Blame


1 b1b3910b 2024-05-08 jrmu version=pmwiki-2.3.20 ordered=1 urlencoded=1
2 b1b3910b 2024-05-08 jrmu agent=Mozilla/5.0 (X11; OpenBSD amd64; rv:91.0) Gecko/20100101 Firefox/91.0 SeaMonkey/2.53.17.1
3 b1b3910b 2024-05-08 jrmu author=mkf
4 b1b3910b 2024-05-08 jrmu charset=UTF-8
5 b1b3910b 2024-05-08 jrmu csum=
6 b1b3910b 2024-05-08 jrmu ctime=1715028362
7 b1b3910b 2024-05-08 jrmu host=198.251.84.158
8 b1b3910b 2024-05-08 jrmu name=OpenBSD.Iked
9 b1b3910b 2024-05-08 jrmu rev=5
10 b1b3910b 2024-05-08 jrmu targets=Rcctl.Rcctl,OpenBSD.Ping,OpenBSD.OpenBSDFAQ-VirtualPrivateNetworksVPN
11 b1b3910b 2024-05-08 jrmu text=Most IPsec implementations consist of two parts: one part in the kernel, which handles the packet flow and the encryption, and one userspace program, which handles configuration and the security associations (SAs). OpenBSD by default ships with @@iked@@ and @@isakmpd@@ for handling the SAs of IPsec.

!!Site-to-site VPN
Consider the following scenario: servers ''potato'' (@@192.168.1.1@@) and ''toybox'' (@@192.168.2.1@@) would like to access each other's network (@@10.0.1.0/24@@ and @@10.0.2.0/24@@ respectively).
This is called a site-to-site VPN. We may use OpenBSD's @@iked@@ to achieve the goal.

In this guide, the server which actively tries to connect is called the ''initiator'', while the server which answers the request is called the ''responder''.

Let's say ''toybox'' is the ''responder'', while ''potato'' is the ''initiator''.

!!!Responder configuration
First, if the firewall policy of the ''responder'' is to @@block@@ by default, we need to configure its firewall; otherwise, no action is needed.
In @@/etc/pf.conf@@:
[@
toybox=192.168.1.1
potato=192.168.2.1
ext_if=vio0

pass in log on $ext_if proto udp from $potato to $toybox port {isakmp, ipsec-nat-t} tag IKED
pass in log on $ext_if proto esp from $potato to $toybox tag IKED
@]

Afterwards, reload pf:
[@
toybox$ doas pfctl -f /etc/pf.conf
@]

Next we need to configure @@iked@@, in @@/etc/iked.conf@@:
[@
toybox="192.168.1.1"
net1="10.0.1.0/24"
potato="192.168.2.1"
net2="10.0.2.0/24"

ikev2 'toybox' passive esp \
 from $net1 to $net2 \
 from $net1 to $potato \
 from $toybox to $net1 \
 local $toybox peer $potato \
 srcid "toybox"
@]

In the configuration above, @@passive esp@@ means @@iked@@ waits for the ''initiator'' to start the connection.
We have also defined the IP addresses of the systems and networks, and declared which flows should be allowed: from @@net1@@ (the network of @@toybox@@) to @@net2@@ (the network of @@potato@@), from @@net1@@ to @@potato@@, and from @@toybox@@ to its own network.
We also state that the connection is accepted from @@potato@@'s IP, and that the messages we send are identified as "toybox".

Finally, set permissions. @@iked@@ refuses to start if the permissions are too open:
[@
toybox$ doas chmod 0600 /etc/iked.conf
@]

We are done on the responder.

!!!Initiator configuration
In @@/etc/iked.conf@@:
[@
toybox="192.168.1.1"
net1="10.0.1.0/24"
potato="192.168.2.1"
net2="10.0.2.0/24"

ikev2 'potato' active esp \
 from $net2 to $net1 \
 from $net2 to $toybox \
 from $potato to $net1 \
 peer $toybox \
 srcid "potato"
@]

The configuration here is pretty similar to what we did on the other server. The only important differences are that the connection is now @@active@@, meaning this server (@@potato@@) will actively try to connect to the other server, and that the messages are identified as "potato".

Setting permissions:
[@
potato$ doas chmod 0600 /etc/iked.conf
@]

!!!Keys
@@iked@@ can authenticate using passwords or keys. By default a key pair is generated and its public key is placed in @@/etc/iked/local.pub@@; the public keys of peers are read from one of the directories under @@/etc/iked/pubkeys@@, depending on the type of identity the peer presents (here @@fqdn@@, matching the @@srcid@@ values set above).

To copy the public key of each server to the other one:
[@
toybox$ ssh potato cat /etc/iked/local.pub \
 | doas tee -a /etc/iked/pubkeys/fqdn/potato
@]
and:
[@
potato$ ssh toybox cat /etc/iked/local.pub \
 | doas tee -a /etc/iked/pubkeys/fqdn/toybox
@]

And we are done.

!!!Running
Finally, to check if everything is working properly, run @@iked@@ in the foreground with verbose output, on the ''responder'':
[@
toybox$ doas iked -dv
@]

and on the ''initiator'':
[@
potato$ doas iked -dv
@]

If everything is working well, you should see '''something like''' the following messages:
[@
...
spi=0x254fdb97ff6a879e: ikev2_childsa_enable: loaded flows: ESP-10.0.2.0/24=10.0.1.0/24(0), ESP-192.168.2.1/32=10.0.1.0/24(0), ESP-10.0.2.0/24=192.168.1.1/32(0)
spi=0x254fdb97ff6a879e: established peer 192.168.1.1:500[FQDN/potato] local 192.168.2.1:500[FQDN/toybox] policy 'toybox' as initiator (enc aes-128-gcm group curve25519 prf hmac-sha2-256)
...
@]

Otherwise, if the keys aren't set up properly, you will see '''something like''' this:
[@
...
spi=0xd5de9f25502d0b7d: ikev2_dispatch_cert: peer certificate is invalid
spi=0xd5de9f25502d0b7d: ikev2_send_auth_failed: authentication failed for FQDN/toybox
...
@]

If everything works, you can enable it using [[rcctl|openbsd/rcctl]] on both servers:
[@
toybox$ doas rcctl enable iked
toybox$ doas rcctl start iked
iked(ok)
@]

and:
[@
potato$ doas rcctl enable iked
potato$ doas rcctl start iked
iked(ok)
@]

!!!Testing
To verify that it works, you may use [[ping|openbsd/ping]]. Before running @@iked@@:
[@
toybox$ ping -c 1 -I 10.0.1.1 10.0.2.1
PING 10.0.2.1 (10.0.2.1): 56 data bytes

--- 10.0.2.1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss

potato$ ping -c 1 -I 10.0.2.1 10.0.1.1
PING 10.0.1.1 (10.0.1.1): 56 data bytes

--- 10.0.1.1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
@]

After running @@iked@@:
[@
toybox$ ping -c 1 -I 10.0.1.1 10.0.2.1
PING 10.0.2.1 (10.0.2.1): 56 data bytes
64 bytes from 10.0.2.1: icmp_seq=0 ttl=255 time=1.539 ms

--- 10.0.2.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.539/1.539/1.539/0.000 ms
potato$ ping -c 1 -I 10.0.2.1 10.0.1.1
PING 10.0.1.1 (10.0.1.1): 56 data bytes
64 bytes from 10.0.1.1: icmp_seq=0 ttl=255 time=1.639 ms

--- 10.0.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.639/1.639/1.639/0.000 ms
@]

----
Note that this setup is lightly tested; be careful while using it.
----
See also
[[OpenBSD FAQ - Virtual Private Networks (VPN)||https://www.openbsd.org/faq/faq17.html]], iked(8), ipsec(4), iked.conf(5)
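A pre-flight check for the permission and key steps above, written as an added example rather than anything from the original page: it verifies that the configuration file has the 0600 mode the guide sets, and that the peer's key file under the pubkeys directory holds exactly one PEM public key (the `tee -a` above appends, so a second run would leave two keys in the file). The config path, pubkeys directory, identity type and peer name are parameters so it can be run against a scratch directory; it assumes the PEM `-----BEGIN PUBLIC KEY-----` format that `local.pub` uses.

```shell
#!/bin/sh
# Added example, not part of the original guide: pre-flight checks for an
# iked peer before running "iked -dv". Everything is parameterised so the
# checks work on a scratch directory as well as on /etc/iked.

# check_conf_mode FILE: 0 if FILE exists and is mode 0600, 1 otherwise.
# The first ten characters of "ls -ld" are the portable mode string.
check_conf_mode() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "$f: mode $mode, the guide expects -rw------- (chmod 0600)"
        return 1
    fi
    return 0
}

# check_peer_key PUBKEYS_DIR TYPE SRCID: 0 if PUBKEYS_DIR/TYPE/SRCID holds
# exactly one PEM public key block, 1 if it is missing, empty, not PEM, or
# holds several keys (the symptom of running "tee -a" more than once).
check_peer_key() {
    f=$1/$2/$3
    [ -s "$f" ] || { echo "$f: missing or empty peer key"; return 1; }
    n=$(grep -c '^-----BEGIN PUBLIC KEY-----' "$f" || :)
    case $n in
        1) return 0 ;;
        0) echo "$f: no PEM public key found"; return 1 ;;
        *) echo "$f: $n keys found, expected 1 (tee -a run twice?)"; return 1 ;;
    esac
}

# preflight CONF PUBKEYS_DIR TYPE SRCID: run both checks, report every
# problem, and return 0 only when both pass.
preflight() {
    rc=0
    check_conf_mode "$1" || rc=1
    check_peer_key "$2" "$3" "$4" || rc=1
    return $rc
}

# On the responder from the guide (toybox expects potato's key):
#   preflight /etc/iked.conf /etc/iked/pubkeys fqdn potato
```

Once this passes, `doas iked -n` checks the syntax of the configuration file itself without starting the daemon.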
12 b1b3910b 2024-05-08 jrmu time=1715029214
13 b1b3910b 2024-05-08 jrmu author:1715029214=mkf
15 b1b3910b 2024-05-08 jrmu host:1715029214=198.251.84.158
16 b1b3910b 2024-05-08 jrmu author:1715028645=mkf
18 b1b3910b 2024-05-08 jrmu host:1715028645=198.251.84.158
19 b1b3910b 2024-05-08 jrmu author:1715028534=mkf
21 b1b3910b 2024-05-08 jrmu host:1715028534=198.251.84.158
22 b1b3910b 2024-05-08 jrmu author:1715028384=mkf
24 b1b3910b 2024-05-08 jrmu host:1715028384=198.251.84.158
25 b1b3910b 2024-05-08 jrmu author:1715028362=mkf
26 b1b3910b 2024-05-08 jrmu csum:1715028362=ok.
28 b1b3910b 2024-05-08 jrmu host:1715028362=198.251.84.158