Quite a lot has changed since I wrote this page a couple of years ago,
and most of the information found here is of merely anecdotal value.
OpenBSD IPSEC information
This page gives some hints for IPSEC configuration on
OpenBSD.
OpenBSD and Checkpoint FW-1 4.1
Here's the set-up I've used to establish an IPSEC tunnel from OpenBSD (3.1)
to Checkpoint Firewall-1 (4.1) in a SecuRemote-like way. However, due to lack of
standards and documentation this only works with pre-shared keys.
I didn't get the PKI approach to work, but I guess I'm in good company
here.
The actual configuration is pretty trivial. Basically, all you need are
suitable isakmpd.policy and isakmpd.conf files. Obviously,
you'll have to change yourPassword, yourUsername and the
bogus IP addresses to match your specific set-up:
/etc/isakmpd/isakmpd.policy
Authorizer: "POLICY"
Licensees: "passphrase:yourPassword"
Conditions: app_domain == "IPsec policy" && esp_present == "yes" -> "true";
/etc/isakmpd/isakmpd.conf
[General]
Default-phase-1-ID= my-ID
[Phase 1]
245.123.3.254= ISAKMP-remote
[Phase 2]
Connections= IPSec-remote
[ISAKMP-remote]
Phase= 1
Transport= udp
Address= 245.123.3.254
Configuration= Default-main-mode
ID= my-ID
Authentication= yourPassword
[my-ID]
ID-type= USER_FQDN
Name= yourUsername
[IPSec-remote]
Phase= 2
ISAKMP-peer= ISAKMP-remote
Configuration= Default-quick-mode
Local-ID= Net-local
Remote-ID= Net-remote
[Net-local]
ID-type= IPV4_ADDR_SUBNET
Network= 235.12.3.19
Netmask= 255.255.255.255
[Net-remote]
ID-type= IPV4_ADDR_SUBNET
Network= 244.3.0.0
Netmask= 255.255.0.0
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= 3DES-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
OpenBSD and Nortel Contivity
The very same set-up as above may be used to establish an IPSEC tunnel from
OpenBSD (3.3) to a Nortel Contivity (software revision 4.7,
connection configured as a user tunnel). Just make sure
that your Contivity profile configuration meets the following
characteristics:
Group profile:
- In the Connectivity section:
- Static IP addresses need to be enabled
- In the IPSec section:
- enable Split Tunneling
- Split Tunnel Networks need to be set to your remote
networks, as defined in the [Net-remote] section of your
isakmpd.conf
- Database Authentication (LDAP): User Name and Password need
to be enabled
User profile:
- Set Remote User Static IP Address and Static Subnet Mask
to match your isakmpd.conf [Net-local] portion.
- IPSec User ID and Password should correspond to
yourUsername and yourPassword from
isakmpd.conf.
I didn't mention obvious stuff like you'll need to enable non-Contivity
clients, and you may very well use different encryption suites ...
OpenBSD isakmpd RoadWarrior patch
If you're running isakmpd on a system with a dynamically assigned
IP address (quite popular for dial-up and ADSL accounts), you may end up
updating your IP address in /etc/isakmpd/isakmpd.conf regularly.
With this patch (for -3.5, probably) or, for -current, this one
(yet untested, sorry!) applied, you may specify an interface name
instead of an IP address, and isakmpd will then use the first IPv4 or
IPv6 address found on that interface. The configuration then looks like:
[Net-local]
ID-type= IPV4_ADDR_SUBNET
Network= pppoe0
Netmask= 255.255.255.255
If you want to use NAT to hide a LAN behind your single IP address
(remember, that's your one and only local address within the above
IPSEC flow), you may simply route the peer network to a local
interface and perform NAT on that. Example:
route add -net 244.3.0.0/16 127.0.0.1
and in /etc/pf.conf:
nat on lo0 from any to 244.3.0.0/16 -> pppoe0
MSS Clamping
You should consider configuring MSS clamping for packets that are
part of the IPSEC security association. E.g., for tunneled mode,
with the configuration outlined above, and connected via PPPoE,
the typical packet looks like:
Ethernet payload, 1500 octets
  PPPoE/PPP header, 8 octets | PPPoE/PPP payload, 1492 octets
    IP header, 20 octets | IP payload, 1472 octets
      ESP header, 8 octets | IPSec payload, encrypted, 1436 octets | ESP trailer, 28 octets
        IP header, 20 octets | IP payload, 1416 octets
          TCP header, 20 to 64 octets | TCP payload, 1396 to 1352 octets
which basically means that something like
scrub in all max-mss 1396 no-df
in /etc/pf.conf might be helpful. Well, you'd better limit that
to the actual IPSEC flow, but hopefully you've got the idea.
Take care: that particular value may not be suitable for other ESP
authentication algorithms.
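As an added worked example (not part of the original page), the script below carries the packet breakdown above through to the max-mss figure and shows how it shifts without PPPoE or with a longer ESP ICV. The ICV lengths per authentication algorithm and the exact shape of the narrowed pf rule are my assumptions, not taken from the page.

```python
"""MSS clamping for the tunnel-mode ESP over PPPoE stack described above.

Per-layer sizes come from the page's packet breakdown (3DES-SHA suite).
ICV lengths are assumptions used to illustrate the page's caveat that the
1396 figure depends on the ESP authentication algorithm.
"""

ETHERNET_MTU = 1500

# Overheads in octets, as given in the page's breakdown.
PPPOE_PPP_HEADER = 8
OUTER_IP_HEADER = 20
ESP_HEADER = 8               # SPI + sequence number
ESP_TRAILER_3DES_SHA = 28    # padding, pad length, next header, ICV
INNER_IP_HEADER = 20
TCP_HEADER_MIN, TCP_HEADER_MAX = 20, 64   # no options / maximal options

# Assumption: the page's 28-octet trailer contains a 12-octet HMAC-SHA1-96 ICV.
ICV_OCTETS = {"hmac-sha1-96": 12, "hmac-md5-96": 12, "hmac-sha2-256": 16}


def esp_trailer(auth="hmac-sha1-96"):
    """Trailer length for the page's 3DES suite, adjusted for the ICV size."""
    return ESP_TRAILER_3DES_SHA - ICV_OCTETS["hmac-sha1-96"] + ICV_OCTETS[auth]


def max_mss(pppoe=True, auth="hmac-sha1-96", tcp_header=TCP_HEADER_MIN):
    """Largest TCP payload that keeps the outer frame within the Ethernet MTU."""
    link = PPPOE_PPP_HEADER if pppoe else 0
    overhead = (link + OUTER_IP_HEADER + ESP_HEADER + esp_trailer(auth)
                + INNER_IP_HEADER + tcp_header)
    return ETHERNET_MTU - overhead


def pf_scrub_rule(pppoe=True, auth="hmac-sha1-96", peer_net="244.3.0.0/16"):
    """pf.conf scrub line narrowed to TCP towards the peer network (assumed form)."""
    return f"scrub in proto tcp from any to {peer_net} max-mss {max_mss(pppoe, auth)} no-df"


if __name__ == "__main__":
    print("PPPoE, 3DES-SHA, no TCP options:", max_mss())                      # 1396
    print("PPPoE, 3DES-SHA, 64-octet TCP header:", max_mss(tcp_header=TCP_HEADER_MAX))  # 1352
    print("plain Ethernet, 3DES-SHA:", max_mss(pppoe=False))                  # 1404
    print("PPPoE, 16-octet ICV:", max_mss(auth="hmac-sha2-256"))              # 1392
    print(pf_scrub_rule())
```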