<body><script type="text/javascript"> function setAttributeOnload(object, attribute, val) { if(window.addEventListener) { window.addEventListener('load', function(){ object[attribute] = val; }, false); } else { window.attachEvent('onload', function(){ object[attribute] = val; }); } } </script> <div id="navbar-iframe-container"></div> <script type="text/javascript" src="https://apis.google.com/js/plusone.js"></script> <script type="text/javascript"> gapi.load("gapi.iframes:gapi.iframes.style.bubble", function() { if (gapi.iframes && gapi.iframes.getContext) { gapi.iframes.getContext().openChild({ url: 'https://www.blogger.com/navbar.g?targetBlogID\x3d14658917\x26blogName\x3dWhat+Would+You+Say+It+Is+You+Do+Here?\x26publishMode\x3dPUBLISH_MODE_HOSTED\x26navbarType\x3dBLUE\x26layoutType\x3dCLASSIC\x26searchRoot\x3dhttp://blog.vitriol.net/search\x26blogLocale\x3den_US\x26v\x3d2\x26homepageUrl\x3dhttp://blog.vitriol.net/\x26vt\x3d-1706885970164302789', where: document.getElementById("navbar-iframe-container"), id: "navbar-iframe" }); } }); </script>

Wednesday, January 14, 2009

OpenBSD IPSEC Config

This is from notes I had jotted down for IPSEC lan-to-lan config with OpenBSD 3.9. It's mostly the same process now.


OpenBSD 3.9 IPSEC Config

Machine A Machine B
--------- ----------
IP 1.2.3.4 5.6.7.8
Network 10.1.1.0/24 10.2.2.0/24

pf.conf (non-NAT)
ext_if = "fxp1"
int_if = "fxp0"
set skip on { lo $int_if enc0 }
scrub in
block in
pass quick on $ext_if from 5.6.7.8 (1.2.3.4 on machine B)
pass out keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state

Machine A ipsec.conf
ike passive esp from 10.1.1.0/24 to 10.2.2.0/24 peer 5.6.7.8
ike passive esp from 1.2.3.4 to 10.2.2.0/24 peer 5.6.7.8
ike passive esp from 1.2.3.4 to 5.6.7.8

Machine B ipsec.conf
ike esp from 10.2.2.0/24 to 10.1.1.0/24 peer 1.2.3.4
ike esp from 5.6.7.8 to 10.1.1.0/24 peer 1.2.3.4
ike esp from 5.6.7.8 to 1.2.3.4

Copy keys:

Machine A: copy from firewall B /etc/isakmpd/local.pub to
/etc/isakmpd/pubkeys/ipv4/5.6.7.8
Machine B: copy from firewall A /etc/isakmpd/local.pub to
/etc/isakmpd/pubkeys/ipv4/1.2.3.4

Start IPSEC:
isakmpd -K
ipsecctl -f /etc/ipsec.conf

enable IP forwarding in /etc/sysctl.conf:
net.inet.ip.forwarding = 1

1 Comments:

Blogger Xavier said...

Hi!

Thank you for post, but i have some errors:


I have 2 interfaces configured:

xl0: external 10.72.151.51
sk0: internal 192.168.2.51/24


the error is:
222412.573590 Default m_priv_bind: bind(6,0x7fb630e0,16) returned -1: Address already in use [priv]
222412.574059 Default udp_make: bind (8, 127.0.0.1, 4): Address already in use
222412.574279 Default virtual_bind_if: failed to create a socket on 127.0.0.1
222412.575119 Default m_priv_bind: bind(6,0x81f930a0,28) returned -1: Address already in use [priv]
222412.575348 Default udp_make: bind (8, ::1, 4): Address already in use
222412.575484 Default virtual_bind_if: failed to create a socket on ::1
222412.576281 Default m_priv_bind: bind(6,0x81f93020,28) returned -1: Address already in use [priv]
222412.576510 Default udp_make: bind (8, fe80:5::1, 4): Address already in use
222412.576646 Default virtual_bind_if: failed to create a socket on fe80:5::1
222412.577685 Default m_priv_bind: bind(6,0x7fb63030,16) returned -1: Address already in use [priv]
222412.577920 Default udp_make: bind (8, 192.168.2.51, 4): Address already in use
222412.578056 Default virtual_bind_if: failed to create a socket on 192.168.2.51
222412.578865 Default m_priv_bind: bind(6,0x81f93180,28) returned -1: Address already in use [priv]
222412.579091 Default udp_make: bind (8, fe80:1::213:46ff:fe64:e274, 4): Address already in use
222412.579237 Default virtual_bind_if: failed to create a socket on fe80:1::213:46ff:fe64:e274
222412.580058 Default m_priv_bind: bind(6,0x7fb63110,16) returned -1: Address already in use [priv]
222412.580268 Default udp_make: bind (8, 10.72.152.51, 4): Address already in use
222412.580401 Default virtual_bind_if: failed to create a socket on 10.72.152.51
222412.581204 Default m_priv_bind: bind(6,0x81f930c0,28) returned -1: Address already in use [priv]
222412.581434 Default udp_make: bind (8, fe80:3::2b0:d0ff:febb:2da3, 4): Address already in use
222412.581580 Default virtual_bind_if: failed to create a socket on fe80:3::2b0:d0ff:febb:2da3
222412.581721 Default virtual_init: could not bind the ISAKMP port(s) on all interfaces: Address already in use

3:43 PM  

Post a Comment

<< Home