20th May 2008
ai-danno
Bare Minimum Site-to-Site VPN on OpenBSD

This is a short, down and dirty guide to setting up a site-to-site VPN in OpenBSD. It is taken straight from a job setup I just completed.
In my work situation, we have two datacenters, one on each side of the country. Each datacenter (dc) setup has two internal networks- the first we call the public network, where traffic to and from the Internet traverses (like HTTP traffic from a website we host to a client on the Internet.) The second network we call the private network, and packets on that network never hit the Internet (so as to provide a secure channel between all the servers inside each network for things like DNS resolution and SQL communication between SQL servers and webservers.) This means each server has two NICs, one for public/Internet communications, and one for private/intranet communications.

We wanted to link each private network at each datacenter to each other so that servers at each DC could talk to each other via their private network interfaces, and we wanted those communications to remain secure (read: encrypted.) Our public firewall gateways had VPN capability, but they were for strict use on the 'public' side of the network. We wanted them to continue to do that without the added fluff of a VPN configuration connecting the private sides of each network. So I dropped an OBSD box into each datacenter (vpnbox1 and vpnbox2), each with two NICs (just like all the other servers, one NIC for public communications and one NIC for private communications.)



First, let's start with our diagram (forgive my text graphic disabilities, the periods are there for spacing purposes (imagine they aren't there))-
Code:
______________  ______________
|pri-10.1.1.2| |pri-10.1.1.253|
| dc1server  | | vpnbox1      |
|pub-1.1.1.2 | |pub-1.1.1.253 |
|____________| |______________|
	|	 |
	|	 |
 ______|_______|___	
 |  1.1.1.1       |
 |  dc1 router    |
 |  3.3.3.3       |
 |________________|
	|
	|
    INTERNET
	|
	|
 ______|___________	
 |  4.4.4.4       |
 |  dc2 router    |
 |  2.2.2.1       |
 |________________|
	|	  |
_______|______ _|_____________
|pub-2.2.2.2 | |pub-2.2.2.253 |
| dc2server  | | vpnbox2      |
|pri-10.2.2.2| |pri-10.2.2.253|
|____________| |______________|
And now, the configurations of the VPN boxes and the dcservers-

========
VPNBOX1-
========


/etc/ipsec.conf
Code:
# flow: which traffic is protected, and which peer handles it
flow esp from 10.1.1.0/24 to 10.2.2.0/24 peer 2.2.2.253
# manually keyed SAs, one per direction: the first value of each SPI/key pair
# is for one direction and the second for the reverse. This line must be
# identical on both VPN boxes, and nothing may follow a trailing backslash.
esp from 2.2.2.253 to 1.1.1.253 spi 0xabd9da38:0xc9dbb82d \
	authkey 0x54f79f479a31814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e7:0x7f48ee352c626cdc3a731b9d90bd63e29db2a9c684044b70b2f4441521b621d6 \
	enckey 0xb341aa065c3850edd6a61e150d6b5fd4:0xf7795f6bdd697a43a4d28dcf1b79062d
/etc/mygate -
Code:
1.1.1.1

=========
dc1server
=========

(a windows box)
Code:
route add -p 10.2.2.0 mask 255.255.255.0 10.1.1.253

========
VPNBOX2-
========

/etc/ipsec.conf
Code:
# flow: the mirror image of vpnbox1's flow, with vpnbox1 as the peer
flow esp from 10.2.2.0/24 to 10.1.1.0/24 peer 1.1.1.253
# the SA line is exactly the same as on vpnbox1 (same SPIs, same keys)
esp from 2.2.2.253 to 1.1.1.253 spi 0xabd9da38:0xc9dbb82d \
	authkey 0x54f79f479a31814347bb768d3e01b2b58e49ce674ec6e2d327b63408c56ef4e7:0x7f48ee352c626cdc3a731b9d90bd63e29db2a9c684044b70b2f4441521b621d6 \
	enckey 0xb341aa065c3850edd6a61e150d6b5fd4:0xf7795f6bdd697a43a4d28dcf1b79062d
/etc/mygate -
Code:
2.2.2.1
=========
dc2server
=========

(a windows box)
Code:
route add -p 10.1.1.0 mask 255.255.255.0 10.2.2.253

Assumptions-

- The vpnboxes are not the default gateways for each respective network to the Internet itself... they are simply being tacked onto the existing network. So 1.1.1.2 and 1.1.1.253 use the router at 1.1.1.1 as their default gateway, for instance.
- You have another device or layer handling local security on each network... configuring PF on these only clouds the lesson.
- Each VPN box has two NICs, one for regular connection to the network for default gatewaying (pub), and the other as the entry/exit point for the VPN connection (pri).
- The private networks (pri) are connected to each other via L2 switch (not shown in the diagram.)
__________________
Network Firefighter

Last edited by ai-danno; 21st May 2008 at 12:10 AM.
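The two ipsec.conf files above only work because the esp SA line is byte-identical on both boxes while the flow lines are mirror images; the keys and SPIs in the post are published and must never be reused. The script below is an added example, not part of the original post and not OpenBSD's own tooling: it generates a fresh pair of configs with random SPIs and keys and checks the pair for exactly that invariant before you copy them out. It assumes the ipsec.conf(5) manual-keying syntax used in the post, the defaults of hmac-sha2-256 (32-byte auth key) and aes-128 (16-byte enc key), and a readable /dev/urandom; the output file names and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): build a matching pair of
# manually keyed ipsec.conf files with fresh random SPIs and keys, then
# verify the pair before installing it. Assumes the OpenBSD ipsec.conf(5)
# manual-keying syntax, hmac-sha2-256 (32-byte auth key) and aes-128
# (16-byte enc key) defaults, and a readable /dev/urandom.

# randhex N: N random bytes as lower-case hex, no spaces or newline
randhex() {
    od -An -tx1 -N "$1" /dev/urandom | tr -d ' \n'
}

# randspi: a random 32-bit SPI outside the reserved range 0-255
randspi() {
    spi=$(randhex 4)
    while [ "$((0x$spi))" -lt 256 ]; do spi=$(randhex 4); done
    printf '%s' "$spi"
}

# gen_pair OUTDIR PUB1 PUB2 NET1 NET2
# Writes OUTDIR/vpnbox1.ipsec.conf (flow NET1 -> NET2, peer PUB2) and
# OUTDIR/vpnbox2.ipsec.conf (flow NET2 -> NET1, peer PUB1). The esp SA line
# is byte-identical in both files, which is the invariant manual keying
# relies on. It is written on one line, so there is no backslash
# continuation that trailing whitespace could silently break.
gen_pair() {
    outdir=$1 pub1=$2 pub2=$3 net1=$4 net2=$5
    sa="esp from $pub1 to $pub2 spi 0x$(randspi):0x$(randspi)"
    sa="$sa authkey 0x$(randhex 32):0x$(randhex 32)"
    sa="$sa enckey 0x$(randhex 16):0x$(randhex 16)"
    printf 'flow esp from %s to %s peer %s\n%s\n' "$net1" "$net2" "$pub2" "$sa" \
        > "$outdir/vpnbox1.ipsec.conf"
    printf 'flow esp from %s to %s peer %s\n%s\n' "$net2" "$net1" "$pub1" "$sa" \
        > "$outdir/vpnbox2.ipsec.conf"
}

# check_pair FILE1 FILE2: exit status 0 when the SA lines match exactly, the
# keys have the expected lengths, and the flow lines mirror each other.
check_pair() {
    f1=$1 f2=$2
    sa1=$(grep '^esp ' "$f1") || return 1
    sa2=$(grep '^esp ' "$f2") || return 1
    [ "$sa1" = "$sa2" ] || return 1
    auth=$(printf '%s\n' "$sa1" | sed 's/.*authkey 0x\([0-9a-f]*\):0x\([0-9a-f]*\).*/\1 \2/')
    enc=$(printf '%s\n' "$sa1" | sed 's/.*enckey 0x\([0-9a-f]*\):0x\([0-9a-f]*\).*/\1 \2/')
    for k in $auth; do [ ${#k} -eq 64 ] || return 1; done   # 32 bytes each
    for k in $enc;  do [ ${#k} -eq 32 ] || return 1; done   # 16 bytes each
    # flow line fields: 1=flow 2=esp 3=from 4=NET 5=to 6=NET 7=peer 8=ADDR
    set -- $(grep '^flow ' "$f1"); src1=$4 dst1=$6
    set -- $(grep '^flow ' "$f2"); src2=$4 dst2=$6
    [ "$src1" = "$dst2" ] && [ "$dst1" = "$src2" ]
}
```

Run `gen_pair /tmp/vpn 1.1.1.253 2.2.2.253 10.1.1.0/24 10.2.2.0/24`, then `check_pair` on the two files; on each box, `ipsecctl -n -f /etc/ipsec.conf` parses the file without loading it, which catches syntax slips before the tunnel goes live. Since the SA line carries the raw keys, it should reach the second box over an already secured channel (an ssh session, for instance), never over the tunnel it is about to create.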