OpenBSD Security
IPsec VPN for remote users to access my lans
Hello everybody,

My intent is to somehow allow access to remote users within my LANs. I've done this with OpenVPN using both tun and tap interfaces in the past, but this time I decided to use IPsec, and I'm having difficulties in achieving it. Before setting up an IPsec VPN on my real OpenBSD router, I've decided to understand how it works on a test network (using 4 OpenBSD VMs within VirtualBox). I've read about a dozen howtos around the Internet, none of which was doing exactly what I wish to do (most of these howtos were about connecting two or more LANs), I've read the man pages (diagonally), I've read some topics on this forum, but I still haven't managed to accomplish it. So here's how it goes: My VPN server has two network interfaces:

Code:
    em0: 10.0.0.2/24 my LAN
    em1: 10.0.1.1/24 my WAN (outgoing traffic is NAT-ed)

Code:
    em0: 10.0.2.2/24

All machines are running OpenBSD 5.8, and all firewalls are allowing traffic. No matter what ipsec.conf I've tried, I can't manage to ping 10.0.0.1, which is another host on my server's LAN, even though I've managed to ping 10.0.0.2 using various configurations. The truth is that I haven't succeeded in understanding ipsec.conf's syntax, no matter how easy it initially seemed. I'll just copy my last two /etc/ipsec.conf files, which of course don't work, just to show you my last, unsuccessful trials, and also show you how confused I am! :

Code:
    SERVER# cat /etc/ipsec.conf
    ike passive from any to 10.0.0.0/24 local 10.0.1.2 peer any \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes psk secret
    ike passive from 10.0.0.0/24 to any local 10.0.1.2 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes psk secret

    CLIENT# cat /etc/ipsec.conf
    ike active from any to 10.0.0.0/24 peer 10.0.1.1 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes psk secret
    ike active from 10.0.0.0/24 to em0 peer 10.0.1.1 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes psk secret

<EDIT> OK, I understand why it happens: any traffic destined to 10.0.0.0/24 is passed through ike, but how should I configure it otherwise? I couldn't find a ! statement. </EDIT>

If somebody could explain to me how from (along with srcnat), to, local and peer should be used in each side's context, I think I could make out how the correct configuration should be. Ah, and as a consequence of not having understood how to correctly configure IPsec, I am still unable to understand the ipsecctl -s all output (flows in particular). Thanks all in advance!

Last edited by mamalos; 29th January 2016 at 04:08 PM.
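Since the question is what from, to, local and peer mean on each side, here is an added example (not the poster's configuration and not taken from the thread) of a single tunnel between the server described above (WAN 10.0.1.1, LAN 10.0.0.0/24) and the client at 10.0.2.2. The pre-shared key is a placeholder, and the forwarding, routing and pf remarks in the comments are assumptions about the test network rather than facts stated in the post.

```conf
# Added example, not the poster's /etc/ipsec.conf files.
# Every "ike" rule is written from the point of view of the host it lives on:
#   from  = traffic selector on THIS side of the tunnel
#   to    = traffic selector on the REMOTE side of the tunnel
#   local = this host's own IKE endpoint address (its WAN-facing address)
#   peer  = the remote IKE endpoint address ("any" on a passive server that
#           accepts roaming clients whose address is not known in advance)
# A rule on the server whose "from" is "any" and whose "to" is 10.0.0.0/24
# therefore describes the opposite direction from what the server needs.

# --- /etc/ipsec.conf on the SERVER (WAN 10.0.1.1, LAN 10.0.0.0/24) ---
# Protect traffic between the server's LAN and the single client 10.0.2.2.
ike passive esp from 10.0.0.0/24 to 10.0.2.2 local 10.0.1.1 peer 10.0.2.2 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes \
        psk "PLACEHOLDER_PSK"        # placeholder, replace with a real key

# --- /etc/ipsec.conf on the CLIENT (10.0.2.2) ---
# Mirror image of the server rule: "from" is the client itself, "to" is
# the server's LAN, "peer" is the server's WAN address.
ike active esp from 10.0.2.2 to 10.0.0.0/24 local 10.0.2.2 peer 10.0.1.1 \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes \
        psk "PLACEHOLDER_PSK"        # must match the server's key

# What to expect in "ipsecctl -s all" once the tunnel is up: each side shows
# one "flow esp in" and one "flow esp out" entry whose addresses mirror the
# from/to pair above (the server's "out" flow is from 10.0.0.0/24 to 10.0.2.2,
# its "in" flow the reverse), plus an SA per direction.
#
# Reaching 10.0.0.1 (a host behind the server) additionally assumes:
#   - net.inet.ip.forwarding=1 on the server, so decrypted packets for
#     10.0.0.1 are forwarded out of em0 instead of dropped;
#   - 10.0.0.1 routes replies for 10.0.2.2 via 10.0.0.2 (e.g. it is the
#     default gateway), otherwise the return traffic never enters the tunnel;
#   - pf passes the decrypted traffic on enc0 as well as ESP/IKE on em1.
```

Replacing the client's fixed address with `peer any` on the server rule (and widening `to` accordingly) is the adjustment for clients whose address is not known ahead of time.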
I haven't played with IPsec for a long time, but a few years ago the following article was quite popular: Zero to IPSec in 4 minutes.
Of course the nat rule in that article's pf.conf needs to be adjusted, but I think the IPsec configuration is still valid. You could give it a try. And don't forget to use tcpdump(8) to monitor the traffic. Also use it on the pflog0 device to make sure the IPsec traffic is allowed in/out.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump