Configuring OpenBSD IPSEC
=========================

Shanker Balan
http://shankerbalan.com/

Overview
========

See the FreeBSD+IPSEC article. Only the OpenBSD part of the config is described here.

Configuration
=============

###
### /etc/isakmpd/isakmpd.conf
###

[Phase 1]
192.168.1.24= west

[Phase 2]
Connections= east

[west]
Phase= 1
Transport= udp
Address= 192.168.1.24
Configuration= Default-main-mode
Authentication= mekmitasdigoat

[east]
Phase= 2
ISAKMP-peer= west
Configuration= Default-quick-mode
Local-ID= Net-east
Remote-ID= Net-west

[Net-west]
ID-type= IPV4_ADDR
Address= 192.168.1.24

[Net-east]
ID-type= IPV4_ADDR
Address= 192.168.1.95

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= 3DES-SHA

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE

###
### /etc/isakmpd/isakmpd.policy
###

KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees: "passphrase:mekmitasdigoat"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "3des" &&
            esp_auth_alg == "hmac-sha" -> "true";

Start Isakmpd
=============

# isakmpd

###
### /etc/rc.conf.local
###

isakmpd_flags=""

Monitoring And Debugging
========================

openbsd# ifconfig enc0 up
openbsd# tcpdump -i enc0
tcpdump: WARNING: enc0: no IPv4 address assigned
tcpdump: listening on enc0
21:27:50.305857 (authentic,confidential): SPI 0x0ae28b9f: buffy.my-domain.com.ssh > godzilla.my-domain.com.50134: P 2025502368:2025502480(112) ack 3791386398 win 17376 [tos 0x10] (encap)

openbsd# tcpdump -i ne3
tcpdump: listening on ne3
21:28:29.530413 esp buffy.my-domain.com > godzilla.my-domain.com spi 0x0AE28B9F seq 281 len 148 [tos 0x10]
21:28:29.531178 esp godzilla.my-domain.com > buffy.my-domain.com spi 0xEBE01BC8 seq 22 len 84 [tos 0x10]

openbsd# netstat -r -f encap
Routing tables

Encap:
Source                 Port  Destination            Port  Proto  SA(Address/Proto/Type/Direction)
godzilla.my-domain.com 0     buffy.my-domain.com    0     0      192.168.1.24/50/use/in
buffy.my-domain.com    0     godzilla.my-domain.com 0     0      192.168.1.24/50/require/out

Changelog
=========

* Fri Sep 12 15:36:02 IST 2003 - Initial docs
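The isakmpd.conf and isakmpd.policy files in the Configuration section above have to agree with each other: every name on the right of a "Tag= value" line must be an existing section, the Authentication passphrase must appear as a passphrase licensee in the KeyNote policy, and the policy's esp_enc_alg/esp_auth_alg conditions must accept what the quick-mode suite negotiates, otherwise Phase 1 completes but the ESP SA is refused. The Python linter below is an added example written for this page; it is not OpenBSD or isakmpd code. It assumes the "Tag= value" syntax and the [Phase 1] address-to-peer mapping exactly as shown on the page, and its suite-name cross-check (policy "3des" against "3DES", "hmac-sha" against "SHA" in the suite name) is a heuristic of this example, not an isakmpd rule. The sample input is constructed from the page's configuration with a few lines omitted.

```python
"""Linter for an isakmpd.conf / isakmpd.policy pair (added example; not OpenBSD or isakmpd code)."""
import re

# Constructed sample input: the page's configuration, with a few defaulted lines omitted.
SAMPLE_CONF = """\
[Phase 1]
192.168.1.24= west
[Phase 2]
Connections= east
[west]
Phase= 1
Address= 192.168.1.24
Configuration= Default-main-mode
Authentication= mekmitasdigoat
[east]
Phase= 2
ISAKMP-peer= west
Configuration= Default-quick-mode
Local-ID= Net-east
Remote-ID= Net-west
[Net-west]
ID-type= IPV4_ADDR
Address= 192.168.1.24
[Net-east]
ID-type= IPV4_ADDR
Address= 192.168.1.95
[Default-main-mode]
EXCHANGE_TYPE= AGGRESSIVE
Transforms= 3DES-SHA
[Default-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE
"""
SAMPLE_POLICY = """\
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:mekmitasdigoat"
Conditions: app_domain == "IPsec policy" && esp_present == "yes" &&
            esp_enc_alg == "3des" && esp_auth_alg == "hmac-sha" -> "true";
"""


def parse_conf(text):
    """Return {section: {tag: value}} from isakmpd.conf's 'Tag= value' lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is None or "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        else:
            tag, value = line.split("=", 1)
            sections[current][tag.strip()] = value.strip()
    return sections


def lint(sections, policy_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []

    def ref(section, tag, where):
        # Resolve a tag whose value must name another section; report it if it does not.
        name = section.get(tag)
        if name not in sections:
            findings.append("%s: %s= %r does not name an existing section" % (where, tag, name))
        return sections.get(name, {})

    passphrases = set(re.findall(r'"passphrase:([^"]+)"', policy_text))
    for addr in sections.get("Phase 1", {}):
        peer = ref(sections["Phase 1"], addr, "[Phase 1]")
        if not peer:
            continue
        cfg = ref(peer, "Configuration", "[%s]" % sections["Phase 1"][addr])
        psk = peer.get("Authentication")
        if psk is not None and psk not in passphrases:
            findings.append("[%s] Authentication is not a passphrase licensee in isakmpd.policy" % sections["Phase 1"][addr])
        if psk is not None and cfg.get("EXCHANGE_TYPE") == "AGGRESSIVE":
            findings.append("[%s] aggressive mode with a pre-shared passphrase exposes the peer identity "
                            "and the PSK-based hash to any on-path observer; prefer ID_PROT (main mode)" % sections["Phase 1"][addr])
    conns = [c.strip() for c in sections.get("Phase 2", {}).get("Connections", "").split(",") if c.strip()]
    for conn_name in conns:
        conn, where = sections.get(conn_name), "[%s]" % conn_name
        if conn is None:
            findings.append("[Phase 2] Connections names a missing section %s" % where)
            continue
        for tag in ("ISAKMP-peer", "Local-ID", "Remote-ID"):
            ref(conn, tag, where)
        suite = ref(conn, "Configuration", where).get("Suites", "").upper().split("-")
        # Heuristic cross-check (assumption of this example): a KeyNote condition pinning esp_enc_alg or
        # esp_auth_alg must match the suite name ('3des' -> 3DES, 'hmac-sha' -> SHA), or policy refuses the SA.
        for cond, prefix in (("esp_enc_alg", ""), ("esp_auth_alg", "hmac-")):
            for alg in re.findall(r'%s == "([^"]+)"' % cond, policy_text):
                if suite != [""] and alg.replace(prefix, "").upper() not in suite:
                    findings.append("%s: policy accepts only %s %s, which %s does not negotiate"
                                    % (where, cond, alg, "-".join(suite)))
    return findings
```

Run against the sample pair, lint() reports a single finding: the AGGRESSIVE exchange type combined with a pre-shared passphrase, which sends the peer identity unencrypted, so ID_PROT (main mode) is the safer choice where both ends support it. Misspelling Remote-ID, changing the passphrase in only one file, or a policy that pins an algorithm the suite does not offer each produce an additional finding, which is the kind of mismatch that otherwise only shows up as an SA that never appears in `netstat -r -f encap`.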