Prepare OpenBSD
Prepare the network interfaces.
Delete /etc/mygate when using dhcp.
Create /etc/sysctl.conf.
net.inet.esp.enable=1 # Enable the ESP IPsec protocol
net.inet.ah.enable=1 # Enable the AH IPsec protocol
net.inet.ip.forwarding=1 # Enable IP forwarding for the host.
net.inet.ipcomp.enable=1 # Optional: compress IP datagrams
Create /etc/rc.conf.local
isakmpd_flags="" # Avoid keynote(4) policy checking
ipsec=YES # Load ipsec.conf(5) rules
Some basics
There are three types of ISAKMPD authentication (passphrase, public key, x509 certs). I didn’t use the passphrase method, so i can’t say anything about it. Personally I’ve used the public key method, because i run into some problems using the cert method on OpenBSD.
x509 certificate authentication – preparing the certs
Preparing the CA cert.
#!/bin/sh
echo "CREATING CA's PRIVATE KEY..."
openssl genrsa -des3 -out ca.key 4096
echo "CREATING CA'S CERT REQUEST..."
openssl req -new -key ca.key -out ca.req
echo "SELF CERTIFYING... "
openssl x509 -req -days $(($VALIDYEARS * 365)) -in ca.req -signkey ca.key -extfile $SSLDIR/x509v3.cnf -extensions x509v3_CA -out ca.crt
exit $?
Preparing a fqdn cert.
MHD=$(($VALIDYEARS * 365))
echo "GENERATING MY PRIVATE KEY..."
openssl genrsa -out $FQDN.key 4096
echo "GENERATING A CERTIFICATE REQUEST..."
openssl req -new -key $FQDN.key -out $FQDN.req
echo "GENERATING THE CERTIFICATE..."
export CERTFQDN=$FQDN
openssl x509 -req -days $MHD -in $FQDN.req -CA ca.crt -CAkey ca.key -CAcreateserial -extfile $SSLDIR/x509v3.cnf -extensions x509v3_FQDN -out $FQDN.crt
echo "VERIFYING THE CERTIFICATE..."
openssl verify -CAfile ca.crt $FQDN.crt 2>&1 | grep error
if [ $? -eq 0 ]; then
echo "FAILED!"
echo "Possible reason: Your Organization Name should differ from CA's Organization Name."
exit 1;
fi
echo "KEEPING PRIVACY..."
chmod 600 $FQDN.key
echo "SHOW YOUR CERT..."
openssl x509 -in $FQDN.crt -text -noout
exit $?
You can create these certs on any machine.
Place the certs on the opposite machines:
Put the ca.crt into the /etc/isakmpd/ca folders.
The $FQDN.crt files belong into the /etc/isakmpd/certs folders.
isakmpd.policy
Keynote-version:2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";
isakmpd.conf for a static ip partner
[Phase 1]
Default= dynamicpartners
[Phase 2]
Passive-Connections= VPN-potsdam-nordost
# ISAKMP phase 1 peers (from [Phase 1])
[dynamicpartners]
Phase= 1
Transport= udp
Configuration= main-mode
ID= my-ID
[my-ID]
ID-type= FQDN
Name= potsdam
# IPSEC phase 2 connections (from [Phase 2])
[VPN-potsdam-nordost]
Phase= 2
ISAKMP-peer= nordost
Configuration= quick-mode
Local-ID= potsdam-internal-network
Remote-ID= nordost-internal-network
# ID sections (as used in [VPN-A-B])
[potsdam-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.0.0
Netmask= 255.255.0.0
[nordost-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.1.0
Netmask= 255.255.255.0
[x509-certificates]
Accept-self-signed= 1
CA-directory= /etc/isakmpd/ca/
Cert-directory= /etc/isakmpd/certs/
#Private-key= /etc/isakmpd/private/potsdam.key
[main-mode]
# ATTENTION: THE SUFFIX '-RSA_SIG' ENABLES PUBLIC KEY AUTH METHOD
DOI=IPSEC
EXCHANGE_TYPE=ID_PROT
Transforms=AES-256-SHA2-256-GRP14-RSA_SIG
[quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-AES-256-SHA2-256-PFS-GRP14-SUITE
[LIFE_1_DAY]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,79200:93600
isakmpd.conf for a dynamic ip partner
[Phase 1]
XXX.XXX.XXX.XXX= potsdam
# 'Phase 2' defines which connections the daemon should establish.
# These connections contain the actual "IPsec VPN" information.
[Phase 2]
Connections= VPN-nordost-potsdam
# ISAKMP phase 1 peers (from [Phase 1])
[potsdam]
Phase= 1
Transport= udp
Address= XXX.XXX.XXX.XXX
Configuration= main-mode
ID= my-ID
[my-ID]
ID-type= FQDN
Name= nordost
# IPSEC phase 2 connections (from [Phase 2])
[VPN-nordost-potsdam]
Phase= 2
ISAKMP-peer= potsdam
Configuration= quick-mode
Local-ID= nordost-internal-network
Remote-ID= potsdam-internal-network
# ID sections (as used in [VPN-A-B])
[nordost-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.1.0
Netmask= 255.255.255.0
[potsdam-internal-network]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.0.0
Netmask= 255.255.0.0
[x509-certificates]
Accept-self-signed= 1
CA-directory= /etc/isakmpd/ca/
Cert-directory= /etc/isakmpd/certs/
#Private-key= /etc/isakmpd/private/nordost.key
[main-mode]
DOI=IPSEC
EXCHANGE_TYPE=ID_PROT
Transforms=AES-256-SHA2-256-GRP14-RSA_SIG
[quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-AES-256-SHA2-256-PFS-GRP14-SUITE
[LIFE_1_DAY]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,79200:93600
Status check
# ipsecctl -s all
My problem
It’s important that the certs contain a subjectAltName value that corresponds exactly with your $FQDN value. The cert $FQDN creation command includes the x509v3.cnf file who refers to an environment variable named $CERTFQDN. Thats the reason why my creation script runs the export CERTFQDN=$FQDN command. Unfortunately on my OpenBSD version 6.7 the openssl command whó creates the cert does ignore my exported $CERTFQDN env variable. In result the prepared cert contains a subjectAltName value but it was set to nohost.nodomain. This causes the authentication process to fail, the opposite site got my ID but could not identify/find the proper corresponding cert. I’ve had to tune the x509v3.cnf for every creation process.
My recommendation
Use the public key auth method if this is possible in your environment, its much more easy to implement.
Hints
A reboot will recreate these local.key and local.pub standard files. You can’t delete them. :)
The -RSA_SIG Transforms suffix will switch the auth method to x509.
bytes and bones 