DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 29th January 2016
mamalos mamalos is offline
New User
 
Join Date: Dec 2015
Posts: 8
Default IPsec VPN for remote users to access my lans

Hello everybody,

My intent is to somehow allow access to remote users within my LANs. I've done this with OpenVPN using both tun and tap interfaces in the past, but this time I decided to use IPsec, and I'm having difficulties in achieving it.

Before setting up an IPsec VPN on my real OpenBSD router, I've decided to understand how it works on a test network (using 4 OpenBSD VM's within Virtualbox). I've read about a dozen of howtos around the Internet none of which was doing exactly what I wish to do (most of these howtos were about connecting two or more LANs), I've read the man pages (diagonally), I've read some topics on this forum, but I still haven't managed to accomplish it.

So here's how it goes: My VPN server has two network interfaces:

Code:
em0: 10.0.0.2/24 my LAN
em1: 10.0.1.1/24 my WAN (outgoing traffic is NAT-ed)
My VPN client has one network interface:
Code:
em0: 10.0.2.2/24
My client's gateway is 10.0.2.1 (em1) which has a second interface (em0) with an IP address of 10.0.1.2 on which outgoing traffic is NAT-ed. This way my client is able to access my server's WAN IP (I've set it up like this to resemble a sort-of-real-life scenario).

All machines are running OpenBSD 5.8, and all firewalls are allowing traffic.

No matter what ipsec.conf I've tried, I can't accomplish to ping 10.0.0.1 which is another host on my server's LAN, even though I've managed to ping 10.0.0.2 using various configurations.

The truth is that I haven't succeed in understanding ipsec.conf's syntax, no matter how easy it initially seemed. I'll just copy my last two /etc/ipsec.conf files which of course don't work, just to show you my last, unsuccessful trials, and also show you how confused I am! :

Code:
SERVER# cat /etc/ipsec.conf
ike passive from any to 10.0.0.0/24 local 10.0.1.2 peer any \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes psk secret
ike passive from 10.0.0.0/24 to any local 10.0.1.2 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes psk secret


CLIENT# cat /etc/ipsec.conf
ike active from any to 10.0.0.0/24 peer 10.0.1.1 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes psk secret
ike active from 10.0.0.0/24 to em0 peer 10.0.1.1 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes psk secret
Please excuse my horrible configs, but everything is mixed-up in my head so I've started trying various combinations that don't make any sense even to me... In the above configuration, once both IPsec's start to communicate, the server is unable to ping 10.0.0.1 any more, since for some reason that I haven't understood yet, traffic for 10.0.0.1 is passing through enc0.

<EDIT>
OK, I understand why it happens, any traffic destined to 10.0.0.0/24 is passed through ike, but how should I configure it otherwise? I couldn't find a ! statement.
</EDIT>

If somebody could explain to me how from (along with srcnat), to, local and peer should be used in each side's context, I think I could make out how the correct configuration should be. Ah, and as a consequence of not having understood how to correctly configure IPsec, I am still unable to understand ipsecctl -s all output (flows in specific).

Thanks all in advance!

Last edited by mamalos; 29th January 2016 at 04:08 PM.
Reply With Quote
  #2   (View Single Post)  
Old 31st January 2016
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,593
Default

I haven't played with IPsec for a long time, but a few years ago the following article was quite popular: Zero to IPSec in 4 minutes.

Of course the nat rule in that article's pf.conf needs to be adjusted, but I think the IPsec configuration is still valid. You could give it a try

And don't forget to use tcpdump(8) to monitor the traffic. Also use it on the pflog0 device to make sure the IPsec traffic is allowed in/out.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Secure Remote Access to an Internal Web Server Oko General software and network 7 1st April 2015 06:35 PM
UPnP-enabled routers allow attacks on LANs J65nko News 1 25th August 2011 12:00 AM
Setup Remote Access VPN plexter OpenBSD Security 54 4th September 2009 06:33 PM
ssh key access non root users carpman FreeBSD Security 7 12th August 2009 06:09 PM
Remote Access to File Server Oko OpenBSD Security 7 23rd June 2008 05:17 PM


All times are GMT. The time now is 06:21 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick