Help in Setting up "Open-ended" VPN connections

Submitted by Anonymous
on June 13, 2006 - 10:41am

Hello Folks,

I'm able to set up a VPN connection between two networks when I know my peer VPN gateway address. I need to set up our VPN gateway in such a way that our staff can access our internal network from anywhere in the world. What this means is that we don't know the IP address that they will be connecting from, but they know our VPN gateway's IP address. I tried setting up our isakmpd.conf in a similar manner, except that I put 0.0.0.0/0 for the peer gateway, but then isakmpd complains that it can't create a connection to the IP address 0.0.0.0. I've tried googling and searching on the 'Net for such a config, but I can't seem to find any. Could you help me out or point me in the right direction?

Regards,
g

racoon?

Anonymous (not verified)
on
June 13, 2006 - 12:56pm

sorry, not for isakmpd... but I've one for racoon:
http://www.lacave.net/~fred/racoon/config.html

you can try 'openvpn'

eugene (not verified)
on
June 13, 2006 - 7:18pm

you can try 'openvpn' if ipsec setup is too complicated or impossible (nat).

To be fair, IPSec does have

Anonymous (not verified)
on
September 14, 2007 - 3:05pm

To be fair, IPSec does have NAT traversal when used with UDP encapsulation.

roaming salesperson vpn gateway with isakmpd (its easy, really!)

Todd T. Fries (not verified)
on
June 15, 2006 - 5:57am

Assuming you're using FQDN and RSA preshared keys, here is the entirety of my IPsec vpn gateway's isakmpd.conf:

[General]
Policy-File=/etc/isakmpd/isakmpd.policy
Retransmits=2
Exchange-max-time=600
Check-interval=15
Logverbose=1

[defaultfqdn]
Phase=1
Configuration=rsa-main-mode
ID=puffy

[puffy]
ID-type=FQDN
Name=puffy.freedaemonhosting.com

[Phase 1]
Default=defaultfqdn

[rsa-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=ID_PROT
Transforms=3DES-SHA-RSA_SIG,AES-SHA-RSA_SIG

[quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-3DES-SHA-PFS-SUITE,QM-AES-SHA2-256-PFS-SUITE

And my isakmpd.policy:

KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote 
        $OpenBSD: policy,v 1.6 2001/06/20 16:36:19 angelos Exp $
        $EOM: policy,v 1.6 2000/10/09 22:08:30 angelos Exp $
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
        esp_present == "yes" -> "true" &&
        esp_enc_alg != "null" -> "true";

Yes, I need to figure out how to populate this properly for ipsec.conf, but with the above as the vpn gateway, a client can do something as simple as:

ike esp from 10.9.9.28 to 10.255.255.1 peer 66.210.104.251 \
      srcid blue.fries.net dstid puffy.freedaemonhosting.com

... or an even more fun example (for me), let's get our IPv6 fix over IPsec, since a lot of friends' networks do not have IPv6 yet:

ike esp from 2001:240:58a:41::1c to any peer 66.210.104.251 \
      srcid blue.fries.net dstid puffy.freedaemonhosting.com

Finally, for completeness, let's say you have set up a few IPv6 networks around, and want to use the native IPv6 to build a tunnel to do `private' v4 between two systems. Why? Because some applications/protocols *cough*nfs*cough*amanda*cough*afs*cough* do not support IPv6 yet...

ike esp from 10.9.9.28 to 10.255.255.1 peer 2001:240:58a:100::1 \
      srcid blue.fries.net dstid puffy.freedaemonhosting.com
ike esp from 10.9.9.28 to 10.0.0.0/24 peer 2001:240:58a::1 \
      srcid blue.fries.net dstid carp.fries.net

Please note, in all cases, you must add the local `internal' IP of the tunnel to some network interface. In the IPv4 case, you must also add a route to the internal IP to get the source IP to be correct. In the IPv6 case, you must add a v6 default route or packets will not flow. This is because the routing table is first consulted to see if packets can get anywhere, and then the IPsec stack nabs the packet on its way out and encapsulates, encrypts, and finally transmits the encrypted packet.

# ifconfig lo1 create
# ifconfig lo1 inet 10.9.9.28 netmask 255.255.255.255
# route add 10.0.0.0/24 10.9.9.28
# route add 10.255.255.1 10.9.9.28
# ifconfig lo1 inet6 alias 2001:240:58a:41::1c prefixlen 128
# route add -inet6 default 2001:240:58a:41::1c

Realize, also, I only added IPv6 capabilities recently which means to use ipsecctl and IPv6 you'll need to run -current.

Happy VPN'ing!
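
A check I would keep next to a hand-written isakmpd.conf like the one above (added example, not Todd's code): sections refer to each other by name (Default=, Configuration=, ID=, Connections=, Passive-connections= and so on), so a mistyped name points at nothing. This script parses the file and reports every dangling reference, using the gateway config from the post as its sample; which keys must point at sections in the file is an assumption, since Transforms= and Suites= may name isakmpd's built-in definitions and are left unchecked.

```python
"""Cross-reference linter for isakmpd.conf-style files (added example, not from the post)."""
import configparser

# Keys whose values must name a section defined in the same file (comma-separated lists allowed).
# Transforms=, Suites= and Protocols= are deliberately not checked: isakmpd ships built-in
# definitions for the standard transform and suite names, so those may legitimately be absent.
REF_KEYS = {"Default", "Configuration", "ID", "ISAKMP-peer", "Local-ID", "Remote-ID",
            "Connections", "Passive-connections"}

def load_conf(text):
    """Parse the ini-style file; isakmpd keys are case-sensitive, so keep their case."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#",), interpolation=None,
                                   strict=False, empty_lines_in_values=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def dangling_refs(text):
    """Return '[section] key -> missing section [name]' strings; an empty list means all good."""
    cp = load_conf(text)
    problems = []
    for section in cp.sections():
        for key, value in cp.items(section):
            # In [Phase 1] every key except Default is a peer address mapped to a phase 1 section.
            if key in REF_KEYS or section == "Phase 1":
                for ref in (r.strip() for r in value.split(",")):
                    if ref and not cp.has_section(ref):
                        problems.append(f"[{section}] {key} -> missing section [{ref}]")
    return problems

# The gateway isakmpd.conf from the post above, reduced to the sections that refer to each other.
GOOD = """[defaultfqdn]
Phase=1
Configuration=rsa-main-mode
ID=puffy

[puffy]
ID-type=FQDN
Name=puffy.freedaemonhosting.com

[Phase 1]
Default=defaultfqdn

[rsa-main-mode]
Transforms=3DES-SHA-RSA_SIG,AES-SHA-RSA_SIG
"""

# Constructed variant: a single typo in the Configuration= reference.
BAD = GOOD.replace("Configuration=rsa-main-mode", "Configuration=rsa-main-mod")
```

The same check applies unchanged to the client-side export later in this thread, which uses the same section-reference keys.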

Thank You!

thecloud
on
June 15, 2006 - 10:17am

Thank you everyone for your help. I've got the VPN working now and I had to use Passive-connections instead of Connections in the VPN gateway's isakmpd.conf file. This helpful advice was provided by Hans-Joerg Hoexer in the OpenBSD misc mailing list.

Once again, thank you!
g

TheCloud, Could you please

iamatt
on
October 23, 2006 - 1:57pm

TheCloud,

Could you please post an example of your working ipsec.conf configuration? I am looking for an example config for dynamic ipsec connections with 3DES and pre-shared key. The windows clients will be using GreenBow vpn client. Thanks for any assistance!

iamatt

UPDATE- greenbow roadwarrior to openbsd using ipsec.conf and PSK

iamatt
on
September 14, 2007 - 1:08pm

Messed with this using greenbow and have a working config in case anyone cares.

This is a simple setup which uses a pre-shared key with a road warrior using the GreenBow vpn client.

IPSEC.CONF

# ls -la /etc/ipsec.conf
-rw------- 1 root wheel 141 Aug 26 02:45 /etc/ipsec.conf

# cat /etc/ipsec.conf

ike passive esp tunnel from any to any \
main auth hmac-sha enc 3des group grp2 \
psk 1234

ISAKMPD.POLICY

# ls -la /etc/isakmpd/isakmpd.policy
-rw------- 1 root wheel 272 Aug 29 23:58 /etc/isakmpd/isakmpd.policy

# cat /etc/isakmpd/isakmpd.policy

KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:1234"
conditions: app_domain == "IPsec policy" && doi == "ipsec" &&
esp_present == "yes" && ah_present == "no" &&
(esp_enc_alg == "3des" || esp_enc_alg == "aes") -> "true";

GREENBOW CONFIG EXPORT (*.TGB FILE)

(You will have to edit the address isakmpd.example.com to reflect the
gateway/domain/ip address of the openbsd running isakmpd)

8<-------------------------------------------------------

# Do not edit this file. It is overwritten by VpnConf.
# SIGNATURE MD5 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Creation Date : 2007-08-29 at 22:53:04
# Written by VpnConf 2.51
#

[General]
Shared-SADB = Defined
Retransmits = 5
Exchange-max-time = 80
Default-phase-1-lifetime = 1800,360:28800
Bitblocking = 0
Xauth-interval = 20

[Default-phase-2-lifetime]
LIFE_TYPE = SECONDS
LIFE_DURATION = 1200,300:28800

# ==================== PHASES 1 ====================

[Phase 1]
isakmpd.example.com = CnxVpn1-P1

[CnxVpn1-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = 3DES-SHA-GRP2

[CnxVpn1-P1]
Phase = 1
Local-address = *
Address = isakmpd.example.com
Transport = udp
Configuration = CnxVpn1-main-mode
Authentication = 1234

# ==================== PHASES 2 ====================

[Phase 2]
Passive-connections = CnxVpn1-CnxVpn1-P2

[CnxVpn1-CnxVpn1-P2]
Phase = 2
ISAKMP-peer = CnxVpn1-P1
Local-ID = CnxVpn1-local-addr
Remote-ID = CnxVpn1-remote-addr
Configuration = CnxVpn1-quick-mode
AutoStart = 0
USBStart = 0

# ==================== Ipsec ID ====================

[CnxVpn1-local-addr]
ID-type = IPV4_ADDR
Address = 192.168.1.30

[CnxVpn1-remote-addr]
ID-type = IPV4_ADDR
Address = 192.168.3.13

# ==================== TRANSFORMS ====================

[CnxVpn1-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = CnxVpn1-quick-mode-suite

[CnxVpn1-quick-mode-suite]
Protocols = TGBQM-ESP-AES128-SHA-TUN

[TGBQM-ESP-AES128-SHA-TUN]
PROTOCOL_ID = IPSEC_ESP
Transforms = TGBQM-ESP-AES128-SHA-TUN-XF

[TGBQM-ESP-AES128-SHA-TUN-XF]
TRANSFORM_ID = AES
KEY_LENGTH = 128,128:256
AUTHENTICATION_ALGORITHM = HMAC_SHA
ENCAPSULATION_MODE = TUNNEL
Life = Default-phase-2-lifetime

8<-------------------------------------------------------

Save as foo.tgb and import into GreenBow.

Start isakmpd on OpenBSD

# isakmpd -4v

Load ipsec.conf rules

# ipsecctl -F -f /etc/ipsec.conf

"Open tunnel" on the Greenbow client.

Checking with ipsecctl -sa:

# ipsecctl -sa
FLOWS:
flow esp in from 192.168.1.30 to 192.168.3.13 peer 192.168.1.30 srcid
isakmpd.example.com/32 dstid 192.168.1.30/32 type use
flow esp out from 192.168.3.13 to 192.168.1.30 peer 192.168.1.30 srcid
isakmpd.example.com/32 dstid 192.168.1.30/32 type require

SAD:
esp tunnel from 192.168.1.30 to isakmpd.example.com spi 0x0a006089
auth hmac-sha1 enc aes
esp tunnel from isakmpd.example.com to 192.168.1.30 spi 0xccd342c4
auth hmac-sha1 enc aes

--
Matt Bettinger
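
Once the tunnel is up, the ipsecctl -sa output above is the thing to verify. As an added example (not part of Matt's post), this script parses that output and flags two things a road-warrior setup can get wrong: an outbound flow of type use rather than require (use does not force the packet through an SA), and an SA negotiated with an encryption algorithm outside the (esp_enc_alg == "3des" || esp_enc_alg == "aes") condition of the isakmpd.policy above. The set of accepted integrity algorithms is an assumption.

```python
"""Audit of 'ipsecctl -sa' output (added example, not part of the post)."""
import re

ALLOWED_ENC = {"aes", "3des"}                  # mirrors the esp_enc_alg test in the isakmpd.policy above
ALLOWED_AUTH = {"hmac-sha1", "hmac-sha2-256"}  # assumption: integrity algorithms we are willing to accept
FLOW_RE = re.compile(r"^flow (\w+) (in|out) from (\S+) to (\S+) peer (\S+)"
                     r"(?: srcid (\S+))?(?: dstid (\S+))? type (\w+)$")
SA_RE = re.compile(r"^(\w+) (tunnel|transport) from (\S+) to (\S+) spi (0x[0-9a-f]+)"
                   r"(?: auth (\S+))?(?: enc (\S+))?")

def parse_ipsecctl(text):
    """Return (flows, sas) as lists of dicts; one flow or SA per line, as ipsecctl prints them."""
    flows, sas = [], []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := FLOW_RE.match(line):
            flows.append(dict(zip(("proto", "dir", "src", "dst", "peer", "srcid", "dstid", "type"),
                                  m.groups())))
        elif m := SA_RE.match(line):
            sas.append(dict(zip(("proto", "mode", "src", "dst", "spi", "auth", "enc"), m.groups())))
    return flows, sas

def audit(text):
    """Findings list; empty means approved algorithms everywhere and enforced outbound flows."""
    flows, sas = parse_ipsecctl(text)
    findings = []
    for f in flows:
        # Only 'require' insists on an SA for the flow; anything else is a weaker policy.
        if f["dir"] == "out" and f["type"] != "require":
            findings.append(f"outbound flow {f['src']}->{f['dst']} is type {f['type']}, not require")
    for s in sas:
        if s["enc"] not in ALLOWED_ENC:
            findings.append(f"SA spi {s['spi']} uses enc {s['enc']}")
        if s["auth"] not in ALLOWED_AUTH:
            findings.append(f"SA spi {s['spi']} uses auth {s['auth']}")
    return findings

# The 'ipsecctl -sa' output posted above, re-joined to one entry per line as ipsecctl prints it.
SAMPLE = """FLOWS:
flow esp in from 192.168.1.30 to 192.168.3.13 peer 192.168.1.30 srcid isakmpd.example.com/32 dstid 192.168.1.30/32 type use
flow esp out from 192.168.3.13 to 192.168.1.30 peer 192.168.1.30 srcid isakmpd.example.com/32 dstid 192.168.1.30/32 type require
SAD:
esp tunnel from 192.168.1.30 to isakmpd.example.com spi 0x0a006089 auth hmac-sha1 enc aes
esp tunnel from isakmpd.example.com to 192.168.1.30 spi 0xccd342c4 auth hmac-sha1 enc aes
"""
# Constructed bad case: outbound flow not enforced and null encryption negotiated.
WEAK = SAMPLE.replace("type require", "type use").replace("enc aes", "enc null")
```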
