Setting up IPSEC on LAN between two hosts (OpenBSD)

Tags: ikev2, ipsec, local-area-network, openbsd

Trying to use IPSEC between two hosts on a LAN. No VPN involved

Using OpenBSD 5.8 (in VirtualBox). I'd prefer to use OpenBSD's built-in support for IPSEC and key exchange and not a third-party.

Two hosts: 10.0.2.10 (host "A") and 10.0.2.11 (host "B")

They can ping/ssh each other before trying to setup IPSEC.

UPDATE: I think maybe OpenIKED (IKE v2) doesn't support transport mode, so I'll accept answers for isakmp (IKE v1) too

Copied A's /etc/iked/local.pub to B's /etc/iked/pubkeys/ipv4/10.0.2.10
Copied B's /etc/iked/local.pub to A's /etc/iked/pubkeys/ipv4/10.0.2.11

On both:

echo "ikev2 esp from any to any" > /etc/iked.conf

chmod 640 /etc/iked.conf

echo "ipsec=YES" > /etc/rc.conf.local

echo "iked_flags=" >> /etc/rc.conf.local

Check configuration:

/sbin/iked -n
Configuration OK

I'm confused as to what to do next. I think I need to set up /etc/ipsec.conf, but I've only found IKEv1 documentation out there.

Restarted both machines. No errors. Says iked daemon started. If I rename the public keys to anything, can still ping each other, so IPSEC doesn't seem to be working.

  1. What else do I need to configure?
  2. Are there logs for IPSEC and iked, and if so, where can I find them?
  3. How to tell if IPSEC is working once configured, without looking at packets between the machines? Ping from B to A, tcpdump on A. Should see "esp" and "spi" in tcpdump

UPDATE: I got IPSEC working with manual key exchange

/etc/ipsec.conf:

# .10 is source, .11 is destination
flow esp from 10.0.2.10 to 10.0.2.11 type require

esp transport from 10.0.2.10 to 10.0.2.11 \
spi 0xCAFEBABE:0xCAFEBABE \
authkey 0x64CHARHEX:0x64CHARHEX \
enckey 0x64CHARHEX:0x64CHARHEX

hex needs to be in all uppercase

chmod 640 /etc/ipsec.conf

ipsecctl -F (delete config)
ipsecctl -f /etc/ipsec.conf (load config)
ipsecctl -s all -v (show config)

I'd prefer to use IKEv2's automatic keying. What can I do?

Best Answer

Answering my own question like a nerd

Problem 1. OpenIKED (IKEv2) does not support transport mode, so you can only use it for VPNs, and not on a LAN. Use isakmpd (IKEv1)

Problem 2. The documentation for ipsec.conf says that the auth and enc values have defaults, but you seem to need to set them anyways

What else do I need to configure?

You need to set the correct rc.d flags on isakmpd (see below)

Are there logs for IPSEC and iked, and if so, where can I find them?

The logs are at /var/log/daemon

How to tell if IPSEC is working once configured, without looking at packets between the machines?

On B, run tcpdump host A, and on A run ping B. You want to see esp and spi in the tcpdump output.

Setup:

Host A (10.0.2.10)

# cat << EOF > /etc/ipsec.conf
ike active esp transport from 10.0.2.10 to 10.0.2.11 \
  main auth hmac-sha1 enc aes \
  quick auth hmac-sha2-256 enc aes 
EOF
# chmod 640 /etc/ipsec.conf

# cd /etc/isakmpd/pubkeys/ipv4
# scp notRoot@10.0.2.11:/etc/isakmpd/local.pub 10.0.2.11 `# copy remote's public key`

# rcctl enable ipsec
# rcctl enable isakmpd
# rcctl set isakmpd flags "-KTv" `#K = use ipsec.conf for configuration, T = disable NAT traversal, v = verbose logging`

# ipsecctl -vf /etc/ipsec.conf  `# start ipsec, or reboot`
# rcctl start isakmpd

Host B (10.0.2.11)

# cat << EOF > /etc/ipsec.conf
ike active esp transport from 10.0.2.11 to 10.0.2.10 \
  main auth hmac-sha1 enc aes \
  quick auth hmac-sha2-256 enc aes 
EOF
# chmod 640 /etc/ipsec.conf

# cd /etc/isakmpd/pubkeys/ipv4
# scp notRoot@10.0.2.10:/etc/isakmpd/local.pub 10.0.2.10 `# copy remote's public key`

# rcctl enable ipsec
# rcctl enable isakmpd
# rcctl set isakmpd flags "-KTv" `#K = use ipsec.conf for configuration, T = disable NAT traversal, v = verbose logging`

# ipsecctl -vf /etc/ipsec.conf  `# start ipsec, or reboot`
# rcctl start isakmpd
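The verification step in the answer (ping from A, tcpdump on B, look for esp and spi) can be checked against a saved capture instead of by eye. This is an added example, not part of the original answer: the tcpdump line layout it parses is an assumption modelled on OpenBSD's output, the sample captures are constructed, and it goes one step further than the answer by also flagging any plaintext packet between the two hosts, which would mean the flow is not actually being enforced.

```shell
#!/bin/sh
# Added example, not from the original post. Given text captured with
# "tcpdump host 10.0.2.10" on host B, it counts how many packets between the
# two hosts are ESP and how many crossed in plaintext.
# Line format is an assumed approximation of OpenBSD tcpdump output.

HOST_A=10.0.2.10
HOST_B=10.0.2.11

# Classify one capture: prints "<esp> <plain>" counts.
# A packet is ESP when field 2 is "esp" and an SPI follows; any other
# packet whose endpoints are A and B counts as plaintext.
classify() {
    printf '%s\n' "$1" | awk -v a="$HOST_A" -v b="$HOST_B" '
        function host(f,  p, n) {            # strip ":" and a trailing port
            sub(/:$/, "", f)
            n = split(f, p, ".")
            return (n == 5) ? p[1] "." p[2] "." p[3] "." p[4] : f
        }
        function between(s, d) { return (s == a && d == b) || (s == b && d == a) }
        $2 == "esp" && $6 == "spi" && between($3, $5) { esp++; next }
        between(host($2), host($4))           { plain++ }
        END { print esp + 0, plain + 0 }'
}

# Succeeds only if ESP traffic is present AND nothing between A and B was
# plaintext; plaintext means the "type require" flow is not being enforced.
ipsec_enforced() {
    set -- $(classify "$1")
    [ "$1" -gt 0 ] && [ "$2" -eq 0 ]
}

# Constructed sample captures (modelled on OpenBSD tcpdump, not real output).
GOOD_CAPTURE='12:00:01.000100 esp 10.0.2.11 > 10.0.2.10 spi 0xcafebabe seq 1 len 100
12:00:01.000300 esp 10.0.2.10 > 10.0.2.11 spi 0xcafebabe seq 1 len 100
12:00:01.000400 arp reply 10.0.2.10 is-at 08:00:27:aa:bb:cc'
LEAK_CAPTURE='12:00:02.000100 esp 10.0.2.11 > 10.0.2.10 spi 0xcafebabe seq 2 len 100
12:00:02.000200 10.0.2.11.40000 > 10.0.2.10.22: S 1:1(0) win 16384
12:00:02.000300 10.0.2.10 > 10.0.2.11: icmp: echo reply'

if ipsec_enforced "$GOOD_CAPTURE"; then echo "good capture: ESP only"; fi
if ! ipsec_enforced "$LEAK_CAPTURE"; then echo "leak capture: plaintext seen"; fi
```

To use it on a live box, save the capture first (tcpdump -l host 10.0.2.10 > /tmp/cap) and pass its contents: ipsec_enforced "$(cat /tmp/cap)".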