Trying to use IPSEC between two hosts on a LAN. No VPN involved
Using OpenBSD 5.8 (in VirtualBox). I'd prefer to use OpenBSD's built-in support for IPSEC and key exchange and not a third-party.
Two hosts: 10.0.2.10 (host "A") and 10.0.2.11 (host "B").
They can ping/ssh each other before trying to setup IPSEC.
UPDATE: I think maybe OpenIKED (IKE v2) doesn't support transport mode, so I'll accept answers for isakmpd (IKE v1) too.
Copied A's /etc/iked/local.pub to B's /etc/iked/pubkeys/ipv4/10.0.2.10
Copied B's /etc/iked/local.pub to A's /etc/iked/pubkeys/ipv4/10.0.2.11
On both:
echo "ikev2 esp from any to any" > /etc/iked.conf
chmod 640 /etc/iked.conf
echo "ipsec=YES" > /etc/rc.conf.local
echo "iked_flags=" >> /etc/rc.conf.local
Check configuration:
/sbin/iked -n
Configuration OK
I'm confused as to what to do next. I think I need to set up /etc/ipsec.conf, but I've only found IKEv1 documentation out there.
Restarted both machines. No errors. Says iked daemon started. If I rename the public keys to anything, can still ping each other, so IPSEC doesn't seem to be working.
- What else do I need to configure?
- Are there logs for IPSEC and iked, and if so, where can I find them?
- How to tell if IPSEC is working once configured, without looking at packets between the machines? Ping from B to A, tcpdump on A. Should see "esp" and "spi" in tcpdump
UPDATE: I got IPSEC working with manual key exchange
/etc/ipsec.conf:
# .10 is source, .11 is destination
flow esp from 10.0.2.10 to 10.0.2.11 type require
esp transport from 10.0.2.10 to 10.0.2.11 \
spi 0xCAFEBABE:0xCAFEBABE \
authkey 0x64CHARHEX:0x64CHARHEX \
enckey 0x64CHARHEX:0x64CHARHEX
hex needs to be in all uppercase
chmod 640 /etc/ipsec.conf
ipsecctl -F (delete config)
ipsecctl -f /etc/ipsec.conf (load config)
ipsecctl -s all -v (show config)
I'd prefer to use IKEv2's automatic keying. What can I do?
Best Answer
Answering my own question like a nerd
Problem 1. OpenIKED (IKEv2) does not support transport mode, so you can only use it for VPNs, and not on a LAN. Use isakmpd (IKEv1).
Problem 2. The documentation for ipsec.conf says that the auth and enc values have defaults, but you seem to need to set them anyways.
You need to set the correct rc.d flags on isakmpd (see below).
The logs are at /var/log/daemon.
On B, run tcpdump host A, and on A run ping B. You want to see esp and spi in the tcpdump output.
Setup:
Host A (10.0.2.10)
Host B (10.0.2.11)
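A small POSIX sh helper, added here and not part of the original question or answer, that generates the 64-character uppercase hex keys the manual-keying /etc/ipsec.conf above expects (the post notes the hex must be uppercase) and prints a config in the same shape as the one in the question. The SPI values, the use of distinct keys per direction, and the od/tr key generation are my assumptions, not from the post.

```shell
#!/bin/sh
# Build a manual-keying ipsec.conf for two LAN hosts (added example, not from the post).
# Assumes a POSIX od/tr and /dev/urandom; the ipsec.conf grammar follows ipsec.conf(5).

# 32 random bytes rendered as 64 uppercase hex characters.
# The post reports that lowercase hex was not accepted, hence the tr.
gen_hexkey() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Return 0 only if the argument is exactly 64 uppercase hex characters.
valid_hexkey() {
    case "$1" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# Print an ipsec.conf for hosts $1 (A) and $2 (B). In each colon-separated
# pair the first value applies to the A->B SA and the second to B->A, as in
# the post's example; the SPI numbers here are placeholders of my choosing.
make_ipsec_conf() {
    a="$1"; b="$2"
    ak_ab=$(gen_hexkey); ak_ba=$(gen_hexkey)   # authentication keys, one per direction
    ek_ab=$(gen_hexkey); ek_ba=$(gen_hexkey)   # encryption keys, one per direction
    cat <<EOF
# manual keying between $a and $b; install the same file on both hosts
flow esp from $a to $b type require
esp transport from $a to $b \\
    spi 0x00001001:0x00001002 \\
    authkey 0x$ak_ab:0x$ak_ba \\
    enckey 0x$ek_ab:0x$ek_ba
EOF
}

# Usage: make_ipsec_conf 10.0.2.10 10.0.2.11 > /etc/ipsec.conf && chmod 640 /etc/ipsec.conf
```

Load it with ipsecctl -f /etc/ipsec.conf as in the question; keep the file mode at 640 since it holds the raw keys.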