OpenBSD | isakmpd | Public key authentication

Prepare OpenBSD

Prepare the network interfaces.

Delete /etc/mygate when the interface gets its address via DHCP.

Create /etc/sysctl.conf.

net.inet.esp.enable=1 # Enable the ESP IPsec protocol
net.inet.ah.enable=1 # Enable the AH IPsec protocol
net.inet.ip.forwarding=1 # Enable IP forwarding for the host.
net.inet.ipcomp.enable=1 # Optional: compress IP datagrams

Create /etc/rc.conf.local

isakmpd_flags="" # Avoid keynote(4) policy checking
ipsec=YES # Load ipsec.conf(5) rules

Some basics

There are three types of ISAKMPD authentication (passphrase, public key, x509 certs). I didn’t use the passphrase method, so I can’t say anything about it. I’ve used the public key method, because I ran into some problems using the cert method on OpenBSD.

Public key authentication – preparing the keys

#!/bin/sh
# Usage: $0 <FQDN> -- creates the RSA key pair isakmpd uses for RSA_SIG authentication
FQDN=$1
[ -n "$FQDN" ] || { echo "usage: $0 FQDN" >&2; exit 1; }

# The private key stays on this host (root-only); the public key, named exactly
# after the FQDN with no suffix, is what the peer installs under pubkeys/fqdn/.
openssl genrsa -out "/etc/isakmpd/private/$FQDN.key" 4096 && \
chmod 600 "/etc/isakmpd/private/$FQDN.key" && \
openssl rsa -in "/etc/isakmpd/private/$FQDN.key" -pubout > "/etc/isakmpd/pubkeys/fqdn/$FQDN"

exit $?

You can create these key pairs on any machine.
Place the keys on the opposite machines: the private $FQDN.key on your $FQDN machine and the public $FQDN key on the other host inside its /etc/isakmpd/pubkeys/fqdn folder.
The public key file name must have no suffix: name it $FQDN only, exactly the string you will use in isakmpd.conf to identify the connection partners later.

isakmpd.policy

Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";

isakmpd.conf on the partner with a static IP (potsdam)


[Phase 1]
Default= dynamicpartners

[Phase 2]
Passive-Connections= VPN-potsdam-nordost

# ISAKMP phase 1 peers (from [Phase 1])

[dynamicpartners]
Phase= 1
Transport= udp
Configuration= main-mode
ID= my-ID

[my-ID]
ID-type= FQDN
Name= potsdam

# IPSEC phase 2 connections (from [Phase 2])

[VPN-potsdam-nordost]
Phase= 2
ISAKMP-peer= nordost
Configuration= quick-mode
Local-ID= potsdam-internal-network
Remote-ID= nordost-internal-network

# ID sections (as used in [VPN-A-B])

[potsdam-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.0.0
Netmask= 255.255.0.0

[nordost-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.1.0
Netmask= 255.255.255.0

[x509-certificates]
Private-key= /etc/isakmpd/private/potsdam.key

[main-mode]
# ATTENTION: THE SUFFIX '-RSA_SIG' ENABLES PUBLIC KEY AUTH METHOD
DOI=IPSEC
EXCHANGE_TYPE=ID_PROT
Transforms=AES-256-SHA2-256-GRP14-RSA_SIG

[quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-AES-256-SHA2-256-PFS-GRP14-SUITE

[LIFE_1_DAY]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,79200:93600

isakmpd.conf on the partner with a dynamic IP (nordost)


[Phase 1]
XXX.XXX.XXX.XXX= potsdam

# 'Phase 2' defines which connections the daemon should establish.
# These connections contain the actual "IPsec VPN" information.

[Phase 2]
Connections= VPN-nordost-potsdam

# ISAKMP phase 1 peers (from [Phase 1])

[potsdam]
Phase= 1
Transport= udp
Address= XXX.XXX.XXX.XXX
Configuration= main-mode
ID= my-ID

[my-ID]
ID-type= FQDN
Name= nordost

# IPSEC phase 2 connections (from [Phase 2])

[VPN-nordost-potsdam]
Phase= 2
ISAKMP-peer= potsdam
Configuration= quick-mode
Local-ID= nordost-internal-network
Remote-ID= potsdam-internal-network

# ID sections (as used in [VPN-A-B])

[nordost-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.1.0
Netmask= 255.255.255.0

[potsdam-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.0.0
Netmask= 255.255.0.0

[x509-certificates]
Private-key= /etc/isakmpd/private/nordost.key

[main-mode]
DOI=IPSEC
EXCHANGE_TYPE=ID_PROT
Transforms=AES-256-SHA2-256-GRP14-RSA_SIG

[quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-AES-256-SHA2-256-PFS-GRP14-SUITE

[LIFE_1_DAY]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,79200:93600

Status check


# ipsecctl -s all

Hints

A reboot will recreate the default local.key and local.pub files. You can’t delete them. :)

The -RSA_SIG suffix on the Transforms line switches the authentication method to public key auth.
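Before starting isakmpd it is worth checking the three things this setup trips over: the -RSA_SIG suffix, the private key path matching the local FQDN, and peer keys stored without a suffix. The script below is an added preflight check written for this post, not code from the post or from OpenBSD; the sample tree it builds is constructed and the key body is a placeholder.

```sh
# Preflight check for an isakmpd RSA_SIG setup (added example, not from the post).
# It checks the pitfalls the post describes: [main-mode] Transforms end in
# -RSA_SIG, the [x509-certificates] Private-key is named <Name>.key for the
# local [my-ID], and every peer key in pubkeys/fqdn/ is a suffix-less PEM key.

# conf_get SECTION TAG FILE: print the value of "Tag= value" inside [SECTION].
conf_get() {
    awk -v sec="[$1]" -v tag="$2" '
        /^\[/ { insec = ($0 == sec); next }
        insec && $0 ~ ("^" tag "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$3"
}

# check_pubkey_setup CONF PUBKEYDIR: print findings, return 0 only if all pass.
check_pubkey_setup() {
    conf=$1; pubdir=$2; rc=0
    transforms=$(conf_get main-mode Transforms "$conf")
    case $transforms in
        *-RSA_SIG) ;;
        *) echo "FAIL: [main-mode] Transforms '$transforms' lacks -RSA_SIG"; rc=1 ;;
    esac
    name=$(conf_get my-ID Name "$conf")
    privkey=$(conf_get x509-certificates Private-key "$conf")
    [ "${privkey##*/}" = "$name.key" ] ||
        { echo "FAIL: Private-key '$privkey' is not named $name.key"; rc=1; }
    for f in "$pubdir"/fqdn/*; do
        [ -e "$f" ] || { echo "FAIL: no peer keys in $pubdir/fqdn/"; rc=1; break; }
        case ${f##*/} in
            *.*) echo "FAIL: ${f##*/} has a suffix; isakmpd looks up the bare FQDN"; rc=1 ;;
        esac
        head -n 1 "$f" | grep -q '^-----BEGIN PUBLIC KEY-----$' ||
            { echo "FAIL: $f is not a PEM public key"; rc=1; }
    done
    return $rc
}

# Constructed sample tree mirroring the post's potsdam host (placeholder key body).
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/pubkeys/fqdn"
cat > "$SAMPLE/isakmpd.conf" <<'EOF'
[my-ID]
Name= potsdam
[x509-certificates]
Private-key= /etc/isakmpd/private/potsdam.key
[main-mode]
Transforms=AES-256-SHA2-256-GRP14-RSA_SIG
EOF
printf '%s\n' '-----BEGIN PUBLIC KEY-----' 'CONSTRUCTED-NOT-A-REAL-KEY' '-----END PUBLIC KEY-----' > "$SAMPLE/pubkeys/fqdn/nordost"
check_pubkey_setup "$SAMPLE/isakmpd.conf" "$SAMPLE/pubkeys" && echo "preflight OK"
```

On a real host, point it at /etc/isakmpd/isakmpd.conf and /etc/isakmpd/pubkeys instead of the sample tree.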
