Hello!
I'm trying to build a road-warrior-style IKEv2 IPsec VPN for my home
network on OpenBSD. The idea is to learn a bit of OpenBSD, since it's
something I've been meaning to do for some time now, and to set up
a VPN for me to reach my home network as securely as possible
(even if I need to compromise some compatibility, although
macOS/iOS and Linux/Android support is required).
I'm just starting with OpenBSD from a Linux background, and I have an idea
of how IPsec works, but I don't have a deep understanding of the
protocol, nor do I have a strong networking background.
I'm using OpenIKED (which I assume is the standard for IKEv2 on
OpenBSD), and I've read the man pages for iked, iked.conf and ikectl.
For setting the VPN up I have some questions, as follows:
I've chosen the ecdsa ecp256 cipher, and I'll be using either aes-256 with
hmac-sha2-512 or aes-256-gcm.
* Do you believe these fit my requirements, i.e. that they are currently
  believed to be the most secure and are supported by the systems I
  mentioned earlier? What about AES + HMAC vs. AES-GCM?
About the certificates used: I assume I can't use the ikectl ca command to
issue certificates, since it doesn't seem to support ECDSA (please
correct me if I'm wrong), so I copied some issued by an easy-rsa CA, as
well as the keys, to /etc/iked/{private,certs} and the CA to
/etc/iked/ca/ca.crt.
* Is this enough to make it work?
* And does the CN of the cert have to be that user's IP address in
  the network? Do they need some other setting?
I have the following iked.conf:
> ikev2 "base" from any to any \
> peer any \
> ikesa enc aes-256 auth hmac-sha2-512 group ecp256 \
> childsa enc aes-256 auth hmac-sha2-512 group ecp256 \
> ecdsa256 \
> config address <home-vpn-address-range> \
> config name-server <home-dns> \
> config access-server <home-gw>
* Does this seem to configure iked correctly for my requirements?
* Do I need to set any rules in pf.conf or change some other system
  setting apart from enabling IP forwarding and ESP/AH in sysctl?
* BTW, do I need something else, like the MOBIKE I keep hearing about,
  since it's a road-warrior-style VPN? If so, how should I configure it?
Thank you for your help.
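Added example, not from the original post and not OpenIKED's own code: one way to lay out the server side of a road-warrior setup like the one asked about above. A small sh script renders the three pieces that have to agree with each other (the iked.conf policy, the pf rules that let IKE, NAT-T and ESP in and pass the decrypted traffic on enc0, and the sysctl lines), syntax-checks them with `iked -n` and `pfctl -nf` when run on an OpenBSD host, and installs them idempotently. The address pool 10.0.10.0/24, the LAN 192.168.1.0/24, the resolver and gateway 192.168.1.1, the srcid vpn.example.com and the file name /etc/pf.roadwarrior.conf are all assumptions; the cipher choices mirror the poster's aes-256 / hmac-sha2-512 / ecp256 / ecdsa256 rather than endorsing them, and using `from 0.0.0.0/0 to <pool>` instead of `from any to any` is this example's choice.

```shell
#!/bin/sh
# Added example (not the poster's or OpenIKED's code): render, check and
# install the server side of a road-warrior iked setup on OpenBSD.
# Every site value below is an assumption; override via the environment.
set -eu

VPN_POOL="${VPN_POOL:-10.0.10.0/24}"     # assumed pool handed out to clients
HOME_NET="${HOME_NET:-192.168.1.0/24}"   # assumed LAN behind the gateway
HOME_DNS="${HOME_DNS:-192.168.1.1}"      # assumed resolver pushed to clients
HOME_GW="${HOME_GW:-192.168.1.1}"        # assumed access-server value
SRCID="${SRCID:-vpn.example.com}"        # assumed; must appear in the server cert
ROOT="${ROOT:-}"                         # install prefix; point at a temp dir to test

render_iked_conf() {
    # passive: clients initiate; esp tunnel mode; flows are narrowed to the
    # address iked assigns each client from $VPN_POOL.
    cat <<EOF
ikev2 "roadwarrior" passive esp \\
        from 0.0.0.0/0 to $VPN_POOL \\
        peer any \\
        ikesa enc aes-256 auth hmac-sha2-512 group ecp256 \\
        childsa enc aes-256 auth hmac-sha2-512 group ecp256 \\
        srcid $SRCID \\
        ecdsa256 \\
        config address $VPN_POOL \\
        config name-server $HOME_DNS \\
        config access-server $HOME_GW
EOF
}

render_pf_rules() {
    # Fragment meant to be pulled in with 'include "/etc/pf.roadwarrior.conf"'
    # (assumed file name) from pf.conf, after the block rule.
    cat <<EOF
# IKE (500/udp), NAT-T (4500/udp) and raw ESP must reach iked
pass in on egress proto udp to (egress) port { 500 4500 }
pass in on egress proto esp to (egress)
# decrypted tunnel traffic appears on enc0; keep per-interface state
pass on enc0 keep state (if-bound)
# clients in the pool reach $HOME_NET directly and the internet via NAT
match out on egress inet from $VPN_POOL nat-to (egress)
EOF
}

render_sysctl() {
    cat <<EOF
net.inet.ip.forwarding=1
net.inet.esp.enable=1
net.inet.ah.enable=1
EOF
}

check_configs() {
    # Syntax-check before going live. iked(8) -n is config-test mode and
    # pfctl -nf parses without loading; both exist only on an OpenBSD host,
    # so elsewhere nothing is checked and the function returns 0.
    if command -v iked >/dev/null 2>&1; then iked -n -f "$1" || return 1; fi
    if command -v pfctl >/dev/null 2>&1; then pfctl -nf "$2" || return 1; fi
    return 0
}

install_all() {
    d="$ROOT/etc"
    mkdir -p "$d"
    render_iked_conf > "$d/iked.conf"
    chmod 600 "$d/iked.conf"            # the policy names key/cert paths; keep it private
    render_pf_rules > "$d/pf.roadwarrior.conf"
    touch "$d/sysctl.conf"
    # append each sysctl line only if it is not already there (idempotent)
    render_sysctl | while read -r line; do
        grep -qxF "$line" "$d/sysctl.conf" || printf '%s\n' "$line" >> "$d/sysctl.conf"
    done
    check_configs "$d/iked.conf" "$d/pf.roadwarrior.conf"
}

case "${1:-show}" in
    show)    render_sysctl; echo; render_pf_rules; echo; render_iked_conf ;;
    install) install_all ;;
    *)       echo "usage: $0 [show|install]" >&2; exit 2 ;;
esac
```

Run it with no argument to review the rendered pieces, then `ROOT=/tmp/stage sh setup.sh install` to check them in a staging tree, and finally as root with `ROOT=` unset; afterwards the pf fragment still has to be included from pf.conf and the settings applied with `sysctl net.inet.ip.forwarding=1`, `pfctl -f /etc/pf.conf` and `rcctl enable iked && rcctl start iked`.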