
Another howto for the sake of posterity 🙂

Create /etc/ipsec.conf on Machine A


## machine A
# external IP: 111.111.111.111
# internal network: 192.168.1.0/24
## machine B
# external IP: 222.222.222.222
# internal network: 192.168.2.0/24

ike esp from 192.168.1.0/24 to 192.168.2.0/24 peer 222.222.222.222 psk supersecretpassphrase
ike esp from 111.111.111.111 to 192.168.2.0/24 peer 222.222.222.222 psk supersecretpassphrase
ike esp from 111.111.111.111 to 222.222.222.222 psk supersecretpassphrase

Create /etc/ipsec.conf on Machine B


ike esp from 192.168.2.0/24 to 192.168.1.0/24 peer 111.111.111.111 psk supersecretpassphrase
ike esp from 222.222.222.222 to 192.168.1.0/24 peer 111.111.111.111 psk supersecretpassphrase
ike esp from 222.222.222.222 to 111.111.111.111 psk supersecretpassphrase
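As a sanity check on the two files above (an added example, not part of the howto), this Python script parses the ike rules and reports any flow that one side declares but the other does not declare in the reverse direction, plus any peer that is given two different PSKs. On these two files it reports the host-to-LAN rules (A's second rule and B's second rule) as unmirrored, because each side declares only its own host's flow; the names Flow, parse_flows, unmirrored and psk_conflicts are my own.

```python
import re
from typing import NamedTuple
# Constructed copies of the two /etc/ipsec.conf files shown in the howto.
IPSEC_CONF_A = """\
ike esp from 192.168.1.0/24 to 192.168.2.0/24 peer 222.222.222.222 psk supersecretpassphrase
ike esp from 111.111.111.111 to 192.168.2.0/24 peer 222.222.222.222 psk supersecretpassphrase
ike esp from 111.111.111.111 to 222.222.222.222 psk supersecretpassphrase
"""
IPSEC_CONF_B = """\
ike esp from 192.168.2.0/24 to 192.168.1.0/24 peer 111.111.111.111 psk supersecretpassphrase
ike esp from 222.222.222.222 to 192.168.1.0/24 peer 111.111.111.111 psk supersecretpassphrase
ike esp from 222.222.222.222 to 111.111.111.111 psk supersecretpassphrase
"""

# Only the rule shape this howto uses: ike esp from X to Y [peer Z] psk K
RULE_RE = re.compile(
    r"^ike\s+esp\s+from\s+(\S+)\s+to\s+(\S+)(?:\s+peer\s+(\S+))?\s+psk\s+(\S+)$")

class Flow(NamedTuple):
    src: str
    dst: str
    peer: str
    psk: str

def parse_flows(text):
    """Parse the ike rules; '#' comments and blank lines are skipped, anything else is an error."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        src, dst, peer, psk = m.groups()
        # The host-to-host rule omits 'peer'; the 'to' host is then the IKE peer.
        flows.append(Flow(src, dst, peer or dst, psk))
    return flows

def unmirrored(flows_a, flows_b):
    """Flows of A that B does not declare in the reverse direction with the same PSK."""
    reverse = {(f.dst, f.src, f.psk) for f in flows_b}
    return [f for f in flows_a if (f.src, f.dst, f.psk) not in reverse]

def psk_conflicts(flows):
    """Peers given more than one PSK; the PSK belongs to the IKE peer, not to a flow."""
    keys = {}
    for f in flows:
        keys.setdefault(f.peer, set()).add(f.psk)
    return sorted(p for p, k in keys.items() if len(k) > 1)
```

Run it over both files before rebooting; a flow listed as unmirrored is worth a second look before trusting the netstat output below.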

Edit /etc/rc.conf.local on both machines


## start the isakmpd
isakmpd_flags="-K"
ipsec=YES

Allow VPN traffic in /etc/pf.conf on Machine A


vpn_net = "192.168.2.0/24"

pass in quick on tun0
pass out quick on tun0
pass in quick on $int_if from $lan_net to $vpn_net
pass out quick on $int_if from $vpn_net to any


Allow VPN traffic in /etc/pf.conf on Machine B


vpn_net = "192.168.1.0/24"

pass in quick on tun0
pass out quick on tun0
pass in quick on $int_if from $lan_net to $vpn_net
pass out quick on $int_if from $vpn_net to any



Reboot the machine to check if everything starts at boot

Running netstat -rn on Machine A should give something like:


Encap:
Source               Port  Destination          Port  Proto SA(Address/Proto/Type/Direction)
192.168.2/24         0     111.111.111.111/32   0     0     222.222.222.222/esp/use/in
111.111.111.111/32   0     192.168.2/24         0     0     222.222.222.222/esp/require/out
222.222.222.222/32   0     111.111.111.111/32   0     0     222.222.222.222/esp/use/in
111.111.111.111/32   0     222.222.222.222/32   0     0     222.222.222.222/esp/require/out
192.168.2/24         0     192.168.1/24         0     0     222.222.222.222/esp/use/in
192.168.2/24         0     192.168.2/24         0     0     222.222.222.222/esp/require/out


2 Comments

Christer Solskogen, posted August 15, 2008 at 2:23 am:

    How about certificates?

    Does anybody know if OpenBSD supports NHRP?
    It would be useful to create a spoke client in a DMVPN network.


