Fast and Secure VPN setup with OpenBSD 4.5

Premise

Setting up an IPsec VPN between two networks, each behind an OpenBSD firewall, using RSA public / private key authentication for IKE instead of a pre-shared key.

Concept

Each VPN concentrator will have the public key of the other machine. One of the VPN concentrators is designated as the active requester; the other is set up in a passive role, accepting the connection initiation, as a central VPN gateway at a datacenter would.

Practical steps

  1. Set up pf rules so that the two gateways can talk to each other. The simplest version passes everything from the remote gateway on the external interface; add this line to pf.conf:
    pass quick on $ext_if from $remote_vpn_gw_ip

    What the tunnel actually needs is IKE (UDP port 500, plus UDP 4500 if NAT traversal is in play) and ESP (IP protocol 50). The rule above is broader than that, so narrow it to those protocols if the remote gateway's address is not fully trusted.
  2. Install the public key of each firewall on its counterpart:
    mkdir -p /etc/isakmpd/pubkeys/ipv4
    cp remote_gateway_local.pub /etc/isakmpd/pubkeys/ipv4/xxx.xxx.xxx.xxx

    where remote_gateway_local.pub is the remote gateway's /etc/isakmpd/local.pub and xxx.xxx.xxx.xxx is the IP address of the remote gateway; isakmpd looks the key up by peer address. (See below how to generate the public / private keys.) Transfer the key over a trusted channel, or compare its fingerprint with the remote admin out of band: this file is the only thing that authenticates the peer, so whoever can put a key into this directory can impersonate the remote gateway.

  3. Create the /etc/ipsec.conf configuration file on the active VPN gateway. With no psk keyword the ike rules default to RSA authentication with the keys under /etc/isakmpd:
    GW_LOCAL=ip_of_local_vpn_gateway
    GW_REMOTE=ip_of_remote_vpn_gateway
    LOCAL_NETWORKS="{ local_net1/mask1, local_net2/mask2, ... }"
    REMOTE_NETWORKS="{ remote_net1/mask1, remote_net2/mask2, ... }"
    
    ike esp from $LOCAL_NETWORKS to $REMOTE_NETWORKS peer $GW_REMOTE
    ike esp from $GW_LOCAL to $REMOTE_NETWORKS peer $GW_REMOTE
    ike esp from $GW_LOCAL to $GW_REMOTE
  4. Create the /etc/ipsec.conf configuration file on the passive VPN gateway. The passive keyword makes this side wait for the peer's IKE request instead of initiating; the network lists are the active side's, swapped:
    GW_LOCAL=ip_of_local_vpn_gateway
    GW_REMOTE=ip_of_remote_vpn_gateway
    LOCAL_NETWORKS="{ local_net1/mask1, local_net2/mask2, ... }"
    REMOTE_NETWORKS="{ remote_net1/mask1, remote_net2/mask2, ... }"
    
    ike passive esp from $LOCAL_NETWORKS to $REMOTE_NETWORKS peer $GW_REMOTE
    ike passive esp from $GW_LOCAL to $REMOTE_NETWORKS peer $GW_REMOTE
    ike passive esp from $GW_LOCAL to $GW_REMOTE
  5. Start the VPN on each VPN gateway. isakmpd must be running before the flows are loaded, because ipsecctl hands the ike rules to the daemon; -K tells isakmpd not to consult a KeyNote policy file:
    isakmpd -K
    ipsecctl -f /etc/ipsec.conf

    To have this survive a reboot, set isakmpd_flags="-K" and ipsec=YES in /etc/rc.conf.local.
  6. Test the connections:
    ipsecctl -sa

    The FLOWS part should list the networks from ipsec.conf and the SAD part an ESP SA in each direction to the peer; it may take a few minutes for the VPN channels to get established.
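The steps above carried through for one gateway, as an added example that is not code from the original page: a POSIX sh script that installs the peer's public key only after the SHA-256 fingerprint of its DER encoding matches one obtained out of band, writes /etc/ipsec.conf for the active or passive role, and parse-checks it with ipsecctl -n where that tool exists. The addresses (RFC 5737 documentation ranges), the ROOT prefix for dry runs, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: carry the steps above through
# for one gateway. Assumptions: RFC 5737 documentation addresses, a ROOT prefix
# so the script can be dry-run outside /etc, and the helper names below.
set -eu

ROOT="${ROOT:-}"      # e.g. ROOT=/tmp/gwA to write under a scratch tree

# SHA-256 fingerprint (64 hex chars) of a PEM RSA public key in DER form.
# Compare it with the value the remote admin reads out over a trusted
# channel: whoever can place a key in pubkeys/ipv4/ can impersonate the peer.
pubkey_fingerprint() {
    openssl rsa -pubin -in "$1" -outform DER 2>/dev/null |
        openssl dgst -sha256 | sed 's/.*= *//'
}

# Install the peer's local.pub as /etc/isakmpd/pubkeys/ipv4/<peer-ip>,
# isakmpd's lookup name for an IPv4 peer, only if the fingerprint matches.
# Returns 1 on mismatch, 2 on a malformed address (no path tricks in $1).
install_peer_key() {  # $1 = peer IP, $2 = peer's local.pub, $3 = expected fingerprint
    case "$1" in
        ""|*[!0-9.]*) echo "bad peer address: $1" >&2; return 2 ;;
    esac
    got=$(pubkey_fingerprint "$2")
    if [ "$got" != "$3" ]; then
        echo "fingerprint mismatch for $1: got $got" >&2
        return 1
    fi
    dir="$ROOT/etc/isakmpd/pubkeys/ipv4"
    mkdir -p "$dir"
    install -m 644 "$2" "$dir/$1"
}

# Print ipsec.conf for one side. $1 = active|passive, $2 = local gateway,
# $3 = remote gateway, $4/$5 = local/remote network lists in ipsec.conf(5)
# brace syntax. No "psk" keyword, so the rules authenticate with the RSA
# keys under /etc/isakmpd; "passive" makes that side wait for the peer.
gen_ipsec_conf() {
    case "$1" in passive) role="passive " ;; *) role="" ;; esac
    cat <<EOF
# $1 gateway $2, peer $3
GW_LOCAL="$2"
GW_REMOTE="$3"
LOCAL_NETWORKS="$4"
REMOTE_NETWORKS="$5"

ike ${role}esp from \$LOCAL_NETWORKS to \$REMOTE_NETWORKS peer \$GW_REMOTE
ike ${role}esp from \$GW_LOCAL to \$REMOTE_NETWORKS peer \$GW_REMOTE
ike ${role}esp from \$GW_LOCAL to \$GW_REMOTE
EOF
}

# Write the file and parse-check it; ipsecctl -n only parses, and exists
# only on OpenBSD, so the check is skipped elsewhere.
write_ipsec_conf() {  # same arguments as gen_ipsec_conf
    mkdir -p "$ROOT/etc"
    gen_ipsec_conf "$@" > "$ROOT/etc/ipsec.conf"
    chmod 600 "$ROOT/etc/ipsec.conf"
    if command -v ipsecctl >/dev/null 2>&1; then
        ipsecctl -n -f "$ROOT/etc/ipsec.conf"
    fi
}

# Usage (active side, assumed addresses; the passive side swaps the roles):
#   ROOT=/tmp/gwA sh vpn-setup.sh 192.0.2.1 198.51.100.1 peer-local.pub <fingerprint>
if [ $# -eq 4 ]; then
    install_peer_key "$2" "$3" "$4"
    write_ipsec_conf active "$1" "$2" "{ 10.1.0.0/16 }" "{ 10.2.0.0/16 }"
    echo "now: isakmpd -K && ipsecctl -f /etc/ipsec.conf, then ipsecctl -sa"
fi
```

The fingerprint is computed over the DER SubjectPublicKeyInfo so it does not depend on PEM line wrapping; the peer computes the same value from its own local.pub with the same openssl pipeline and reads it out over the phone or a signed mail. Run it once per side with ROOT unset on the real gateway.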

Public / Private Keys

Generating the public / private key pair with OpenSSL (on a full OpenBSD install, /etc/rc does this automatically on first boot). isakmpd expects the private key in /etc/isakmpd/private/local.key and the public key in /etc/isakmpd/local.pub; give the key length explicitly, since the openssl of that era defaulted to 1024 bits:

openssl genrsa -out /etc/isakmpd/private/local.key 2048
chmod 600 /etc/isakmpd/private/local.key
openssl rsa -in /etc/isakmpd/private/local.key -pubout -out /etc/isakmpd/local.pub

It is local.pub that gets copied to the peer's pubkeys/ipv4/ directory; local.key never leaves the machine.

If you are running a lightweight distro like flashdist, then you might need to generate these keys on a different machine.

Debugging an OpenBSD 4.5 ISAKMP VPN problem

There is some very good info here: http://www.allard.nu/openbsd/ ; specifically, I found the following hints helpful:


'isakmpd -d'
Start isakmpd with 'isakmpd -d'. Isakmpd will output things like wrong file permissions and typos in the configuration file. On connect you might see things like "NO PROPOSAL CHOSEN", which can either mean that your configuration parameters between the client and the server don't match, or that you have typed the wrong pre-shared key.

'isakmpd -L' and 'tcpdump -avs 1440 -r /var/run/isakmpd.pcap'
This one is really nice to check if your configurations between the client and the server match, and also to learn how to create isakmpd.conf files for new clients. With 'isakmpd -L' isakmpd will dump, in tcpdump format, everything it sends and receives to /var/run/isakmpd.pcap. You then check what happened with 'tcpdump -avs 1440 -r /var/run/isakmpd.pcap'. Look here for an example output of isakmpd -L and tcpdump. This output is typically what you want to send to the mailing list when you want help with something, if the above doesn't help you.
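Before reaching for isakmpd -d it helps to know whether the policy was loaded at all. As an added example (not from the original page, nor from allard.nu), this script classifies ipsecctl -sa output for one peer: flows but no SAs means IKE is failing and the hints above apply; nothing at all means ipsecctl -f was never run or the peer address is wrong. The line layout is assumed from ipsecctl(8) of that era, and the two sample outputs are constructed with RFC 5737 addresses, not captured from a real gateway.

```shell
#!/bin/sh
# Added example, not from the original page or from allard.nu: classify the
# output of `ipsecctl -sa` for one peer so the right debugging step is obvious.
# The line layout is assumed from ipsecctl(8) of the 4.x era; the sample text
# below is constructed (RFC 5737 addresses), not captured from a real system.
set -eu

# Read `ipsecctl -sa` output on stdin and print one of:
#   up          flows and an ESP SA exist in both directions for the peer
#   flows-only  ipsecctl -f loaded the policy but isakmpd has not negotiated
#               a full SA pair: run isakmpd -d / isakmpd -L as described above
#   empty       nothing for this peer: ipsecctl -f was not run, or wrong peer
# Exit status 0, 1, 2 respectively, so it can be used from a cron check.
vpn_status() {  # $1 = peer gateway address
    awk -v peer="$1" '
        $1 == "flow" && $2 == "esp" {
            for (i = 4; i <= NF; i++)
                if ($i == "peer" && $(i + 1) == peer) { if ($3 == "in") fin++; else if ($3 == "out") fout++ }
        }
        # SAD lines: "esp tunnel from A to B ..."; A == peer means inbound SA
        $1 == "esp" && $2 == "tunnel" && $3 == "from" && $5 == "to" {
            if ($4 == peer) sain++
            if ($6 == peer) saout++
        }
        END {
            if (fin && fout && sain && saout) { print "up"; exit 0 }
            if (fin || fout)                  { print "flows-only"; exit 1 }
            print "empty"; exit 2
        }'
}

# Constructed sample: a healthy tunnel to 198.51.100.1 as seen from 192.0.2.1.
SAMPLE_UP='FLOWS:
flow esp in from 10.2.0.0/16 to 10.1.0.0/16 peer 198.51.100.1 srcid 192.0.2.1/32 dstid 198.51.100.1/32 type use
flow esp out from 10.1.0.0/16 to 10.2.0.0/16 peer 198.51.100.1 srcid 192.0.2.1/32 dstid 198.51.100.1/32 type require

SAD:
esp tunnel from 198.51.100.1 to 192.0.2.1 spi 0x8a1c3e21 auth hmac-sha1 enc 3des
esp tunnel from 192.0.2.1 to 198.51.100.1 spi 0x2f9b6d07 auth hmac-sha1 enc 3des'

# Constructed sample: flows loaded, IKE still failing (nothing in the SAD).
SAMPLE_FLOWS_ONLY='FLOWS:
flow esp in from 10.2.0.0/16 to 10.1.0.0/16 peer 198.51.100.1 srcid 192.0.2.1/32 dstid 198.51.100.1/32 type use
flow esp out from 10.1.0.0/16 to 10.2.0.0/16 peer 198.51.100.1 srcid 192.0.2.1/32 dstid 198.51.100.1/32 type require

SAD:'

# Classification of a captured text as a string (exit status discarded).
status_of() {  # $1 = peer, $2 = ipsecctl -sa text
    printf '%s\n' "$2" | vpn_status "$1" || true
}

# On a real gateway:  ipsecctl -sa | vpn_status 198.51.100.1
```

A single SA in one direction (a rekey in progress, or a peer that keeps answering with NO_PROPOSAL_CHOSEN after the first exchange) is reported as flows-only on purpose: the tunnel is not usable until both directions exist.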


Setting up a VPN between OpenBSD 4.5 and Cisco PIX

The original of this HOWTO was here: OpenBSD – PIX ISAKMP VPN

Setting up an ISAKMP VPN tunnel between OpenBSD 4.5 and Cisco Pix

Configuration:

  Site A:

    OpenBSD 4.5
    Internal Network: 192.168.0.0/24
    External IP: 1.1.1.1

  Site B:

    Cisco Pix 6.1
    Internal Network: 10.0.0.0/8
    External IP: 2.2.2.2

  VPN parameters:

    Shared Secret: theSecret
    Encryption Algorithm: 3DES
    Hash Algorithm: SHA
    Diffie-Hellman Group: 2 (1024-bit MODP)

========================================================================

Pix Configuration (the no_nat list does nothing until it is bound with nat (inside) 0, which the original left out; without it the PIX translates the inside addresses before the crypto map sees them and the Phase 2 IDs never match):

access-list to_siteA permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0

access-list no_nat   permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list no_nat

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address to_siteA
crypto map newmap 10 set peer 1.1.1.1
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside

isakmp enable outside
isakmp key theSecret address 1.1.1.1 netmask 255.255.255.255
isakmp identity address

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000

========================================================================

OpenBSD config:

/etc/pf.conf

# Adjust for your particular packet filtering setup and NIC. The original
# HOWTO put these in /etc/ipf.rules; OpenBSD has shipped pf instead of ipf
# since 3.0, and the two rules are valid pf.conf syntax as written. With a
# single peer, replace "any" by 2.2.2.2 to stop unrelated hosts from talking
# to isakmpd at all.
pass   in  quick on ep0 proto esp from any to 1.1.1.1
pass   in  quick on ep0 proto udp from any to 1.1.1.1 port = 500

/etc/isakmpd/isakmpd.conf

# Tag names are matched case-insensitively, but their spelling matters: the
# original wrote Default-Phase2-Lifetime, which isakmpd silently ignores. The
# documented tag is Default-phase-2-lifetime (seconds, then accepted range).
[General]
Retransmits=			5
Exchange-max-time=		120
Listen-on=			1.1.1.1
Default-phase-2-lifetime=	3600,80:86400

[Phase 1]
2.2.2.2=			SiteBPix

[Phase 2]
Connections=			SiteA-SiteB-10

[SiteBPix]
Phase=				1
Transport=			udp
Local-address=			1.1.1.1
Address=			2.2.2.2
Configuration=			Default-main-mode
Authentication=			theSecret

[SiteA-SiteB-10]
Phase=				2
ISAKMP-peer=			SiteBPix
Configuration=			Default-quick-mode
Local-ID=			Net-SiteA
Remote-ID=			Net-SiteB-10

# These two IDs must be the exact mirror image of access-list to_siteA on
# the PIX, or it rejects the quick mode proposal.
[Net-SiteA]
ID-type=			IPV4_ADDR_SUBNET
Network=			192.168.0.0
Netmask=			255.255.255.0

[Net-SiteB-10]
ID-type=			IPV4_ADDR_SUBNET
Network=			10.0.0.0
Netmask=			255.0.0.0

[Default-main-mode]
DOI=				IPSEC
EXCHANGE_TYPE=			ID_PROT
Transforms=			3DES-SHA

[Default-quick-mode]
DOI=				IPSEC
EXCHANGE_TYPE=			QUICK_MODE
Suites=				QM-ESP-3DES-SHA-PFS-SUITE

# 3DES-SHA is one of isakmpd's built-in Phase 1 transforms (3DES, SHA,
# pre-shared key); the group is pinned here so the match with "isakmp policy
# 10 group 2" on the PIX is explicit. The original named this section
# [DES-SHA], which nothing references, so the setting never applied.
[3DES-SHA]
GROUP_DESCRIPTION=		MODP_1024

# The built-in QM-ESP-3DES-SHA-PFS-SUITE already does PFS with MODP_1024.
# GROUP_DESCRIPTION is a transform attribute (it would belong in
# [QM-ESP-3DES-SHA-PFS-XF]), so on the suite section it is ignored; the
# block is harmless but redundant.
[QM-ESP-3DES-SHA-PFS-SUITE]
GROUP_DESCRIPTION=		MODP_1024
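The most common way this pairing fails is a Phase 2 ID mismatch: the PIX requires the crypto map's access-list to be the exact mirror image of the peer's proxy IDs, and a mismatch shows up on the OpenBSD side only as a rejected quick mode. As an added example that is not part of the original HOWTO, the script below checks that directly by converting the PIX ACL masks to prefix lengths and comparing them with the Local-ID/Remote-ID networks of every Phase 2 connection in isakmpd.conf. The embedded configs are the page's own values re-typed as constructed input; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: verify that the PIX crypto ACL
# and the isakmpd Phase 2 IDs are exact mirror images. The PIX rejects a quick
# mode proposal whose proxy IDs do not match its crypto map ACL, which on the
# OpenBSD side looks like any other failed negotiation. The sample configs are
# the page's own values re-typed as constructed input; helper names are mine.
set -eu

# Dotted-quad netmask -> prefix length. Exits 1 and prints nothing if the
# mask is not contiguous, since such a mask has no CIDR equivalent.
mask2prefix() {
    echo "$1" | awk -F. '{
        n = 0; zero = 0
        for (i = 1; i <= 4; i++)
            for (b = 7; b >= 0; b--)
                if (int(($i + 0) / 2^b) % 2) { if (zero) exit 1; n++ } else zero = 1
        print n
    }'
}

# "access-list NAME permit ip SRC SMASK DST DMASK" lines -> "SRC/p DST/p"
pix_acl_pairs() {  # $1 = ACL name, PIX config on stdin
    grep "^access-list $1 permit ip " | while read -r _k _n _a _p src smask dst dmask _r; do
        echo "$src/$(mask2prefix "$smask") $dst/$(mask2prefix "$dmask")"
    done
}

# isakmpd.conf on stdin -> one "SRC/p DST/p" line per Phase 2 connection,
# seen from the PIX side: PIX source = OpenBSD Remote-ID, PIX dest = Local-ID.
isakmpd_phase2_pairs() {
    awk '
        /^\[/ { sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec); next }
        /^[^#=]+=/ {
            key = $0; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); gsub(/[ \t]+$/, "", val)
            kv[sec, key] = val
            if (key == "Phase" && val == "2") conns[sec] = 1
        }
        END {
            for (c in conns) {
                l = kv[c, "Local-ID"]; r = kv[c, "Remote-ID"]
                print kv[r, "Network"], kv[r, "Netmask"], kv[l, "Network"], kv[l, "Netmask"]
            }
        }' | while read -r rn rm ln lm; do
            echo "$rn/$(mask2prefix "$rm") $ln/$(mask2prefix "$lm")"
        done
}

# 0 if both sides describe the same set of (src dst) pairs, 1 otherwise.
check_mirror() {  # $1 = ACL name, $2 = PIX config file, $3 = isakmpd.conf file
    a=$(pix_acl_pairs "$1" < "$2" | sort)
    b=$(isakmpd_phase2_pairs < "$3" | sort)
    if [ -n "$a" ] && [ "$a" = "$b" ]; then
        echo "ok: crypto ACL $1 mirrors the isakmpd Phase 2 IDs: $a"
        return 0
    fi
    printf 'MISMATCH\n  pix %s: %s\n  isakmpd: %s\n' "$1" "$a" "$b" >&2
    return 1
}

# Run the check over the page's values (constructed copies of both configs).
demo() {
    t=$(mktemp -d)
    cat > "$t/pix.conf" <<'EOF'
access-list to_siteA permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0
access-list no_nat   permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0
crypto map newmap 10 match address to_siteA
EOF
    cat > "$t/isakmpd.conf" <<'EOF'
[Phase 2]
Connections=    SiteA-SiteB-10

[SiteA-SiteB-10]
Phase=          2
Local-ID=       Net-SiteA
Remote-ID=      Net-SiteB-10

[Net-SiteA]
Network=        192.168.0.0
Netmask=        255.255.255.0

[Net-SiteB-10]
Network=        10.0.0.0
Netmask=        255.0.0.0
EOF
    rc=0; check_mirror to_siteA "$t/pix.conf" "$t/isakmpd.conf" || rc=$?
    rm -rf "$t"
    return $rc
}
```

On a real pair, feed it the PIX "show run" output and the live isakmpd.conf; the check assumes IPV4_ADDR_SUBNET IDs, which is what both sides use here.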

/etc/isakmpd/isakmpd.policy

KeyNote-Version: 2
Authorizer: "POLICY"