Networking

Setting up VPN tunnels with OpenBSD: Tutorial 2


In part

1 of this tutorial on setting up VPN tunnels with OpenBSD, I went over

authenticating the gateways with automatic (or manual) keying, began editing

some of the files that need to modified, and enabling the ISAKMPD daemon.

Now, let's configure ISAKMPD to set up our VPN tunnels. This is a little more

complex than the previous steps. It's quite important that you understand what's

going on at this point. Two files need to be created/modified at this point. They

are /etc/isakmpd/isakmpd.conf

and /etc/isakmpd/isakmpd.policy,

click on the links to view the full man page for these files. Basically isakmpd.conf is the general

configuration file for the ISAKMPD daemon; isakmpd.policy

sets the acceptable security policy for key exchange.

Let's first look at /etc/isakmpd/isakmpd.policy.

The contents of this file will be the same on both gateway machines. Here are

the contents of this file:

Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain

== "IPsec policy" &&
esp_present

== "yes" &&
esp_enc_alg

!= "null" -> "true";


Now we can consider /etc/isakmpd/isakmpd.conf,

this will be different on both gateway machines. This file contains

instructions on which IP address the daemons should listen on, VPN end points,

internal network details for each end, encryption types, and of course, a pre-shared

key which will be used to authorize the remote gateway.

Here are the contents of /etc/isakmpd/isakmpd.conf for vpnA:

# Filter incoming phase 1 negotiations so they are only
# valid if negotiating with this local address.
[General]
Listen-On=              20.1.1.1
# Incoming phase 1 negotiations are multiplexed on the
# source IP address. Phase 1 is used to set up a protected
# channel just between the two gateway machines.
# This channel is then used for the phase 2 negotiation
# traffic (i.e. encrypted & authenticated).
[Phase 1]
20.1.1.2=           vpnB
# 'Phase 2' defines which connections the daemon
# should establish. These connections contain the actual
# "IPsec VPN" information.
[Phase 2]
Connections=            VPN-A-B
# ISAKMP phase 1 peers (from [Phase 1])
[vpnB]
Phase=                  1
Transport= udp
Address= 20.1.1.2
Configuration= Default-main-mode
Authentication= aaf5dc2122288ff01485329b2f51902d63874a9c
# IPSEC phase 2 connections (from [Phase 2])
[VPN-A-B]
Phase=                  2
ISAKMP-peer= vpnB
Configuration= Default-quick-mode
Local-ID= vpnA-internal-network
Remote-ID= vpnB-internal-network
# ID sections (as used in [VPN-A-B])
[vpnA-internal-network]
ID-type=                IPV4_ADDR_SUBNET
Network= 10.1.1.0
Netmask= 255.255.255.0
[vpnB-internal-network]
ID-type=                IPV4_ADDR_SUBNET
Network= 10.2.1.1
Netmask= 255.255.255.0
# Main and Quick Mode descriptions
# (as used by peers and connections).
[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA,BLF-SHA
[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

And for vpnB:

# Filter incoming phase 1 negotiations so they are only
# valid if negotiating with this local address.
[General]
Listen-On=              20.1.1.2
# Incoming phase 1 negotiations are multiplexed on the
# source IP address. Phase 1 is used to set up a protected
# channel just between the two gateway machines.
# This channel is then used for the phase 2 negotiation
# traffic (i.e. encrypted & authenticated).
[Phase 1]
20.1.1.1=           vpnA
# 'Phase 2' defines which connections the daemon
# should establish. These connections contain the actual
# "IPsec VPN" information.
[Phase 2]
Connections=            VPN-B-A
# ISAKMP phase 1 peers (from [Phase 1])
[vpnA]
Phase= 1
Transport= udp
Address= 20.1.1.1
Configuration= Default-main-mode
Authentication= aaf5dc2122288ff01485329b2f51902d63874a9c
# IPSEC phase 2 connections (from [Phase 2])
[VPN-B-A]
Phase=                  2
ISAKMP-peer= vpnA
Configuration= Default-quick-mode
Local-ID= vpnB-internal-network
Remote-ID= vpnA-internal-network
# ID sections (as used in [VPN-B-A])
[vpnA-internal-network]
ID-type=                IPV4_ADDR_SUBNET
Network= 10.1.1.0
Netmask= 255.255.255.0
[vpnB-internal-network]
ID-type=                IPV4_ADDR_SUBNET
Network= 10.2.1.1
Netmask= 255.255.255.0
# Main and Quick Mode descriptions
# (as used by peers and connections).
[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA,BLF-SHA
[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE


Now these are in place, we need to change the permissions

and owner/group. If we don't do this, then the daemon will refuse to read the

configuration files. The following commands will do the trick:

> chown root:wheel /etc/isakmpd/isakmpd.conf
> chmod 0600 /etc/isakmpd/isakmpd.conf
> chown root:wheel /etc/isakmpd/isakmpd.policy
> chmod 0600 /etc/isakmpd/isakmpd.policy

In the next and final instalment, I'll go over editing the Packet Filter rules.

0 comments

Editor's Picks