What is the difference between site to site and mobile VPN?

For most businesses, there are two types of VPN that apply:

  • site to site VPN: this is used to link sites, such as your office and the data center,
  • mobile VPN: this is used to link mobile or home users to a corporate site, or a data center.

The mobile VPN to your office is typically free, you just need to pay a one time setup fee and sometimes an extra license fee depending on the vendor. If your firewall is based on pfSense, there are no extra license fees.

The site to site VPN is typically priced on a per channel basis, to cover our bandwidth and virtual port costs on the terminating firewall in the data center. This is optional, and you can decide to sign up for that service once there is a clear business case for it.

Directing all VPN traffic through the OpenVPN concentrator


It is necessary for some users to have all their traffic directed through the OpenVPN concentrator. The number one reason for such a configuration is to protect the HTTP traffic over unsecured WiFi (a.k.a. hotspots).


Add to the bottom of the connecting client’s configuration file (typically under /etc/openvpn/clients.d the following line:
push "redirect-gateway"

Fast and Secure VPN setup with OpenBSD 4.5


Setting up VPN with IPsec using public / private key authentication between two networks using OpenBSD firewalls.


Each VPN concentrator will have the public key fo the other machine, and one of the VPN concentrators will be designated as the active requester. The other will be set up in a passive role, to accept the connection initiation, like a central VPN gateway at a datacenter would.

Practical steps

  1. Set up proper rules so that the firewalls pass proper traffic. That is done by adding the line in pf.conf to allow for the gateways to communicate:
    pass quick on $ext_if from $remote_vpn_gw_ip
  2. Set up the public key for each firewall on it’s counterpart:
    mkdir -p /etc/isakmpd/pubkeys/ipv4
    cp remote_gateway_local.pub /etc/isakmpd/pubkeys/ipv4/xxx.xxx.xxx.xxx

    where xxx.xxx.xxx.xxx is the IP address of the remote gateway. (See below how to generate the public / private keys.)

  3. Create the ipsec.confconfiguration file on the active VPN gateway:
    LOCAL_NETWORKS="{ local_net1/mask1, local_net2/mask2, ... }"
    REMOTE _NETWORKS="{ remote_net1/mask1, local_net2/mask2, ... }"
    ike esp from $GW_LOCAL to $REMOTE_NETWORKS peer $GW_REMOTE
    ike esp from $GW_LOCAL to $GW_REMOTE
  4. Create the ipsec.confconfiguration file on the passive VPN gateway:
    LOCAL_NETWORKS="{ local_net1/mask1, local_net2/mask2, ... }"
    REMOTE _NETWORKS="{ remote_net1/mask1, local_net2/mask2, ... }"
    ike passive esp from $LOCAL_NETWORKS to $REMOTE_NETWORKS peer $GW_REMOTE
    ike passive esp from $GW_LOCAL to $REMOTE_NETWORKS peer $GW_REMOTE
    ike passive esp from $GW_LOCAL to $GW_REMOTE
  5. Start the VPN on each VPN gateway:
    isakmpd -K
    ipsecctl -f /etc/ipsec.conf
  6. Test the connections:
    ipsecctl -sa

    it may take a few minutes for the VPN channels to get established.

Public / Private Keys

Generating Public / Private keys with OpenSSL (on full OpenBSD install, this is already done automatically):

openssl genrsa -out /etc/isakmpd/private/local.key
chmod 600 /etc/isakmpd/private/local.key
openssl rsa -out /etc/isakmpd/private/local.pub -in /etc/isakmpd/private/local.key -pubout

If you are running a lightweight distro like flashdist, then you might need to generate these keys on a different machine.


How to set up PPTP on Win2k

Setting up a folder for PPTP access:

  1. Right click and select properties
  2. Select Sharing tab
  3. Check “Share this folder” and give it a share name
  4. Click the permissions button, and make sure that only the right user(s) have permission

Setting up user for PPTP:

  1. Start->Settings->Network and Dial-up connections->Incoming connections
  2. Click users tab
  3. Check the check box next to user to authorize

How to set up "road warior" VPN with OpenBSD

I found this solution in the summary of a related thread on misc@openbsd.org (mailing list).

    Thanks for the various assists on this, I’m glad to say that the problem I was having is now solved. I am now successfully interworking dynamically addressed (DHCP) Win2K-pro and XP clients with OpenBSD isakmpd using X.509 certificate-based authentication. I believe this to be a lot more scalable and manageable than using pre-shared secrets.

    For reference, the problem I was having was caused by incorrectly entering the X.509 certificates into the cert stores on the Windows machines using the MMC snap-in. So it wasn’t an OBSD issue at all 😉

    If anyone has the same problem, you need to make sure you are entering the CA and client certs into the cert stores for the LOCAL COMPUTER *not* the CURRENT USER (which is the default if you just double-click on the cert bundle on the desktop). Doh! Instead click start->run and enter “mmc” then add the snap-in for ‘Manage Certificates’ making sure you select ‘local computer’ in the dialogue. Obviously you will also need to add the snap-in for ‘manage IPsec policies’ too.

