
Wednesday, January 14, 2009

OpenBSD IPSEC Config

These are notes I had jotted down for an IPSEC LAN-to-LAN config with OpenBSD 3.9. The process is mostly the same now.


OpenBSD 3.9 IPSEC Config

            Machine A        Machine B
            ---------        ---------
IP          1.2.3.4          5.6.7.8
Network     10.1.1.0/24      10.2.2.0/24

pf.conf (non-NAT)
ext_if = "fxp1"
int_if = "fxp0"
# enc0 carries the decrypted IPSEC traffic; don't filter it, lo, or the inside interface
set skip on { lo $int_if enc0 }
scrub in
block in
# pass everything from the VPN peer (IKE on udp/500 and ESP); use 1.2.3.4 here on machine B
pass quick on $ext_if from 5.6.7.8
pass out keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state

Machine A ipsec.conf
# "passive": A waits for B to initiate the IKE exchange
ike passive esp from 10.1.1.0/24 to 10.2.2.0/24 peer 5.6.7.8
ike passive esp from 1.2.3.4 to 10.2.2.0/24 peer 5.6.7.8
# gateway-to-gateway flow; with no peer given, the destination is the peer
ike passive esp from 1.2.3.4 to 5.6.7.8

Machine B ipsec.conf
# no mode given means active: B initiates; each flow is the mirror image of A's
ike esp from 10.2.2.0/24 to 10.1.1.0/24 peer 1.2.3.4
ike esp from 5.6.7.8 to 10.1.1.0/24 peer 1.2.3.4
ike esp from 5.6.7.8 to 1.2.3.4

Copy keys:

Machine A: copy firewall B's /etc/isakmpd/local.pub to /etc/isakmpd/pubkeys/ipv4/5.6.7.8
Machine B: copy firewall A's /etc/isakmpd/local.pub to /etc/isakmpd/pubkeys/ipv4/1.2.3.4

Start IPSEC:
isakmpd -K
ipsecctl -f /etc/ipsec.conf

Enable IP forwarding in /etc/sysctl.conf:
net.inet.ip.forwarding = 1