Contributed by marco on from the RFC dept.
Hello gang. I recently put up a new Papamike document on using IPsec with OpenBSD. It is both a primer for IPsec in general and a guide for setting up rudimentary configurations on OpenBSD.
So I'm looking for comments and corrections. Please be kind! It's an intimidating subject.
Implementing IPsec on OpenBSD
Thanks.
By Simon Lundström (83.140.211.6) simonlundstrom@gmail.com on
I've been waiting for the time to free up for me to look at ipsecctl(8), since I don't like the whole idea with lots of shell scripts that ipsecadm(8) requires. I'm currently using openvpn for VPN. Works, but IPSec is preferred since it often doesn't require add-on/third-party applications.
To create the missing manual/FAQ entry for ipsecctl(8) and ipsec.conf(5) would be a good thing to do, for "someone".
Also, someone might know: does one need to configure isakmpd(8) with isakmpd.conf(5) when using ipsec.conf(5)? (I know the man page does, but I haven't had the time to really read it thoroughly.)
By Simon Lundström (83.140.211.6) simonlundstrom@gmail.com on
Otherwise good!
By Anonymous Coward (24.221.189.59) on
By Anonymous Coward (66.11.66.41) on
By Anonymous Coward (81.57.42.108) on
I also wonder (but this is purely cosmetic): why is there no entry for ipsecctl in /etc/netstart or rc and rc.conf?
Another question about the "new way" (ipsecctl and ipsec.conf): how are we supposed to make it work with either Linux (free|strong|open/swan) or the other BSDs (racoon)?
Given that ipsecctl IKE operations can't handle X.509 certs (only RSA keys), and on the other hand racoon & *swan can only handle specially crafted, incompatible, unconvertible RSA keys (or X.509 certs or psk)... The same problem applies to interoperating with MS Windows (no RSA AFAIK, only psk or certs). So interoperability is even harder than before.
But yes, the new pf-like syntax is clean and pretty.
By Anonymous Coward (70.27.15.123) on
By HJ (194.95.224.220) hshoexer@yerbouti.franken.de on
By Anonymous Coward (81.57.42.108) on
I made this wrong assumption because ipsec.conf(5) states:
"Note that isakmpd(8) will use RSA authentication."
Shouldn't it rather say something like this?
"Note that isakmpd(8) will use RSA or X509 authentication as described in the dedicated man page."
But then, the following isakmpd.conf(5) paragraph may better end up in isakmpd(5) (because it explains an isakmpd behaviour that can happen without implying an isakmpd.conf file, and this feature could puzzle someone coming from the ipsec.conf(5) page): "The private_key file contains the private RSA key we use for authentication. If the directory (and the files) exist, they take precedence over X509-based authentication."
On a related note, is there a way to use certificates to match USER_FQDN ids with ipsecctl, e.g. for a road warrior setup (the ipsec.conf(5) man page only talks about srcid/dstid fqdn, so I guess we can't)? If not, is this a bad & dumb idea, or does it just lack an actual implementation in ipsecctl?
By Peter Matulis (216.252.84.127) on
By Simon Lundström (62.13.21.254) simonlundstrom@gmail.com on
By HJ (194.95.224.220) hshoexer@yerbouti.franken.de on
But actually I'd like to encourage people to start with the already existing man pages vpn(8), ipsecctl(8), ipsec.conf(5) etc. and submit improvements for them instead. If something is unclear or too laconic, figure it out and improve the man page. Especially when this stuff is still under development -- and it will be for quite some time -- help to keep the man pages as close as possible to what's going on right now.
Well, to be precise, as a developer I keep the man page up to date, but as an "insider" it's hard to see what's unclear to the "outsider" -- whom that manual is written for. So appropriate input and improvements are always needed. Welcome to the bleeding edge (-;
By Anonymous Coward (69.70.207.240) on
By Anonymous Coward (202.6.138.33) on
Almost as useful as this one.
By Anonymous Coward (69.70.207.240) on
By Anonymous Coward (69.193.125.68) on
By Anonymous Coward (150.147.18.167) on
"...can be implemented by different protocols is the fist sign that IPsec is unecessarily complex..."
I think you mean "first sign."
By Peter Matulis (216.252.84.127) on
By Andreas Lundin (194.145.250.32) on http://dreamhosted.se/~lunde
By lqw (84.185.192.156) on
By lqw (84.185.192.156) on
By bsd (80.190.252.124) on
BTW, has anyone got any good isakmpd document?
Thank you again.
By HJ (194.95.224.220) hshoexer@yerbouti.franken.de on
By VideoMan (65.173.207.2) dave@drstrangelove.net on http://www.drstrangelove.net
Currently at: http://www.drstrangelove.net/SafeNet-To-OpenBSD.html
There is also http://www.allard.nu/openbsd/ which has a lot of example configs on it.
Next I'll try to modify the SafeNet doc for OpenVPN, which IMHO works much better for Windows clients than SafeNet ever did. I never could truly rely on IKECFG being pushed to the Windows client, and it actually doing anything with it. (IKECFG being: Virtual IP, WINS, DNS, DOMAINNAME, ROUTES)
If anyone wants the docs for OpenVPN configs that are very similar to the SafeNet ones, let me know...
I'm ranting here, aren't I?... OOPS!
By VideoMan (65.173.207.2) dave@drstrangelove.net on http://www.drstrangelove.net
The only commands that I have found useful from the ipsecadmin perspective are...
Dump all isakmpd or ipsec tunnels, yes this is everything *poof* (at least until isakmpd wakes up and re-does the tunnels)
and
Which bypasses the local network when you have set a default or large network segment in the IPSec/isakmpd config.
This is really great work!! Well formatted and easy to read. This will surely help others to come!
Now what about running BGP or OSPF on top of this in a mesh? =-)
By Marcello Morsello (201.37.181.143) on
By far more complete than the man pages for ipsec and vpn.
Adding topics for ipsec.conf and ipsecctl could make it an "IPSEC user's guide" like PF's guide in the OpenBSD FAQ.
By Anonymous Coward (66.11.66.41) on
By Anonymous Coward (80.55.64.214) on
By Matvey Gladkikh (83.102.193.130) matvey@users.sf.net on http://matvey.org.ru
2. Each howto is mono (it would be better to have stereo configs for both ends, even if they are the same); e.g. the ipsec configs are stereo, but the pf configs are mono (they should not be, from my point of view).
3. Examples should be shell scripts; from my point of view they are easier to understand, instead of the mess with netA/netB/hostA/hostB = netA="" and later $netA.
4. There is also, for me, a mess between the ipsecctl and ipsecadmin examples. (It would be great to comment their output and meanings in different colors.)
5. I still have questions about how to connect an ipsecctl/isakmpd driven host to a Linux box.
6. The ipsecctl + ipsec.conf + isakmpd -K example worked for me / papamike's manual is much more tricky.
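Several comments in this thread touch the same points: whether isakmpd(8) needs an isakmpd.conf when ipsec.conf(5) is used, what "isakmpd -K" does, and the wish for "stereo" configs written as a shell script with variables rather than prose. The script below is an added example, not taken from the Papamike document or from any poster here. It renders the ipsec.conf for both gateways of a simple net-to-net tunnel from one set of variables, prints the matching pf.conf(5) lines, and shows the bring-up sequence. All addresses, networks and the interface name are constructed placeholders.

```sh
#!/bin/sh
# Constructed example: one script that renders the ipsec.conf for BOTH gateways
# of a net-to-net ESP tunnel ("stereo" configs from one set of variables),
# then loads the flows with ipsecctl(8) and lets isakmpd(8) negotiate the SAs.
# Addresses, networks and the interface name below are placeholders.

GW_A=203.0.113.1          # public address of gateway A
GW_B=203.0.113.2          # public address of gateway B
NET_A=192.168.1.0/24      # network behind gateway A
NET_B=192.168.2.0/24      # network behind gateway B
EXT_IF=em0                # external interface (assumed name)

# render_ipsec_conf LOCAL_NET REMOTE_NET REMOTE_GW
# Prints the single ipsec.conf(5) rule that makes isakmpd negotiate an ESP
# tunnel with IKE for one side. With no authentication keyword isakmpd falls
# back to RSA public keys: /etc/isakmpd/private/local.key on this side and the
# peer's public key installed as /etc/isakmpd/pubkeys/ipv4/<REMOTE_GW>.
# With isakmpd started with -K and ipsecctl feeding it the rules, no
# isakmpd.conf or isakmpd.policy is needed for this setup.
render_ipsec_conf() {
    printf 'ike esp from %s to %s peer %s\n' "$1" "$2" "$3"
}

# render_pf_rules EXT_IF PEER_GW
# pf.conf(5) fragment: let IKE (UDP 500, service name "isakmp") and ESP reach
# the peer, and pass the decapsulated traffic on enc0. Without these lines the
# tunnel negotiates but nothing flows through it.
render_pf_rules() {
    cat <<EOF
pass in on $1 proto udp from $2 to ($1) port isakmp
pass out on $1 proto udp from ($1) to $2 port isakmp
pass in on $1 proto esp from $2 to ($1)
pass out on $1 proto esp from ($1) to $2
pass on enc0
EOF
}

case "${1:-show}" in
show)
    # Print both sides for review: the rules are mirror images of each other.
    echo "# gateway A /etc/ipsec.conf"
    render_ipsec_conf "$NET_A" "$NET_B" "$GW_B"
    echo "# gateway B /etc/ipsec.conf"
    render_ipsec_conf "$NET_B" "$NET_A" "$GW_A"
    echo "# gateway A pf.conf fragment"
    render_pf_rules "$EXT_IF" "$GW_B"
    ;;
apply)
    # Run as root on gateway A; swap NET_A/NET_B and use GW_A on gateway B.
    render_ipsec_conf "$NET_A" "$NET_B" "$GW_B" > /etc/ipsec.conf
    isakmpd -K                      # -K: skip KeyNote policy checks; ipsec.conf is the policy
    ipsecctl -f /etc/ipsec.conf     # install flows and hand the IKE rules to isakmpd
    ipsecctl -s all                 # show the flows and, once negotiated, the SAs
    ;;
esac
```

Running the script with no argument prints the two ipsec.conf files and the pf fragment side by side, which is the "stereo" view asked for above; `apply` performs the bring-up on the local gateway. The RSA key files named in the comments are the isakmpd defaults; they still have to be generated and exchanged out of band before the first IKE exchange succeeds.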
By Matvey Gladkikh (83.102.193.130) on