In Part 2 of the tutorial, I took you through the configuration of files for the ISAKMPD daemon. Now, all that’s left to do is edit our Packet Filter rules so that the VPN traffic can pass through. I’ll assume we are starting from a blank rule set. We only allow traffic to pass from one gateway to the other, not to any hosts on the internet. All traffic between the two private networks and the two gateways needs to be passed; this will be on device enc0 (IPsec tunnel). UDP traffic between the two gateways will be allowed on port 500 (the key exchange) and encrypted data will need to be passed between the two gateways (ESP protocol).

pf.conf for vpnA:

GATEWAY_A = "20.1.1.1"
GATEWAY_B = "20.1.1.2"
NETWORK_A = "10.1.1.0/24"
NETWORK_B = "10.2.1.0/24"

int_if="le1"
ext_if="le2"

# default deny
# $ext_if is the only interface going to the outside.
block log on { enc0, $ext_if } all

# Pass encrypted traffic to/from security gateways
pass in proto esp from $GATEWAY_B to $GATEWAY_A
pass out proto esp from $GATEWAY_A to $GATEWAY_B

# Need to allow ipencap traffic on enc0.
pass in on enc0 proto ipencap from $GATEWAY_B to $GATEWAY_A

# Pass traffic to/from the designated subnets.
pass in on enc0 from $NETWORK_B to $NETWORK_A
pass out on enc0 from $NETWORK_A to $NETWORK_B

# Pass isakmpd(8) traffic to/from the security gateways
pass in on $ext_if proto udp from $GATEWAY_B port = 500 to $GATEWAY_A port = 500
pass out on $ext_if proto udp from $GATEWAY_A port = 500 to $GATEWAY_B port = 500

pf.conf for vpnB:

GATEWAY_A = "20.1.1.1"
GATEWAY_B = "20.1.1.2"
NETWORK_A = "10.1.1.0/24"
NETWORK_B = "10.2.1.0/24"

int_if="le1"
ext_if="le2"

# default deny
# $ext_if is the only interface going to the outside.
block log on { enc0, $ext_if } all

# Pass encrypted traffic to/from security gateways
pass in proto esp from $GATEWAY_A to $GATEWAY_B
pass out proto esp from $GATEWAY_B to $GATEWAY_A

# Need to allow ipencap traffic on enc0.
pass in on enc0 proto ipencap from $GATEWAY_A to $GATEWAY_B

# Pass traffic to/from the designated subnets.
pass in on enc0 from $NETWORK_A to $NETWORK_B
pass out on enc0 from $NETWORK_B to $NETWORK_A

# Pass isakmpd(8) traffic to/from the security gateways
pass in on $ext_if proto udp from $GATEWAY_A port = 500 to $GATEWAY_B port = 500
pass out on $ext_if proto udp from $GATEWAY_B port = 500 to $GATEWAY_A port = 500
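The two rule sets are mirror images, and the thing that makes them work is a pf property the article relies on without saying so: without "quick", the last matching rule wins, so the "block log on { enc0, $ext_if } all" line sets the default and each later "pass" punches one hole in it. The evaluator below is an added example, not code from the article or from pf itself; it parses only the subset of pf.conf syntax used in the vpnA rule set (macros, in/out, on, proto, from/to with "port = N") and replays constructed packets through it. The addresses 198.51.100.7 and 203.0.113.1 are made-up outside hosts. It models stateless matching only, as the rules above are written; it does not model state tables or anything else pf does. One result worth noticing: a packet arriving on $int_if matches no rule at all, and pf passes unmatched packets, so this rule set leaves the internal interface unfiltered, which is consistent with the author's remark that $ext_if is the only interface facing the outside.

```python
import ipaddress
import re

# vpnA rule set from the tutorial, reproduced here so the evaluator is self-contained.
VPN_A_RULES = """
GATEWAY_A = "20.1.1.1"
GATEWAY_B = "20.1.1.2"
NETWORK_A = "10.1.1.0/24"
NETWORK_B = "10.2.1.0/24"
int_if="le1"
ext_if="le2"
block log on { enc0, $ext_if } all
pass in proto esp from $GATEWAY_B to $GATEWAY_A
pass out proto esp from $GATEWAY_A to $GATEWAY_B
pass in on enc0 proto ipencap from $GATEWAY_B to $GATEWAY_A
pass in on enc0 from $NETWORK_B to $NETWORK_A
pass out on enc0 from $NETWORK_A to $NETWORK_B
pass in on $ext_if proto udp from $GATEWAY_B port = 500 to $GATEWAY_A port = 500
pass out on $ext_if proto udp from $GATEWAY_A port = 500 to $GATEWAY_B port = 500
"""


def parse_rules(text):
    """Parse the subset of pf.conf syntax used above into rule dicts (toy parser)."""
    macros, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^(\w+)\s*=\s*"([^"]*)"$', line)
        if m:                                   # macro definition
            macros[m.group(1)] = m.group(2)
            continue
        line = re.sub(r"\$(\w+)", lambda mm: macros[mm.group(1)], line)
        toks = line.replace("{", " { ").replace("}", " } ").replace(",", " ").split()
        rule = {"action": toks[0], "dir": None, "ifaces": None, "proto": None,
                "src": None, "dst": None, "sport": None, "dport": None}
        i = 1
        while i < len(toks):
            t = toks[i]
            if t in ("in", "out"):
                rule["dir"] = t
                i += 1
            elif t in ("log", "all"):           # no effect on matching
                i += 1
            elif t == "on":
                i += 1
                if toks[i] == "{":              # interface list: on { enc0, le2 }
                    j = toks.index("}", i)
                    rule["ifaces"] = set(toks[i + 1:j])
                    i = j + 1
                else:
                    rule["ifaces"] = {toks[i]}
                    i += 1
            elif t == "proto":
                rule["proto"] = toks[i + 1]
                i += 2
            elif t in ("from", "to"):
                key = "src" if t == "from" else "dst"
                rule[key] = ipaddress.ip_network(toks[i + 1], strict=False)
                i += 2
                if i + 2 < len(toks) and toks[i] == "port" and toks[i + 1] == "=":
                    rule[key[0] + "port"] = int(toks[i + 2])
                    i += 3
            else:
                raise ValueError("unsupported pf keyword: %r" % t)
        rules.append(rule)
    return rules


def packet(iface, direction, proto, src, dst, sport=None, dport=None):
    """Constructed packet description for the evaluator (not captured traffic)."""
    return {"iface": iface, "dir": direction, "proto": proto,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "sport": sport, "dport": dport}


def matches(rule, pkt):
    return ((rule["dir"] is None or rule["dir"] == pkt["dir"])
            and (rule["ifaces"] is None or pkt["iface"] in rule["ifaces"])
            and (rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (rule["src"] is None or pkt["src"] in rule["src"])
            and (rule["dst"] is None or pkt["dst"] in rule["dst"])
            and (rule["sport"] is None or rule["sport"] == pkt["sport"])
            and (rule["dport"] is None or rule["dport"] == pkt["dport"]))


def verdict(rules, pkt):
    """pf semantics without 'quick': the last matching rule decides,
    and a packet that matches no rule at all is passed."""
    result = "pass"
    for rule in rules:
        if matches(rule, pkt):
            result = rule["action"]
    return result


if __name__ == "__main__":
    rules = parse_rules(VPN_A_RULES)
    samples = [
        ("ESP from vpnB on ext_if", packet("le2", "in", "esp", "20.1.1.2", "20.1.1.1")),
        ("IKE from vpnB", packet("le2", "in", "udp", "20.1.1.2", "20.1.1.1", 500, 500)),
        ("IKE from an unknown host", packet("le2", "in", "udp", "198.51.100.7", "20.1.1.1", 500, 500)),
        ("decrypted LAN-B traffic", packet("enc0", "in", "tcp", "10.2.1.5", "10.1.1.9", 40000, 445)),
        ("wrong source inside tunnel", packet("enc0", "in", "tcp", "10.9.9.9", "10.1.1.9", 40000, 445)),
        ("LAN-A host via int_if", packet("le1", "in", "tcp", "10.1.1.9", "203.0.113.1", 40000, 80)),
    ]
    for label, p in samples:
        print("%-28s %s" % (label, verdict(rules, p)))
```

Run it and the first four IPsec-related samples come out as the article intends (pass, pass, block, pass); the "wrong source inside tunnel" case shows why the enc0 rules restrict source and destination to the two subnets rather than passing everything that arrives decrypted, and the last case shows the unfiltered internal interface.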

Ok that’s the firewall sorted out. One more edit, and we should be done. We want to add a route from network 10.1.1.x to 10.2.1.x and vice-versa, and we want this to happen automatically each time the host is rebooted. To make sure this happens, we need to add the command to /etc/rc.local.

For vpnA:

route add -net 10.2.1 10.1.1.1

For vpnB:

route add -net 10.1.1 10.2.1.1

Right, that should cover everything. Reboot both gateways and you should be able to ping the opposing network.

Don’t forget, if you don’t want to use OpenBSD as your main gateway, but you would like to use it for VPN tunnelling, this should not pose a problem. Simply make sure the correct port redirections are made on your firewall and put a route for the remote network on your current gateway which points to the OpenBSD host.

It would be great to hear if anyone found this guide useful. If so then I will also write a guide to getting other essential services like PPTP, DNS and DHCP running on the OpenBSD platform.