OpenBSD with IPSEC -> GIF -> OSFP

Page content

Intro

Stage two Machines, puffy206 and puffy207 Both Maschines needs static IP Adresses

puffy206

Loopback & Gif

doas su -
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.6/32
up
EOF

cat << 'EOF' > /etc/hostname.gif0
description "Point2Point Interface for OSPF"
mtu 1420
10.10.10.6 10.10.10.7 netmask 255.255.255.255
tunnel 192.168.108.206 192.168.108.207
EOF

Enable IPSEC & IP Forwarding

cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

Create Tunnel Endpoint

cat << 'EOF' > /etc/ipsec.conf
ike active esp transport from 192.168.108.206 to 192.168.108.207 peer 192.168.108.207 \
main auth "hmac-sha2-256" enc "aes-128" group modp3072 \
quick enc "aes-128-gcm" group modp3072 \
srcid 192.168.108.206 \
psk "my-tunnel-is-private"
EOF

chmod 600 /etc/ipsec.conf

Create ospfd.conf

cat << 'EOF' > /etc/ospfd.conf
# macros
id="192.168.108.206"

# global configuration
router-id id
fib-update yes
stub router yes
spf-delay 1
spf-holdtime 5

# areas
area 0.0.0.0 {
  interface gif0
  interface lo1 {}
}
EOF

chmod 600 /etc/ospfd.conf
rcctl enable ospfd

Reboot and Check

reboot
gnuwatch "ipsecctl -s all"

puffy207

Loopback & Gif

doas su -
cat << 'EOF' > /etc/hostname.lo1
inet 10.0.0.7/32
up
EOF

cat << 'EOF' > /etc/hostname.gif0
description "Point2Point Interface for OSPF"
mtu 1420
10.10.10.7 10.10.10.6 netmask 255.255.255.255
tunnel 192.168.108.207 192.168.108.206
EOF

Enable IPSEC & IP Forwarding

cat << 'EOF' >> /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet.gre.allow=1
EOF

rcctl enable ipsec isakmpd
rcctl set isakmpd flags -K

Create Tunnel Endpoint

cat << 'EOF' > /etc/ipsec.conf
ike active esp transport from 192.168.108.207 to 192.168.108.206 peer 192.168.108.206 \
main auth "hmac-sha2-256" enc "aes-128" group modp3072 \
quick enc "aes-128-gcm" group modp3072 \
srcid 192.168.108.207 \
psk "my-tunnel-is-private"
EOF

chmod 600 /etc/ipsec.conf

Create ospfd.conf

cat << 'EOF' > /etc/ospfd.conf
# macros
id="192.168.108.207"

# global configuration
router-id $id
fib-update yes
stub router yes
spf-delay 1
spf-holdtime 5

# areas
area 0.0.0.0 {
  interface gif0
  interface lo1 {}
}
EOF

chmod 600 /etc/ospfd.conf
rcctl enable ospfd

Reboot and Check

reboot
gnuwatch "ipsecctl -s all"

Test

ifconfig gif
ipsecctl -s all
route -n show -inet
ospfctl show nei

Throughput Test

root@client2 ~# tcpbench 10.0.0.7
  elapsed_ms          bytes         mbps   bwidth
        1000        2801664       22.413  100.00%
Conn:   1 Mbps:       22.413 Peak Mbps:       22.413 Avg Mbps:       22.413
        2009        2775672       22.007  100.00%
Conn:   1 Mbps:       22.007 Peak Mbps:       22.413 Avg Mbps:       22.007
        3014        3173760       25.264  100.00%
Conn:   1 Mbps:       25.264 Peak Mbps:       25.264 Avg Mbps:       25.264
        4021        3192912       25.391  100.00%
Conn:   1 Mbps:       25.391 Peak Mbps:       25.391 Avg Mbps:       25.391

sha256: c9de898e50d94e2d898f96628890f64ac7acc7f96383da59353bd667609becae