btw.,

On Thu, Mar 09, 2006 at 09:29:29PM +0100, Marc Peters wrote:
> i am using -current as of 24.02.2006 and made a release for my other
> machines. i tried the ipsec tutorial which was posted on undeadly.org. i
> have to go with one gateway which has a dynamic ip because it is an
> adsl-connection which is disconnected after 24 hours. when i try to fire

last week i committed two useful extensions to ipsecctl.

- "ike dynamic esp"

        When active or dynamic is specified, negotiation will be started at
        once.  The dynamic mode will additionally enable Dead Peer Detection
        (DPD) and use the local hostname as the identity of the local peer, if
        not specified by the srcid parameter.  dynamic mode should be used for
        hosts with dynamic IP addresses like road warriors or dialup hosts.

        The DPD option forces the dialup hosts to reconnect after a few
        seconds if they lose the IKE connection (i.e. in case of a
        provider-forced reconnect and a new IPv4 address).

- "bypass" / "deny" flows

        bypass flow is used to specify a flow for which security processing
        will be bypassed: matching packets will not be processed by any other
        flows and handled in normal operation.  A deny flow is used to drop
        any matching packets.

        The bypass flows are useful for VPN-subnets, see the examples below.


This is a simplified example of a real-world scenario (sorry, I like ASCII 
art...):

[ A-DSL ]-----------(        )
                   ( Internet )---------[ VPN-Gateway ]
[ A-DSL ]-----------(        )
                        |
(Laptops)---------------+
\_____________________________________________________/
                 VPN 172.16.0.0/16

1.) There are several A-DSL hosts with dynamic IPv4 addresses.
2.) The VPN-Gateway is an internet host with a fixed IPv4 address.
3.) The Laptops are using OpenSSH layer 3 VPN tunneling over TCP (works 
everywhere...)


Configuration examples ([VPN-GATEWAY] is the IPv4 address of the gateway):

1.) Configuration and setup on the A-DSL Host "firsthost.my.domain"

- Initial configuration (you could use keynote and isakmpd.conf, but it is not 
required)
# rm /etc/isakmpd/isakmpd.*
# scp [VPN-GATEWAY]:/etc/isakmpd/private/local.pub /etc/isakmpd/pubkeys/ipv4/[VPN-GATEWAY]
# scp /etc/isakmpd/private/local.pub [VPN-GATEWAY]:/etc/isakmpd/pubkeys/fqdn/$(hostname)

- The internal interface is attached to the local /24 network, set a route to 
the /16 VPN
# cat /etc/hostname.xl0
inet 172.16.10.1 255.255.255.0 172.16.10.255
!route add 172.16.0.0/16 -iface 172.16.10.1

- ipsec configuration (that's all!)
# cat /etc/ipsec.conf
flow from 172.16.10.0/24 to 172.23.10.0/24 type bypass
ike dynamic esp from 172.16.10.0/24 to 172.16.0.0/16 peer [VPN-GATEWAY]

- Setup firewall rules in /etc/pf.conf for the VPN (ike, esp, ...)

- Start isakmpd
# isakmpd -K && ipsecctl -f /etc/ipsec.conf

2.) Configuration on the VPN-Gateway

- Initial configuration...
# rm /etc/isakmpd/isakmpd.*

- ipsec configuration
# cat /etc/ipsec.conf
ike passive esp from 172.16.10.0/24 to [VPN-GATEWAY] dstid firsthost.my.domain
ike passive esp from 172.16.11.0/24 to [VPN-GATEWAY] dstid secondhost.my.domain
ike passive esp from 172.16.12.0/24 to [VPN-GATEWAY] dstid thirdhost.my.domain

- Setup firewall rules in /etc/pf.conf for the VPN (ike, esp, ...)

- Start isakmpd
# isakmpd -K && ipsecctl -f /etc/ipsec.conf

3.) The laptops are using /30 subnets in the 172.16.0.0/16 range and
they're reachable via the VPN. Have a look at ssh_config(5) or the
src/usr.bin/ssh/README.tun file for details. SSH-VPN can be used
almost everywhere (even with HTTP-proxies and CONNECT, that's a
benefit of TCP over UDP or ESP) and it's the ideal solution for
mobile users with temporary connections.

and it just works... :)

Currently, all the ipsec-hosts are running OpenBSD (what else?) and
the Laptops are running OpenBSD, Linux and MacOS X 10.4.

reyk

-- 
/* .vantronix|secure systems - (research & development)
 * reyk floeter - friendly known free software engineer
 * [EMAIL PROTECTED] - http://team.vantronix.net/reyk/
 */
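As an added example (not part of the mail above, and not code from the ipsecctl or isakmpd projects): a small POSIX shell check for the two-sided setup described above. On the gateway, every `ike passive ... dstid <fqdn>` rule authenticates a dialup host with `/etc/isakmpd/pubkeys/fqdn/<fqdn>`; on a dialup host, `ike dynamic ... peer <ip>` needs the gateway's key under `pubkeys/ipv4/<ip>`, and the identity it presents is its `srcid` if set, otherwise its hostname. A missing or misnamed key file is the usual reason IKE phase 1 silently never completes after a copy step was skipped. The functions take the config file and key directory as arguments so they can run against the constructed sample tree built by `make_sample_tree` (192.0.2.1 is a documentation address standing in for `[VPN-GATEWAY]`; the key files are dummies).

```shell
# Consistency check between ipsec.conf and the isakmpd public key store.
# Added example; not part of the original mail or of ipsecctl/isakmpd.
# Assumption: the OpenBSD layout <keydir>/{fqdn,ipv4}/<identity>.

# Print every value that follows keyword $2 in config file $1, skipping
# comment lines: "dstid" on the gateway, "peer"/"srcid" on the dialup host.
conf_values() {
    grep -v '^[[:space:]]*#' "$1" | awk -v k="$2" '
        { for (i = 1; i < NF; i++) if ($i == k) print $(i + 1) }'
}

# Gateway side: each "ike passive ... dstid <fqdn>" rule needs a non-empty
# pubkeys/fqdn/<fqdn>, or that dialup host can never authenticate.
# Prints the number of missing keys (0 means consistent).
check_gateway_keys() {
    conf=$1; keydir=$2; missing=0
    for id in $(conf_values "$conf" dstid); do
        if [ ! -s "$keydir/fqdn/$id" ]; then
            echo "gateway: no public key for dstid $id ($keydir/fqdn/$id)" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Dialup side: "ike dynamic esp ... peer <ip>" needs the gateway's key at
# pubkeys/ipv4/<ip>. Prints the number of missing keys.
check_dialup_keys() {
    conf=$1; keydir=$2; missing=0
    for ip in $(conf_values "$conf" peer); do
        if [ ! -s "$keydir/ipv4/$ip" ]; then
            echo "dialup: no public key for peer $ip ($keydir/ipv4/$ip)" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Identity the dialup host presents in dynamic mode: the srcid value if
# configured, otherwise its hostname. The gateway's dstid must equal this.
dialup_identity() {
    id=$(conf_values "$1" srcid | head -n 1)
    [ -n "$id" ] && echo "$id" || hostname
}

# Constructed sample tree mirroring the mail's setup (192.0.2.1 stands in
# for [VPN-GATEWAY]; thirdhost's key is deliberately left out).
# Prints the temporary directory it created.
make_sample_tree() {
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/pubkeys/fqdn" "$d/pubkeys/ipv4"
    cat > "$d/gateway.conf" <<'EOF'
# gateway /etc/ipsec.conf (constructed)
ike passive esp from 172.16.10.0/24 to 192.0.2.1 dstid firsthost.my.domain
ike passive esp from 172.16.11.0/24 to 192.0.2.1 dstid secondhost.my.domain
ike passive esp from 172.16.12.0/24 to 192.0.2.1 dstid thirdhost.my.domain
EOF
    cat > "$d/dialup.conf" <<'EOF'
# firsthost /etc/ipsec.conf (constructed)
flow from 172.16.10.0/24 to 172.23.10.0/24 type bypass
ike dynamic esp from 172.16.10.0/24 to 172.16.0.0/16 peer 192.0.2.1 srcid firsthost.my.domain
EOF
    for h in firsthost secondhost; do echo dummy > "$d/pubkeys/fqdn/$h.my.domain"; done
    echo dummy > "$d/pubkeys/ipv4/192.0.2.1"
    echo "$d"
}

# Usage on a real gateway:
#   check_gateway_keys /etc/ipsec.conf /etc/isakmpd/pubkeys
# Usage on a dialup host:
#   check_dialup_keys /etc/ipsec.conf /etc/isakmpd/pubkeys; dialup_identity /etc/ipsec.conf
```

Run `ipsecctl -n -f /etc/ipsec.conf` first to make sure the file parses; this script only checks that the key material the rules refer to is actually in place, it does not validate the rule syntax itself.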
