How to set up a "road warrior" VPN with OpenBSD

I found this solution in the summary of a related thread on misc@openbsd.org (mailing list).

    Thanks for the various assists on this, I’m glad to say that the problem I was having is now solved. I am now successfully interworking dynamically addressed (DHCP) Win2K-pro and XP clients with OpenBSD isakmpd using X.509 certificate-based authentication. I believe this to be a lot more scalable and manageable than using pre-shared secrets.

    For reference, the problem I was having was caused by incorrectly entering the X.509 certificates into the cert stores on the Windows machines using the MMC snap-in. So it wasn’t an OBSD issue at all ;-)

    If anyone has the same problem, you need to make sure you are entering the CA and client certs into the cert stores for the LOCAL COMPUTER *not* the CURRENT USER (which is the default if you just double-click on the cert bundle on the desktop). Doh! Instead click start->run and enter “mmc” then add the snap-in for ‘Manage Certificates’ making sure you select ‘local computer’ in the dialogue. Obviously you will also need to add the snap-in for ‘manage IPsec policies’ too.

    All-in-all not entirely a pain-free process, but a great learning experience (and now at last I am confident my wireless LAN is *properly* secure).

    For ref, below are the isakmpd.conf and isakmp.policy files which I am using on the OPENBSD server.

    Generating the X.509 certs correctly requires some care. I do it using the ‘ca’ command on openssl (this avoids the need to use certpatch, but make sure you read the relevant parts of the IPSEC/ISAKMPD/VPN manpages about what is needed here – because you are using DHCP clients, you need to put the FQDN in the subjectAltName part of the cert). I also use the ‘pkcs12’ command on openssl to produce a cert-bundle which is the easiest way to safely transport and import the certs and private key onto the windows boxes. I have some basic scripts for doing the openssl bits, which I guess I can email to anyone who’s interested.

    By the way, if you are using PF don’t forget you will additionally need to create some relevant filtering rules to allow traffic on esp0…

    Rgds to all
    MC

===
# This is the isakmpd.conf file for the SERVER
#

[General]
Listen-on=              10.0.0.1

[Phase 1]
# Any peer not listed explicitly (i.e. every DHCP client) uses this section
Default=                ISAKMP-peer-dhcp

[Phase 2]
Passive-connections=    IPsec-connection

[ISAKMP-peer-dhcp]
Phase=                  1
Local-address=          10.0.0.1
ID=                     server-fqdn-id
Configuration=          IKE-main-mode-config

[server-fqdn-id]
# Name must match the FQDN in the server certificate's subjectAltName
ID-type=                FQDN
Name=                   server

[IKE-main-mode-config]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
# RSA_SIG transforms: peers authenticate with X.509 certificates, not PSKs
Transforms=             AES-SHA-RSA_SIG, 3DES-SHA-RSA_SIG

[IPsec-connection]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-dhcp
Configuration=          IKE-quick-mode-config
Local-ID=               server-ipv4-id
Remote-ID=              generic-ipv4-id

[IKE-quick-mode-config]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-TRP-AES-SHA-SUITE, QM-ESP-TRP-AES-MD5-SUITE, QM-ESP-TRP-3DES-SHA-SUITE, QM-ESP-TRP-3DES-MD5-SUITE

[server-ipv4-id]
ID-type=                IPV4_ADDR
Address=                10.0.0.1

[generic-ipv4-id]
# 0.0.0.0 matches any client address, since DHCP clients have no fixed one
ID-type=                IPV4_ADDR
Address=                0.0.0.0

[X509-certificates]
Ca-directory=           /etc/isakmpd/ca/
Cert-directory=         /etc/isakmpd/certs/
Private-key=            /etc/isakmpd/private/local.key

===
# this is the matching isakmpd.policy file for the SERVER
Authorizer: "POLICY"
Licensees: "DN:/C=My Country/O=My Org/OU=PKI Infrastructure/CN=My Root CA"
Conditions: app_domain == "IPsec policy" &&
        doi == "ipsec" &&
        esp_present == "yes" &&
        esp_enc_alg != "null" -> "true";
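The openssl steps MC describes above (a private CA, leaf certs that carry the FQDN in subjectAltName, and a PKCS#12 bundle for the Windows side), as an added example that is not part of the original post and not OpenBSD's own code. It also adds the check a practitioner wants before deploying: that the issued cert really carries the SAN and chains to the CA. Everything named here is a constructed placeholder (Example Org, vpn.example.test, laptop1.example.test, the `changeme` bundle password, the working directory); and where the post used `openssl ca`, this script signs with `openssl x509 -req`, which needs no CA database.

```shell
#!/bin/sh
# Added example (not from the original post or OpenBSD): mint a private CA, a
# server certificate and a road-warrior client certificate with openssl, then
# bundle the client's key and certificate as PKCS#12 for import on Windows.
# All names, FQDNs and the bundle password below are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_FQDN="vpn.example.test"      # matches Name= in the server's FQDN ID section
CLIENT_FQDN="laptop1.example.test"  # the DHCP client's identity is this name
PFX_PASS="changeme"                 # protects the .p12 in transit; pick a real one

# openssl config for one certificate. The leaf section puts the FQDN into
# subjectAltName, which is what isakmpd compares against an FQDN ID payload;
# that is why a client whose address changes with DHCP can still be identified.
gen_cnf() {   # $1 = CN (also used as the SAN DNS name for leaf certs)
    cat <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C = XX
O = Example Org
OU = PKI Infrastructure
CN = $1
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:$1
EOF
}

# Self-signed root CA: ca.key stays on the signing machine, ca.crt is distributed.
make_ca() {
    gen_cnf "Example Root CA" > "$WORKDIR/ca.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$WORKDIR/ca.cnf" -extensions ca_ext \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Issue a leaf certificate for FQDN $1, signed directly with openssl x509 -req
# (no CA database needed, unlike openssl ca).
issue_cert() {
    fqdn="$1"
    gen_cnf "$fqdn" > "$WORKDIR/$fqdn.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORKDIR/$fqdn.cnf" \
        -keyout "$WORKDIR/$fqdn.key" -out "$WORKDIR/$fqdn.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORKDIR/$fqdn.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/$fqdn.cnf" -extensions leaf_ext \
        -out "$WORKDIR/$fqdn.crt" 2>/dev/null
}

# Client key + cert + CA cert in one password-protected PKCS#12 bundle.
bundle_pkcs12() {
    fqdn="$1"
    openssl pkcs12 -export -inkey "$WORKDIR/$fqdn.key" -in "$WORKDIR/$fqdn.crt" \
        -certfile "$WORKDIR/ca.crt" -name "$fqdn" -passout "pass:$PFX_PASS" \
        -out "$WORKDIR/$fqdn.p12"
}

# Sanity check before deploying: SAN carries the FQDN and the cert chains to the CA.
verify_cert() {
    fqdn="$1"
    openssl x509 -in "$WORKDIR/$fqdn.crt" -noout -text | grep -q "DNS:$fqdn" &&
        openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$fqdn.crt" >/dev/null
}

# CA subject in the slash form that the Licensees: line of isakmpd.policy expects.
ca_dn() {
    openssl x509 -in "$WORKDIR/ca.crt" -noout -subject -nameopt compat |
        sed 's/^subject= *//'
}

make_ca
issue_cert "$SERVER_FQDN"
issue_cert "$CLIENT_FQDN"
bundle_pkcs12 "$CLIENT_FQDN"
verify_cert "$CLIENT_FQDN"
echo "CA DN for isakmpd.policy Licensees: DN:$(ca_dn)"
echo "client bundle: $WORKDIR/$CLIENT_FQDN.p12"
```

To wire the output into the configuration shown above: ca.crt goes into /etc/isakmpd/ca/, the server cert into /etc/isakmpd/certs/, and the server key into /etc/isakmpd/private/local.key (owner root, mode 0600); the Name= under [server-fqdn-id] must equal the SAN in the server cert, and the DN after "Licensees: DN:" in isakmpd.policy must be the CA subject exactly as ca_dn prints it. The client's .p12 is what you import on the Windows box, into the Local Computer store as MC points out. With OpenSSL 3 the bundle is written with modern PBES2 encryption by default, which old Windows releases cannot read; add -legacy to the pkcs12 -export call for those.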
This entry was posted in OpenBSD.
  • Tor Perkins

    Hello,

    My understanding (which may be incorrect) is that the default Windows “VPN” client is PPTP only (not IPSec). The client that I’m aware of can tunnel through OpenBSD if one installs and configures the “poptop” port…

    Here you describe X.509 certs for windows clients so that OpenBSD can be contacted via IPSec (which is neat). What Windows software is being used for this? Is this a built in capability or is an add-on required? Can you point me to a link that will enlighten me regarding the client piece? Also, I’d love to receive copies of the scripts you are using to help automate cert management…

    Thanks for your time and quality blog!

    - Tor

  • http://www.wdream.com Balazs

    There is actually a native IPSEC client for Windows. Here is an article that might shed some light: IPsec VPN clients
