On Thu, Mar 09, 2006 at 09:29:29PM +0100, Marc Peters wrote:
> i am using -current as of 24.02.2006 and made a release for my other
> machines. i tried the ipsec tutorial which was posted on undeadly.org. i
> have to go with one gateway which has a dynamic ip because it is an
> adsl-connection which is disconnected after 24 hours. when i try to fire

btw., last week i committed two useful extensions to ipsecctl.

- "ike dynamic esp"

  When active or dynamic is specified, negotiation will be started at
  once. The dynamic mode will additionally enable Dead Peer Detection (DPD)
  and use the local hostname as the identity of the local peer, if not
  specified by the srcid parameter. dynamic mode should be used for hosts
  with dynamic IP addresses like road warriors or dialup hosts.

  The DPD option forces the dialup hosts to reconnect after a few seconds
  if they lose the IKE connection (i.e. in case of a provider-forced
  reconnect and a new IPv4 address).

- "bypass" / "deny" flows

  A bypass flow is used to specify a flow for which security processing
  will be bypassed: matching packets will not be processed by any other
  flows and are handled in normal operation. A deny flow is used to drop
  any matching packets. The bypass flows are useful for VPN-subnets, see
  the examples below.

This is a simplified example of a real-world scenario (sorry, I like
ASCII art...):

 [ A-DSL ]-----------(          )
                     ( Internet )---------[ VPN-Gateway ]
 [ A-DSL ]-----------(          )                |
                      (Laptops)------------------+
 \______________________________________________________/
                      VPN 172.16.0.0/16

1.) There are several A-DSL hosts with dynamic IPv4 addresses.
2.) The VPN-Gateway is an internet host with a fixed IPv4 address.
3.) The Laptops are using OpenSSH layer 3 VPN tunneling over TCP (works
    everywhere...)

Configuration examples ([VPN-GATEWAY] is the IPv4 address of the gateway):

1.) Configuration and setup on the A-DSL Host "firsthost.my.domain"

- Initial configuration (you could use keynote and isakmpd.conf, but it
  is not required)

  # rm /etc/isakmpd/isakmpd.*
  # scp [VPN-GATEWAY]:/etc/isakmpd/private/local.pub \
        /etc/isakmpd/pubkeys/ipv4/[VPN-GATEWAY]
  # scp /etc/isakmpd/private/local.pub \
        [VPN-GATEWAY]:/etc/isakmpd/pubkeys/fqdn/$(hostname)

- The internal interface is attached to the local /24 network, set a
  route to the /16 VPN

  # cat /etc/hostname.xl0
  inet 172.16.10.1 255.255.255.0 172.16.10.255
  !route add 172.16.0.0/16 -iface 172.16.10.1

- ipsec configuration (that's all!)

  # cat /etc/ipsec.conf
  flow from 172.16.10.0/24 to 172.23.10.0/24 type bypass
  ike dynamic esp from 172.16.10.0/24 to 172.16.0.0/16 peer [VPN-GATEWAY]

- Setup firewall rules in /etc/pf.conf for the VPN (ike, esp, ...)

- Start isakmpd

  # isakmpd -K && ipsecctl -f /etc/ipsec.conf

2.) Configuration on the VPN-Gateway

- Initial configuration...

  # rm /etc/isakmpd/isakmpd.*

- ipsec configuration

  # cat /etc/ipsec.conf
  ike passive esp from 172.16.10.0/24 to [VPN-GATEWAY] dstid firsthost.my.domain
  ike passive esp from 172.16.11.0/24 to [VPN-GATEWAY] dstid secondhost.my.domain
  ike passive esp from 172.16.12.0/24 to [VPN-GATEWAY] dstid thirdhost.my.domain

- Setup firewall rules in /etc/pf.conf for the VPN (ike, esp, ...)

- Start isakmpd

  # isakmpd -K && ipsecctl -f /etc/ipsec.conf

3.) The laptops are using /30 subnets in the 172.16.0.0/16 range and
they're reachable via the VPN. Have a look at ssh_config(5) or the
src/usr.bin/ssh/README.tun file for details. SSH-VPN can be used almost
everywhere (even with HTTP-proxies and CONNECT, that's a benefit of TCP
over UDP or ESP) and it's the ideal solution for mobile users with
temporary connections.

and it just works... :)

Currently, all the ipsec-hosts are running OpenBSD (what else?) and the
Laptops are running OpenBSD, Linux and MacOS X 10.4.
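A small policy checker, added here as an illustration and not part of ipsecctl or of the mail above: it parses the subset of the ipsec.conf grammar used in the examples, answers whether a given packet is bypassed, tunnelled to the peer, or unmatched, and flags passive gateway rules that lack the dstid by which a dynamic peer (identified by its hostname) is told apart. VPN_GW, the sample configurations and the longest-prefix rule precedence are assumptions made for the example.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample, modelled on the two ipsec.conf fragments in the mail;
# VPN_GW is a documentation address standing in for [VPN-GATEWAY].
VPN_GW = "192.0.2.1"
ADSL_CONF = f"""
flow from 172.16.10.0/24 to 172.23.10.0/24 type bypass
ike dynamic esp from 172.16.10.0/24 to 172.16.0.0/16 peer {VPN_GW}
"""
GW_CONF = f"""
ike passive esp from 172.16.10.0/24 to {VPN_GW} dstid firsthost.my.domain
ike passive esp from 172.16.11.0/24 to {VPN_GW}
"""

# Only the keywords the examples use: flow/ike, mode, esp, from/to, peer, dstid, type.
RULE_RE = re.compile(
    r"^(flow|ike)\s+(?:(dynamic|active|passive)\s+)?(?:esp\s+)?"
    r"from\s+(\S+)\s+to\s+(\S+)(?:\s+peer\s+(\S+))?"
    r"(?:\s+dstid\s+(\S+))?(?:\s+type\s+(\w+))?$")

Rule = namedtuple("Rule", "kind mode src dst peer dstid ftype")  # ftype: bypass/deny/require

def parse(conf):
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m: raise ValueError(f"unsupported rule: {line}")
        kind, mode, src, dst, peer, dstid, ftype = m.groups()
        rules.append(Rule(kind, mode or "", ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), peer or "", dstid or "",
                          ftype or "require"))  # "require" = tunnel it (flow default)
    return rules

def lookup(rules, src, dst):
    """Action for a packet. Assumption: the most specific matching rule
    wins, mirroring the kernel SPD, which keys flows by src/dst prefix."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [r for r in rules if s in r.src and d in r.dst]
    if not hits: return ("none", "")
    r = max(hits, key=lambda r: r.src.prefixlen + r.dst.prefixlen)
    return (r.ftype, r.peer if r.ftype == "require" else "")

def passive_rules_without_dstid(rules):
    """Gateway-side check: a dynamic peer presents its hostname as its
    identity, so each passive rule for one should carry a dstid."""
    return [str(r.src) for r in rules if r.mode == "passive" and not r.dstid]
```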
reyk

-- 
/* .vantronix|secure systems - (research & development)
 * reyk floeter - friendly known free software engineer
 * [EMAIL PROTECTED] - http://team.vantronix.net/reyk/
 */