IPSEC with OpenBSD

Page content

Intro

Stage a few Machines, puffy206 - 209 puffy206 has got a static ip, while puffy207 - 209 got dynamic ip addresses

Master, puffy206

Loopback

doas su -
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.6/32
up
EOF

Enable IPSEC & IP Forwarding

cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

Create Tunnel Endpoint

cat << 'EOF' > /etc/ipsec.conf
ike dynamic esp tunnel from 10.0.0.6/32 to 10.0.0.7/32 peer any \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"

ike dynamic esp tunnel from 10.0.0.6/32 to 10.0.0.8/32 peer any \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"

ike dynamic esp tunnel from 10.0.0.6/32 to 10.0.0.8/32 peer any \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"
EOF
chmod 600 /etc/ipsec.conf

Reboot and Check

reboot
gnuwatch "ipsecctl -s all"

Slave, puffy207

Loopback

doas su -
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.7/32
up
EOF

Enable IPSEC & IP Forwarding

cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

IPSEC

cat << 'EOF' > /etc/ipsec.conf
ike esp tunnel from 10.0.0.7/32 to 10.0.0.6/32 peer 192.168.108.206 \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"
EOF
chmod 600 /etc/ipsec.conf

Slave, puffy208

Loopback

doas su -
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.8/32
up
EOF

Enable IPSEC & IP Forwarding

cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

IPSEC

cat << 'EOF' > /etc/ipsec.conf
ike esp tunnel from 10.0.0.8/32 to 10.0.0.6/32 peer 192.168.108.206 \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"
EOF
chmod 600 /etc/ipsec.conf

Slave, puffy209

Loopback

doas su -
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.9/32
up
EOF

Enable IPSEC & IP Forwarding

cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

IPSEC

cat << 'EOF' > /etc/ipsec.conf
ike esp tunnel from 10.0.0.9/32 to 10.0.0.6/32 peer 192.168.108.206 \
    main group "modp1024" quick group "modp1024" \
    psk "my-tunnel-is-private"
EOF
chmod 600 /etc/ipsec.conf

Packetmischief

Kernel Panic

man openbsd

Exoscale

Broadcom Forum

sha256: ae0f71377ab679bc931b62754808c00316a54358566aac30fe384ea7c41e6673