OpenBSD-5.3

How-To : IKEv2 VPN between a Windows 8 road warrior host and an OpenBSD gateway

Considering the following network ...

 

Please first read the man pages: iked(8), iked.conf(5), pfctl(8) and pf.conf(5)

For newcomers, the OpenBSD FAQ, afterboot(8) and rc.conf(8) are useful

** IKED is not yet finished. **

 

:: The Gateway Part ::

hostname : vpn.domain.local

lan : 192.168.0.53/24

egress : static IP address provided by the ISP : aa.bb.cc.dd

rl0 : group lan

rl1 : group egress

 

Example: assign the network card rl0 to the group "lan"

Edit the file /etc/hostname.rl0 and add this line:

!/sbin/ifconfig rl0 group lan

 

Install the zip package; ikectl(8) needs it to export the client bundle (the windows.zip file used below)

 

export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/5.3/packages/$(uname -m)/

pkg_add zip

 

Configure PF

 

Make sure IP forwarding is enabled: net.inet.ip.forwarding=1 in /etc/sysctl.conf

Or apply it on the fly: sysctl net.inet.ip.forwarding=1

 

/etc/pf.conf :

 

admin="ww.xx.yy.zz"

# Do not filter on loopback or on the IPsec interface: traffic arriving
# through the tunnel is not filtered on enc0, it is only matched again on lan
set skip on {lo,enc0}

# Masquerade the LAN behind the static egress address
match out on egress from lan:network to any nat-to egress

# Default deny; everything below is an exception to this rule
block log all

# ssh administration from one trusted host only
pass in on egress proto tcp from $admin to any port ssh

# IKEv2 (udp/500), NAT traversal (udp/4500) and the IPsec payload itself
pass in on egress proto udp from any to any port {isakmp,ipsec-nat-t}
pass in on egress proto {ah,esp}

pass out on egress
pass on lan

 

We allow the host "ww.xx.yy.zz" to administrate the box using ssh (from the Internet); nothing else reaches the gateway from outside except IKE and IPsec.

 

Enable pf and load the rules (-e enable, -v verbose, -f rule file)

/sbin/pfctl -evf /etc/pf.conf

 

Get a custom ikeca.cnf to keep things as simple as possible

 

Get it here and move it to /etc/ssl (ikectl(8) reads /etc/ssl/ikeca.cnf),

or follow this :

 

cd /tmp

ftp ftp://ftp.openbsd.org/pub/OpenBSD/5.3/src.tar.gz

tar -C /usr/src -zxf src.tar.gz

cp /usr/src/usr.sbin/ikectl/ikeca.cnf /etc/ssl

 

Now modify it at your convenience. Here is a sample (CERT_CN is left empty on purpose: ikectl fills it in from the name given on the command line):

...
CERT_C                  = FR
CERT_ST                 = NA
CERT_L                  = REUNION
CERT_O                  = .aise
CERT_OU                 = VPN
CERT_CN                 =
CERT_EMAIL              = wesley@mouedine.net
...

 

Create certificates

 

/usr/sbin/ikectl ca vpn create    # the CA; Common Name = hostname
/usr/sbin/ikectl ca vpn install   # installs the CA certificate and CRL under /etc/iked

 

/usr/sbin/ikectl ca vpn certificate aa.bb.cc.dd create    # SERVER; CN = aa.bb.cc.dd, it must match the srcid used in iked.conf
/usr/sbin/ikectl ca vpn certificate aa.bb.cc.dd install   # installs the certificate and its private key under /etc/iked

 

/usr/sbin/ikectl ca vpn certificate windows create   # CLIENT; CN = name it at your convenience
/usr/sbin/ikectl ca vpn certificate windows export   # builds a zip bundle containing ca.pfx and windows.pfx

 

Copy the windows.zip file to the Windows 8 host.

 

Configure iked

 

/etc/iked.conf :

 

# Responder-only (passive) ESP policy for any road warrior. Without a psk
# keyword iked authenticates with the certificates installed above.
#   from/to        : flows between our LAN and the client address
#   local          : the egress address iked listens on
#   peer any       : accept any client address (the Windows host has a dynamic IP)
#   srcid          : our identity; it must match the CN of the server certificate
#   config address : address handed to the client in the IKEv2 configuration payload
ikev2 passive esp \
        from 192.168.0.0/24 to 10.10.10.0/24 local aa.bb.cc.dd peer any \
        srcid aa.bb.cc.dd \
        config address 10.10.10.7

 

You can start iked manually with: /sbin/iked

 

To start the iked daemon at boot:

echo iked_flags= >> /etc/rc.conf.local

 

For testing, run it in the foreground with debugging output: /sbin/iked -dvv

 

View the flows and the established SAs:

# ipsecctl -sa
FLOWS:
flow esp in from 10.10.10.0/24 to 192.168.0.0/24 peer w8.w8.w8.w8 srcid IPV4/aa.bb.cc.dd type use
flow esp out from 192.168.0.0/24 to 10.10.10.0/24 peer w8.w8.w8.w8 srcid IPV4/aa.bb.cc.dd type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from w8.w8.w8.w8 to aa.bb.cc.dd spi 0x1704e5e0 auth hmac-sha1 enc aes-256
esp tunnel from aa.bb.cc.dd to w8.w8.w8.w8 spi 0x55ace81c auth hmac-sha1 enc aes-256
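The listing above is what you check by hand once the Windows host has connected: one ESP SA in each direction, both with the algorithms you expect. The script below is an added example, not part of the original how-to, that turns this check into something cron or a monitoring agent can run on the gateway. It parses the ipsecctl -sa output, reports up / half / down (return codes 0 / 1 / 2) for a given peer, and lists any SA negotiated with des, 3des or hmac-md5. The addresses aa.bb.cc.dd and w8.w8.w8.w8 are the page's placeholders and the sample listings are constructed from the page's own output (the "weak" sample is invented for the check, it is not something this setup produced).

```shell
#!/bin/sh
# Added example (not part of the original how-to): a health check built on
# the ipsecctl -sa listing.  "up" = one ESP SA in each direction between the
# gateway and the peer, "half" = only one direction present (rekey in
# progress or dead peer), "down" = none.  Return codes 0 / 1 / 2.
# aa.bb.cc.dd and w8.w8.w8.w8 are the page's placeholder addresses.

# Count ESP SAs from $2 to $3 in the SAD section of an ipsecctl -sa listing ($1).
count_esp_sa() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" '
        /^SAD:/   { insad = 1; next }
        /^FLOWS:/ { insad = 0; next }
        insad && $1 == "esp" && $2 == "tunnel" && $4 == src && $6 == dst { n++ }
        END { print n + 0 }'
}

# List SAs negotiated with algorithms that should not appear on this gateway
# (des, 3des, hmac-md5); restrict the proposals in iked.conf if any show up.
weak_sa() {
    printf '%s\n' "$1" | awk '
        /^SAD:/   { insad = 1; next }
        /^FLOWS:/ { insad = 0; next }
        insad && $1 == "esp" {
            for (i = 1; i < NF; i++) {
                if ($i == "enc"  && ($(i+1) == "des" || $(i+1) == "3des")) { print; next }
                if ($i == "auth" && $(i+1) == "hmac-md5")                   { print; next }
            }
        }'
}

# tunnel_state GATEWAY PEER [LISTING]: prints up/half/down, returns 0/1/2.
# Without LISTING the live ipsecctl -sa output is used (run as root on the gateway).
tunnel_state() {
    gw=$1; peer=$2
    if [ $# -ge 3 ]; then
        listing=$3
    else
        listing=$(ipsecctl -sa 2>/dev/null) || listing=
    fi
    inbound=$(count_esp_sa "$listing" "$peer" "$gw")
    outbound=$(count_esp_sa "$listing" "$gw" "$peer")
    if [ "$inbound" -gt 0 ] && [ "$outbound" -gt 0 ]; then
        echo up;   return 0
    elif [ "$inbound" -gt 0 ] || [ "$outbound" -gt 0 ]; then
        echo half; return 1
    fi
    echo down; return 2
}

# Constructed sample: the listing this page shows once the Windows host is
# connected (both directions present).
SAMPLE_UP='FLOWS:
flow esp in from 10.10.10.0/24 to 192.168.0.0/24 peer w8.w8.w8.w8 srcid IPV4/aa.bb.cc.dd type use
flow esp out from 192.168.0.0/24 to 10.10.10.0/24 peer w8.w8.w8.w8 srcid IPV4/aa.bb.cc.dd type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from w8.w8.w8.w8 to aa.bb.cc.dd spi 0x1704e5e0 auth hmac-sha1 enc aes-256
esp tunnel from aa.bb.cc.dd to w8.w8.w8.w8 spi 0x55ace81c auth hmac-sha1 enc aes-256'

# Constructed sample: only the inbound SA is left.
SAMPLE_HALF='SAD:
esp tunnel from w8.w8.w8.w8 to aa.bb.cc.dd spi 0x1704e5e0 auth hmac-sha1 enc aes-256'

# Constructed (invented) sample: an SA with algorithms the gateway should refuse.
SAMPLE_WEAK='SAD:
esp tunnel from w8.w8.w8.w8 to aa.bb.cc.dd spi 0x0000000a auth hmac-md5 enc 3des'

# Stand-alone demo on the "up" sample (prints "up").  On the gateway, source
# this file and call: tunnel_state aa.bb.cc.dd w8.w8.w8.w8
tunnel_state aa.bb.cc.dd w8.w8.w8.w8 "$SAMPLE_UP"
```

The check deliberately keys on the SAD rather than on the FLOWS section: flows stay installed for as long as the policy is loaded, whether or not a peer is talking to you, so only the SAs tell you that a road warrior is actually connected. The "half" state is worth alerting on separately, since a persistent single-direction SA usually means the client disappeared without an IKE delete.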

 

 

:: Configure the win8 host ::

Windows 8 host : dynamic IP address provided by the ISP (w8.w8.w8.w8)

IP address (ikev2) : 10.10.10.7

 

Import certificates

 

Use mmc / Certificates snap-in (Computer account) / import ca.pfx into "Trusted Root Certification Authorities"

Use mmc / Certificates snap-in (Computer account) / import windows.pfx into "Personal"

Both go into the computer store, not the user store: IKEv2 machine-certificate authentication uses the machine's certificate.

 

Create the VPN connection

 

IP (destination) : aa.bb.cc.dd (the address must match the CN of the server certificate)

Type of VPN : IKEv2 / authentication : use machine certificates only, NO EAP (check it!)

Configure IPv4 on the VPN adapter with the static address 10.10.10.7

 

Tested with Microsoft Windows 7 & 8

Enjoy! ;-)

 

Thanks to the mailing list misc@openbsd.org

Especially Mike Belopuhov and Pavel Shvagirev

 

© Copyright 2013

contact : wesley [at] mouedine [dot] net