IPsec OpenBSD
Overview and requirements
This has been tested using pre-shared keys between a Firebrick FB2700 and OpenBSD 5.7-RELEASE.
We had to add some workarounds to the FireBrick IPsec code to cope with some protocol negotiation issues with OpenBSD's IKEv2 implementation. We are in talks with the OpenBSD developers about which end is doing things correctly, but for the moment you will need a FireBrick with firmware version 1.36.032 or newer for this to work.
In this example, IP addresses are assigned as follows:
- 192.0.2.1 FireBrick FB2700
- 192.0.2.2 OpenBSD machine
- 198.51.100.0/24 LAN of machines behind FireBrick
- 203.0.113.0/24 LAN of machines behind OpenBSD
FireBrick configuration
<ipsec-ike allow="192.0.2.2">
<connection name="openbsdtest" local-ip="192.0.2.1" peer-ips="192.0.2.2" graph="openbsd ipsec"
routes="203.0.113.0/24" local-ID="192.0.2.1"
peer-ID="192.0.2.2" auth-method="Secret" secret="your PSK here"/>
</ipsec-ike>
OpenBSD configuration
/etc/iked.conf :
<code>
ikev2 "tofirebrick" active \
esp \
from 203.0.113.0/24 to 198.51.100.0/24 \
local 192.0.2.2 peer 192.0.2.1 \
ikesa group modp2048 \
srcid 192.0.2.2 dstid 192.0.2.1 \
psk "your PSK here"
</code>