OpenBSD Journal

Requesting peer review of IPsec document

Contributed by marco on from the RFC dept.

Peter Matulis pmatulis at papamike dot ca writes:

Hello gang. I recently put up a new Papamike document on using IPsec with OpenBSD. It is both a primer for IPsec in general and a guide for setting up rudimentary configurations on OpenBSD.

So I'm looking for comments and corrections. Please be kind! It's an intimidating subject.

Implementing IPsec on OpenBSD

Thanks.

(Comments are closed)


Comments
  1. By Simon Lundström (83.140.211.6) simonlundstrom@gmail.com on

    It would be really great if you moved away from the old way of configuring IPSec with ipsecadm(8) and instead concentrated on just using ipsec.conf(5) and ipsecctl(8) since it's the new, cool and supposedly easy of doing IPSec.

    I've been waiting for the time to free up for me to look at the ipsecctl(8) since I don't like the whole idea with lots of shellscripts that ipsecadm(8) requires. I'm currently using openvpn for VPN. Works, but IPSec is prefered since it often doesnt require addon/third-party applications.

    To create the missing manual/FAQ entry for ipsecctl(8) and ipsec.conf(5) would be the good thing to do, for "someone".

    Also, someone might know, does one need to config isakmpd(8) with with iskapmpd.conf(5) when using ipsec.conf(5)? (I know the man does, but I haven't had the time to really read it throughly).

    Comments
    1. By Simon Lundström (83.140.211.6) simonlundstrom@gmail.com on

      And yeah, almost forgot. A _very_ throughly going document about IPSec, almost too much.

      Otherwise good!

    2. By Anonymous Coward (24.221.189.59) on

      I'd read it, but if it's recommending the old way and use of old tools, I can't waste my time since I'm not interested in the old method.

    3. By Anonymous Coward (66.11.66.41) on

      No. On 3.8 you need an isakmpd.policy still, but that's it. On current you can use pre-shared secrets or the automatically generated RSA key pairs with ipsecctl. In your ipsec.conf: ike esp from 10.0.0.0/24 to 10.0.1.0/24 peer 1.1.1.1

    4. By Anonymous Coward (81.57.42.108) on

      I found the ipsec.conf(5) man page too laconic about the need (or not) of an isakmpd.conf (an the params to start isakmpd correctly). Well, after lots of semi-blind tests: no isakmpd.conf and start it with "isakmpd -K".

      I also wonder (but is pure cosmetic). why there no entry for ipsecctl on /etc/netstart or rc and rc.conf ?

      Another question about the "new way" (ipsecctl and ipsec.conf): how are we supposed to make it work with either Linux (free|strong|open/swan ) or the other BSDs (racoon) ?
      Given that ipsecctl IKE operations can't handle X.509 certs (only RSA keys), and on the other hand racoon & *swan can only handle specialy crafted, uncompatibles, unconvertible RSA keys (or X.509 certs or psk)... Same problem to make it interoperate with MS Windows (no RSA AFAIK, only psk or certs). So interoperability is even harder than before.
      But yes, the new pf-like syntax is clean and pretty.

      Comments
      1. By Anonymous Coward (70.27.15.123) on

        If you are running current you can use pre-shared secrets with ipsec.conf, which should work just fine connecting to linux or whatever. I am sure cert support will be added eventually too, ipsecctl isn't finished yet.

      2. By HJ (194.95.224.220) hshoexer@yerbouti.franken.de on

        You can use x509 as well. Just put your certs -- as described in isakmpd(8) -- in /etc/isakmpd/{ca,certs}.

        Comments
        1. By Anonymous Coward (81.57.42.108) on

          Wow, so great !

          I did this wrong assumption because ipsec.conf(5) states:
          "Note that isakmpd(8) will use RSA authentication."
          shouldn't it rather say something like this ? :
          "Note that isakmpd(8) will use RSA or X509 authentication as described in the dedicated man page."
          But then, the following isakmpd.conf(5) paragraph may better end up in isakmpd(5) (because it explains an isakmpd behaviour that can happen without implying an isakmpd.conf file, and this feature could puzzle someone coming from the ipsec.conf(5) page): "The private_key file contains the private RSA key we use for authentication. If the directory (and the files) exist, they take precedence over X509-based authentication."

          On a related note, is there a way to use certificates to match USER_FQDN ids with ipsecctl, eg. for a road warrior setup (the ipsec.conf(5) man page only talk about srcid/dstid fqdn, so I guess we can't) ? If no, is this a bad & dumb idea, or does it just lack an actual implementation in ipsecctl ?

    5. By Peter Matulis (216.252.84.127) on

      Well if you read the appropriate section you will see that I am waiting for the development of "the new way" to stabilize. I had started to write about it but then decided against it since it all felt half-baked. Be patient...

      Comments
      1. By Simon Lundström (62.13.21.254) simonlundstrom@gmail.com on

        Good! Looking forward to it, hoping that would be in 3.9!

    6. By HJ (194.95.224.220) hshoexer@yerbouti.franken.de on

      In general it's good to see, when someone puts much effort in writing such a howto. Thanks! (-:

      But actually I'd like to encourage people to start with the already existing man pages vpn(8), ipsecctl(8) , ipsec.conf(5) etc. and submit improvements for them instead. If something is unclear or too laconic, figure it out and improve the manpage. Especially when this stuff is still under developement -- and it will be for quite some time -- help to keep the man pages as close as possible to what's going on right now.

