After receiving a mail from Ed Hintz (sent to the GB Users list) on his
successful implementation of a VPN between GB & OpenBSD, I decided to give
it a go myself. I've expanded on Ed's original mail and included further
configuration information. For those that are having difficulty negotiating
a VPN connection between a GB unit and another VPN implementation, ask your
local GB support technician how to get the debugging information logged; it
comes in very handy !!
This isn't foolproof, and it doesn't use the mobile protocol (to the best
of my knowledge).
On the GB side,
Create an object (called InternalNet) that contains the IP range of the
machines within the PROtected network of the GB.
Create an object (called VPNClients) that contains a list of public IPs
that are allowed to initiate a VPN connection to THIS GB.
Create an object (called RemoteNetworkRange) that contains the IP range of
the REMOTE network (i.e. the machines BEHIND the OpenBSD box). Typical
values are 10.0.0.0/8 or 192.168.0.0/24.
Create a VPN object (called OBSDVPNObject) with the following properties :
Name : OBSDVPNObject
Description : { Create your own }
Require Mobile Authentication : "Unchecked"
Force Mobile Protocol : "Unchecked"
Local Gateway : EXTERNAL
Local Network : InternalNet
Phase 1
Exchange Mode : Main
Hash algorithm : hmac-md5
Encryption Method : 3des
Key Group : any
Phase 2
Hash algorithm : hmac-sha1
Encryption Method : 3des
Key Group : any
Create a VPN (listed under the Authorization section) with the following :
Key Exchange : IKE
Description : { Set your own }
Identity : { Leave this blank }
VPN Object : OBSDVPNObject
Remote Gateway : { Public IP Address of the OpenBSD machine }
Remote Network : RemoteNetworkRange
Preshared secret :
Type : ASCII
Value : MYSHAREDSECRET
{ Any printable ASCII value should work here, but alphanumeric
characters are safe }
Create Remote access filters :
#1
Description : Allow incoming ESP
Type : Accept
Interface : External
Protocol : ESP
Actions : { Leave all unchecked }
Priority : { as required }
Log : { as required }
Source Address : VPNClients
Source Port : { Leave empty }
Destination Address : External
Destination Port : { Leave empty }
#2
Description : Allow IPsec negotiation
Interface : External
Protocol : UDP
Type : Accept
Actions : { Leave all unchecked }
Priority : { as required }
Log : { as required }
Source Address: VPNClients
Source Port : 500
Destination Address : External
Destination Port : 500
I added the following RAF for testing, but I'm not convinced I need it
anymore.
#3
Description : Allow AH protocol
Interface : External
Protocol : AH
Type : Accept
Actions : { Leave all unchecked }
Priority : { as required }
Log : { as required }
Source Address: VPNClients
Source Port : { Leave empty }
Destination Address : External
Destination Port : { Leave empty }
Create IP Pass Through filters as policy dictates. I currently have the
following, which allow everything to go both ways :
#1
Description : Allow inbound connections
Interface : External
Protocol : ALL
Type : Accept
Actions : { Leave all unchecked }
Priority : { as required }
Log : { as required }
Source Address: RemoteNetworkRange
Source Port : { Leave empty }
Destination Address : InternalNet
Destination Port : { Leave empty }
#2
Description : Allow outbound connections
Interface : Protected
Protocol : ALL
Type : Accept
Actions : { Leave all unchecked }
Priority : { as required }
Log : { as required }
Source Address: InternalNet
Source Port : { Leave empty }
Destination Address : RemoteNetworkRange
Destination Port : { Leave empty }
No inbound tunnels (NAT), or Hosts/Networks (IP Pass Through) entries are
defined.
On the OBSD side :
Edit the /etc/rc.conf file, and uncomment/add the following lines :
isakmpd_flags="" # Enables the use of the ISAKMPD daemon
pf=YES # Enables packet filtering, NAT within the kernel
pf_rules=/etc/pf.conf # The configuration file for packet filtering
nat_rules=/etc/nat.conf # The configuration file for NATing private machines to the net
Edit the /etc/sysctl.conf file, and uncomment/add the following lines :
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
net.inet.esp.enable=1 # 1=Enable the ESP IPsec protocol
The following lines exist in my configuration, but I don't think they're
required
net.inet.ipcomp.enable=1 # 1=Enable the IPCOMP protocol
net.inet.ah.enable=1 # 1=Enable the AH IPsec protocol
net.key.prefered_oldsa=1 # 1=Prefer the older of two matching SAs (note OpenBSD's spelling of this sysctl)
The contents of the following file are stripped down from Ed's original
post. Create the following file called /etc/isakmpd/isakmpd.policy
KeyNote-Version: 2
Comment: This policy accepts any IPsec initiations from external IPs
The contents of the following file define the phase 1 & 2 negotiations.
Note the spacing (space characters, no tabs), and watch for any trailing
spaces on these lines; isakmpd doesn't like them. Store this file in
/etc/isakmpd/isakmpd.conf
[General]
Listen-on= 123.124.125.126
# Replace this IP with the External (public) IP on the OBSD machine
Shared-SADB= Defined
[Phase 1]
147.148.149.150= ISAKMP-peer-west
#Replace this IP with the External (public) IP on the GB device
[Phase 2]
Connections= IPsec-east-west
[ISAKMP-peer-west]
Phase= 1
Transport= udp
Address= 147.148.149.150
Configuration= Default-main-mode
Authentication= MYSHAREDSECRET
# This authentication entry MUST match the shared ASCII key you set in the
GB configuration (the Preshared secret Value above)
[IPsec-east-west]
Phase= 2
ISAKMP-peer= ISAKMP-peer-west
Configuration= Default-quick-mode
Local-ID= Host-east
Remote-ID= Host-west
[Host-east]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.0.0
Netmask= 255.255.255.0
# Host-east is the Local-ID, so replace the above two lines with the network
& netmask of the machines on the PROtected network of the OBSD machine (the
same private range used in /etc/nat.conf below)
[Host-west]
ID-type= IPV4_ADDR_SUBNET
Network= 10.1.0.0
Netmask= 255.255.0.0
# Host-west is the Remote-ID, so replace the above two lines with the network
& netmask of the machines on the PROtected network of the GB (the range in the
InternalNet object). The Network address must be aligned to the Netmask.
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-MD5
FLAGS=
# The line above has some white space, then a CR/LF
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
ENCAPSULATION_MODE= TUNNEL
SUITES= QM-ESP-3DES-SHA-SUITE
FLAGS=
# Again, the line above just has some white space
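As an added check (this is not part of the post and not isakmpd's own code), here is a small Python linter for an isakmpd.conf laid out like the one above: it flags the tab and trailing-space problems mentioned above, follows the Phase 1 / Phase 2 / ISAKMP-peer / Configuration / Local-ID / Remote-ID references between sections, verifies that each Phase 1 entry's IP matches its peer section's Address, checks that each Network/Netmask pair is aligned, and compares the Authentication value with the preshared secret entered on the GB. The sample config is constructed, with several of those mistakes planted so the checks have something to find.

```python
import ipaddress
# Constructed sample in the post's isakmpd.conf layout with planted mistakes: a tab, a trailing
# blank, a peer Address unlike its Phase 1 entry, a secret unlike the GB side, an unaligned subnet.
SAMPLE = "\n".join([
    "[Phase 1]", "147.148.149.150= ISAKMP-peer-west", "[Phase 2]", "Connections= IPsec-east-west",
    "[ISAKMP-peer-west]", "Phase= 1", "Address= 147.148.149.151", "Configuration= Default-main-mode",
    "Authentication= MYSHAREDKEY ", "[IPsec-east-west]", "Phase= 2", "ISAKMP-peer= ISAKMP-peer-west",
    "\tConfiguration= Default-quick-mode", "Local-ID= Host-east", "Remote-ID= Host-west",
    "[Host-east]", "ID-type= IPV4_ADDR_SUBNET", "Network= 192.168.0.0", "Netmask= 255.255.255.0",
    "[Host-west]", "ID-type= IPV4_ADDR_SUBNET", "Network= 10.1.1.0", "Netmask= 255.255.0.0",
    "[Default-main-mode]", "Transforms= 3DES-MD5", "[Default-quick-mode]", "FLAGS=  ",
])

def parse(text):
    """Read 'Key= Value' sections; flag tabs, and trailing blanks after a non-empty value."""
    sections, issues, cur = {}, [], "General"
    for n, raw in enumerate(text.splitlines(), 1):
        if "\t" in raw:
            issues.append(f"line {n}: tab character (isakmpd wants spaces)")
        line = raw.strip()
        if line.startswith("["):
            cur = line.strip("[]")
        elif line and not line.startswith("#"):
            key, _, value = line.partition("=")
            if raw != raw.rstrip() and value.strip():  # an empty FLAGS= may end in blanks
                issues.append(f"line {n}: trailing whitespace after {key.strip()!r}")
            sections.setdefault(cur, {})[key.strip()] = value.strip()
    return sections, issues

def check(sections, gb_secret):
    """Cross-reference sections as isakmpd resolves them; compare the secret with the GB entry."""
    problems = []
    for ip, peer in sections.get("Phase 1", {}).items():
        p = sections.get(peer, {})
        if p.get("Address") != ip:
            problems.append(f"[{peer}] Address {p.get('Address')} != Phase 1 entry {ip}")
        if p.get("Authentication") != gb_secret:
            problems.append(f"[{peer}] Authentication differs from the GB preshared secret")
    for conn in sections.get("Phase 2", {}).get("Connections", "").split(","):
        c = sections.get(conn.strip(), {})
        for ref in ("ISAKMP-peer", "Configuration", "Local-ID", "Remote-ID"):
            if c.get(ref) not in sections:
                problems.append(f"[{conn.strip()}] {ref}= {c.get(ref)} has no matching section")
    for name, s in sections.items():
        if s.get("ID-type") == "IPV4_ADDR_SUBNET":
            try:  # strict=True rejects a network with host bits set for its netmask
                ipaddress.ip_network(f"{s.get('Network')}/{s.get('Netmask')}")
            except ValueError:
                problems.append(f"[{name}] Network {s.get('Network')} is not aligned to Netmask")
    return problems
```

Run it as `parse(open("/etc/isakmpd/isakmpd.conf").read())` followed by `check(sections, "<the GB preshared secret>")` before starting isakmpd; an empty result from both means the file is at least internally consistent with the GB side.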
The following information is from /etc/nat.conf
nat on ep1 from 192.168.0.0/24 to any -> ep1
# Replace ep1 with the EXT interface on the OBSD box
# Replace the network/mask with the private IP range BEHIND the OBSD box
When testing packet filtering, the simplest thing to do is have only the
following two lines in /etc/pf.conf :
pass in log all
pass out log all
To view the log file that this configuration generates run :
tcpdump -n -e -ttt -r /var/log/pflog |less
pflogd is the logging daemon for the packet filter. It needs to be running
if you want the log to be created.
When all the configuration files have been saved, check that the isakmpd
daemon is not running (use ps to check). From a command line, run :
isakmpd -d -DA=##
where ## is a number between 0 & 99, the higher the number, the more
debugging information you get.
Generally, this configuration is quite weak in terms of the packet
filtering between the two networks, but it's safer to allow everything
through and tighten it up once it's all working.
Hope someone finds this useful !!
Simon Delicata
********************************************************************************
Simon Delicata
Planer plc, 110 Windmill Road,
Sunbury-on-Thames, Middlesex, UK, TW16 7HD
Tel: +44 01932 755064
Fax: +44 01932 755063
E-Mail: [EMAIL PROTECTED]
Home Page: http://www.planer.co.uk
********************************************************************************