<body><script type="text/javascript"> function setAttributeOnload(object, attribute, val) { if(window.addEventListener) { window.addEventListener('load', function(){ object[attribute] = val; }, false); } else { window.attachEvent('onload', function(){ object[attribute] = val; }); } } </script> <div id="navbar-iframe-container"></div> <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script> <script type="text/javascript"> gapi.load("gapi.iframes:gapi.iframes.style.bubble", function() { if (gapi.iframes && gapi.iframes.getContext) { gapi.iframes.getContext().openChild({ url: 'https://www.blogger.com/navbar.g?targetBlogID\x3d14658917\x26blogName\x3dWhat+Would+You+Say+It+Is+You+Do+Here?\x26publishMode\x3dPUBLISH_MODE_HOSTED\x26navbarType\x3dBLUE\x26layoutType\x3dCLASSIC\x26searchRoot\x3dhttp://blog.vitriol.net/search\x26blogLocale\x3den_US\x26v\x3d2\x26homepageUrl\x3dhttp://blog.vitriol.net/\x26vt\x3d-1706885970164302789', where: document.getElementById("navbar-iframe-container"), id: "navbar-iframe" }); } }); </script>

Wednesday, January 14, 2009

OpenBSD IPSEC Config

This is from notes I had jotted down for IPSEC lan-to-lan config with OpenBSD 3.9. It's mostly the same process now.


OpenBSD 3.9 IPSEC Config

Machine A Machine B
--------- ----------
IP 1.2.3.4 5.6.7.8
Network 10.1.1.0/24 10.2.2.0/24

pf.conf (non-NAT)
ext_if = "fxp1"
int_if = "fxp0"
set skip on { lo $int_if enc0 }
scrub in
block in
pass quick on $ext_if from 5.6.7.8 (1.2.3.4 on machine B)
pass out keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state

Machine A ipsec.conf
ike passive esp from 10.1.1.0/24 to 10.2.2.0/24 peer 5.6.7.8
ike passive esp from 1.2.3.4 to 10.2.2.0/24 peer 5.6.7.8
ike passive esp from 1.2.3.4 to 5.6.7.8

Machine B ipsec.conf
ike esp from 10.2.2.0/24 to 10.1.1.0/24 peer 1.2.3.4
ike esp from 5.6.7.8 to 10.1.1.0/24 peer 1.2.3.4
ike esp from 5.6.7.8 to 1.2.3.4

Copy keys:

Machine A: copy from firewall B /etc/isakmpd/local.pub to
/etc/isakmpd/pubkeys/ipv4/5.6.7.8
Machine B: copy from firewall A /etc/isakmpd/local.pub to
/etc/isakmpd/pubkeys/ipv4/1.2.3.4

Start IPSEC:
isakmpd -K
ipsecctl -f /etc/ipsec.conf

enable IP forwarding in /etc/sysctl.conf:
net.inet.ip.forwarding = 1