On 2017-01-02, Peter Fraser <[email protected]> wrote:
> A charity that I support has been having trouble with its internet provider
> (Rogers).
> The problem I have is that Rogers is the only supplier that is available that
> will give a fixed IP address.
>
> I want the fixed IP address so I don't have to drive there to fix problems.
>
> It occurred to me that if I could get a VPN set up automatically when their
> OpenBSD firewall boots, I could then use the VPN to reach back into their
> computer.
>
> Having never set up a VPN using OpenBSD I started by reading, and I was left
> very confused.
>
> I came up with:
>
> On my firewall I have /etc/ipsec.conf
>
> ike passive from egress to 192.168.254/24 peer 192.168.254.1 srcid thinkage.ca dstid kwaccessability.ca tag ipsec-kwa
> ike passive from 192.102.11.0/24 to 192.168.254.0/24 peer 192.168.254.1 srcid thinkage.ca dstid kwaccessability.ca tag ipsec-kwa
Because you don't know the other side's IP address, use "to any" here
to set it as the "default peer", i.e. the peer that matches traffic from a
destination where you don't have a specific IP configuration in isakmpd.conf.
Remove "peer 192.168.254.1".
Don't rely on shortcuts like 192.168.254/24, use the proper 192.168.254.0/24.
It might not be a problem but it's something else to go wrong (or something that
might work now but go wrong later). Not worth the typing saving.
So I'd try something like
ike passive from {egress, 192.102.11.0/24} to any srcid thinkage.ca dstid kwaccessability.ca tag ipsec-kwa
> on their firewall
>
> ike from egress to 192.102.11/24 peer 192.102.11.1 srcid kwaccessability.ca dstid thinkage.ca tag ipsec-kwa
> ike from 192.168.254/24 to 192.102.11/24 peer 192.102.11.1 srcid kwaccessability.ca dstid thinkage.ca tag ipsec-kwa
>
> I also opened up the firewall to allow packets in from both networks without
> restrictions, something I will have to clean up later.
>
> On both systems I have isakmpd_flags=-K -v -D A=10
After reading code and trying things out I settled on using this as my
standard config for systems where I'm interested in getting logging out of
isakmpd:
isakmpd_flags="-Kv -D0=29 -D1=49 -D2=10 -D3=30 -D5=20 -D6=30 -D8=30 -D9=30 -D10=20"
Then if there's something particular I need to look at I'll bump that
area's logging based on looking at the source code.
> Because of some of the readings I also put "up" into /etc/hostname.enc0 on
> both systems.
Not needed.
> When I try to start isakmpd on the remote system I get only a message about
> privilege dropping.
Are you doing anything funny with logging setup?
Are you actually loading ipsec.conf (ipsec=YES in rc.conf.local or manually
running ipsecctl -f /etc/ipsec.conf)?
> Jan 2 16:24:00 gateway isakmpd[71980]: ipsec_get_id: invalid section
> to-192.168.254/24 network 192.168.254
That might be connected with your truncated IP addresses.
> Jan 2 16:24:00 gateway isakmpd[71980]: connection_init: could not record
> passive connection "from-ste0-to-192.168.254/24"
ste, not my favourite nic ;)