4th April 2014
Dr-D
Port Guard
 
Join Date: Jun 2011
Posts: 43
OpenBSD Multiple VPN Setup

Thanks to jggimi I have a working VPN setup between my home network and a remote network. I now want to connect with another site from home and would like to know if my ipsec.conf and pf.conf files are set up correctly when I add the new VPN. My question is this: for the second VPN, do I still use "ike esp" and "enc", or do those have to be changed to something different to denote a different VPN, and change the pf.conf accordingly? Below are my ipsec.conf and pf.conf files, masked accordingly. Are they correct for the two VPNs I'd like to set up?

Thank you.

Code:
#ipsec.conf
ike esp from 192.168.69.0/24 to 199.194.199.0/24 peer B.B.B.B \
        main auth hmac-sha1 enc aes-256 group modp1536 \
        quick auth hmac-sha1 enc aes-256 \
        srcid A.A.A.A psk "password-goes-here"

ike esp from 192.168.69.0/24 to 10.0.0.0/24 peer C.C.C.C \
        main auth hmac-sha1 enc aes-256 group modp1536 \
        quick auth hmac-sha1 enc aes-256 \
        srcid A.A.A.A psk "password-goes-here"
Code:
#pf.conf
# macros
ext_if="em0"
int_if="em1"
int_net="{ 192.168.69.0/24 }"
whs="192.168.69.50"

# options
set block-policy drop
set loginterface $ext_if
set skip on {enc0, lo}

# match rules
match in all scrub (no-df)
match out on egress inet from !(egress) to any nat-to (egress:0)

# filter rules
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp to (egress) port 443 rdr-to $whs synproxy state
pass in on $ext_if inet proto udp from B.B.B.B to A.A.A.A port 500
pass in on $ext_if inet proto esp from B.B.B.B to A.A.A.A
pass in on $ext_if inet proto udp from C.C.C.C to A.A.A.A port 500
pass in on $ext_if inet proto esp from C.C.C.C to A.A.A.A
pass in log on $int_if
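An added consistency check, not code from the original post: it parses each "ike esp" entry in ipsec.conf (folding the backslash line continuations), then confirms that pf.conf passes IKE (udp port 500) and ESP inbound from every peer to the local address, which are the two rules the post adds per VPN. Both config excerpts below are constructed from the post, and the pf.conf sample deliberately omits one rule so that the gap is reported.

```python
import re

# Constructed ipsec.conf with the post's two VPN entries (addresses masked as in the post)
IPSEC_CONF = """\
ike esp from 192.168.69.0/24 to 199.194.199.0/24 peer B.B.B.B \\
        srcid A.A.A.A psk "password-goes-here"

ike esp from 192.168.69.0/24 to 10.0.0.0/24 peer C.C.C.C \\
        srcid A.A.A.A psk "password-goes-here"
"""

# Constructed pf.conf excerpt: the ESP rule for peer C.C.C.C is intentionally missing
PF_CONF = """\
ext_if="em0"
pass in on $ext_if inet proto udp from B.B.B.B to A.A.A.A port 500
pass in on $ext_if inet proto esp from B.B.B.B to A.A.A.A
pass in on $ext_if inet proto udp from C.C.C.C to A.A.A.A port 500
"""

def join_continuations(text):
    """Fold backslash-newline continuations so each 'ike' rule is a single line."""
    return re.sub(r"\\\n\s*", " ", text)

def ipsec_peers(text):
    """Return (peer, srcid) for every 'ike esp ... peer X ... srcid Y' rule."""
    peers = []
    for line in join_continuations(text).splitlines():
        m = re.match(r"\s*ike\s+esp\s+from\s+\S+\s+to\s+\S+\s+peer\s+(\S+).*?srcid\s+(\S+)", line)
        if m:
            peers.append((m.group(1), m.group(2)))
    return peers

def pf_has_rule(text, proto, peer, local, port=None):
    """True if pf.conf has an inbound pass rule for proto from peer to local (and port)."""
    want = rf"^\s*pass\s+in\b.*\bproto\s+{proto}\s+from\s+{re.escape(peer)}\s+to\s+{re.escape(local)}"
    if port:
        want += rf"\s+port\s+{port}\b"
    return re.search(want, text, re.M) is not None

def missing_pf_rules(ipsec_text, pf_text):
    """List (peer, protocol) pairs that ipsec.conf needs but pf.conf does not pass inbound."""
    missing = []
    for peer, local in ipsec_peers(ipsec_text):
        for proto, port in (("udp", 500), ("esp", None)):
            if not pf_has_rule(pf_text, proto, peer, local, port):
                missing.append((peer, proto if port is None else f"{proto}/{port}"))
    return missing

if __name__ == "__main__":
    print(missing_pf_rules(IPSEC_CONF, PF_CONF))  # [('C.C.C.C', 'esp')]
```

Run it against the real files by reading /etc/ipsec.conf and /etc/pf.conf into the two strings; an empty list means every peer has both inbound rules.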