Hi misc@,

I've got a relatively small IPSEC project I am undertaking and prefer to use OpenBSD for the 'client-side' to connect to an IOS-based Cisco router on the 'server-side'. I'll try to be as concise as possible without overbearing details.

- The AS5350 is co-located with a fixed IP address via FastEthernet and connected to eight E1s with MFC-R2 signalling for voice.
- The clients are small remote offices whose internet-facing addresses are dynamic public addresses or private addresses behind a NAT router whose public interface is unknown (or dynamic).
- The VoIP components behind the client routers must be able to connect to the AS5350 untranslated (via loopback or tunnel or virtual-template or dialer, etc).
- The VoIP components behind the client routers must be able to connect to each other, between office networks, untranslated.

While I recognize that there may be better solutions, this is the hand I've been dealt.

- I cannot co-locate additional hardware (I have 1U of co-located rack space).
- The underlying VoIP topology is not something I can modify without massive expense; hence, it must remain untouched.
- I prefer to use OpenBSD 4.0 for client routers because of a robust featureset, ease of installation/upgrade/maintenance/debugging, licensing, reliability and security. And just because I like OpenBSD.

Here are the components:

Cisco Router (AS5350, connected to the internet via ethernet, eight E1s using MFC-R2 signalling for voice)
- Fa0/0 IP: 38.16.60.10/24
- Default route: 38.16.60.254

Client Routers:
- All client routers are preferred to be OpenBSD 4.0
- As many as 200 client networks of varying types (dynamic public IP, dynamic private IP, rarely a fixed public IP)
- Fixed /24 private network for each client network, allocated from a 10/16 address space
- Client routers can be shipped with an almost cloned ipsec.conf and isakmpd.conf and certificates to 'just work' in remote locations via DHCP

Scenario 1: Suppose PersonA (ClientA) places a call destined for PersonB (ClientB). Its signalling will terminate to the AS5350, which will make some call routing decisions. Once connected (PersonA and PersonB), the RTP media stream will flow directly between clients (strictly from a routing topology) through the AS5350's IPSEC tunnels between clients.

Scenario 2: A call with a fixed DID is incoming on an MFC-R2 channel. That call is then routed to the remote client destinations based on call-routing decisions through the IPSEC tunnel.

Scenario 3: PersonA makes a call destined for his parents in New Zealand; the AS5350 makes a routing decision to send the call to an external VoIP provider who can then place the call to NZ, thus proxying the RTP media stream and translating both the protocol (H323 to SIP) and the media stream (from a private IP to the external public IP of the AS5350).

I would like to be able to authenticate the clients based on PKI, all contained within the AS5350 with massive amounts of Flash (I'm aware of the performance hit). Am I barking up the wrong tree with OpenBSD for certain aspects of this project?

I have read the ipsec.conf(5), isakmpd(8), isakmpd.conf(5), isakmpd.policy(5) and ipsecctl(8) man pages and have a decent grasp of ipsec and isakmp, having configured between fixed-IP Cisco and OpenBSD systems in the past with plain PSKs; however, I'm at a loss for a grasp of the underlying routing topology for what happens from routing and authentication perspectives when dynamic client addresses are used in conjunction with a fixed-address Cisco peer and client-side NAT (potentially).

- Is it possible to run a routing daemon between the client and Cisco routers to advertise availability of a private network upon VPN connection?
- How will the Cisco know to route a particular network to a particular gateway without an interface to route through?
- Would that require a particular crypto map entry or flow per client?

Before I proceed with the mechanics of testing and debugging, I suppose I am [p|tr]olling for opinion (public or private) to gauge the feasibility of my desired combination WRT isakmpd, ipsec.conf/ipsecctl, and a PKI infrastructure managed by an ordinary (Security/K9) Cisco IOS.

Thanks for your thoughts, ideas, inspiration, perspiration and general flames. I'm open to suggestion, although I'm certain some will fall outside of the scope of my requirements.
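As an added illustration (editor's example, not part of the original post and not the poster's configuration), this is the shape of the "almost cloned" client-side /etc/ipsec.conf the post describes: a dynamically addressed OpenBSD 4.0 office router initiating to the fixed AS5350 at 38.16.60.10 with certificate (RSA signature) authentication instead of a PSK. Everything beyond the addresses quoted in the post is assumed: the office LAN 10.0.5.0/24 (one /24 out of an assumed 10.0.0.0/16), the FQDN ID clientA.example.net in the office router's certificate, the AS5350 presenting its address as its ISAKMP ID, and the cipher choices. The "dynamic" mode keyword should be confirmed against the ipsec.conf(5) page shipped with 4.0 before relying on it.

```conf
# /etc/ipsec.conf on one OpenBSD 4.0 office router (added example, not from the post)
#
# Assumed values, not from the original post:
#   - this office's LAN is 10.0.5.0/24, one /24 from an assumed 10.0.0.0/16
#   - this router's certificate carries fqdn:clientA.example.net as its ID
#   - the AS5350 presents its address 38.16.60.10 as its ISAKMP ID
#
# Key material is expected where isakmpd(8) looks for it:
#   /etc/isakmpd/private/local.key   this router's RSA private key
#   /etc/isakmpd/certs/              this router's certificate
#   /etc/isakmpd/ca/                 the CA certificate that signed both ends

as5350    = "38.16.60.10"
office    = "10.0.5.0/24"
all_sites = "10.0.0.0/16"

# The office has no fixed address, so it must be the initiator. "dynamic"
# tells ipsecctl/isakmpd that the local address is not fixed (DHCP, NAT) and
# the SA must be re-negotiated rather than bound to one local IP.
# No "psk" keyword: isakmpd then authenticates with RSA signatures using the
# certificates above. The proxy IDs (office <-> all_sites) are what the AS5350
# must accept; office-to-office calls then hairpin through the AS5350 instead
# of needing one rule per remote office on every client.
ike dynamic esp from $office to $all_sites peer $as5350 main auth hmac-sha1 enc aes group modp1024 quick auth hmac-sha1 enc aes group modp1024 srcid clientA.example.net dstid $as5350

# Caveat: the flow above also matches router-originated packets from 10.0.5.x
# to 10.0.5.y, since $office lies inside $all_sites. A more specific bypass
# flow keeps local LAN traffic out of the tunnel.
flow esp from $office to $office type bypass
```

Check it with `ipsecctl -n -f /etc/ipsec.conf` before loading (`ipsecctl -vf /etc/ipsec.conf`), and inspect the result with `ipsecctl -sa`. Two things to verify outside this file: isakmpd must either run with `-K` or have an isakmpd.policy that authorizes these SAs, and the NAT in front of the office must pass UDP 500 and 4500 so that NAT-T (enabled by default on both OpenBSD and current IOS) can take over when the client sits behind a translator. The group modp1024 here corresponds to Diffie-Hellman group 2 on the IOS side, which is not the IOS default and must be set in the matching `crypto isakmp policy`. On the hub, the per-client route the post asks about is normally supplied by a dynamic crypto map rather than one static entry per client; IOS reverse-route injection on that map can install the route to each office /24 when its tunnel comes up, which is the feature to read up on for the "no interface to route through" question.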