DaemonForums > OpenBSD > OpenBSD Security
#1
25th April 2011
denta

IPsec/pf setup

Hello!

I've been playing around with IPsec lately (4.9-current), and it seems to be working just fine. Connectivity is how I want it, tcpdumps on the interfaces look good too, and there is nothing weird in the logs. But as it feels fairly complicated to get a grasp on this, it would be nice to get some feedback or fresh eyes on the setup, especially the pf stuff, in case there are some glaringly obvious hole(s) or stupid stuff somewhere.

The basic setup is a pretty common scenario: a laptop on an RFC 1918 net behind a crappy wireless router somewhere (with a dynamic IP) wants an IPsec tunnel to the OpenBSD box connecting remote_net and int_net.


Code:
                                (crap.com)
   wireless------internet------- OpenBSD
    router                       gateway
       |                            |
       |                            |
       |                            |
   laptop                       (int_net)
(remote_net)                  192.168.1.0/24
192.168.3.0/24

Code:
# /etc/ipsec.conf @ gateway (modified domain names/srcid/dstid, of course)

ike passive esp \
from 192.168.1.0/24 to 192.168.3.0/24 \
local crap.com \
srcid crap.com dstid laptop.my.domain \
psk <psk>

ike passive esp \
from crap.com to 192.168.3.0/24 \
local crap.com \
srcid crap.com dstid laptop.my.domain \
psk <psk>

Code:
# /etc/ipsec.conf @ laptop

ike dynamic esp \
from 192.168.3.0/24 to 192.168.1.0/24 \
peer crap.com \
srcid laptop.my.domain dstid crap.com \
psk <psk>

ike dynamic esp \
from 192.168.3.0/24 to crap.com \
peer crap.com \
srcid laptop.my.domain dstid crap.com \
psk <psk>

Code:
# /etc/pf.conf @ gateway

ext_if="vr0"
int_if="fxp0"
int_net="192.168.1.0/24"
remote_net="192.168.3.0/24"

set block-policy drop
set loginterface $ext_if
set optimization aggressive
set skip on lo

match in all scrub (no-df)
match out on $ext_if from $int_net nat-to ($ext_if)

block in all
block quick inet6 all
antispoof quick for { $int_if $ext_if }
pass out

block on enc0 all
pass in on enc0 from any to ($ext_if)  keep state (if-bound)
pass out on enc0 from ($ext_if) to any  keep state (if-bound)
pass in on enc0 from $remote_net to $int_net keep state (if-bound)
pass out on enc0 from $int_net to $remote_net keep state (if-bound)

pass in on $ext_if inet proto udp from any to ($ext_if) port { 500 4500 } keep state (pflow)
pass in on $ext_if inet proto esp from any to ($ext_if) keep state (pflow)
pass in on $int_if keep state (pflow)
block in on ! lo0 proto tcp to port 6000:6010

edit: Haven't actually gotten around to sorting out proper packet filtering on enc0 yet!
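As an added example, not part of the original post or the poster's own ruleset, this is how the enc0 section of the pf.conf above could be tightened. It keeps the poster's interface and network macros and the if-bound state policy. The service port list (tunnel_tcp) is a constructed assumption for illustration, and the ipencap rules assume what enc(4) describes for tunnel-mode SAs: pf sees the tunnelled packet on enc0 twice, once as the outer IP-in-IP (ipencap) packet between the two peer addresses and once decapsulated with the inner addresses.

```pf
# Added example (not the poster's ruleset): tighter enc0 filtering.
# Macros are the poster's; tunnel_tcp is a constructed service list.
ext_if="vr0"
int_if="fxp0"
int_net="192.168.1.0/24"
remote_net="192.168.3.0/24"
tunnel_tcp="{ 22 445 }"   # assumed: services the laptop needs on int_net

block on enc0 all

# Outer IP-in-IP packet of the tunnel. The laptop's public address is
# dynamic, so the source has to stay "any", but limiting the rule to
# proto ipencap means it no longer also passes every decapsulated packet
# addressed to the gateway itself.
pass in  on enc0 proto ipencap from any to ($ext_if) keep state (if-bound)
pass out on enc0 proto ipencap from ($ext_if) to any keep state (if-bound)

# Decapsulated traffic: only from the remote net, only to the services
# the tunnel is meant for, plus ICMP for path diagnostics.
pass in  on enc0 inet proto icmp from $remote_net to { ($ext_if) $int_net } keep state (if-bound)
pass in  on enc0 inet proto tcp  from $remote_net to $int_net port $tunnel_tcp keep state (if-bound)
pass in  on enc0 inet proto { tcp udp } from $remote_net to ($ext_if) port 53 keep state (if-bound)

# Replies and gateway/int_net-initiated traffic towards the laptop's net.
pass out on enc0 inet from ($ext_if) to $remote_net keep state (if-bound)
pass out on enc0 inet from $int_net to $remote_net keep state (if-bound)
```

The original catch-all `pass in on enc0 from any to ($ext_if)` is what admits the outer packet from the dynamic peer, which is why the setup works, but it also lets any decapsulated packet reach every service on the gateway; the split above keeps the first property and drops the second. Syntax-check with `pfctl -nf /etc/pf.conf` before loading, and confirm the ipencap assumption on the running release with `tcpdump -n -i enc0` while the tunnel is up: if only the inner packets appear there, drop the two ipencap rules, and if the tunnel stops passing traffic under `block on enc0 all`, the blocked packets show up in the rule counters of `pfctl -vs rules`.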
#2
25th May 2012
polken

Did you try disabling pf to see whether the pf component is not the problem?