Sitetosite
Most IPsec implementations consist of two parts, one part in kernel for handling connection flow and encryption, and one userspace program for configuration and handling SAs, OpenBSD by default ships with iked and isakmpd handling SAs in IPsec.
Site-to-Site vpn
Consider in the following scenario, servers potato (192.168.1.1) and toybox (192.168.2.1) would like to access each other's network (10.0.1.0/24 and 10.0.2.0/24 respectively).
This is called a site-to-site vpn. we may use OpenBSD's iked, to achieve the goal.
In this guide, the server which actively tries to connect is called initiator, while the server which is going to answer the request is called responder.
let's say toybox is the responder, while potato is the initiator.
Responder configuration
First, if firewall policy of responder is to block by default, we need to configure it's fire, otherwise, no action is needed.
In /etc/pf.conf:
toybox=192.168.1.1
potato=192.168.2.1
ext_if=vio0
pass in log on $ext_if proto udp from $potato to $toybox port {isakmp, ipsec-nat-t} tag IKED
pass in log on $ext_if proto esp from $potato to $toybox tag IKED
Afterwards, reload pf:
toybox$ doas pfctl -f /etc/pf.conf
Next we need to configure iked:
toybox="192.168.1.1"
net1="10.0.1.0/24"
potato="192.168.2.1"
net2="10.0.2.0/24"
ikev2 'toybox' passive esp \
from $net1 to $net2 \
from $net1 to $potato \
from $toybox to $net1 \
local $toybox peer $potato \
srcid "toybox"
In the configuration above, passive esp means iked waits for the initiator to start the connection. we have also defined systems and networks IP addresses, and mention connection from net1 (network of toybox) to net2 (network of potato, net1 to potato and toybox to it's own network should be allowed.
we also mention connection is accepted from potato's IP, and messages we sent are tagged "toybox".
finally, set permissions. iked refuses to start if permissions are too open:
toybox$ chmod 0600 /etc/iked.conf
we are done on the responder.
Initiator configuration
In /etc/iked.conf:
toybox="192.168.1.1"
net1="10.0.1.0/24"
potato="192.168.2.1"
net2="10.0.2.0/24"
ikev2 'potato' active esp \
from $net2 to $net1 \
from $net2 to $toybox \
from $potato to $net1 \
peer $toybox \
srcid "potato"
Configuration here is pretty similar to what we did back in the other server, only important differences are, now connection is active, meaning this server (potato) will actively try to connect to other server. messages are also tagged "potato".
setting permissions:
potato$ doas chmod 0600 /etc/iked.conf
Keys
IKed can operate using passwords or keys, by default there are public keys generated in /etc/iked/local.pub, keys for peers are read from one of directiories under /etc/iked/pubkeys, depending on how connection is made.
to copy keys from each server to the other one:
toybox$ ssh potato cat /etc/iked/local.pub \ | doas tee -a /etc/iked/pubkeys/fqdn/potato
and:
potato$ ssh toybox cat /etc/iked/local.pub \ | doas tee -a etc/iked/pubkeys/fqdn/toybox
and we are done.
Running
Finally, to check if everything is working properly, on the responder:
toybox$ doas iked -dv
and on the initiator:
potato$ doas iked -dv
if everything is working well, you should see something like following message:
... spi=0x254fdb97ff6a879e: ikev2_childsa_enable: loaded flows: ESP-10.0.2.0/24=10.0.1.0/24(0), ESP-192.168.2.1/32=10.0.1.0/24(0), ESP-10.0.2.0/24=192.168.1.1/32(0) spi=0x254fdb97ff6a879e: established peer 192.168.1.1:500[FQDN/potato] local 192.168.2.1:500[FQDN/toybox] policy 'toybox' as initiator (enc aes-128-gcm group curve25519 prf hmac-sha2-256) ...
else, if keys aren't set up properly, you will se something like this:
... spi=0xd5de9f25502d0b7d: ikev2_dispatch_cert: peer certificate is invalid spi=0xd5de9f25502d0b7d: ikev2_send_auth_failed: authentication failed for FQDN/toybox ...
if everything works ok, you can enable it using openbsd/rcctl on both servers:
toybox$ doas rcctl enable iked toybox$ doas rcctl start iked iked(ok)
and:
potato$ doas rcctl enable iked potato$ rcctl start iked iked(ok)
Testing
To verify it works, you may use openbsd/ping?, before running iked:
toybox$ ping -c 1 -I 10.0.1.1 10.0.2.1 PING 10.0.2.1 (10.0.2.1): 56 data bytes --- 10.0.2.1 ping statistics --- 1 packets transmitted, 0 packets received, 100.0% packet loss potato$ ping -c 1 -I 10.0.2.1 10.0.1.1 PING 10.0.1.1 (10.0.1.1): 56 data bytes --- 10.0.1.1 ping statistics --- 1 packets transmitted, 0 packets received, 100.0% packet loss
After running iked:
toybox$ ping -c 1 -I 10.0.1.1 10.0.2.1 PING 10.0.2.1 (10.0.2.1): 56 data bytes 64 bytes from 10.0.2.1: icmp_seq=0 ttl=255 time=1.539 ms --- 10.0.2.1 ping statistics --- 1 packets transmitted, 1 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 1.539/1.539/1.539/0.000 ms potato$ ping -c 1 -I 10.0.2.1 10.0.1.1 PING 10.0.1.1 (10.0.1.1): 56 data bytes 64 bytes from 10.0.1.1: icmp_seq=0 ttl=255 time=1.639 ms --- 10.0.1.1 ping statistics --- 1 packets transmitted, 1 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 1.639/1.639/1.639/0.000 ms
Note that this setup is lightly tested, be careful while using it.
See also |https://www.openbsd.org/faq/faq17.html?, iked(8), ipsec(4), iked.conf(5)