This short article looks at how to get a fully functional IPSec VPN up and running between two fresh OpenBSD installations in about four minutes flat.
Zero to IPSec in 4 minutes
2006-03-20
Anonymous (1 replies)

All machines are running OpenBSD 4.0 release version.
My test net looks like this:
(a 192.168.2.5)<->(192.168.2.8 b 192.168.3.8) <-> (192.168.3.7 c 192.168.4.7) <-> (192.168.4.9 d)
The two nets to link are 192.168.2 and 192.168.4
"a" and "d" are client machines.
"b" and "c" are the vpn machines.
The ipsec.conf on "b" is:

# cat /etc/isakmpd/ipsec.conf
ike esp from 192.168.3.8 to 192.168.3.7
ike esp from 192.168.2.8 to 192.168.4.0/24 peer 192.168.3.7
ike esp from 192.168.2.0/24 to 192.168.4.0/24 peer 192.168.3.7

The ipsec.conf on "c" is:

# cat /etc/isakmpd/ipsec.conf
ike esp from 192.168.3.7 to 192.168.3.8
ike esp from 192.168.3.7 to 192.168.2.0/24 peer 192.168.3.8
ike esp from 192.168.4.0/24 to 192.168.2.0/24 peer 192.168.3.8
Ping from 192.168.4.7 to 192.168.2.8 works only if the tunnel is up.
Ping from 192.168.2.8 to 192.168.4.7 works only if the tunnel is up.
The bad part:
ping from 192.168.2.5 (a) to any 192.168.4 fails
ping from 192.168.4.9 (d) to any 192.168.2 fails
On "a", the route to 192.168.4 is via 192.168.2.8
On "d", the route to 192.168.2 is via 192.168.4.7
pf is NOT running on b, c, and d
pf has "skip on {dc0, dc1}" which include 192.168.2.5
Any clues? Any suggestions on what to try? Have I left out any essential information?
Thanks 1000x!
Link to this comment: http://www.securityfocus.com/comments/infocus/1859/774#774
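An added example, not part of the original post and not an OpenBSD tool: a small Python script that parses the two ipsec.conf listings quoted above, checks whether every "from X to Y" flow on one gateway has a mirror "from Y to X" on the peer (each side's flow becomes its phase 2 proposal, so a one-sided flow cannot be negotiated), and approximates the kernel's most-specific flow lookup for a packet between the client machines. Run on the listings it flags two one-sided flows (192.168.2.8 -> 192.168.4.0/24 on b and 192.168.3.7 -> 192.168.2.0/24 on c) and shows the /24-to-/24 flow is the one an a-to-d packet selects; the lookup rule is a simplification of the real SPD match.

```python
import ipaddress

# ipsec.conf contents as quoted in the post for gateways "b" and "c".
CONF_B = """\
ike esp from 192.168.3.8 to 192.168.3.7
ike esp from 192.168.2.8 to 192.168.4.0/24 peer 192.168.3.7
ike esp from 192.168.2.0/24 to 192.168.4.0/24 peer 192.168.3.7
"""
CONF_C = """\
ike esp from 192.168.3.7 to 192.168.3.8
ike esp from 192.168.3.7 to 192.168.2.0/24 peer 192.168.3.8
ike esp from 192.168.4.0/24 to 192.168.2.0/24 peer 192.168.3.8
"""


def parse_flows(conf):
    """Return (src_net, dst_net) pairs from 'ike esp from A to B [peer P]' lines.

    Host addresses become /32 networks so that the same matching code applies.
    """
    flows = []
    for line in conf.splitlines():
        tok = line.split()
        if len(tok) >= 6 and tok[:3] == ["ike", "esp", "from"] and tok[4] == "to":
            flows.append((ipaddress.ip_network(tok[3]), ipaddress.ip_network(tok[5])))
    return flows


def unmirrored(local, remote):
    """Flows on `local` whose reverse (dst -> src) does not appear on `remote`.

    A flow with no mirror on the peer has no matching policy there, so the
    phase 2 negotiation it proposes has nothing to agree with.
    """
    reverse = {(dst, src) for src, dst in remote}
    return [flow for flow in local if flow not in reverse]


def lookup(flows, src, dst):
    """Simplified SPD lookup: the most specific flow covering (src, dst), or None.

    Specificity is approximated as the sum of the two prefix lengths.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [f for f in flows if src in f[0] and dst in f[1]]
    return max(hits, key=lambda f: f[0].prefixlen + f[1].prefixlen, default=None)


if __name__ == "__main__":
    b, c = parse_flows(CONF_B), parse_flows(CONF_C)
    print("one-sided on b:", unmirrored(b, c))
    print("one-sided on c:", unmirrored(c, b))
    print("a -> d uses:", lookup(b, "192.168.2.5", "192.168.4.9"))
```

On the real gateways, `ipsecctl -sa` lists the flows and SAs the kernel actually holds, which is the ground truth this model only approximates.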