IPsec OpenBSD
Latest revision as of 18:14, 19 November 2021
Overview and requirements
This has been tested using pre-shared keys between a FireBrick FB2700 and OpenBSD 5.7-RELEASE.
We had to add some workarounds to the FireBrick IPsec code to cope with protocol negotiation issues with OpenBSD's IKEv2 implementation (iked). We are in talks with the OpenBSD developers about which end is behaving correctly, but for the moment you will need a FireBrick running firmware version 1.36.032 or newer for this to work.
Both ends authenticate with a pre-shared key. IKEv2 gives a weak PSK no protection against offline guessing by anyone who can complete an IKE_SA_INIT exchange with either end, so generate a long random secret (for example with openssl rand -base64 32) rather than choosing a password, and use the same value verbatim on both sides.
In this example, IP addresses are assigned as follows:
- 192.0.2.1 FireBrick FB2700
- 192.0.2.2 OpenBSD machine
- 198.51.100.0/24 LAN of machines behind FireBrick
- 203.0.113.0/24 LAN of machines behind OpenBSD
FireBrick configuration
<ipsec-ike allow="192.0.2.2">
  <connection name="openbsdtest" local-ip="192.0.2.1" peer-ips="192.0.2.2" graph="openbsd ipsec"
    routes="203.0.113.0/24" local-ID="192.0.2.1"
    peer-ID="192.0.2.2" auth-method="Secret" secret="your PSK here"/>
</ipsec-ike>
Replace "your PSK here" with the shared secret. It is an XML attribute value here, so any &, < or " characters in the secret must be XML-escaped (&amp;, &lt;, &quot;).
OpenBSD configuration
/etc/iked.conf:
ikev2 "tofirebrick" active \
esp \
from 203.0.113.0/24 to 198.51.100.0/24 \
local 192.0.2.2 peer 192.0.2.1 \
ikesa group modp2048 \
srcid 192.0.2.2 dstid 192.0.2.1 \
psk "your PSK here"
The policy is marked active, so the OpenBSD machine initiates the connection. srcid and dstid must match the FireBrick peer-ID and local-ID exactly (a mismatch shows up as an authentication failure, not a routing problem), and the quoted psk string must be identical to the FireBrick secret.
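The two fragments above have to agree with each other field by field, and the usual reason a tunnel like this fails is that they do not. As an added example (not FireBrick or OpenBSD code, and not part of the original page), the following Python parses both fragments and reports every pairing the page relies on that does not line up: each side's local address and ID against the other side's peer address and ID, the FireBrick routes against the network iked announces in from, the FireBrick LAN against to, and the PSK on both ends. It assumes that the FireBrick allow attribute names the address the OpenBSD end connects from, and it treats the page's placeholder or any PSK shorter than 20 characters as weak; both are this example's own policy, not limits of either product. The iked.conf parser only understands the keywords used on the page.

```python
# Added example, not FireBrick or OpenBSD code.  Cross-check the FireBrick
# <ipsec-ike> block against the matching iked.conf policy so a mismatch is
# caught before iked logs an authentication failure.
# Assumptions (not from the page): FireBrick 'allow' holds the OpenBSD
# address, and a PSK equal to the placeholder or shorter than MIN_PSK_LEN
# is flagged as weak.
import re
import shlex
import xml.etree.ElementTree as ET

# Constructed sample inputs that mirror the page's two fragments.
FIREBRICK_XML = """<ipsec-ike allow="192.0.2.2">
  <connection name="openbsdtest" local-ip="192.0.2.1" peer-ips="192.0.2.2"
    graph="openbsd ipsec" routes="203.0.113.0/24" local-ID="192.0.2.1"
    peer-ID="192.0.2.2" auth-method="Secret" secret="your PSK here"/>
</ipsec-ike>"""

IKED_CONF = """ikev2 "tofirebrick" active \\
    esp \\
    from 203.0.113.0/24 to 198.51.100.0/24 \\
    local 192.0.2.2 peer 192.0.2.1 \\
    ikesa group modp2048 \\
    srcid 192.0.2.2 dstid 192.0.2.1 \\
    psk "your PSK here"
"""

LAN_BEHIND_FIREBRICK = "198.51.100.0/24"
PLACEHOLDER_PSK = "your PSK here"
MIN_PSK_LEN = 20  # assumed local policy, not a FireBrick or iked limit

# iked.conf keywords (from the page's policy) that take exactly one value.
ONE_ARG = {"from", "to", "local", "peer", "srcid", "dstid", "psk"}


def parse_firebrick(xml_text):
    """Return the <connection> attributes plus the parent's 'allow'."""
    root = ET.fromstring(xml_text)
    conn = root.find("connection")
    fb = dict(conn.attrib)
    fb["allow"] = root.get("allow")
    return fb


def parse_iked(conf_text):
    """Parse one ikev2 policy.  Only the keywords used on the page are
    understood ('ikesa' only together with 'group'); bare words such as
    'active' and 'esp' are collected as flags."""
    joined = re.sub(r"\\\n", " ", conf_text)  # fold backslash continuations
    tokens = shlex.split(joined, comments=True)  # honours the "..." quoting
    policy = {"flags": []}
    i = 0
    while i < len(tokens):
        t = tokens[i]
        if t == "ikev2":
            policy["name"] = tokens[i + 1]
            i += 2
        elif t in ONE_ARG:
            policy[t] = tokens[i + 1]
            i += 2
        elif t == "ikesa" and tokens[i + 1] == "group":
            policy["ikesa_group"] = tokens[i + 2]
            i += 3
        else:
            policy["flags"].append(t)
            i += 1
    return policy


def check_pair(fb, bsd, lan_behind_firebrick=LAN_BEHIND_FIREBRICK):
    """Return a list of human-readable mismatches; empty means consistent."""
    problems = []
    # Each FireBrick field and the iked field it must equal.
    pairs = [
        ("FireBrick local-ip", fb.get("local-ip"), "iked peer", bsd.get("peer")),
        ("FireBrick peer-ips", fb.get("peer-ips"), "iked local", bsd.get("local")),
        ("FireBrick allow", fb.get("allow"), "iked local", bsd.get("local")),
        ("FireBrick local-ID", fb.get("local-ID"), "iked dstid", bsd.get("dstid")),
        ("FireBrick peer-ID", fb.get("peer-ID"), "iked srcid", bsd.get("srcid")),
        ("FireBrick routes", fb.get("routes"), "iked from", bsd.get("from")),
        ("FireBrick LAN", lan_behind_firebrick, "iked to", bsd.get("to")),
    ]
    for a_name, a, b_name, b in pairs:
        if a != b:
            problems.append(f"{a_name}={a!r} does not match {b_name}={b!r}")
    if fb.get("auth-method") != "Secret":
        problems.append("FireBrick auth-method is not 'Secret' but iked uses psk")
    psk = bsd.get("psk")
    if fb.get("secret") != psk:
        problems.append("PSK differs between the two ends")
    elif psk is None or psk == PLACEHOLDER_PSK or len(psk) < MIN_PSK_LEN:
        problems.append("PSK is the placeholder or shorter than "
                        f"{MIN_PSK_LEN} characters; generate a random one")
    return problems


if __name__ == "__main__":
    for p in check_pair(parse_firebrick(FIREBRICK_XML), parse_iked(IKED_CONF)):
        print("MISMATCH:", p)
```

Run against the page's own fragments it reports exactly one problem, the placeholder PSK; change dstid on the OpenBSD side, or the secret on one side only, and the corresponding pairing is reported by name.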