IPsec and GRE between OpenBSD and Linux
Filed under network, tips & tricks on oct 28, 2009
Repost of http://href.be/xe
The Linux side
Tools required:
- racoon (the IKE daemon)
- ipsec-tools (setkey, used to load the SPD below)
/etc/ipsec-tools.conf
Configure both endpoints (on the peer, swap <Local IP> and <Remote IP>). The file is loaded with setkey -f; flush the old SAD/SPD first so stale entries do not linger:
#!/usr/sbin/setkey -f
flush;
spdflush;
# Inbound: everything from the peer must arrive inside ESP (transport mode).
spdadd <Remote IP> <Local IP> any
    -P in ipsec esp/transport/<Remote IP>-<Local IP>/require;
# Outbound: everything to the peer must be sent inside ESP (transport mode).
spdadd <Local IP> <Remote IP> any
    -P out ipsec esp/transport/<Local IP>-<Remote IP>/require;
/etc/racoon/psk.txt
Configure pre-shared keys, one peer per line. The file must be owned by root and readable only by root (chmod 600), otherwise racoon rejects it. Use a long random string, not a password:
<Remote IP> <Your PSK>
/etc/racoon/racoon.conf
# racoon needs to know where the pre-shared keys live
# (Debian's stock racoon.conf already contains this line).
path pre_shared_key "/etc/racoon/psk.txt";

# Phase 1 (IKE SA) with the OpenBSD peer; main mode, authenticated by PSK.
remote <Remote IP> {
        exchange_mode main;
        proposal {
                encryption_algorithm blowfish;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

# Phase 2 (IPsec SA) parameters for traffic between the two hosts.
sainfo address <Local IP>/32 any address <Remote IP>/32 any {
        pfs_group modp1024;
        encryption_algorithm blowfish;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

# Same parameters with the addresses reversed, as in the original post.
sainfo address <Remote IP>/32 any address <Local IP>/32 any {
        pfs_group modp1024;
        encryption_algorithm blowfish;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
The OpenBSD side
Keep in mind that if PF is enabled you need to add firewall rules for the IPsec traffic on the external interface, in both directions between the two endpoints: proto ah, proto esp, proto ipencap (and proto gre for the tunnel), and udp port 500 (isakmp).
Also check the rules for interface enc0, where the decrypted traffic reappears. The original post advises set skip on enc0. Note that this means the decrypted traffic is not filtered at all; filtering on enc0 instead, with keep state (if-bound), is the stricter choice.
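As an added example (not part of the original post), here is a pf.conf fragment that implements those rules. The macro values reuse the page's <Local IP>/<Remote IP> placeholders; egress is the interface group OpenBSD assigns to the default-route interface. Instead of set skip on enc0 it filters the decrypted traffic, allowing only GRE (and IP-in-IP, matching the post's ipencap) between the two peers.

```conf
# /etc/pf.conf fragment (added example, not from the original post)
local_ip  = "<Local IP>"
remote_ip = "<Remote IP>"

# IKE (isakmp = udp/500) and the ESP/AH packets themselves, peer to peer only.
pass in  quick on egress proto udp from $remote_ip to $local_ip port isakmp
pass out quick on egress proto udp from $local_ip to $remote_ip port isakmp
pass in  quick on egress proto { ah esp } from $remote_ip to $local_ip
pass out quick on egress proto { ah esp } from $local_ip to $remote_ip

# Decrypted traffic reappears on enc0. Rather than "set skip on enc0",
# let through only the tunnel protocols between the two endpoints.
pass in  on enc0 proto { gre ipencap } from $remote_ip to $local_ip keep state (if-bound)
pass out on enc0 proto { gre ipencap } from $local_ip to $remote_ip keep state (if-bound)
```

Load with pfctl -f /etc/pf.conf and watch pfctl -s states on enc0 while pinging across the tunnel; if states appear on egress for proto gre rather than esp, the packets are leaving in the clear and the ipsec.conf flow is not in effect.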
/etc/ipsec.conf
ike esp transport from <Local IP> to <Remote IP> peer <Remote IP> \
        main auth hmac-md5 enc blowfish group modp1024 \
        quick auth hmac-md5 enc blowfish group modp1024 \
        psk <Your PSK>
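The Blowfish/MD5/modp1024 proposal used on both sides above was already dated in 2009 and is weak today. The following added example, which is not part of the original post, shows the same setup with AES, SHA-256 and a 2048-bit DH group on both the Linux and the OpenBSD side. Everything else (transport mode, main mode, PSK, the <Local IP>/<Remote IP>/<Your PSK> placeholders) is unchanged. Both sides must propose exactly the same suite; racoon's aes without a key length and OpenBSD's enc aes both mean AES-128. compression_algorithm deflate is left out because the OpenBSD rule does not negotiate IPComp.

```conf
# --- Linux: /etc/racoon/racoon.conf (added example: AES / SHA-256 / modp2048) ---
path pre_shared_key "/etc/racoon/psk.txt";

remote <Remote IP> {
        # Keep main mode: aggressive mode exposes the PSK hash to a passive attacker.
        exchange_mode main;
        proposal {
                encryption_algorithm aes;          # AES-128; "aes 256" for AES-256
                hash_algorithm sha256;
                authentication_method pre_shared_key;
                dh_group modp2048;
        }
}

sainfo address <Local IP>/32 any address <Remote IP>/32 any {
        pfs_group modp2048;
        encryption_algorithm aes;                  # AES-128 for ESP
        authentication_algorithm hmac_sha256;
}

# --- OpenBSD: /etc/ipsec.conf (the matching rule) ---
ike esp transport from <Local IP> to <Remote IP> peer <Remote IP> \
        main  auth hmac-sha2-256 enc aes group modp2048 \
        quick auth hmac-sha2-256 enc aes group modp2048 \
        psk <Your PSK>
```

Check the result with ipsecctl -sa on OpenBSD and setkey -D on Linux; both should list ESP SAs with aes and hmac-sha2-256 between the two addresses. One known interoperability pitfall: older racoon/Linux kernel combinations truncated the SHA-256 HMAC to 96 bits instead of the 128 bits RFC 4868 (and OpenBSD) use, in which case the SAs come up but no traffic passes. If you hit that, fall back to hmac-sha1/hmac_sha1 on both sides until the Linux side is updated.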
/etc/isakmpd/isakmpd.policy
Authorizer: "POLICY"
Comment: This bare-bones assertion accepts everything
This KeyNote policy accepts any proposal the authenticated peer makes; restricting who may connect is left to the ipsec.conf rule and PF. Alternatively, start isakmpd with -K (isakmpd_flags="-K"), which disables KeyNote policy checking altogether and makes this file unnecessary.
/etc/sysctl.conf
# Accept GRE (protocol 47); required for the tunnel, off by default.
net.inet.gre.allow=1
# Accept IP-in-IP (protocol 4).
net.inet.ipip.allow=1
# AH and ESP processing (these two are already the defaults).
net.inet.ah.enable=1
net.inet.esp.enable=1
/etc/rc.conf.local
Do not edit /etc/rc.conf itself; put the overrides in /etc/rc.conf.local. ipsec=YES makes rc load /etc/ipsec.conf with ipsecctl at boot:
isakmpd_flags=""
ipsec=YES
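The title promises GRE, but the post stops at enabling net.inet.gre.allow. The following added example, not part of the original post, configures a GRE tunnel between the two hosts that rides inside the transport-mode SA above: the SPD/flow covers any protocol between the endpoints, so GRE (protocol 47) is encrypted automatically. The interface names gre0/gre1 and the tunnel addresses 10.0.0.1 and 10.0.0.2/30 are assumptions for the example; <Local IP> and <Remote IP> are the page's placeholders and refer to each side's own address.

```conf
# --- OpenBSD: /etc/hostname.gre0 (added example; netstart creates the interface) ---
# Outer addresses: this host's public IP and the Linux peer's public IP.
tunnel <Local IP> <Remote IP>
# Inner point-to-point addresses (assumed for the example).
inet 10.0.0.2 255.255.255.252 NONE
dest 10.0.0.1
up

# --- Linux: /etc/network/interfaces stanza (Debian/Ubuntu ifupdown "tunnel" method,
#     needs the iproute package; addresses assumed for the example) ---
auto gre1
iface gre1 inet tunnel
    mode gre
    local <Local IP>
    endpoint <Remote IP>
    address 10.0.0.1
    netmask 255.255.255.252
    dstaddr 10.0.0.2
    ttl 255
```

Bring the interfaces up (sh /etc/netstart gre0 on OpenBSD, ifup gre1 on Linux) and ping 10.0.0.2 from the Linux side. While doing so, run tcpdump -ni <external interface> host <Remote IP> on either host: only ESP (and, during negotiation, udp/500) should be visible. If you see proto gre packets in the clear, the SPD or flow is not being applied and the tunnel is unprotected. Static routes for the networks behind each host then point at the peer's tunnel address.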