Re: OpenBSD IPSec setup

2017-06-30 Thread Rupert Gallagher
Oh no, he really wanted to know why you are not using openvpn instead. I'd say because I can transfer at 1GBps with ipsec, without the bugs of openvpn...

Sent from ProtonMail Mobile

On Fri, Jun 30, 2017 at 9:20 PM, Rupert Gallagher wrote:
> I think he wanted to know why

Re: OpenBSD IPSec setup

2017-06-30 Thread Rupert Gallagher
I think he wanted to know why you are still using ipsec/IKEv1 (/etc/ipsec.conf) instead of ipsec/IKEv2 (/etc/iked.conf).

Sent from ProtonMail Mobile

On Thu, Jun 29, 2017 at 12:59 PM, Marko Cupać wrote:
> On Thu, 29 Jun 2017 12:32:01 +0200 Luescher Claude wrote:
> > Why are

Re: OpenBSD IPSec setup

2017-06-29 Thread Jasper Siepkes
I know I'm venturing off topic but I can't resist. I'll go for OpenBSD with IPSec any day. Only last week OpenVPN had a security fallout: https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243 One of these exploits even has a high probability of being remotely exploitable.

Re: OpenBSD IPSec setup

2017-06-29 Thread Marko Cupać
On Thu, 29 Jun 2017 12:32:01 +0200 Luescher Claude wrote:
> Why are you using ipsec in the 21st century:

Because it is in OpenBSD base. Because, at least on OpenBSD, it integrates great with the rest of the networking ecosystem (carp, sasync, ospf, pf etc.) Because it pays my

Re: OpenBSD IPSec setup

2017-06-29 Thread Daniel Gracia
My two cents:

* IPsec hardware crypto is supported for a lot more platforms than OpenVPN out of the box, so IPsec tends to be noticeably faster. i.e., a UBNT EdgeRouter Lite will give me about 20Mbps over OpenVPN vs almost 1Gbps (line rate) over IPsec.
* IPsec code in OpenBSD is audited, OpenVPN

Re: OpenBSD IPSec setup

2017-06-29 Thread Philipp Buehler
On 29.06.2017 12:32 Luescher Claude wrote:
> Why are you using ipsec in the 21st century:
> https://serverfault.com/questions/202917/openvpn-vs-ipsec-pros-and-cons-what-to-use

just a week after four CVEs (incl RCE) in openvpn? Great.

-- pb

Re: OpenBSD IPSec setup

2017-06-29 Thread Luescher Claude
Why are you using ipsec in the 21st century: https://serverfault.com/questions/202917/openvpn-vs-ipsec-pros-and-cons-what-to-use I see no pros here, just cons, unless you need to set up a vpn with some crappy old device which should be just switched out with an obsd box anyway :)

On 2017-06-29

Re: OpenBSD IPSec setup

2017-06-29 Thread Liviu Daia
On 29 June 2017, Liviu Daia wrote:
[...]
> On the server:
>
> # iked -d
> ikev2_recv: IKE_SA_INIT request from initiator 89.136.163.27:500 to
> x.y.z.t:500 policy 'sb1' id 0, 510 bytes
> ikev2_msg_send: IKE_SA_INIT response from x.y.z.t:500 to 89.136.163.27:500
>

Re: OpenBSD IPSec setup

2017-06-29 Thread Liviu Daia
On 28 June 2017, Rupert Gallagher wrote:
> You need a server-signed certificate.

Ok, let me redo this from scratch:

(1) On the server:

ikectl ca vpn create
ikectl ca vpn install
ikectl ca vpn certificate x.y.z.t create
ikectl ca vpn

Re: OpenBSD IPSec setup

2017-06-28 Thread Rupert Gallagher
You need a server-signed certificate.

Sent from ProtonMail Mobile

On Wed, Jun 28, 2017 at 11:18 AM, Liviu Daia wrote:
> I'm trying to create a VPN between my home network (sitting behind an OpenBSD
> router), and a remote server (also an OpenBSD machine). After reading

Re: OpenBSD IPSec setup

2017-06-28 Thread Liviu Daia
On 28 June 2017, Philipp Buehler wrote:
> On 28.06.2017 11:18 Liviu Daia wrote:
> >
> > set skip on { lo, enc }
> > pass in quick on egress inet proto udp to any port { isakmp,
> > ipsec-nat-t }
>
> needs (on both) a 'pass quick

Re: OpenBSD IPSec setup

2017-06-28 Thread Philipp Buehler
On 28.06.2017 11:18 Liviu Daia wrote:
> set skip on { lo, enc }
> pass in quick on egress inet proto udp to any port { isakmp, ipsec-nat-t }

needs (on both) a 'pass quick inet proto esp', too

-- pb

OpenBSD IPSec setup

2017-06-28 Thread Liviu Daia
I'm trying to create a VPN between my home network (sitting behind an OpenBSD router), and a remote server (also an OpenBSD machine). After reading many man pages and searching previous posts, I'm still thoroughly confused.

What I have so far:

(1) On the remote server:

- fixed IP, let's