IPsec VPN for remote users to access my lans

[mamalos]

Hello everybody,

My intent is to somehow allow access to remote users within my LANs. I've done this with OpenVPN using both tun and tap interfaces in the past, but this time I decided to use IPsec, and I'm having difficulties in achieving it.

Before setting up an IPsec VPN on my real OpenBSD router, I've decided to understand how it works on a test network (using 4 OpenBSD VM's within Virtualbox). I've read about a dozen of howtos around the Internet none of which was doing exactly what I wish to do (most of these howtos were about connecting two or more LANs), I've read the man pages (diagonally), I've read some topics on this forum, but I still haven't managed to accomplish it.

So here's how it goes: My VPN server has two network interfaces:

Code:

em0: 10.0.0.2/24 my LAN
em1: 10.0.1.1/24 my WAN (outgoing traffic is NAT-ed)

My VPN client has one network interface:

Code:

em0: 10.0.2.2/24

My client's gateway is 10.0.2.1 (em1) which has a second interface (em0) with an IP address of 10.0.1.2 on which outgoing traffic is NAT-ed. This way my client is able to access my server's WAN IP (I've set it up like this to resemble a sort-of-real-life scenario).

All machines are running OpenBSD 5.8, and all firewalls are allowing traffic.

No matter what ipsec.conf I've tried, I can't accomplish to ping 10.0.0.1 which is another host on my server's LAN, even though I've managed to ping 10.0.0.2 using various configurations.

The truth is that I haven't succeed in understanding ipsec.conf's syntax, no matter how easy it initially seemed. I'll just copy my last two /etc/ipsec.conf files which of course don't work, just to show you my last, unsuccessful trials, and also show you how confused I am! :

Code:

SERVER# cat /etc/ipsec.conf
ike passive from any to 10.0.0.0/24 local 10.0.1.2 peer any \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes psk secret
ike passive from 10.0.0.0/24 to any local 10.0.1.2 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes psk secret


CLIENT# cat /etc/ipsec.conf
ike active from any to 10.0.0.0/24 peer 10.0.1.1 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes psk secret
ike active from 10.0.0.0/24 to em0 peer 10.0.1.1 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes psk secret

Please excuse my horrible configs, but everything is mixed-up in my head so I've started trying various combinations that don't make any sense even to me... In the above configuration, once both IPsec's start to communicate, the server is unable to ping 10.0.0.1 any more, since for some reason that I haven't understood yet, traffic for 10.0.0.1 is passing through enc0.

<EDIT>
OK, I understand why it happens, any traffic destined to 10.0.0.0/24 is passed through ike, but how should I configure it otherwise? I couldn't find a ! statement.
</EDIT>

If somebody could explain to me how from (along with srcnat), to, local and peer should be used in each side's context, I think I could make out how the correct configuration should be. Ah, and as a consequence of not having understood how to correctly configure IPsec, I am still unable to understand ipsecctl -s all output (flows in specific).

Thanks all in advance!

[J65nko]

I haven't played with IPsec for a long time, but a few years ago the following article was quite popular: Zero to IPSec in 4 minutes.

Of course the nat rule in that article's pf.conf needs to be adjusted, but I think the IPsec configuration is still valid. You could give it a try

And don't forget to use tcpdump(8) to monitor the traffic. Also use it on the pflog0 device to make sure the IPsec traffic is allowed in/out.