divzeroweb

2f30.org website
git clone git://git.2f30.org/divzeroweb.git
Log | Files | Refs | README | LICENSE

commit 6d6b94bdf5163d2d8f932842bf205d78e7da54a9
parent a0ac812a5f861195ed16f3333e3922d8dd239aa9
Author: lostd <lostd@2f30.org>
Date:   Fri May  2 13:18:42 +0300

Document our IPsec setup

Diffstat:
Makefile | 3++-
guides.md | 1+
guides/ipsec.md | 70++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 73 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile @@ -13,7 +13,8 @@ PAGES = $(MENUPAGES) \ guides/git.html \ guides/sunsparc.html \ guides/proxy.html \ - guides/trunk.html + guides/trunk.html \ + guides/ipsec.html EXTRA = css divzerokey.png favicon.ico index.html \ lectures/resources diff --git a/guides.md b/guides.md @@ -6,3 +6,4 @@ Just some notes on various useful tasks. * [sunsparc](guides/sunsparc.html): Booting Sun UltraSPARC machines * [proxy](guides/proxy.html): Accessing firewalled services using PF on OpenBSD * [trunk](guides/trunk.html): Trunk failover setup on OpenBSD + * [ipsec](guides/ipsec.html): Securing services with IPsec tunnels diff --git a/guides/ipsec.md b/guides/ipsec.md @@ -0,0 +1,70 @@ +### Securing services with IPsec tunnels + +This short document will get you started on how to configure simple +IPsec tunnels between your remote hosts. All peers need to run the +key management daemon and have IPsec enabled and allowed through PF. + +/etc/rc.conf.local: + + isakmpd_flags="-K" + ipsec=YES + +/etc/pf.conf: + + # Allow incoming IPsec traffic + pass quick on egress proto {esp, ah} + pass in quick on egress proto udp to port {isakmp, ipsec-nat-t} + + +#### Server configuration + +/etc/ipsec.conf: + + peers="{hosta.example.org, hostb.example.org, hostc.example.org}" + ike passive esp proto tcp from egress to $peers \ + port submission \ + psk "hackme" + ike passive esp proto tcp from egress to $peers \ + port pop3 \ + psk "hackmemore" + + +#### Client configuration + +/etc/ipsec.conf: + + peer=ipsec.example.org + ike esp proto tcp from egress to $peer \ + port submission \ + psk "hackme" + ike esp proto tcp from egress to $peer \ + port pop3 \ + psk "hackmemore" + +Furthermore, here is a little trick to bypass some nasty firewalls that +block low ports. That is because the isakmpd server uses UDP port 500 +for key management. + + $ grep isakmp /etc/services + isakmp 500/udp # ISAKMP key management + +/etc/pf.conf: + + # Rewrite outgoing src port isakmp to src port 5000 and back + pass out on egress proto udp from any port isakmp to any port isakmp \ + nat-to (egress) port 5000 + +#### Notes + +There is no actual server and client in the protocol, however in this +setup the server knows all other hosts, and they only know the server. +The server is configured as passive while others start negotiation +immediately. The server needs to know all peers in order to correctly +setup the Encap routes. A config with `peers=any` will create a default +route pointing to the peer negotiated last. Such a setup is broken! + +That is certainly not all folks! + +Cheers! + +lostd@