On Tue, Apr 18, 2017 at 01:35:58PM +0200, Markus Rosjat wrote:
> Hi there,
>
> since my attempt with ikev2 failed I thought I'd go back to ikev1, but it seems
> since the last time I used it something has changed with that too.
>
> I simply try to set up a site to site tunnel with a PSK
>
> here is the ipsec.conf on the openbsd machine
>
> ike from {10.10.10.0/24} to 10.10.15.0/24 \

You need to add "peer AA.BB.CC.DD" here.

> main auth hmac-sha1 enc blowfish group modp1024\
> quick auth hmac-sha1 enc blowfish group modp1024\
> psk "my_psk"
>

If you control both ends of the VPN I recommend you choose stronger ciphers.
Check the defaults of OpenBSD or the recommendation of ENISA:
https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014

How do you start isakmpd? This should configure your system to start isakmpd
and load the ipsec rules during boot:

# rcctl enable isakmpd
# rcctl set isakmpd flags -vK
# rcctl enable ipsec

> and here is the pf.conf

Add the log keyword to your pf rules. Without that it's hard to debug.
Also check man ipsec.conf for a full example.

>
> ### define networks ##########
> tun_in="10.10.15.0/24"
> tun_end="{10.10.10.0/24}"
>
> # simple ipsec
> pass in proto { esp ah } to ($ext_if)
> pass in on $ext_if proto udp from any to port {500 4500} keep state
>
> pass in on enc0 proto ipencap
> pass in on enc0 from {$tun_in} to $tun_end
>
> pass out proto {esp ah}
> pass out on enc0 from $tun_end to {$tun_in}
>
> this works at least for an openbsd 5.6 and a Shrew Soft client (this is
> basically my other endpoint).
>
> with this setup I'm not able to connect to an openBSD 6.1 and the logs don't
> show anything helpful
>
> so the question is where do I need to do the rewriting and is there some
> example besides the ipsec.conf in /etc/examples ?
>
> Regards
>
> --
> Markus Rosjat fon: +49 351 8107223 mail: ros...@ghweb.de
>
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
>
> http://www.ghweb.de
> fon: +49 351 8107220 fax: +49 351 8107227
>
> Please check whether this mail really needs to be printed! Before you
> print it, think about your responsibility and commitment to the ENVIRONMENT
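The two points made in the reply, the missing "peer" and the weak transforms, can be checked mechanically. The following is an added example, not code from the thread or from OpenBSD: it parses ipsec.conf(5) "ike" rules (including the backslash continuations the quoted config uses) and reports both problems; the weak-transform list, the placeholder peer 203.0.113.7 and the aes-256/hmac-sha2-256/modp2048 choices in the corrected rule are this example's own assumptions.

```python
# Added example (not from the thread or from OpenBSD): lint ipsec.conf(5) 'ike'
# rules for the two points raised in the reply, a missing 'peer' and weak transforms.
import re

# Weak transforms: this example's own policy list, not one the thread gives.
WEAK = {"des", "3des", "blowfish", "hmac-md5", "modp768", "modp1024"}

def parse_ike_rules(text):
    """Return one dict per 'ike' rule with its peer (or None) and transforms."""
    # Fold the 'backslash newline' continuations the quoted config uses.
    text = re.sub(r"\\[ \t]*\n[ \t]*", " ", text)
    rules = []
    for line in text.splitlines():
        tokens = line.partition("#")[0].split()   # drop trailing comments
        if not tokens or tokens[0] != "ike":
            continue
        peer, transforms = None, set()
        for i, tok in enumerate(tokens[:-1]):
            if tok == "peer":
                peer = tokens[i + 1]
            elif tok in ("auth", "enc", "group"):
                transforms.add(tokens[i + 1])
        rules.append({"rule": " ".join(tokens), "peer": peer, "transforms": transforms})
    return rules

def lint(text):
    """One finding string per problem; an empty list means the rules pass."""
    findings = []
    for n, rule in enumerate(parse_ike_rules(text), 1):
        if rule["peer"] is None:
            findings.append(f"rule {n}: no 'peer' address for the remote gateway")
        weak = sorted(rule["transforms"] & WEAK)
        if weak:
            findings.append(f"rule {n}: weak transforms: {', '.join(weak)}")
    return findings

# The rule as quoted in the mail, continuations included (constructed sample).
QUOTED = """\
ike from {10.10.10.0/24} to 10.10.15.0/24 \\
    main auth hmac-sha1 enc blowfish group modp1024\\
    quick auth hmac-sha1 enc blowfish group modp1024\\
    psk "my_psk"
"""
# Corrected rule (assumptions: placeholder peer 203.0.113.7; example-chosen transforms).
FIXED = """\
ike esp from 10.10.10.0/24 to 10.10.15.0/24 peer 203.0.113.7 \\
    main auth hmac-sha2-256 enc aes-256 group modp2048 \\
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \\
    psk "my_psk"
"""
```

Run lint() over the file before loading it with ipsecctl; the quoted rule yields two findings and the corrected one yields none.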