OpenBSD 5.1
How-To : VPN IKEv2 between a Windows 7 road warrior host and an OpenBSD gateway
Considering the following network ...
Please, first read the man pages : IKED(8), IKED.CONF(5), PFCTL(8) and PF.CONF(5)
For newbies, the OpenBSD FAQ, AFTERBOOT(8) and RC.CONF(8) are useful
** IKED is not yet finished. **
:: The Gateway Part ::
hostname vpn.domain.local
lan : 192.168.0.51/24
egress : static IP address provided by ISP : aa.bb.cc.dd
rl0 : group lan
rl1 : group egress
Example: assign a network card (rl0) to a group :
Edit the file /etc/hostname.rl0 and add this line :
!/sbin/ifconfig rl0 group lan
Install the zip package, which ikectl needs to export the certificates; the client will only need the two .pfx files from the archive (ca.pfx and win7.pfx)
export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/5.1/packages/i386/
pkg_add zip
Get a custom ikeca.cnf to keep things as simple as possible
Get it here or follow these steps :
cd /tmp
ftp ftp://ftp.openbsd.org/pub/OpenBSD/5.1/src.tar.gz
tar -C /usr/src -zxf src.tar.gz
cp /usr/src/usr.sbin/ikectl/ikeca.cnf /etc/ssl
Now, modify it at your convenience
Here is a sample :
...
CERT_C = FR
CERT_ST = NA
CERT_L = REUNION
CERT_O = .aise
CERT_OU = VPN
CERT_CN =
CERT_EMAIL = wesley@mouedine.net
...
Create certificates
/usr/sbin/ikectl ca vpn create # Common Name = Hostname
/usr/sbin/ikectl ca vpn install
/usr/sbin/ikectl ca vpn certificate aa.bb.cc.dd create # SERVER, CN = aa.bb.cc.dd
/usr/sbin/ikectl ca vpn certificate aa.bb.cc.dd install
/usr/sbin/ikectl ca vpn certificate win7 create # CLIENT, CN = name it at your convenience
/usr/sbin/ikectl ca vpn certificate win7 export
Copy the win7.zip file to the win7 host.
Configure iked
/etc/iked.conf :
ikev2 passive esp \
from 192.168.0.0/24 to 10.10.10.0/24 local aa.bb.cc.dd peer any \
srcid aa.bb.cc.dd \
config address 10.10.10.7
You can start it manually with : /sbin/iked
To have it at startup :
echo iked_flags= >> /etc/rc.conf.local
For testing purposes, run it in the foreground with verbose output : /sbin/iked -dvv
Configure PF
Be sure that IP forwarding is enabled : "net.inet.ip.forwarding=1" in /etc/sysctl.conf
/etc/pf.conf :
admin="ww.xx.yy.zz"
set block-policy drop
set skip on {lo,enc0}
match out on egress from lan:network to any nat-to egress
block log all
pass in on egress proto tcp from $admin to any port 22
pass in on egress proto udp from any to any port {500,4500}
pass in on egress proto {ah,esp}
pass out on egress
pass on lan
We allow the host "ww.xx.yy.zz" ($admin) to administer the box over ssh from the Internet side
Enable and load the rules
/sbin/pfctl -vf /etc/pf.conf
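Before moving on to the client, the following POSIX sh script (added here, not part of the original how-to) checks the three things the Windows client's certificate validation depends on: pf.conf passes IKE (udp/500), NAT-T (udp/4500) and ESP on egress, the "local" address and "srcid" in iked.conf are the same, and a certificate named after that srcid has been installed. The certificate directory /etc/iked/certs is an assumption; pass another one as the third argument.

```shell
#!/bin/sh
# Pre-flight checks for the IKEv2 gateway described above (added example).
# Usage: sh preflight.sh /etc/pf.conf /etc/iked.conf [/etc/iked/certs]

# pf.conf must pass udp/500 (IKE), udp/4500 (NAT-T) and esp on egress.
# Prints each missing rule and returns 1 if any is absent.
check_pf_conf() {
    awk '
        { gsub(/[{},]/, " ") }   # flatten {500,4500} and {ah,esp} into words
        /^pass in on egress proto udp/ {
            for (i = 1; i <= NF; i++) { if ($i == "500") ike = 1; if ($i == "4500") natt = 1 }
        }
        /^pass in on egress proto/ { for (i = 1; i <= NF; i++) if ($i == "esp") esp = 1 }
        END {
            if (!ike)  print "pf.conf: no pass rule for udp/500 (IKE)"
            if (!natt) print "pf.conf: no pass rule for udp/4500 (NAT-T)"
            if (!esp)  print "pf.conf: no pass rule for esp"
            exit !(ike && natt && esp)
        }' "$1"
}

# Print the value following a keyword ("local", "srcid") in iked.conf,
# after joining the backslash-continued lines of a policy into one line.
iked_value() {
    awk '{ if (sub(/\\[ \t]*$/, "")) printf "%s ", $0; else print }' "$2" |
        awk -v key="$1" '{ for (i = 1; i < NF; i++) if ($i == key) { print $(i+1); exit } }'
}

# The client dials aa.bb.cc.dd and checks the gateway certificate against
# that address, so local, srcid and the installed certificate name must agree.
# $2 is the certificate directory (assumption: /etc/iked/certs when unset).
check_iked_conf() {
    conf="$1"; certdir="${2:-/etc/iked/certs}"; rc=0
    local_addr=$(iked_value local "$conf")
    srcid=$(iked_value srcid "$conf")
    [ -n "$local_addr" ] || { echo "iked.conf: no local address"; rc=1; }
    [ "$local_addr" = "$srcid" ] ||
        { echo "iked.conf: local ($local_addr) and srcid ($srcid) differ"; rc=1; }
    [ -f "$certdir/$srcid.crt" ] ||
        { echo "no certificate $certdir/$srcid.crt for srcid $srcid"; rc=1; }
    return $rc
}

# Run both checks when invoked with the real configuration files.
if [ $# -ge 2 ]; then
    check_pf_conf "$1" && check_iked_conf "$2" "$3"
fi
```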
:: Configure the win7 host ::
Windows 7 host : dynamic IP address provided by ISP
IP address (ikev2) : 10.10.10.7
Import certificates
Use mmc / Certificates snap-in (Computer account) / import ca.pfx into "Trusted Root Certification Authorities"
Use mmc / Certificates snap-in (Computer account) / import win7.pfx into "Personal"
Create the VPN connection
IP (destination) : aa.bb.cc.dd
Type : IKEv2 / no EAP / machine certificate only (check it !)
Configure IPv4 to 10.10.10.7
Enjoy! ;-)
Thanks to the mailing list misc@openbsd.org
Especially : Mike Belopuhov and Pavel Shvagirev