Marcos,

Basically I use the ISAKMPD (daemon) started up from rc.conf.local. The daemon
reads the configuration from isakmpd.conf and isakmpd.policy. Also, my pf.conf
has rules to block any attempt to access the VPN from unauthorized hosts. This
kind of VPN is perfect for a Windows PC and you can use the ipseccmd or netsh
or ipsecpol scripts or the GUI interface to establish the tunnel to the
network for which you just created the tunnel. You can use any OS PC to access
the VPN, but this is the scenario my clients ask for.

Below is a sample of the files needed. Please note that you can add the lines
or modify an existing file to reflect the excerpt.

Pay attention to some modifications you MUST do. In the isakmpd.conf you must
change the settings in bold to reflect your system. For example:
* 212.212.212.212 is the IP address of your external interface (Internet). It
can be an IP address or an interface, like xl0.
* 222.222.222.222 represents the IP address of the gateway that establishes
the LAN-LAN tunnel.
* your-pre-shared-key-string1 and your-pre-shared-key-string2 must reflect the
pass-phrase used to authenticate your networks and PCs. Basically, it is your
"poor" security mechanism. A better approach would be the use of certificates.
They can be the same, or not.
* 192.168.0.0 and 255.255.255.0 must identify your network and network mask,
respectively.
* 10.0.0.0 and 255.0.0.0 must identify the remote network and network mask,
respectively.

As I said before, the use of certificates for a PC-LAN tunnel is more secure
and more manageable, as various users can use this VPN. This isakmpd.policy
file is very simple; you can do more than that if you need to.

The flag "-L" creates the file /var/run/isakmpd.pcap that helps to identify
problems establishing the VPN. You can use a command like tcpdump -avs 1440 -r
/var/run/isakmpd.pcap to follow the negotiation between the hosts involved.
After the diagnosis, you can remove the flag "-L" from your configuration -
this file can grow fast depending on the use of the VPN. Also, you can use
tcpdump to see if UDP/500 traffic has been blocked by your firewall.

The isakmpd.conf below supports the two types of VPN I commented before.

The pf.conf is a mix of various firewalls, so it is a little confusing and
some rules may not be necessary. As you can see, I have a file with the hosts
that can connect to the VPN (despite the pass-phrase). The IP address pointed
to by the macro netX_fw could be in the file vpn-cli.txt. With netX_lan it is
slightly different because the tunnel has two blocking points: the gateways
involved and the hosts/LANs involved. As you can see, you can block the
traffic inside the tunnel. In the kind of VPN you asked for, the gateway is
the same as the endpoint.

Finally, here are two ways to connect a Windows PC with the tunnel: ipseccmd
and netsh. The ipsecpol is old (Windows 2000) and the GUI way has a KB
article from Microsoft (http://support.microsoft.com/kb/816514/en-us). There
is a problem with W2K8 and Vista with IPSec. You call any of the scripts
providing your IP address as a parameter, like:
* c:\mytunnel_ipseccmd.cmd <mi_direccion_ip>
* c:\mytunnel_netsh.cmd <mi_direccion_ip>


Just for the sake of curiosity: where are you from? I'm from Brazil.

Best Regards,
Marcello

c:\mytunnel_ipseccmd.cmd
ipseccmd.exe -u
ipseccmd.exe -f 0=192.168.0.0/255.255.255.0 -n ESP[3DES,SHA] -t 212.212.212.212 -a PRESHARE:"your-pre-shared-key-string2" -1s 3DES-SHA-2
ipseccmd.exe -f 192.168.0.0/255.255.255.0=0 -n ESP[3DES,SHA] -t %1 -a PRESHARE:"your-pre-shared-key-string2" -1s 3DES-SHA-2

c:\mytunnel_netsh.cmd
netsh ipsec dynamic add mmpolicy name=Remoto-MM mmsecmethods=3DES-SHA1-2
netsh ipsec dynamic add qmpolicy name=Remoto-QM soft=no pfsgroup=NOPFS qmsecmethods=ESP[3DES,SHA1]

netsh ipsec dynamic add rule srcaddr=0.0.0.0 dstaddr=192.168.0.0 mmpolicy=Remoto-MM qmpolicy=Remoto-QM mirrored=no srcmask=32 dstmask=24 tunneldstaddress=212.212.212.212 psk=your-pre-shared-key-string2

netsh ipsec dynamic add rule srcaddr=192.168.0.0 dstaddr=0.0.0.0 mmpolicy=Remoto-MM qmpolicy=Remoto-QM mirrored=no srcmask=24 dstmask=32 tunneldstaddress=%1 psk=your-pre-shared-key-string2

/etc/pf.conf
table <vpn_cli> persist file "/etc/folder/vpn-cli.txt"
netX_fw = "222.222.222.222"
netX_lan = "10.0.0.0/24"

# Rules to permit LAN-LAN IPSec traffic
#######################################
pass in  quick on $ext_if inet proto esp from { $netX_fw } to $ext_if
pass out quick on $ext_if inet proto esp from $ext_if to { $netX_fw }
pass in  quick on $ext_if inet proto udp from { $netX_fw } to $ext_if port isakmp keep state
pass out quick on $ext_if inet proto udp from $ext_if to { $netX_fw } port isakmp keep state

