On Fri, Dec 4, 2009 at 6:27 PM, Paul <pa...@rawbw.com> wrote:
>> ipsec.conf server in myplace.org:
>> ike passive esp from myplace.org to 0.0.0.0/0 peer 0.0.0.0/0
>> Client (anywhere outside):
>> ike esp from 0.0.0.0/0 to myplace.org peer 192.168.2.2
>>
>
> In the above two lines, the peer keyword/values are superfluous since they
> are identical to the destination specified by the 'to' keyword (if I
> correctly understand what you are trying to do).
>
>> How to declare 0.0.0.0/0 and/or any; into /etc/isakmpd/pubkeys? and where?
>
> Have the client (your laptop) use a srcid of type UFQDN rather than a
> default IPv4 address. On the gateway (myplace.org), put the client's
> public key in /etc/isakmpd/pubkeys/ufqdn/$UFQDN
>
> This config works for me. On the roaming client I specify a srcid of
> paulx200.com in ipsec.conf. A copy of the public key is stored on the
> gateway in /etc/isakmpd/pubkeys/ufqdn/p...@x200.com
>
> ipsec.conf on roaming client:
>
> ike dynamic esp tunnel from egress to $gateway srcid p...@x200.com
>
> ipsec.conf on gateway:
>
> ike passive esp tunnel from $gateway to any
>
> pf.conf on roaming client:
>
> pass in on $wifi_if proto esp from $gateway
> pass out on $wifi_if proto esp to $gateway
>
> pass out on $wifi_if inet proto udp from $wifi_if to $gateway port { 500, 4500 }
> pass in on $wifi_if inet proto udp from $gateway to $wifi_if port { 500, 4500 }
>
> pass in on enc0 from $gateway to $wifi_if keep state (if-bound)
> pass out on enc0 from $wifi_if to $gateway keep state (if-bound)
>
> pf.conf on gateway:
>
> pass in on { $ext_if, enc0 } proto esp
> pass out on { $ext_if, enc0 } proto esp
>
> pass in on $ext_if inet proto { udp } from any to $ext_if port { 500, 4500 }
> pass out on $ext_if inet proto { udp } from $ext_if to any port { 500, 4500 }
>
> pass out on enc0 from $ext_if to any keep state (if-bound)
> pass in on enc0 from any to $ext_if keep state (if-bound)
>
Hey all,

At long last, I have had success. My network, to reiterate:

        Host-only (192.168.120.0/24)
                    /|\
                     |
                    \|/
  obsd-ipsec-left (192.168.120.130 / 10.255.255.5)
                    /|\
                     |
                    \|/
               10.255.255.0/30
                    /|\
                     |
                    \|/
  obsd-ipsec-right (192.168.33.7 / 10.255.255.6)
                    /|\
                     |
                    \|/
         Host-only (192.168.33.0/24)

1) copy /etc/isakmpd/local.pub from left side to
   /etc/isakmpd/pubkeys/ipv4/10.255.255.6 on right

2) copy /etc/isakmpd/local.pub from right side to
   /etc/isakmpd/pubkeys/ipv4/10.255.255.5 on left

3) on left side:

cat >/etc/ipsec.conf <<EOF
local_ip="10.255.255.5"
local_network="192.168.120.0/24"
remote_ip="10.255.255.6"
remote_network="192.168.33.0/24"

ike esp from { \$local_ip \$local_network } to \
    { \$remote_ip \$remote_network } peer \$remote_ip
ike esp from \$local_ip to \$remote_ip
EOF

   (Every macro in the heredoc is escaped, including the one after
   'peer'; an unescaped \$remote_ip is expanded by the shell, which has
   no such variable, and leaves an empty 'peer' in the file.)

4) on right side:

cat >/etc/ipsec.conf <<EOF
local_ip="10.255.255.6"
local_network="192.168.33.0/24"
remote_ip="10.255.255.5"
remote_network="192.168.120.0/24"

ike esp from { \$local_ip \$local_network } to \
    { \$remote_ip \$remote_network } peer \$remote_ip
ike esp from \$local_ip to \$remote_ip
EOF

5) To test, run "isakmpd -K -d", then "ipsecctl -f /etc/ipsec.conf" on
   each side.

6) Route each network to the other side's gateway, eg:

obsd-ipsec-left# route add -net 192.168.33/24 10.255.255.6
obsd-ipsec-right# route add -net 192.168.120/24 10.255.255.5

7) Ping each side.

8) Fire up 'tcpdump -ni enc0' and ping each side again. If you get
   output, then we have succeeded.

9) Make ISAKMPD and IPSec start on boot (both machines). Overrides go in
   /etc/rc.conf.local rather than /etc/rc.conf, which is replaced on
   upgrade (a sed without an output redirect only prints the edited file):

# cat >>/etc/rc.conf.local <<EOF
isakmpd_flags="-K"
ipsec=YES
EOF

10) Make the route setting permanent:

obsd-ipsec-left# echo '!route add -net 192.168.33/24 10.255.255.6' >> /etc/hostname.vic1
obsd-ipsec-right# echo '!route add -net 192.168.120/24 10.255.255.5' >> /etc/hostname.vic1

11) Reboot

12) ...

13) Profit!
Blog'd @ http://thirdwheel-wanders.blogspot.com/2009/12/openbsd-ipsec-made-easy.html

--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
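The site-to-site procedure above (steps 1 to 5) as one script, added here as an example and not code from the thread or from Aaron's blog post: it generates the ipsec.conf for both gateways from a single description so the two files cannot disagree, keeps the ipsec.conf macros out of the shell's reach (the original heredoc expanded $remote_ip in the shell and lost the 'peer'), and prints where the peer's key must land. Note that isakmpd looks a public key up under the peer's own ID, so with the default IPv4 IDs the right gateway's /etc/isakmpd/local.pub belongs in /etc/isakmpd/pubkeys/ipv4/10.255.255.6 on the left, and vice versa. The function names, the @PLACEHOLDER@ tokens and the left/right file names are my own; the addresses are the ones from the thread.

```sh
#!/bin/sh
# Added example, not from the thread: build both ends of an OpenBSD
# site-to-site IPsec tunnel from one description.

# gen_ipsec_conf LOCAL_IP LOCAL_NET REMOTE_IP REMOTE_NET
#   prints the ipsec.conf for the gateway whose tunnel address is LOCAL_IP.
#   Assumes the arguments contain no '|' or '&' (they are sed replacements).
gen_ipsec_conf() {
    lip=$1 lnet=$2 rip=$3 rnet=$4
    # The here-document delimiter is quoted, so the shell expands nothing
    # inside it: the $macros reach ipsecctl intact and only the four
    # @placeholders@ are substituted by sed.
    sed -e "s|@LIP@|$lip|" -e "s|@LNET@|$lnet|" \
        -e "s|@RIP@|$rip|" -e "s|@RNET@|$rnet|" <<'EOF'
local_ip="@LIP@"
local_network="@LNET@"
remote_ip="@RIP@"
remote_network="@RNET@"

# One rule covers gateway-to-gateway and LAN-to-LAN traffic: ipsecctl
# expands the two lists into a flow for every from/to pair. 'peer' is
# needed because the 'to' side is a list rather than a single host.
ike esp from { $local_ip $local_network } to { $remote_ip $remote_network } peer $remote_ip
EOF
}

# write_pair DIR LEFT_IP LEFT_NET RIGHT_IP RIGHT_NET
#   writes DIR/left.ipsec.conf and DIR/right.ipsec.conf, the second with
#   the roles swapped. Copy each to /etc/ipsec.conf on the matching box.
write_pair() {
    dir=$1
    gen_ipsec_conf "$2" "$3" "$4" "$5" >"$dir/left.ipsec.conf"
    gen_ipsec_conf "$4" "$5" "$2" "$3" >"$dir/right.ipsec.conf"
}

# peer_pubkey_path PEER_IP
#   the file in which isakmpd on this host expects PEER_IP's public key
#   when the peer identifies by its IPv4 address (the default ID type);
#   the peer's /etc/isakmpd/local.pub is copied to this path.
peer_pubkey_path() {
    printf '/etc/isakmpd/pubkeys/ipv4/%s\n' "$1"
}

# check_conf FILE
#   returns non-zero if FILE has no ike rule or if any line ends in a bare
#   'peer', the symptom of a macro expanded by the shell instead of ipsecctl.
check_conf() {
    grep -q '^ike ' "$1" || return 1
    if grep -Eq 'peer[[:space:]]*$' "$1"; then return 1; fi
    return 0
}

# Usage on the left gateway (then 'ipsecctl -n -f' parses without loading):
#   write_pair /tmp/ipsec 10.255.255.5 192.168.120.0/24 10.255.255.6 192.168.33.0/24
#   check_conf /tmp/ipsec/left.ipsec.conf && ipsecctl -n -f /tmp/ipsec/left.ipsec.conf
#   peer_pubkey_path 10.255.255.6      # where the right gateway's local.pub goes
```

Run write_pair once on either box, copy left.ipsec.conf and right.ipsec.conf to /etc/ipsec.conf on the respective gateways, and install each side's local.pub at the path peer_pubkey_path prints on the other side before starting isakmpd.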