On 2012-06-02 19:56, Sebastian Rother wrote:
> 2. You installed zip but I see no step where it is used. So why did you
> install zip? Please provide the steps as well to make the HowTo
> more complete.
Without the zip package, when you export the certificates, you will get
a .tar.gz file, not a zip.
And inside, there are several sorts of certificate.
On Windows 7, using .pfx is enough.
> 3. Configuration files like the pf.conf are incomplete. This might be
> beneficial for new users of OpenBSD. Please complete the examples
> because I think that is something new users will find very
> beneficial.
For new users, it is enough:
workstations located on the 'lan' side can use the INTERNET (all are open
in and out).
On the web, we can access the box using ssh or vpn.
SSH can be filtered using the file sshd.conf (with Match keywords...).
> 4. The PF rules do not look good to me.
>
> pass in on egress proto {ah,esp}
> pass in on egress proto udp from any to any port {500,4500}
> pass in on egress proto tcp from any to any port 22
>
> If I understand PF correctly you allow ah/esp packets to any port.
> Furthermore you allow any source address to contact port 500 and 4500.
> I ain't totally sure right now but I would use:
>
> pass in on egress proto {udp,ah,esp} from any to any port {500,4500}
It is just to understand how things work. It is not a tutorial on PF.
Effectively, we can put:

admin="ff.gg.hh.ii"
set block-policy drop
set skip on {lo enc0}
match out on egress from lan:network to any nat-to egress
block log all
pass in on egress proto tcp from $admin to any port 22
pass in on egress proto udp from any to any port {500,4500}
pass in on egress proto {ah,esp}
> 5. I would assume it would be handy to provide screenshots for the
> Windows 7 part.
Import certificates:
Use mmc / Certificates snap-in / import ca.pfx into "trusted root
certification authorities".
Use mmc / Certificates snap-in / import win7.pfx into "Personal".
> 6. Maybe a DHCP example would also be nice.

Of course.
> 7. Maybe you like to enhance the example to a site-to-site VPN example
> including road warriors at one branch office. I am sure that is a
> very common scenario. I am not right sure if iked accepts hostnames
> as well so home users with a dyndns client could use your setup as
> well. But I ain't sure if OpenBSD allows this.
Site-to-site, why not use isakmpd -K with the conf file
/etc/ipsec.conf?
> Except this it is a nice and short HowTo. You might consider to
> http://www.openbsdsupport.org/ because I assume several people will
> appreciate your HowTo.
> I like to thank you for your time which was needed to figure out each
> step and providing a HowTo for everybody even it might be uncommon that
> a CEO is tech-aware nowadays. :-)
Thank you very much. ;-)
--
Wesley MOUEDINE ASSABY
wesley[at] mouedine [dot] net
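To illustrate point 4 of the thread (ESP/AH versus UDP 500/4500, and restricting SSH to the admin address), here is a fuller pf.conf for an OpenBSD iked road-warrior gateway. It is an added example and is not the HowTo's or the thread participants' own configuration. It assumes 'egress' is the Internet-facing interface group, 'lan' is the inside interface, ff.gg.hh.ii stands in for the administrator's fixed address, and 10.0.1.0/24 is a constructed pool that iked assigns to VPN clients. Note that ESP and AH are IP protocols without port numbers, so a 'port' keyword cannot be combined with them in pf; only the IKE exchange (UDP 500 and 4500) carries ports.

```conf
# Added example, not from the original post or the HowTo it discusses:
# a fuller pf.conf for an OpenBSD iked road-warrior gateway.
# Assumptions: 'egress' is the Internet-facing interface group, 'lan' is the
# inside interface, ff.gg.hh.ii is a placeholder for the admin's fixed
# address, and 10.0.1.0/24 is a constructed pool assigned to VPN clients.
admin    = "ff.gg.hh.ii"
vpn_pool = "10.0.1.0/24"

set block-policy drop
# Packets that iked has already decrypted appear on enc0; skipping enc0
# means they are filtered once, on lan or egress, instead of twice.
set skip on { lo enc0 }

# Default deny, logged to pflog0 so rejected connection attempts can be
# reviewed with: tcpdump -n -e -ttt -i pflog0
block log all

# NAT for the LAN and for VPN clients that go out to the Internet via the box.
match out on egress inet from { lan:network, $vpn_pool } to any nat-to (egress)

# IKEv2: UDP 500 (IKE) and 4500 (NAT-T). Road warriors have unknown
# source addresses, so 'from any' is unavoidable here; the exposure is
# limited to iked, which authenticates peers before any tunnel is created.
pass in on egress inet proto udp from any to (egress) port { 500, 4500 }

# ESP and AH carry the tunnel itself. They are IP protocols, not TCP/UDP,
# so they have no port numbers and pf rejects a 'port' keyword with them.
pass in on egress inet proto { esp, ah } from any to (egress)

# Management: SSH only from the administrator's fixed address.
pass in on egress inet proto tcp from $admin to (egress) port 22

# LAN workstations out to the Internet, VPN clients into the LAN.
pass in on lan inet from lan:network to any
pass out on lan inet from $vpn_pool to lan:network
pass out on egress inet
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; pfctl parses without applying, which is where a stray port on an ESP/AH rule would be reported.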