3.4 \
psk lala123
which is based on an old email on this list (from around 2012), and as I
explained earlier, it doesn't work. What happens is that when I try to
access 10.0.0.1 from my client, that traffic does not pass through enc0
but instead goes directly out of the egress interface via its default
route. Now, as it seems, this is a routing/flows issue, but I am unsure
as to how to address it.
ipsecctl -sa on both machines looks good (or at least I think it does):
server:
# ipsecctl -sa
FLOWS:
flow esp in from 10.10.10.0/24 to 10.0.0.0/24 peer 5.6.7.8 srcid FQDN/1.2.3.4 dstid FQDN/5.6.7.8 type use
flow esp out from 10.0.0.0/24 to 10.10.10.0/24 peer 5.6.7.8 srcid FQDN/1.2.3.4 dstid FQDN/5.6.7.8 type require
flow esp out from ::/0 to ::/0 type deny
SAD:
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0x3ebcc647 auth hmac-sha2-256 enc aes-256
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0x736c382f auth hmac-sha2-256 enc aes-256
client:
# ipsecctl -sa
FLOWS:
flow esp in from 10.0.0.0/24 to 10.10.10.0/24 peer 1.2.3.4 srcid FQDN/5.6.7.8 dstid FQDN/1.2.3.4 type use
flow esp out from 10.10.10.0/24 to 10.0.0.0/24 peer 1.2.3.4 srcid FQDN/5.6.7.8 dstid FQDN/1.2.3.4 type require
flow esp out from ::/0 to ::/0 type deny
SAD:
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0x3ebcc647 auth hmac-sha2-256 enc aes-256
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0x736c382f auth hmac-sha2-256 enc aes-256
As can be inferred, my client's public IP is 5.6.7.8, and on both
machines IP forwarding is enabled (pf allows all traffic as well).
Any help would be greatly appreciated, and directions towards an
analogous, working, client setup for FreeBSD and Linux would be equally
appreciated.
Thanks all in advance,
George.
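The following is an added diagnostic example, not code from the poster or from OpenBSD. It parses the FLOWS section of the client's `ipsecctl -sa` output quoted above (embedded here as a constructed sample, with the mail-wrapped lines rejoined) and answers the question the message is really asking: for a packet with a given source and destination address, does any installed outbound flow cover it? The kernel steers a packet into the tunnel (enc0) only when an outbound flow matches both its source and destination; a packet the client sends from its egress address 5.6.7.8 lies outside the 10.10.10.0/24 source network of the only `require` flow, so it falls back to ordinary routing. The "most specific flow wins" rule used here is a simplification of the kernel's lookup and is an assumption of this example, as is the `route_decision` naming.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample: the client's FLOWS section from the message above,
# with the two-line wrapped entries rejoined onto single lines.
CLIENT_FLOWS = """\
flow esp in from 10.0.0.0/24 to 10.10.10.0/24 peer 1.2.3.4 srcid FQDN/5.6.7.8 dstid FQDN/1.2.3.4 type use
flow esp out from 10.10.10.0/24 to 10.0.0.0/24 peer 1.2.3.4 srcid FQDN/5.6.7.8 dstid FQDN/1.2.3.4 type require
flow esp out from ::/0 to ::/0 type deny
"""

# One ipsecctl flow line: "flow <proto> <in|out> from <net> to <net> [peer <ip>] ... type <t>"
FLOW_RE = re.compile(
    r"flow (?P<proto>\S+) (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: peer (?P<peer>\S+))?.*? type (?P<type>\S+)$"
)


@dataclass(frozen=True)
class Flow:
    direction: str          # "in" or "out"
    src: object             # ip_network
    dst: object             # ip_network
    peer: Optional[str]     # tunnel endpoint, absent on the catch-all deny flow
    ftype: str              # "use", "require", "deny", ...

    def matches(self, direction: str, src, dst) -> bool:
        """True if a packet src->dst travelling in `direction` is covered by this flow."""
        if direction != self.direction:
            return False
        # Address families must agree; the ::/0 deny flow never covers IPv4 packets.
        if src.version != self.src.version or dst.version != self.dst.version:
            return False
        return src in self.src and dst in self.dst

    def specificity(self) -> int:
        # Assumption of this example: prefer the most specific covering flow.
        return self.src.prefixlen + self.dst.prefixlen


def parse_flows(text: str) -> list:
    """Parse the FLOWS lines of `ipsecctl -sa` output into Flow objects."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append(Flow(m["dir"], ip_network(m["src"]), ip_network(m["dst"]),
                              m["peer"], m["type"]))
    return flows


def lookup(flows: list, direction: str, src: str, dst: str) -> Optional[Flow]:
    """Return the flow that covers src->dst in `direction`, or None if nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    candidates = [f for f in flows if f.matches(direction, s, d)]
    return max(candidates, key=Flow.specificity) if candidates else None


def route_decision(flows: list, src: str, dst: str) -> str:
    """Classify what happens to an outbound packet src->dst given the installed flows."""
    f = lookup(flows, "out", src, dst)
    if f is None:
        return "cleartext"      # no flow covers it: normal routing table, never enters enc0
    if f.ftype == "require":
        return "ipsec"          # must go through the tunnel to f.peer
    if f.ftype == "deny":
        return "dropped"
    return f.ftype              # e.g. "use": IPsec if an SA exists, else cleartext


if __name__ == "__main__":
    flows = parse_flows(CLIENT_FLOWS)
    for src in ("5.6.7.8", "10.10.10.5"):
        print(f"{src} -> 10.0.0.1: {route_decision(flows, src, '10.0.0.1')}")
```

Running it shows the asymmetry the message describes: a packet sourced from 5.6.7.8 is "cleartext" (no covering flow, so it leaves via the default route), while the same packet sourced from an address inside 10.10.10.0/24 is "ipsec". On the server side, the corresponding check is `lookup(flows, "in", ...)`, which is why the server's inbound `use` flow only accepts traffic whose source is already in 10.10.10.0/24.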