      Well, to be precise, as developer I keep the man page up to date, but as an "insider" it's hard to see what's unclear to the "outsider" -- whom that manual is written for. So apropriate input and improvements are always needed. Welcome to the bleeding edge (-;

  2. By Anonymous Coward (69.70.207.240) on

    I haven't had a chance to read this over, but by looking at it so far, I think you did a great job! Thank you! I'll leave the constructive criticism to others; at least until I get the chance to read this over, otherwise it looks really good.

    Comments
    1. By Anonymous Coward (202.6.138.33) on

      You haven't read it, but it looks really good. Yup. That's a useful comment.
      Almost as useful as this one.

      Comments
      1. By Anonymous Coward (69.70.207.240) on

        What I meant is that it looks like he put a lot of effort into it. Have you taken the time to do anything useful like this, or the best you could do was reply with an even more useless comment?

        Comments
        1. By Anonymous Coward (69.193.125.68) on

          He asked for comments and corrections so I think he was looking specifically for critical analysis. I'm sure he's perfectly capable of judging how much effort he put into it himself.

  3. By Anonymous Coward (150.147.18.167) on

    "...can be implemented by different protocols is the fist sign that IPsec is unecessarily complex..."

    I think you mean "first sign."

    Comments
    1. By Peter Matulis (216.252.84.127) on

      Got it.

  4. By Andreas Lundin (194.145.250.32) on http://dreamhosted.se/~lunde

    I see that you refer to kernfs in your document, I don't belive that you should since it's not included in 3.9. Read the archives for the cvs commit log.

    Comments
    1. By lqw (84.185.192.156) on

      I belive -DA=99 is too much of debug messages for most uses, -DA=90 is recommended and should suffice (I saw this even suggested by th delvelopers)

      Comments
      1. By lqw (84.185.192.156) on

        Oh, and lsof is not installed by default, but fstat is. So maybe "fstat |grep *:500" is the more "OpenBSDish" way...

  5. By bsd (80.190.252.124) on

    Hi, Thank you for your PSK work firstly. But it would be great if you provide RSA and X.509 Cert example also.
    BTW, has anyone got any good isakmpd document?
    Thank you again.

    Comments
    1. By HJ (194.95.224.220) hshoexer@yerbouti.franken.de on

      What's wrong with isakmpd(8), section "X509 AUTHENTICATION" and vpn(8)?

    2. By VideoMan (65.173.207.2) dave@drstrangelove.net on http://www.drstrangelove.net

      I did a write up on SafeNET and OpenBSD with X509 certs, it's not fully pollished, but it works.
      Currently at. http://www.drstrangelove.net/SafeNet-To-OpenBSD.html
      There is also http://www.allard.nu/openbsd/ which has a lot of example configs on it.

      Next I'll try to modify the SafeNet doc for OpenVPN. Which IMHO works much better for Windows Clients then SafeNet ever did. I never could truely rely on IKECFG being pushed to the windows client, and it acutualy doing anyting with it. (IKECFG being: Vitural IP, WINS, DNS, DOMAINNAME, ROUTES)

      If anyone wants the docs for OpenVPN configs that are very similar to the SafeNet ones let me know...

      I'm ranting here arent I?... OOPS!

  6. By VideoMan (65.173.207.2) dave@drstrangelove.net on http://www.drstrangelove.net

    I don't see a signifant value in the ipsecadmin manual configurations, I think that this step just muddys and confuses the users as well as the configuration of isakmpd.

    The only commands that I have found usefull from the ipsecadmin perspective are...
     ipsecadmin flush
    Dump all isakmpd or ipsec tunnels, yes this is everything *poof* (at least until isakmpd wakes up and re-does the tunnels)

    and
     ipsecadm flow -bypass -addr 192.168.0.0/24 192.168.0.0/24 
    Which bypasses the local network when you have set a default or large network segment in the IPSec/isakmpd config.


    This is really great work!! Well formated and easy to read. This will surely help others to come!
    Now what about running BGP or OSPF on top of this in a mesh? =-)

  7. By Marcello Morsello (201.37.181.143) on

    Great job!
    By far more complete than man pages for ipsec and vpn.
    Adding topics for ipsec.conf and ipsecctl can be a
    "IPSEC user´s guide" like PF´s guide on OpenBSD FAQ.

    Comments
    1. By Anonymous Coward (66.11.66.41) on

      More words than the man pages perhaps, but definately less helpful.

  8. By Anonymous Coward (80.55.64.214) on

    Great work, but i wish see some examples of configuring IPcomp with ESP.

  9. By Matvey Gladkikh (83.102.193.130) matvey@users.sf.net on http://matvey.org.ru

    1. I found somewhat a mess that ipsec configuration goes with pf configuration - easier for me to test first without firewall - and when everything working - to setup pf rules. (I think if smth goes wrong firewall messes alot for newbie).

    2. each howto is mono (will be better to have stereo configs for both ends - even if they are the same) e.g. - configs of ipsec are stereo - but pf configs - mono (should not be from my point of view).

    3. examples should be shell scripts - from my point of view they are easier to understand - instead of mess with netA/netB/hostA/hostB = netA="" later $netA.

    4. there is also a mess for me between using ipsecctl and ipsecadmin examples. (It will be great to comment in different colors their output and meanings).

    5. I still have questions how to connect ipsecctl/isakmpd driven host to linux box.

    6. ipsectl+ipsec.conf +isakmpd -K example worked for me / papmike's manual much more tricky.

  10. By Matvey Gladkikh (83.102.193.130) on

    this is the howto of ipsecctl + ipsec.conf + "isakmpd -K" that I mentioned: http://www.securityfocus.com/infocus/1859

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]