ai-danno, 20th May 2008
Bare Minimum Site-to-Site VPN on OpenBSD

This is a short, down-and-dirty guide to setting up a site-to-site VPN in OpenBSD. It is taken straight from a job setup I just completed.
In my work situation, we have two datacenters, one on each side of the country. Each datacenter (dc) setup has two internal networks: the first we call the public network, where traffic to and from the Internet traverses (like HTTP traffic from a website we host to a client on the Internet). The second network we call the private network, and packets on that network never hit the Internet (so as to provide a secure channel between all the servers inside each network for things like DNS resolution and SQL communication between SQL servers and webservers). This means each server has two NICs, one for public/Internet communications, and one for private/intranet communications.

We wanted to link each private network at each datacenter to each other so that servers at each DC could talk to each other via their private network interfaces, and we wanted those communications to remain secure (read: encrypted). Our public firewall gateways had VPN capability, but they were for strict use on the 'public' side of the network. We wanted them to continue to do that without the added fluff of a VPN configuration connecting the private sides of each network. So I dropped an OBSD box into each datacenter (vpnbox1 and vpnbox2), each with two NICs (just like all the other servers, one NIC for public communications and one NIC for private communications).

First, let's start with our diagram (forgive my text graphic disabilities, the periods are there for spacing purposes (imagine they aren't there))-
Code:
______________  ______________
|pri-10.1.1.2| |pri-10.1.1.253|
| dc1server  | | vpnbox1      |
|pub-1.1.1.2 | |pub-1.1.1.253 |
|____________| |______________|
	|	 |
	|	 |
 ______|_______|___	
 |  1.1.1.1       |
 |  dc1 router    |
 |  3.3.3.3       |
 |________________|
	|
	|
    INTERNET
	|
	|
 ______|___________	
 |  4.4.4.4       |
 |  dc2 router    |
 |  2.2.2.1       |
 |________________|
	|	  |
_______|______ _|_____________
|pub-2.2.2.2 | |pub-2.2.2.253 |
| dc2server  | | vpnbox2      |
|pri-10.2.2.2| |pri-10.2.2.253|
|____________| |______________|
And now, the configurations of the VPN boxes and the dcservers-

========
VPNBOX1-
========


/etc/ipsec.conf
Code:
# flow: which private traffic enters the tunnel, and the peer's public address
flow esp from 10.1.1.0/24 to 10.2.2.0/24 peer 2.2.2.253
# manually keyed SA pair (one SPI/key set per direction); identical on both boxes
esp from 2.2.2.253 to 1.1.1.253 spi 0xabd9da38:0xc9dbb82d \
	authkey 0x54f79f479a31814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e7:0x7f48ee352c626cdc3a731b9d90bd63e29db2a9c684044b70b2f4441521b621d6 \
	enckey 0xb341aa065c3850edd6a61e150d6b5fd4:0xf7795f6bdd697a43a4d28dcf1b79062d
/etc/mygate -
Code:
1.1.1.1

=========
dc1server
=========

(a Windows box)
Code:
route add -p 10.2.2.0 mask 255.255.255.0 10.1.1.253

========
VPNBOX2-
========

/etc/ipsec.conf
Code:
# flow: which private traffic enters the tunnel, and the peer's public address
flow esp from 10.2.2.0/24 to 10.1.1.0/24 peer 1.1.1.253
# manually keyed SA pair (one SPI/key set per direction); identical on both boxes
esp from 2.2.2.253 to 1.1.1.253 spi 0xabd9da38:0xc9dbb82d \
	authkey 0x54f79f479a31814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e7:0x7f48ee352c626cdc3a731b9d90bd63e29db2a9c684044b70b2f4441521b621d6 \
	enckey 0xb341aa065c3850edd6a61e150d6b5fd4:0xf7795f6bdd697a43a4d28dcf1b79062d
/etc/mygate -
Code:
2.2.2.1
=========
dc2server
=========

(a Windows box)
Code:
route add -p 10.1.1.0 mask 255.255.255.0 10.2.2.253

Assumptions-

- The vpnboxes are not the default gateways for each respective network to the Internet itself... they are simply being tacked onto the existing network. So 1.1.1.2 and 1.1.1.253 use the router at 1.1.1.1 as their default gateway, for instance.
- You have another device or layer handling local security on each network... configuring PF on these only clouds the lesson.
- Each VPN box has two NICs, one for regular connection to the network for default gatewaying (pub), and the other as the entry/exit point for the VPN connection (pri).
- The private networks (pri) are connected to each other via L2 switch (not shown in diagram).

Last edited by ai-danno; 21st May 2008 at 12:10 AM.
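An added example, not part of ai-danno's post: a POSIX shell script that produces a fresh pair of manually keyed stanzas for the layout above, and then checks that two such stanzas describe one tunnel the way the VPNBOX1 and VPNBOX2 configs do (identical esp line on both boxes, mirrored flow lines, each box's peer being an end of the SA). It assumes key sizes matching the stanza above (32-byte authkey, 16-byte enckey) drawn from /dev/urandom, and that, as for ipsecctl, a backslash followed by trailing blanks is not a line continuation, so a stanza damaged that way fails the check.

```sh
#!/bin/sh
# Added example, not code from the original post. Generates a fresh pair of
# manually keyed ipsec.conf stanzas for two OpenBSD gateways laid out like
# vpnbox1/vpnbox2, and checks that such a pair describes one tunnel: SA line
# identical on both boxes, flows mirrored, each flow's peer an SA endpoint.
# Assumed key sizes follow the post's stanza: 32-byte authkey, 16-byte enckey.

# N random bytes from /dev/urandom as lowercase hex (no openssl needed).
hexrand() { od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'; }

# gen_pair OUT1 OUT2 PUB1 PRINET1 PUB2 PRINET2: one stanza file per box.
# The esp line is byte-identical on both sides, as in the post: both SAs
# (one per direction) get installed on both boxes with the same SPIs/keys.
gen_pair() {
	sa="esp from $3 to $5 spi 0x$(hexrand 4):0x$(hexrand 4) \\
	authkey 0x$(hexrand 32):0x$(hexrand 32) \\
	enckey 0x$(hexrand 16):0x$(hexrand 16)"
	printf 'flow esp from %s to %s peer %s\n%s\n' "$4" "$6" "$5" "$sa" >"$1"
	printf 'flow esp from %s to %s peer %s\n%s\n' "$6" "$4" "$3" "$sa" >"$2"
}

# records FILE: join backslash-continued lines and squeeze whitespace, one
# statement per output line. A backslash followed by trailing blanks is
# not a continuation, so such a stanza comes out truncated and fails below.
records() {
	awk '/\\$/ { sub(/\\$/, ""); buf = buf $0; next }
	     { $0 = buf $0; buf = ""; $1 = $1; print }' "$1"
}

# check_pair FILE1 FILE2: return 0 if the two stanzas agree, 1 otherwise.
check_pair() {
	sa1=$(records "$1" | awk '$1 == "esp"')
	sa2=$(records "$2" | awk '$1 == "esp"')
	[ -n "$sa1" ] && [ "$sa1" = "$sa2" ] ||
		{ echo "SA lines differ or are incomplete" >&2; return 1; }
	# $1..$3 = box1 flow src dst peer, $4..$6 = box2 flow src dst peer
	set -- $(records "$1" | awk '$1 == "flow" { print $4, $6, $8 }') \
	       $(records "$2" | awk '$1 == "flow" { print $4, $6, $8 }')
	[ $# -eq 6 ] && [ "$1" = "$5" ] && [ "$2" = "$4" ] ||
		{ echo "flows are not mirrored" >&2; return 1; }
	# the peer named on each box must be the other end of the SA
	set -- "$3" "$6" $(printf '%s\n' "$sa1" | awk '{ print $3, $5 }')
	{ [ "$1" = "$4" ] && [ "$2" = "$3" ]; } ||
	{ [ "$1" = "$3" ] && [ "$2" = "$4" ]; } ||
		{ echo "flow peers do not match SA endpoints" >&2; return 1; }
	echo "ok: $1 <-> $2 describe one tunnel"
}
```

Source the file, then run gen_pair with two output paths and the two boxes' public addresses and private networks, and check_pair on the resulting files; check_pair exits non-zero with a one-line reason on stderr when the stanzas disagree.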