    All-in-all not entirely a pain-free process, but a great learning experience (and now at last I am confident my wireless LAN is *properly* secure).

    For ref, below are the isakmpd.conf and isakmp.policy files which I am using on the OPENBSD server.

    Generating the X.509 certs correctly requires some care. I do it using the ‘ca’ command on openssl (this avoids the need to use certpatch, but make sure you read the relevant parts of the IPSEC/ISAKMPD/VPN manpages about what is needed here – because you are using DHCP clients, you need to put the FQDN in the subjectAltName part of the cert). I also use the ‘pkcs12’ command on openssl to produce a cert-bundle which is the easiest way to safely transport and import the certs and private key onto the windows boxes. I have some basic scripts for doing the openssl bits, which I guess I can email to anyone who’s interested.

    By the way, if you are using PF don’t forget you will additionally need to create some relevant filtering rules to allow traffic on esp0…

    Rgds to all

# This is the isakmpd.conf file for the SERVER


[Phase 1]
Default=                ISAKMP-peer-dhcp

[Phase 2]
Passive-connections=    IPsec-connection

Phase=                  1
ID=                     server-fqdn-id
Configuration=          IKE-main-mode-config

ID-type=                FQDN
Name=                   server

DOI=                    IPSEC
Transforms=             AES-SHA-RSA_SIG, 3DES-SHA-RSA_SIG

Phase=                  2
ISAKMP-peer=            ISAKMP-peer-dhcp
Configuration=          IKE-quick-mode-config
Local-ID=               server-ipv4-id
Remote-ID=              generic-ipv4-id

DOI=                    IPSEC

ID-type=                IPV4_ADDR

ID-type=                IPV4_ADDR

Ca-directory=           /etc/isakmpd/ca/
Cert-directory=         /etc/isakmpd/certs/
Private-key=            /etc/isakmpd/private/local.key

# this is the matching isakmpd.policy file for the SERVER
Authorizer: "POLICY"
Licensees: "DN:/C=My Country/O=My Org/OU=PKI Infrastructure/CN=My Root CA"
conditions:app_domain == "IPsec policy" &&
        doi == "ipsec" &&
        esp_present == "yes" &&
        esp_enc_alg != "null" -> "true";

Debugging an OpenBSD 4.5 ISAKMP VPN problem

There is some very good info here:http://www.allard.nu/openbsd/ specifically, I found the following hints helpful:

'isakmpd -d'
Start isakmpd with 'isakmpd -d'. Isakmpd will output things like wrong file permissions and typos in the configuration file. On connect you might see things like "NO PROPOSAL CHOOSEN" which can either mean that your configuration parameters between the client and the server doesn't match, or that you have typed the wrong pre-shared key.

'isakmpd -L' and 'tcpdump -avs 1440 -r /var/run/isakmpd.pcap'
This one is really nice to check if your configurations between the client and the server match and also to learn howto create isakmpd.conf files for new clients. With 'isakmpd -L' isakmpd will dump, in tcpdump format, everything it sends and recieves to /var/run/isakmpd.pcap. You then check what happened with 'tcpdump -avs 1440 -r /var/run/isakmpd.pcap'. Look here for an example output of isakmpd -L and tcpdump. This output is typically what you want to send to the mailing list when you want help with something if the above doesn't help you.

Setting up a VPN between OpenBSD 4.5 and Cisco PIX

The original of this HOWTO was here: OpenBSD – PIX ISAKMP VPN

Setting up an ISAKMP VPN tunnel between OpenBSD 4.5 and Cisco Pix


  Site A:

    OpenBSD 4.5
    Internal Network:
    External IP:

  Site B:

    Cisco Pix 6.1
    Internal Network:
    External IP:

  VPN parameters:

    Shared Secret: theSecret
    Encryption Algorith: 3DES
    Hash Algorith: SHA
    Diffie-Helman Group: 2 (1024bit)


Pix Configuration:

access-list to_siteA permit ip

access-list no_nat   permit ip

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address to_siteA
crypto map newmap 10 set peer
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside

isakmp enable outside
isakmp key theSecret address netmask
isakmp identity address

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000


OpenBSD config:


# Adjust for your particular packet filtering setup and NIC
pass   in  quick on ep0 proto esp from any to
pass   in  quick on ep0 proto udp from any to port = 500


Retransmits=			5
Exchange-max-time=		120
Default-Phase2-Lifetime=        3600,80:86400

[Phase 1]			SiteBPix

[Phase 2]
Connections=			SiteA-SiteB-10

Phase=				1
Transport=			udp
Configuration=			Default-main-mode
Authentication=			theSecret

Phase=				2
ISAKMP-peer=			SiteBPix
Configuration=			Default-quick-mode
Local-ID=			Net-SiteA
Remote-ID=			Net-SiteB-10



Transforms=			3DES-SHA





KeyNote-Version: 2
Authorizer: "POLICY"