Prepare OpenBSD
Prepare the network interfaces.
Delete /etc/mygate when using DHCP.
Create /etc/sysctl.conf.
net.inet.esp.enable=1 # Enable the ESP IPsec protocol
net.inet.ah.enable=1 # Enable the AH IPsec protocol
net.inet.ip.forwarding=1 # Enable IP forwarding for the host.
net.inet.ipcomp.enable=1 # Optional: compress IP datagrams
Create /etc/rc.conf.local
isakmpd_flags="" # Avoid keynote(4) policy checking
ipsec=YES # Load ipsec.conf(5) rules
Some basics
There are three types of ISAKMPD authentication (passphrase, public key, X.509 certs). I didn't use the passphrase method, so I can't say anything about it. I've used the public key method because I ran into some problems using the cert method on OpenBSD.
Public key authentication – preparing the keys
#!/bin/sh
# Usage: genkey.sh <FQDN>
# Writes the private key to /etc/isakmpd/private/<FQDN>.key (mode 600) and the
# matching public key, with no suffix, to /etc/isakmpd/pubkeys/fqdn/<FQDN>.
FQDN=$1
[ -n "$FQDN" ] || { echo "usage: $0 <FQDN>" >&2; exit 1; }
openssl genrsa -out "/etc/isakmpd/private/$FQDN.key" 4096 && \
chmod 600 "/etc/isakmpd/private/$FQDN.key" && \
openssl rsa -in "/etc/isakmpd/private/$FQDN.key" -pubout > "/etc/isakmpd/pubkeys/fqdn/$FQDN"
exit $?
You can create these key pairs on any machine.
Place the two halves of each key pair on opposite machines: the private $FQDN.key goes on the $FQDN machine itself (in /etc/isakmpd/private/), and the public $FQDN key goes on the other host inside its /etc/isakmpd/pubkeys/fqdn folder.
The public key file name must have no suffix; name it $FQDN only, i.e. exactly the string you will later use as the FQDN ID in isakmpd.conf to identify the connection partner.
isakmpd.policy
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";
isakmpd.conf for a static IP partner
[Phase 1]
Default= dynamicpartners
[Phase 2]
Passive-Connections= VPN-potsdam-nordost
# ISAKMP phase 1 peers (from [Phase 1])
[dynamicpartners]
Phase= 1
Transport= udp
Configuration= main-mode
ID= my-ID
[my-ID]
ID-type= FQDN
Name= potsdam
# IPSEC phase 2 connections (from [Phase 2])
[VPN-potsdam-nordost]
Phase= 2
ISAKMP-peer= nordost
Configuration= quick-mode
Local-ID= potsdam-internal-network
Remote-ID= nordost-internal-network
# ID sections (as used in [VPN-A-B])
[potsdam-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.0.0
Netmask= 255.255.0.0
[nordost-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.1.0
Netmask= 255.255.255.0
[x509-certificates]
Private-key= /etc/isakmpd/private/potsdam.key
[main-mode]
# ATTENTION: THE SUFFIX '-RSA_SIG' ENABLES PUBLIC KEY AUTH METHOD
DOI=IPSEC
EXCHANGE_TYPE=ID_PROT
Transforms=AES-256-SHA2-256-GRP14-RSA_SIG
[quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-AES-256-SHA2-256-PFS-GRP14-SUITE
[LIFE_1_DAY]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,79200:93600
isakmpd.conf for a dynamic IP partner
[Phase 1]
XXX.XXX.XXX.XXX= potsdam
# 'Phase 2' defines which connections the daemon should establish.
# These connections contain the actual "IPsec VPN" information.
[Phase 2]
Connections= VPN-nordost-potsdam
# ISAKMP phase 1 peers (from [Phase 1])
[potsdam]
Phase= 1
Transport= udp
Address= XXX.XXX.XXX.XXX
Configuration= main-mode
ID= my-ID
[my-ID]
ID-type= FQDN
Name= nordost
# IPSEC phase 2 connections (from [Phase 2])
[VPN-nordost-potsdam]
Phase= 2
ISAKMP-peer= potsdam
Configuration= quick-mode
Local-ID= nordost-internal-network
Remote-ID= potsdam-internal-network
# ID sections (as used in [VPN-A-B])
[nordost-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.1.0
Netmask= 255.255.255.0
[potsdam-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.0.0
Netmask= 255.255.0.0
[x509-certificates]
Private-key= /etc/isakmpd/private/nordost.key
[main-mode]
DOI=IPSEC
EXCHANGE_TYPE=ID_PROT
Transforms=AES-256-SHA2-256-GRP14-RSA_SIG
[quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-AES-256-SHA2-256-PFS-GRP14-SUITE
[LIFE_1_DAY]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,79200:93600
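Both isakmpd.conf files above are held together by section names: [Phase 1] and [Phase 2] point at peer and connection sections, which in turn point at ID, main-mode and quick-mode sections, and [x509-certificates] points at the private key created earlier. A misspelled name in any of those values is easy to miss by eye. The following linter is an added example, not code from this page or from OpenBSD; it parses the config layout used above, reports references to sections that do not exist, and checks the private key entry against a caller-supplied map of file modes (so it runs offline instead of reading /etc/isakmpd). The sample config is a trimmed, constructed copy of the dynamic-IP partner config, and the "broken" variant is the same file with one deliberate typo.

```python
"""isakmpd.conf(5) cross-reference linter. Added example, not code from the
page or from OpenBSD: reports references to sections that do not exist."""
import re

# Constructed sample: trimmed copy of the dynamic-IP partner config above (page's XXX placeholder kept).
SAMPLE_CONF = """\
[Phase 1]
XXX.XXX.XXX.XXX= potsdam
[Phase 2]
Connections= VPN-nordost-potsdam
# ISAKMP phase 1 peers (from [Phase 1])
[potsdam]
Phase= 1
Configuration= main-mode
ID= my-ID
[my-ID]
ID-type= FQDN
Name= nordost
[VPN-nordost-potsdam]
Phase= 2
ISAKMP-peer= potsdam
Configuration= quick-mode
Local-ID= nordost-internal-network
Remote-ID= potsdam-internal-network
[nordost-internal-network]
ID-type= IPV4_ADDR_SUBNET
[potsdam-internal-network]
ID-type= IPV4_ADDR_SUBNET
[x509-certificates]
Private-key= /etc/isakmpd/private/nordost.key
[main-mode]
Transforms=AES-256-SHA2-256-GRP14-RSA_SIG
[quick-mode]
Suites=QM-ESP-AES-256-SHA2-256-PFS-GRP14-SUITE
"""
# Constructed broken variant: one misspelled section reference.
BROKEN_CONF = SAMPLE_CONF.replace("Remote-ID= potsdam-internal-network", "Remote-ID= potsdam-internal-net")

def parse_conf(text):
    """Parse '[section]' headers and 'Key= value' lines; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
        elif current is None or "=" not in line:
            raise ValueError(f"line outside a section or without '=': {raw!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def lint(sections, files):
    """Return ERROR/WARNING/INFO findings; `files` maps path -> permission bits (st_mode & 0o777)."""
    findings = []
    def ref(section, key):
        # [section] key= must name a section that exists in this file.
        target = sections.get(section, {}).get(key)
        if target is None:
            findings.append(f"ERROR: [{section}] is missing {key}=")
        elif target not in sections:
            findings.append(f"ERROR: [{section}] {key}= {target} but no [{target}] section exists")
        else:
            return target
        return None

    # [Phase 1]: every value (keyed by peer address, or Default=) names a peer section.
    for key in sections.get("Phase 1", {}):
        peer = ref("Phase 1", key)
        if peer:
            ref(peer, "Configuration")
            ref(peer, "ID")
    # [Phase 2]: every listed connection is a section whose own references resolve.
    for key in ("Connections", "Passive-Connections"):
        for conn in sections.get("Phase 2", {}).get(key, "").replace(",", " ").split():
            if conn not in sections:
                findings.append(f"ERROR: [Phase 2] {key}= {conn} but no [{conn}] section exists")
                continue
            for k in ("Configuration", "Local-ID", "Remote-ID"):
                ref(conn, k)
            # A responder's ISAKMP-peer may name a peer this file never defines (the
            # static-IP config above does), so an undefined one is only a warning.
            peer = sections[conn].get("ISAKMP-peer")
            if peer and peer not in sections:
                findings.append(f"WARNING: [{conn}] ISAKMP-peer= {peer} is not defined in this file")
    # Private key: present, owner-only (the page's script does chmod 600), and
    # paired with the -RSA_SIG transform suffix that selects public key auth.
    key_path = sections.get("x509-certificates", {}).get("Private-key")
    if key_path:
        mode = files.get(key_path)
        if mode is None:
            findings.append(f"ERROR: Private-key {key_path} not found")
        elif mode & 0o077:
            findings.append(f"WARNING: Private-key {key_path} has mode {mode:04o}, expected 0600")
        if not sections.get("main-mode", {}).get("Transforms", "").endswith("-RSA_SIG"):
            findings.append("INFO: Private-key is set but main-mode Transforms lacks -RSA_SIG")
    return findings
```

To run it against a real file, pass `parse_conf(open("/etc/isakmpd/isakmpd.conf").read())` and a dict built from `os.stat(path).st_mode & 0o777` for the key path; the ISAKMP-peer case is deliberately a warning rather than an error because a file-level check cannot tell how isakmpd matches a passive peer at runtime.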
Status check
# ipsecctl -s all
Hints
A reboot will recreate the standard local.key and local.pub files. You can't delete them. :)
The -RSA_SIG Transforms suffix will switch the auth method to public key auth.