# Rules to permit PC-LAN IPSec Traffic
######################################
pass in  quick on $ext_if inet proto esp from <vpn_cli> to $ext_if
pass out quick on $ext_if inet proto esp from $ext_if to <vpn_cli>
pass in  quick on $ext_if inet proto udp from <vpn_cli> to $ext_if port isakmp keep state
pass out quick on $ext_if inet proto udp from $ext_if to <vpn_cli> port isakmp keep state

# Rules to encapsulate/decapsulate IP Traffic
#############################################
pass in  quick on enc0 proto ipencap all
pass out quick on enc0 all

# VPN rules between endpoints of the tunnel
###########################################
pass  in  quick log on enc0 inet proto tcp from <vpn_cli> port 1433 to { 192.168.0.1, 192.168.0.254 } keep state
block out quick log on enc0 inet proto tcp from ! 192.168.0.100 to <vpn_cli> port { 1433, 22, 80, 443 }
block in  quick log on enc0 inet proto tcp from <vpn_cli> port { 1433, 22, 80, 443 } to ! 192.168.0.100
pass  in  quick log on enc0 inet from $netX_lan to $int_net keep state
pass  out quick log on enc0 inet from $int_net to $netX_lan keep state

/etc/folder/vpn-cli.txt
200.200.200.200
192.168.99.1

/etc/rc.conf.local
isakmpd_flags="-L"

/etc/isakmpd/isakmpd.policy
KeyNote-Version: 2
Authorizer: "POLICY"

/etc/isakmpd/isakmpd.conf
[General]
Listen-on=                      212.212.212.212
Default-phase-1-lifetime=       1200,60:86400
Default-phase-2-lifetime=       3600,60:86400

[Phase 1]
222.222.222.222=        FW-NetworkX
Default=                RemoteClient

[Phase 2]
Connections=            IPSec-NetworkX
Passive-Connections=    IPSec-Remote

# ISAKMP Phase 1 peer sections
##############################

[FW-NetworkX]
Phase=                  1
Address=                222.222.222.222
Configuration=          Default-main-mode
Authentication=         your-pre-shared-key-string1

[RemoteClient]
Phase=                  1
Configuration=          Remote-main-mode
Authentication=         your-pre-shared-key-string2

# IPSec Phase 2 sections
########################

[IPSec-NetworkX]
Phase=                  2
ISAKMP-peer=            FW-NetworkX
Configuration=          Default-quick-mode
Local-ID=               Local-NET
Remote-ID=              NetworkX-NET

[IPSec-Remote]
Phase=                  2
ISAKMP-peer=            RemoteClient
Configuration=          Remote-quick-mode
Local-ID=               Local-NET
Remote-ID=              Remote-HOST

# Client ID sections
####################

[Local-NET]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.0.0
Netmask=                255.255.255.0

[NetworkX-NET]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.0.0
Netmask=                255.0.0.0

[Remote-HOST]
ID-type=                IPV4_ADDR
Address=                0.0.0.0

# Main mode descriptions
########################

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             DES-MD5

[Remote-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Microsoft-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA-GRP2

# Quick mode descriptions
#########################

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-DES-MD5-SUITE

[Remote-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-SUITE

[Microsoft-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-PFS-SUITE



----- Original Message -----
From: "Marcos Laufer" <mar...@ipv4networks.com>
To: "Marcello Cruz" <marcello.c...@globo.com>
Cc: <misc@openbsd.org>
Sent: Wednesday, April 08, 2009 11:37 AM
Subject: Re: VPN client-to-site over IPSec


> Marcello,
>
> If you don't mind, I'd like to know more info or what to read to
> accomplish your first scenario:
>
> PC ------ Internet ------ OpenBSD -------- LAN
> PC ------------ IPSec Tunnel -------------- LAN
>
> Thanks!
> Marcos Laufer
>
> Marcello Cruz wrote:
>> Toni,
>>
>> Do you mean a VPN where only a HOST will access an entire NETWORK? If
>> so, then the answer is YES.
>>
>> For instance, I have some OpenBSD servers acting as VPN Server and
>> they allow me to connect from home to the networks behind those
>> OpenBSD servers.
>>
>> PC ------ Internet ------ OpenBSD -------- LAN
>> PC ------------ IPSec Tunnel -------------- LAN
>>
>> I also have other situations where I need an entire LAN communicate
>> with other LAN, like:
>>
>> LAN ------ OpenBSD/Other ------ Internet ------- OpenBSD ------ LAN
>> LAN ----------------------- IPSec Tunnel --------------------------- LAN
>>
>> What do you need?
>>
>> ----- Original Message ----- From: "Toni Mueller" <openbsd-m...@oeko.net>
>> To: <misc@openbsd.org>
>> Sent: Friday, April 03, 2009 5:43 PM
>> Subject: Re: VPN client-to-site over IPSec
>>
>>
>>> Hi,
>>>
>>> On Fri, 03.04.2009 at 12:43:33 -0300, João Salvatti
>>> <salva...@gmail.com> wrote:
>>>> Is it possible to implement a client-to-site VPN over IPSec? I have
>>>> searched on the web, but only found site-to-site models.
>>>
>>> what exactly do you mean by "client to site"?
>>>
>>> You can distinguish between transport mode, where you use the IP that
>>> you actually use, as an endpoint, and tunnel mode, where you assign an
>>> IP of your choosing for use inside the tunnel, and then use that IP for
>>> all of your connections.
>>>
>>> Usually, "site-to-site" is associated with tunnel mode, and I currently
>>> see no reason, and much less any advantage, in using transport mode.
>>>
>>>
>>> Kind regards,
>>> --Toni++
