Zero to IPSec in 4 minutes
Dragos Ruiu

This short article looks at how to get a fully functional IPSec VPN up and running between two fresh OpenBSD installations in about four minutes flat.

Zero to IPSec in 4 minutes 2006-03-01
Ron W. Szpak (1 replies)
Dragos: Brilliant!!!

"Proof Points" such as this article illustrate the "pure" value proposition of secure ultra reliable open source gateways.

Thank-you and the OpenBSD team for your unrelenting, hard-headed focused work ethic and the constant pursuit of digital perfection.

Best regards,

...

Re: Zero to IPSec in 4 minutes 2007-02-24
Reza A.
it doesn't get any easier than www.pfsense.com...

Zero to IPSec in 4 minutes 2006-03-01
Anonymous
One teeny-tiny nitlet in an otherwise very nice article: you shouldn't edit /etc/rc.conf, you should instead put any changes into /etc/rc.conf.local, they'll override what's in /etc/rc.conf....

Zero to IPSec in 4 minutes 2006-03-01
Anonymous (1 replies)
racoon configuration is just as simple. OBSD is behind the curve in this aspect IMO.

...

Re: Zero to IPSec in 4 minutes 2006-03-02
Nate
I have to disagree with you there ipsec-tools is nowhere near as clean nor easy to use as the OpenBSD implementation....

Zero to IPSec in 4 minutes 2006-03-01
Anonymous
Woah. Talk about a no-brainer IPSEC VPN. Time to donate some more to OpenBSD......

pf.conf typo? 2006-03-01
Will B (1 replies)
pf.conf might have a typo on the nat line.

ftom? Should that be from?...

Re: pf.conf typo? 2006-03-01
Kelly Martin
Thanks Will for catching that, it's been corrected......

Zero to IPSec in 4 minutes 2006-03-02
Anonymous (1 replies)
Nice article, thanks.

But (correct me if I'm wrong) this is still essentially the same symmetric situation that all of the previous IPSec examples (e.g. in the KAME documentation) have described.

Most people (myself included) need a way to connect to corporate, proprietary IPSec VPN systems such as ...

Re: Zero to IPSec in 4 minutes 2006-03-09
Anonymous
to connect to a Cisco VPN Concentrator use

vpnc from the OpenBSD Ports.

Kind regards...

Zero to IPSec in 4 minutes 2006-03-02
Anonymous
To answer my previous comment about Cisco IPSec VPN setup: the FreeBSD port security/vpnc seems to work very nicely indeed. Top stuff....

editing rc.conf 2006-03-02
marco
you might suggest putting the changes in rc.conf.local instead...

rc.conf typo? 2006-03-06
nikns
There should be

isakmpd_flags="-K"

instead of isakmpd="-K", since

# grep isakmpd /etc/rc
# $isakmpd_flags is imported from /etc/rc.conf;
# If $isakmpd_flags == NO, isakmpd isn't run.
if [ X"${isakmpd_flags}" != X"NO" ]; then
        echo 'starting isakmpd'; isakmpd ${isakmpd_flags}

...

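The two points made in the rc.conf comments above (rc.conf.local overrides rc.conf because /etc/rc reads it second, and the startup test only looks at $isakmpd_flags, so a line spelled isakmpd="-K" is ignored) as an added example in Python. This is not code from the article or from OpenBSD's /etc/rc; it re-implements the shell test quoted above over the merged contents of the two files. The rc.conf and rc.conf.local excerpts are constructed for the example and only simple NAME=value lines are understood.

```python
"""Effective isakmpd settings from /etc/rc.conf plus /etc/rc.conf.local.

Added example; not code from the article or from OpenBSD's /etc/rc. Two
points from the thread are modelled: /etc/rc reads rc.conf and then
rc.conf.local, so the local file overrides; and the test quoted above only
looks at $isakmpd_flags, so a stray isakmpd="-K" line changes nothing.
Only simple NAME=value lines are understood (no shell expansion, and no
values containing '#').
"""
import re

_NAME = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')


def parse_rc(text):
    """Return {name: value} for NAME=value lines; quotes and comments stripped."""
    values = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if '=' not in line:
            continue
        name, _, value = line.partition('=')
        name = name.strip()
        if not _NAME.fullmatch(name):
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            value = value[1:-1]
        values[name] = value
    return values


def effective_rc(rc_conf, rc_conf_local):
    """Merge as /etc/rc sees it: rc.conf first, rc.conf.local wins on conflict."""
    merged = parse_rc(rc_conf)
    merged.update(parse_rc(rc_conf_local))
    return merged


def isakmpd_status(merged):
    """Mimic: if [ X"${isakmpd_flags}" != X"NO" ]; then isakmpd ${isakmpd_flags}

    Returns (will_run, flags, warnings).
    """
    warnings = []
    if 'isakmpd' in merged:
        warnings.append('isakmpd=... is not read by /etc/rc; use isakmpd_flags=')
    flags = merged.get('isakmpd_flags', '')  # an unset variable expands to '' in the shell test
    return flags != 'NO', flags, warnings


# Constructed sample files in the style of the thread; not real system files.
RC_CONF = """\
pf=YES
isakmpd_flags=NO        # for normal use: "-K"
"""
WRONG_LOCAL = 'isakmpd="-K"\n'          # the typo nikns points out: silently ignored
RIGHT_LOCAL = 'isakmpd_flags="-K"\n'    # the variable /etc/rc actually tests

if __name__ == '__main__':
    for label, local in (('wrong', WRONG_LOCAL), ('right', RIGHT_LOCAL)):
        print(label, isakmpd_status(effective_rc(RC_CONF, local)))
```

With the misspelled line the merged result still carries isakmpd_flags=NO from rc.conf, so isakmpd never starts and the only clue is the unused isakmpd variable; with isakmpd_flags="-K" in rc.conf.local the local value wins and isakmpd starts with -K.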
Zero to IPSec in 4 minutes 2006-03-07
NGardner
Has anyone seen a good article on how to set up an OpenBSD IPSec VPN that can be connected to via the native IPSec client on a Windows XP system (like a laptop or other remote box)? I'd like to get an IPSec VPN connection through an OpenBSD firewall/NAT box from Windows boxen at remote sites....

Zero to IPSec in 4 minutes -DHCP? 2006-03-20
JB (1 replies)
But what if one of the machines has to connect via DHCP as many of us do from home?...

Re: Zero to IPSec in 4 minutes -DHCP? 2007-02-17
Anonymous
How about openvpn.net, a good, easy and simple... SSL-VPN solution....

Zero to IPSec in 4 minutes 2006-03-20
Anonymous (1 replies)
Well you sure can get a setup working like the paper says BUT both the paper and the man page for ipsec.conf blithely state that you can do FQDN setups by using srcid fqdn and dstid fqdn and leave it at that without an example or any BNF so you can see HOW you use those keywords.

I'd love to see the...

Re: Zero to IPSec in 4 minutes 2006-05-04
hackmann (1 replies)
It's actually as simple as they said. ipsec.conf even has this sample:

# Set up two tunnels using automatic keying with isakmpd(8):
#
# First between the networks 10.1.1.0/24 and 10.1.2.0/24,
# second between the machines 192.168.3.1 and 192.168.3.2.
# Use FQDNs as IDs.
ike esp from 10.1.1...

Re: Re: Zero to IPSec in 4 minutes 2007-10-13
Anonymous
What is the point of this, if you still need to know the IP addresses?

If you can either use the address, or the address AND fqdn, why type the extra?

I guess what I was hoping for was a solution between two dynamic IP DSL setups, without a lot of ifup/down toying....

Zero to IPSec in 4 minutes 2006-09-17
Dale
As I am new to configuring VPNs, could you clarify why one of the VPN nodes is supposed to be set up in passive mode. I don't think that this is what you are saying but from reading your example I get that if one end is set up as passive that you can only reach network A from B and not reach networ...

Zero to IPSec in 4 minutes 2006-12-02
Anonymous
The article is very helpful... but I'm dense, and can't get from external-net-a to external-net-b.

All machines are running OpenBSD 4.0 release version.

My test net looks like this:

(a 192.168.2.5)<->(192.168.2.8 b 192.168.3.8) <-> (192.168.3.7 c 192.168.4.7) <-> (192.168.4.9 d)

The two ...

IPSec LAN 2007-02-14
Bigg Scuza
Can you provide an example of IPSec NAT configuration? In other words, I want to configure IPSec to provide an encrypted Local Area Network.

If you can not provide an example configuration could you direct me to resources. I have searched the web extensively and read OBSD man pages, but did not...

Zero to IPSec in 4 minutes 2007-08-08
Anonymous
Nice article for site-to-site VPN setup. A follow up article showing a "Road Warrior" configuration would also be nice. We use OpenBSD as our company's firewall/NAT box and would like to add IPSEC so that our traveling staff can connect remotely....

Zero to IPSec in 4 minutes 2007-09-27
Anonymous
I want information about the way... how to learn different algorithms and protocols of Cisco networking tools....

Zero to IPSec in 4 minutes 2008-01-04
Davan
Thank-you for this great article. However, we found that we needed a couple extra lines to get it working.

For Firewall A in /etc/ipsec.conf we needed:

ike esp from 10.1.1.0/24 to 5.6.7.8

And for Firewall B we similarly needed:

ike passive esp from 10.2.2.0/24 to 1.2.3.4

Thoughts/Idea...

Need to enable ESP/AH 2008-03-01
Tom - lobato (at) tiencon.com (dot) br
Great article! I just have a complement and a suggestion.

On OpenBSD 4.0 (not tested on later versions) I had to enable ESP and AH to get IPsec working (I've not tried enabling only one of them). Before that I got errors as below:

isakmpd: exchange_run: doi->initiator failed isakmpd: pf_key_v2_ge...

Zero to IPSec in 4 minutes 2009-03-31
Anonymous (1 replies)
I have done exactly what the article says and it doesn't work (also tried with the corrections from the comments). I get the error "ENCRYPTION_ALGORITHM: got 3DES_CBC, expected AES_CBC" and I still don't know how to make it work.. I'll spend more time searching on google for hints and if I find out ...

Re: Zero to IPSec in 4 minutes 2009-08-10
Anonymous
Double check your corrections. I just got it to work on OpenBSD 4.5 with the following in /etc/ipsec.conf

local_ip="1.2.3.4"
local_network="192.168.128.0/24"
remote_ip="5.6.7.8"
remote_network="172.16.2.0/24"
ike esp from { $local_ip $local_network } to { $remote_ip $remote_network } peer $...

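The failures the later comments run into are all consistency problems between the two ends' ipsec.conf files: Davan's flows that needed a mirror rule on the other firewall, the "got 3DES_CBC, expected AES_CBC" proposal mismatch, and the macro-plus-brace-list syntax in the OpenBSD 4.5 configuration just above. As an added example, not code from the article or from OpenBSD, here is a Python cross-checker for the subset of ipsec.conf(5) syntax used in this thread (name="value" macros, $name substitution, { } lists after from/to, and ike rules with passive/active, esp/ah, peer, local, main, quick and psk). It expands each rule into its individual flows and reports flows with no dst-to-src mirror on the other side, pairs where both ends are passive, and explicit enc choices that disagree. It does not know isakmpd's built-in defaults, so an enc set on one side only is reported as a warning rather than resolved. The sample configurations, addresses and PSK are constructed placeholders.

```python
"""Cross-check two OpenBSD ipsec.conf files for the mismatches this thread hits.

Added example; not code from the article or from OpenBSD. Only the subset of
ipsec.conf(5) used in the thread is parsed; any other keyword raises.
"""
import itertools
import re

SUB_KEYS = {'auth', 'enc', 'group', 'lifetime'}
VALUE_KEYS = {'from', 'to', 'peer', 'local', 'psk', 'srcid', 'dstid'}


def _take_value(tokens, i):
    """Return (list_of_values, next_index); a '{ a b }' list yields several values."""
    if tokens[i] == '{':
        j = tokens.index('}', i)
        return tokens[i + 1:j], j + 1
    return [tokens[i]], i + 1


def parse_ipsec_conf(text):
    """Return a list of ike rule dicts with macros expanded and flows spelled out."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r'([A-Za-z_]\w*)=\s*"?([^"]*)"?', line)
        if m:                                   # macro definition, e.g. local_ip="1.2.3.4"
            macros[m.group(1)] = m.group(2).strip()
            continue
        line = re.sub(r'\$(\w+)', lambda mm: macros[mm.group(1)], line)
        tokens = line.replace('{', ' { ').replace('}', ' } ').split()
        if tokens[0] != 'ike':
            continue                            # manual flow/esp/ah rules are out of scope here
        rule = {'mode': 'active', 'encap': 'esp', 'main': {}, 'quick': {}}
        i = 1
        while tokens[i] in ('active', 'passive', 'dynamic', 'esp', 'ah', 'tunnel', 'transport'):
            key = ('mode' if tokens[i] in ('active', 'passive', 'dynamic')
                   else 'encap' if tokens[i] in ('esp', 'ah') else 'tmode')
            rule[key] = tokens[i]
            i += 1
        while i < len(tokens):
            key = tokens[i]
            i += 1
            if key in VALUE_KEYS:
                rule[key], i = _take_value(tokens, i)
            elif key in ('main', 'quick'):     # phase 1 / phase 2 proposal sub-options
                while i < len(tokens) and tokens[i] in SUB_KEYS:
                    rule[key][tokens[i]] = tokens[i + 1]
                    i += 2
            else:
                raise ValueError(f'unsupported keyword {key!r} in: {line}')
        # a { a b } to { c d } rule is shorthand for every src/dst combination
        rule['flows'] = list(itertools.product(rule['from'], rule['to']))
        rules.append(rule)
    return rules


def cross_check(side_a, side_b):
    """Return problem strings for two parsed configs; an empty list means consistent."""
    problems = []
    index_a = {flow: r for r in side_a for flow in r['flows']}
    index_b = {flow: r for r in side_b for flow in r['flows']}
    for (src, dst), ra in index_a.items():
        rb = index_b.get((dst, src))
        if rb is None:
            problems.append(f'A has {src} -> {dst} but B has no {dst} -> {src}')
            continue
        if ra['mode'] == 'passive' and rb['mode'] == 'passive':
            problems.append(f'{src} <-> {dst}: both sides passive, nobody will initiate')
        for phase in ('main', 'quick'):
            ea, eb = ra[phase].get('enc'), rb[phase].get('enc')
            if ea and eb and ea != eb:
                problems.append(f'{src} <-> {dst}: {phase} enc {ea} vs {eb}')
            elif (ea is None) != (eb is None):
                problems.append(f'{src} <-> {dst}: {phase} enc {ea or eb} set on one side only')
    for src, dst in index_b:
        if (dst, src) not in index_a:
            problems.append(f'B has {src} -> {dst} but A has no {dst} -> {src}')
    return problems


# Constructed sample configs modelled on the OpenBSD 4.5 comment above; placeholders only.
SIDE_A = """\
local_ip="1.2.3.4"
local_network="192.168.128.0/24"
remote_ip="5.6.7.8"
remote_network="172.16.2.0/24"
ike esp from { $local_ip $local_network } to { $remote_ip $remote_network } peer $remote_ip quick enc aes psk placeholderpsk
"""
SIDE_B = """\
ike passive esp from { 5.6.7.8 172.16.2.0/24 } to { 1.2.3.4 192.168.128.0/24 } peer 1.2.3.4 quick enc aes psk placeholderpsk
"""
# A broken pair: a host-to-gateway flow with no mirror on B, and disagreeing phase 2 ciphers.
BROKEN_A = """\
ike esp from 192.168.128.0/24 to 172.16.2.0/24 peer 5.6.7.8 quick enc aes psk placeholderpsk
ike esp from 192.168.128.0/24 to 5.6.7.8 peer 5.6.7.8 quick enc aes psk placeholderpsk
"""
BROKEN_B = """\
ike passive esp from 172.16.2.0/24 to 192.168.128.0/24 peer 1.2.3.4 quick enc 3des psk placeholderpsk
"""

if __name__ == '__main__':
    print(cross_check(parse_ipsec_conf(SIDE_A), parse_ipsec_conf(SIDE_B)))
    print(cross_check(parse_ipsec_conf(BROKEN_A), parse_ipsec_conf(BROKEN_B)))
```

Run it against the two files before loading them with ipsecctl: the first pair comes back clean, the second reports the unmatched host flow and the aes/3des disagreement, which is the shape of the "got 3DES_CBC, expected AES_CBC" complaint in the thread.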
Copyright 2009, SecurityFocus