Re: OpenBSD 4.7 as VPN Gateway for Road Warriors, Preferred Configuration

2010-06-01 Thread Pete Vickers
Hi,

Transport mode IPSec has many legit uses. The first one which springs to mind
is gateway-gateway encryption, over which you can use your favourite tunneling
protocol e.g.  L2TP or GRE. Especially useful if you're transporting multicast
traffic over the VPN.

Also one of the most popular remote access VPN solutions (works 'out of the
box' on Windows, OS X & Cisco routers) is L2TP over IPSec. This provides
both static & dynamically addressed clients with an IPSec tunnel back to the
VPN server, over which L2TP is tunneled, providing DHCP for tunnel IP
addressing, and multi-protocol (IPX or IPv6 anyone ?) support.


It's also ideal for ubiquitous IP level any to any encryption if you spend the
effort on key management issues.


/Pete


On 31. mai 2010, at 18.56, Toni Mueller wrote:


 I'd say that transport mode is a design error in IPSEC and should be
 avoided at all costs. It also complicates network setup quite a bit,
 imho.


 Kind regards,
 --Toni++



Re: OpenBSD 4.7 as VPN Gateway for Road Warriors, Preferred Configuration

2010-05-31 Thread Toni Mueller
Hi,

On Sun, 23.05.2010 at 11:41:27 +0200, Martin Pelikán
martin.peli...@gmail.com wrote:
 It really depends on what you need - most road warriors are okay with
 transport mode (where obviously DHCP doesn't make any sense). If

I'd say that transport mode is a design error in IPSEC and should be
avoided at all costs. It also complicates network setup quite a bit,
imho.


Kind regards,
--Toni++



Re: OpenBSD 4.7 as VPN Gateway for Road Warriors, Preferred Configuration

2010-05-23 Thread Martin Pelikán
2010/5/22, dontek don...@gmail.com:
 Yes, thanks, I've read the man pages.  I've even made the proposed connection
 work both ways. (less the DHCP working)  What I was hoping for was a few that
 have more experience than I do to share their experiences and tell me some of
 the potential benefits and/or drawbacks of doing it one way or the other;
 preferably specific to multiple roaming clients, with the intention of using
 DHCP over IPSec, and with any OpenBSD-4.7-specific nuances.

The only OpenBSD-4.7-specific nuance that I know of, is the fixed bug
in HMAC-SHA-256, that makes it incompatible with older releases. From
what I tried, single point-to-point tunnel works even with Racoon on
Gentoo Linux. The painful three-hundred-clicks setup under Windows I
didn't find time to test against 4.7 or -current.
It really depends on what you need - most road warriors are okay with
transport mode (where obviously DHCP doesn't make any sense). If
you're planning to connect the whole network to a single IPsec gateway
(I have IPv6-over-IPv4 tunnel like this), you might want to pay
attention to *what traffic do you actually want* to encrypt and add
something like flow esp from local-net to local-net type bypass,
so only packets the right way are secure. But all this comes from
common sense and observing what's happening. OpenBSD does this a
clever way - you have enc(4) interface where you can observe what's
inside your tunnel and it doesn't mix up with what you want to see on
your *real* interface. (typically only ESP/isakmp traffic)

-- 
Martin Pelikan
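As an added illustration of the "encrypt only what you actually want" advice above (this is not Martin's or the OpenBSD project's own configuration), here is an ipsec.conf(5) fragment for a gateway that tunnels a whole LAN to one IPsec peer while keeping LAN-to-LAN traffic out of the tunnel. The networks, peer address and pre-shared key are constructed placeholders:

```conf
# /etc/ipsec.conf (added example; addresses and PSK are placeholders)
local_net="192.168.1.0/24"       # the LAN behind this gateway (constructed)
remote_net="10.20.0.0/16"        # network behind the peer gateway (constructed)
peer="203.0.113.10"              # peer gateway's public address (constructed)

# Traffic that stays on the LAN must never be pushed into ESP: a bypass
# flow tells the kernel SPD to hand these packets through unencrypted.
flow esp from $local_net to $local_net type bypass

# Everything from the LAN to the remote network goes through the tunnel;
# the kernel selects the flow by address/prefix match, and the two
# destination prefixes here do not overlap, so there is no ambiguity.
ike esp from $local_net to $remote_net peer $peer \
        main auth hmac-sha2-256 enc aes-256 group modp2048 \
        quick auth hmac-sha2-256 enc aes-256 group modp2048 \
        psk "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```

To check the file without touching the running SPD, run `ipsecctl -n -f /etc/ipsec.conf`; after loading it, `ipsecctl -s all` lists the installed flows and SAs. The separation Martin describes is then easy to verify with tcpdump: `tcpdump -n -i enc0` shows the cleartext inside the tunnel, while `tcpdump -n -i em0 esp or udp port 500` on the real interface (em0 assumed) should show only ESP and isakmpd traffic, never the LAN-to-LAN packets covered by the bypass flow.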



Re: OpenBSD 4.7 as VPN Gateway for Road Warriors, Preferred Configuration

2010-05-22 Thread dontek
-Original Message-
From: Martin Pelikán [mailto:martin.peli...@gmail.com]
Sent: Friday, May 21, 2010 8:19 AM
To: dontek
Cc: Misc OpenBSD
Subject: Re: OpenBSD 4.7 as VPN Gateway for Road Warriors, Preferred
Configuration

 Hi
 did you actually read any piece of documentation about the topic?
 Manual pages like ipsec(4) for overview, ipsec.conf(5) for
 configuration and isakmpd(8) + keynote(3,4,5) + openssl(1) + authpf(8)
 for possible ways of authenticating your warriors.

Yes, thanks, I've read the man pages.  I've even made the proposed connection
work both ways. (less the DHCP working)  What I was hoping for was a few that
have more experience than I do to share their experiences and tell me some of
the potential benefits and/or drawbacks of doing it one way or the other;
preferably specific to multiple roaming clients, with the intention of using
DHCP over IPSec, and with any OpenBSD-4.7-specific nuances.

 I've found many examples via Google.  Some are using isakmpd.conf, while
 others use the isakmpd -K switch and defer to ipsec.conf for
configuration.

 Choose what you prefer. ipsec.conf is less typing (about ten times).

 In my situation with multiple Road Warriors, is one way more correct than
 the other..?  Easier..?

 All the situations are easy if you know what you are doing :-) And guess
 where the place to learn is...

 What's the preferred method in the day of OpenBSD 4.7?

 To search before typing?

 --
 Martin Pelikan



Re: OpenBSD 4.7 as VPN Gateway for Road Warriors, Preferred Configuration

2010-05-22 Thread dontek
-Original Message-
From: Wouter Slegers [mailto:wou...@yourcreativesolutions.nl] 
Sent: Saturday, May 22, 2010 5:23 AM
To: dontek
Subject: Re: OpenBSD 4.7 as VPN Gateway for Road Warriors, Preferred
Configuration

 In my situation with multiple Road Warriors, is one way more correct than
 the other..?  Easier..?


My advice is to really consider OpenVPN. I know it is not the
OpenBSD quality software, but IPSec is really difficult to get through
most hotel NAT and firewall layers. OpenVPN with the UDP and TCP
tunnelling is way more robust in that regard. It has good failover and
recovery options, built in DHCPlike features and such, and clients for
*BSD, Linux, Windows, MacOSX.

Thanks for the suggestion, I would like to try OpenBSD straight-IPSec first
and see how it goes in the field.  Fortunately my chosen client supports
both setups, so if I start to see problems, your solution should just be a
quick configuration change once it's setup on the gateway.

With kind regards,
Wouter



Re: OpenBSD 4.7 as VPN Gateway for Road Warriors, Preferred Configuration

2010-05-21 Thread Martin Pelikán
Hi
did you actually read any piece of documentation about the topic?
Manual pages like ipsec(4) for overview, ipsec.conf(5) for
configuration and isakmpd(8) + keynote(3,4,5) + openssl(1) + authpf(8)
for possible ways of authenticating your warriors.

 I've found many examples via Google.  Some are using isakmpd.conf, while
 others use the isakmpd -K switch and defer to ipsec.conf for configuration.

Choose what you prefer. ipsec.conf is less typing (about ten times).

 In my situation with multiple Road Warriors, is one way more correct than
 the other..?  Easier..?

All the situations are easy if you know what you are doing :-) And guess
where the place to learn is...

 What's the preferred method in the day of OpenBSD 4.7?

To search before typing?

-- 
Martin Pelikan



Re: OpenBSD 4.7 as VPN Gateway for Road Warriors, Preferred Configuration

2010-05-21 Thread J Sisson
2010/5/21 Martin Pelikan martin.peli...@gmail.com:
 What's the preferred method in the day of OpenBSD 4.7?

 To search before typing?

+1



OpenBSD 4.7 as VPN Gateway for Road Warriors, Preferred Configuration

2010-05-20 Thread dontek
Hey guys:

I'm looking for a little direction here, as the preferred method of setting
up a VPN for these types of connections seems to have changed many times
throughout the version history of OpenBSD and changes to IPSec, isakmpd, pf,
etc..

So as you've probably gleaned from the subject, I want multiple clients to
be able to connect to the OpenBSD 4.7 VPN Gateway.  I'd also like to use
DHCP over IPSec.

I've found many examples via Google.  Some are using isakmpd.conf, while
others use the isakmpd -K switch and defer to ipsec.conf for configuration.

In my situation with multiple Road Warriors, is one way more correct than
the other..?  Easier..?

What's the preferred method in the day of OpenBSD 4.7?

Thanks,

don..