After much struggling and screaming, I now have a working IPSec configuration in a pair of VMs.
My "network", consisting of 3 host-only networks:
Host-only
(192.168.120.0/24)
/|\
|
\|/
obsd-ipsec-left
(192.168.120.130/
10.255.255.5)
/|\
|
\|/
10.255.255.4/30
/|\
|
\|/
obsd-ipsec-right
(192.168.33.7/
10.255.255.6)
/|\
|
\|/
Host-only
(192.168.33.0/24)
1) copy /etc/isakmpd/local.pub from left side to /etc/isakmpd/pubkeys/ipv4/10.255.255.6 on right
2) copy /etc/isakmpd/local.pub from right side to /etc/isakmpd/pubkeys/ipv4/10.255.255.5 on left
3) on left side:
cat >/etc/ipsec.conf <<EOF
local_ip="10.255.255.5"
local_network="192.168.120.0/24"
remote_ip="10.255.255.6"
remote_network="192.168.33.0/24"
ike esp from { \$local_ip \$local_network } to \
{ \$remote_ip \$remote_network } peer $remote_ip
ike esp from \$local_ip to \$remote_ip
EOF
4) on right side:
cat >/etc/ipsec.conf <<EOF
local_ip="10.255.255.6"
local_network="192.168.33.0/24"
remote_ip="10.255.255.5"
remote_network="192.168.120.0/24"
ike esp from { \$local_ip \$local_network } to \
{ \$remote_ip \$remote_network } peer $remote_ip
ike esp from \$local_ip to \$remote_ip
EOF
5) To test, run "isakmpd -K -d", then "ipsecctl -f /etc/ipsec.conf" on each side.
6) Route each network to the other side's gateway, eg:
obsd-ipsec-left# route add -net 192.168.33/24 10.255.255.6
obsd-ipsec-right# route add -net 192.168.120/24 10.255.255.5
7) Ping each side.
8) Fire up 'tcpdump -ni enc0' and ping each side again. If you get output, then we have succeeded.
9) Make ISAKMPD and IPSec start on boot (both machines):
# sed -e 's/^isakmpd_flags=NO/isakmpd_flags="-K"/' \
-e 's/^ipsec=NO/ipsec=YES/' /etc/rc.conf
10) Make the route setting permanent:
obsd-ipsec-left# echo '!route add -net 192.168.33/24 10.255.255.6' \
>> /etc/hostname.vic1
obsd-ipsec-right# echo '!route add -net 192.168.120/24 10.255.255.5' \
>> /etc/hostname.vic1
11) Reboot
12) ...
13) Profit!
No comments:
Post a Comment