Hi,

Host OpenBSD WAN IP = 1.2.3.4
Host OpenBSD VPN Subnet = 10.0.5.0/24
IKED responder (passive)

Remote OpenBSD WAN IP = Dynamic
Remote OpenBSD Internal LAN = 10.99.1.0/24
IKED Initiator (active)

I have an OpenBSD server hosted at Vultr running as an iked server. It has a static public IP. I can use my iPhone and connect via iked perfectly, and my phone then has the public IP of the server. I can browse the internet using my phone when connected via the VPN.

Now I would like to establish a VPN using an OpenBSD system located at a remote site, acting as the iked initiator (client). I cannot get any flows to establish. I have read the OpenBSD VPN FAQ document and also browsed past questions relating to "iked" on this mailing list. I have tried some configurations but had no success. I have tried to debug iked by using "iked -dvv", but I can't understand what is going on with all the output provided.

Both OpenBSD systems are running v6.5 with all patches installed via "syspatch".

I am seeking some suggestions, please, as to where I am going wrong.

I have configured the interface "enc0" so I can use its IP address with unbound and provide DNS via the VPN to end users.
** Server hostname.enc0

inet 10.0.5.1 255.255.255.0 10.0.5.255

---------------------------------------

** Server iked.conf

# "from" is the local side of the tunnel, "to" the remote side (iked.conf(5)).
# Here the remote side is the address pool handed out to road-warrior clients.
ikev2 "inet" passive esp \
        from 0.0.0.0/0 to 10.0.5.0/24 \
        local egress peer any \
        psk "-----------" \
        config protected-subnet 0.0.0.0/0 \
        config address 10.0.5.0/24 \
        config name-server 10.0.5.1 \
        tag "IKED"

---------------------------------------

** Server pf.conf

# Some options
set skip on {lo enc}
set block-policy return
set loginterface egress
set reassemble yes

# Macros
trusted_ip = "{4.5.6.7}"
web_ports = "{80 443}"
iked_ports = "{500 4500}"
icmp_types = "{echoreq unreach}"

# Tables
table <rfc1918> const {192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}

# Scrub option
match in all scrub (no-df random-id max-mss 1440)

# NAT Rule
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# Drop urpf-failed packets, add label uRPF
block in quick log from urpf-failed label uRPF

# Block bad IP addresses
# (the <shithole> table is not declared in the excerpt shown here)
block quick log from <shithole> label "BAD-IPs"

# Antispoof
antispoof quick for egress

# Block RFC1918 non-routable addresses
block in quick on egress from {no-route <rfc1918>}

# Allow ping
pass in quick inet proto icmp icmp-type $icmp_types keep state label "ICMP-IN"

# Allow SSH
pass in quick log on egress proto tcp from $trusted_ip to egress port 22 label "SSH-IN-TRUSTED"

# Allow web
pass in quick log on egress proto tcp from $trusted_ip to egress port $web_ports label "WEB-IN"

# Allow iked (IKE on udp/500, NAT-T on udp/4500, plain ESP)
pass in quick log on egress proto esp from any to egress
pass in quick log on egress proto udp from any to egress port $iked_ports

# Block all
block all

# Pass out all
pass out

---------------------------------------

** Remote OpenBSD pf.conf

# Macros
ext_if = "em0"
int_if = "em1"
icmp_types = "{echoreq unreach}"

# Tables
table <martians> const {192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}

# Options
set block-policy drop
set loginterface egress
set skip on {lo enc}

# Scrub rule
match in all scrub (no-df random-id max-mss 1440)

# NAT Rule
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# AntiSpoof and block martians rule
antispoof quick for { egress $int_if }
block in quick on egress from <martians> to any

# Allow ping
pass in quick inet proto icmp icmp-type $icmp_types keep state label "ICMP-IN"

# Need to comment out the following rule due to double NAT (Telstra 4G MBB)
# block return out quick on egress from any to <martians>

# Default block all
block log all

# Pass traffic out
pass out quick inet
pass in on { $int_if } inet

---------------------------------------

** Remote OpenBSD iked.conf

# macros
remote_gw = "1.2.3.4"

# "from" is the local side of the tunnel on this gateway, "to" the remote side.
ikev2 "remote" active esp \
        from 10.0.5.0/24 to 10.99.1.0/24 \
        peer $remote_gw \
        psk "-----------"
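For comparison, here is how I would lay out a matched pair of policies for this hub-and-branch setup. This is an added example and not the configuration from the post above: the policy names "branch" and "remote", the identifiers hub.example.com and branch.example.com used as srcid/dstid, and the PSK placeholder are assumptions. The point it shows is that the traffic selectors on the two gateways must be mirror images of each other: on each side "from" is the network behind that gateway and "to" is the network behind the peer. The post's remote policy names the branch's own LAN (10.99.1.0/24) as the "to" side and the hub's client pool as its "from" side, so neither side proposes a child SA the other can match. The distinct srcid/dstid values let the hub keep its existing road-warrior policy for the phone while still selecting the site-to-site policy for the branch gateway, whose public address changes.

```conf
# ---- Hub (static 1.2.3.4), /etc/iked.conf ----
# Road-warrior policy for the phone, unchanged from the original post.
ikev2 "inet" passive esp \
        from 0.0.0.0/0 to 10.0.5.0/24 \
        local egress peer any \
        psk "-----------" \
        config protected-subnet 0.0.0.0/0 \
        config address 10.0.5.0/24 \
        config name-server 10.0.5.1 \
        tag "IKED"

# Site-to-site policy for the branch gateway (added example).
# from = everything reachable via the hub, to = the branch LAN.
# The branch has a dynamic address, so peer is "any"; the policy is
# selected by the IKEv2 identities instead (hostnames are assumptions).
ikev2 "branch" passive esp \
        from 0.0.0.0/0 to 10.99.1.0/24 \
        local egress peer any \
        srcid hub.example.com dstid branch.example.com \
        psk "-----------" \
        tag "IKED"

# ---- Branch (dynamic address, LAN 10.99.1.0/24), /etc/iked.conf ----
remote_gw = "1.2.3.4"

# Mirror image of the hub's "branch" policy:
# from = the branch LAN (local side), to = everything via the hub.
# srcid/dstid are swapped relative to the hub.
ikev2 "remote" active esp \
        from 10.99.1.0/24 to 0.0.0.0/0 \
        peer $remote_gw \
        srcid branch.example.com dstid hub.example.com \
        psk "-----------"
```

If only hub-side 10.0.5.0/24 and the branch LAN should talk, narrow both selectors symmetrically (hub: from 10.0.5.0/24 to 10.99.1.0/24; branch: from 10.99.1.0/24 to 10.0.5.0/24). Both gateways need net.inet.ip.forwarding=1 to forward LAN traffic into the tunnel, and the hub's existing nat-to rule already covers the branch LAN because it NATs everything that is not the egress network. To check the result, validate each file with iked -n, then confirm the flows and SAs with ipsecctl -sa on both sides and watch traffic with tcpdump -ni enc0; since the branch sits behind a carrier NAT, the IKE and ESP traffic on the hub's egress will appear as udp/4500 rather than plain ESP.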