On Thu, Dec 07, 2006 at 11:08:40PM +0100, misc(at)openbsd.org wrote:
> I want to replace my linux firewall/vpn-server with an openbsd 4.0
> installation. My problem is that the linux server is a vpn-endpoint
> with two draytek vigor 2900. At the moment I'm looking for a
> vpn-documentation (or a howto) for ipsec and openbsd 4.0.
> Does somebody have a link for me? The man-pages didn't help me out (I'm
> using strongswan at the moment, it looks like there are many
> differences).
OpenBSD 4.0 includes the ipsecctl interface, which makes life much easier
for the majority of cases, such as basic IPSEC tunnel mode setups. Try
this as a starting point (*):

http://www.securityfocus.com/infocus/1859

One difference to note between Linux and OpenBSD is the handling of
policy. OpenBSD's approach is IMO a lot simpler and cleaner. If you want
to enforce that certain traffic is (or is not) encrypted you just do this
using pf rules, since encrypted traffic appears to go in and out of the
'enc0' pseudo-interface.

So whereas Linux has both a Security Policy Database and a Security
Association Database in the kernel, I believe (and someone please correct
me if I'm wrong) that the OpenBSD kernel has only an SAD. You put your
policy into ipsecctl, which passes it on to isakmpd, and isakmpd
negotiates keys and sticks them in the SAD.

For a typical VPN setup which says "everything which comes in via IPSEC
is trusted" the pf policy is very simple.

Regards,

Brian.

(*) There are a few errors in this article. What you actually need in
/etc/rc.conf or /etc/rc.conf.local is

  isakmpd_flags="-K"    # I use "-K -4" to disable IPv6
  ipsec="YES"
  pf="YES"

There's no need to stick anything in /etc/rc.local
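The split Brian describes (policy in ipsec.conf for ipsecctl, trust and "must be encrypted" decisions in pf rules on enc0) as an added configuration example. This is not from the thread, the SecurityFocus article or the OpenBSD project; every address, network, interface name and the pre-shared key are constructed placeholders, and the transform and rule syntax is my recollection of the 4.0-era ipsec.conf(5), pf.conf(5) and enc(4), so check it against the manpages of the release you run.

```conf
# --- /etc/ipsec.conf : policy handed to isakmpd by ipsecctl(8) ---
# Constructed example: this gateway is 192.0.2.1 with LAN 10.0.1.0/24,
# the remote gateway is 192.0.2.2 with LAN 10.0.2.0/24.
peer       = "192.0.2.2"
local_net  = "10.0.1.0/24"
remote_net = "10.0.2.0/24"

# Tunnel-mode ESP between the two LANs; isakmpd(8) negotiates the keys
# and installs them in the SAD. The PSK is a placeholder; keep the file
# mode 0600 because it holds the secret.
ike esp from $local_net to $remote_net peer $peer \
    main  auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes \
    psk "REPLACE-WITH-A-LONG-RANDOM-SECRET"

# --- /etc/pf.conf : the policy part that Linux keeps in the kernel SPD ---
ext_if     = "em0"           # placeholder outside interface
peer       = "192.0.2.2"
local_net  = "10.0.1.0/24"
remote_net = "10.0.2.0/24"

block log all                # default deny; add rules for the LAN side as needed

# IKE (UDP 500, 4500 for NAT-T) and ESP only between the two gateways.
pass in  quick on $ext_if proto udp from $peer to ($ext_if) port { 500, 4500 } keep state
pass out quick on $ext_if proto udp from ($ext_if) to $peer port { 500, 4500 } keep state
pass in  quick on $ext_if proto esp from $peer to ($ext_if)
pass out quick on $ext_if proto esp from ($ext_if) to $peer

# Decrypted tunnel traffic shows up on enc0; "everything via IPSEC is trusted"
# is expressed here, and can be narrowed to specific ports later.
pass in  quick on enc0 proto ipencap from $peer to ($ext_if) keep state
pass in  quick on enc0 from $remote_net to $local_net keep state
pass out quick on enc0 from $local_net to $remote_net keep state

# Enforce encryption: inter-LAN traffic must never cross $ext_if in the clear.
# If the tunnel is down these log entries are the symptom to look for.
block out log quick on $ext_if from $local_net to $remote_net
block in  log quick on $ext_if from $remote_net to $local_net
```

Both files can be syntax-checked without loading them, with `ipsecctl -n -f /etc/ipsec.conf` and `pfctl -n -f /etc/pf.conf`. The explicit `keep state` reflects the 4.0-era default of stateless rules; the last two block rules are what turns "traffic to the other site is encrypted" from an assumption into something pf actually enforces and logs when it fails.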

