Thread: IPsec/pf setup
#1, 25th April 2011
denta (Join Date: Nov 2009, Location: Sweden, Posts: 95)

IPsec/pf setup

Hello!

I've been playing around with IPsec lately (4.9-current), and it seems to be working just fine. Connectivity is how I want it, tcpdumps on the interfaces look good too, and there is nothing weird in the logs. But as it feels fairly complicated to get a grasp on this, it would be nice to get some feedback or fresh eyes on the setup, especially the pf stuff, in case there are some glaringly obvious hole(s) or stupid stuff somewhere.

The basic setup is a pretty common scenario: a laptop on an RFC 1918 net behind a crappy wireless router somewhere (with a dynamic IP) wants an IPsec tunnel to the OpenBSD box connecting remote_net and int_net.


Code:
                                (crap.com)
   wireless------internet------- OpenBSD
    router                       gateway
       |                            |
       |                            |
       |                            |
   laptop                       (int_net)
(remote_net)                  192.168.1.0/24
192.168.3.0/24
Code:
# /etc/ipsec.conf @ gateway (modified domain names/srcid/dstid ofc)

ike passive esp \
from 192.168.1.0/24 to 192.168.3.0/24 \
local crap.com \
srcid crap.com dstid laptop.my.domain \
psk <psk>

ike passive esp \
from crap.com to 192.168.3.0/24 \
local crap.com \
srcid crap.com dstid laptop.my.domain \
psk <psk>
Code:
# /etc/ipsec.conf @ laptop

ike dynamic esp \
from 192.168.3.0/24 to 192.168.1.0/24 \
peer crap.com \
srcid laptop.my.domain dstid crap.com \
psk <psk>

ike dynamic esp \
from 192.168.3.0/24 to crap.com \
peer crap.com \
srcid laptop.my.domain dstid crap.com \
psk <psk>
Code:
# /etc/pf.conf @ gateway

ext_if="vr0"
int_if="fxp0"
int_net="192.168.1.0/24"
remote_net="192.168.3.0/24"

set block-policy drop
set loginterface $ext_if
set optimization aggressive
set skip on lo

match in all scrub (no-df)
match out on $ext_if from $int_net nat-to ($ext_if)

block in all
block quick inet6 all
antispoof quick for { $int_if $ext_if }
pass out

block on enc0 all
pass in on enc0 from any to ($ext_if) keep state (if-bound)
pass out on enc0 from ($ext_if) to any keep state (if-bound)
pass in on enc0 from $remote_net to $int_net keep state (if-bound)
pass out on enc0 from $int_net to $remote_net keep state (if-bound)

pass in on $ext_if inet proto udp from any to ($ext_if) port { 500 4500 } keep state (pflow)
pass in on $ext_if inet proto esp from any to ($ext_if) keep state (pflow)
pass in on $int_if keep state (pflow)
block in on ! lo0 proto tcp to port 6000:6010

edit: Haven't actually gotten around to sorting out proper packet filtering on enc0 yet!
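One tighter set of enc0 rules for the gateway, added here as an example and not taken from the post above. It assumes the same macros as the posted pf.conf (ext_if, int_net, remote_net) and the two flows from the posted ipsec.conf, and it relies on enc(4) presenting each IPsec packet twice: first the outer encapsulated packet (matched as proto ipencap), then the decapsulated inner packet. Pinning the outer step to proto ipencap and the inner step to the real tunnel endpoints removes the "from any" rules from enc0; because the laptop's address is dynamic, only the gateway side of the outer packet can be fixed.

```pf
# Added example: stricter enc0 filtering for the gateway (not the poster's config).
# Assumes the macros ext_if, int_net and remote_net defined above, and that
# enc0 shows the outer ESP-encapsulated packet (proto ipencap) before the
# decapsulated inner packet.

block on enc0 all

# Outer (encapsulation) step: only IPsec traffic to/from the gateway's own
# address. The laptop's address is dynamic, so its side stays "any".
pass in  on enc0 proto ipencap from any to ($ext_if) keep state (if-bound)
pass out on enc0 proto ipencap from ($ext_if) to any keep state (if-bound)

# Inner step, first ipsec.conf flow: remote_net <-> int_net
pass in  on enc0 from $remote_net to $int_net keep state (if-bound)
pass out on enc0 from $int_net to $remote_net keep state (if-bound)

# Inner step, second ipsec.conf flow: remote_net <-> the gateway itself
pass in  on enc0 from $remote_net to ($ext_if) keep state (if-bound)
pass out on enc0 from ($ext_if) to $remote_net keep state (if-bound)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and compare against `tcpdump -i enc0` while the tunnel carries traffic: both the ipencap step and the inner remote_net/int_net packets should appear, and anything on enc0 that is neither gets dropped by the initial block.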