commit 6d6b94bdf5163d2d8f932842bf205d78e7da54a9
parent a0ac812a5f861195ed16f3333e3922d8dd239aa9
Author: lostd <lostd@2f30.org>
Date: Fri, 2 May 2014 13:18:42 +0300
Document our IPsec setup
Diffstat:
3 files changed, 73 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
@@ -13,7 +13,8 @@ PAGES = $(MENUPAGES) \
guides/git.html \
guides/sunsparc.html \
guides/proxy.html \
- guides/trunk.html
+ guides/trunk.html \
+ guides/ipsec.html
EXTRA = css divzerokey.png favicon.ico index.html \
lectures/resources
diff --git a/guides.md b/guides.md
@@ -6,3 +6,4 @@ Just some notes on various useful tasks.
* [sunsparc](guides/sunsparc.html): Booting Sun UltraSPARC machines
* [proxy](guides/proxy.html): Accessing firewalled services using PF on OpenBSD
* [trunk](guides/trunk.html): Trunk failover setup on OpenBSD
+ * [ipsec](guides/ipsec.html): Securing services with IPsec tunnels
diff --git a/guides/ipsec.md b/guides/ipsec.md
@@ -0,0 +1,70 @@
+### Securing services with IPsec tunnels
+
+This short document will get you started on how to configure simple
+IPsec tunnels between your remote hosts. All peers need to run the
+key management daemon and have IPsec enabled and allowed through PF.
+
+/etc/rc.conf.local:
+
+ isakmpd_flags="-K"
+ ipsec=YES
+
+/etc/pf.conf:
+
+ # Allow incoming IPsec traffic
+ pass quick on egress proto {esp, ah}
+ pass in quick on egress proto udp to port {isakmp, ipsec-nat-t}
+
+
+#### Server configuration
+
+/etc/ipsec.conf:
+
+ peers="{hosta.example.org, hostb.example.org, hostc.example.org}"
+ ike passive esp proto tcp from egress to $peers \
+ port submission \
+ psk "hackme"
+ ike passive esp proto tcp from egress to $peers \
+ port pop3 \
+ psk "hackmemore"
+
+
+#### Client configuration
+
+/etc/ipsec.conf:
+
+ peer=ipsec.example.org
+ ike esp proto tcp from egress to $peer \
+ port submission \
+ psk "hackme"
+ ike esp proto tcp from egress to $peer \
+ port pop3 \
+ psk "hackmemore"
+
+Furthermore, here is a little trick to bypass some nasty firewalls that
+block low ports. That is because the isakmpd server uses UDP port 500
+for key management.
+
+ $ grep isakmp /etc/services
+ isakmp 500/udp # ISAKMP key management
+
+/etc/pf.conf:
+
+ # Rewrite outgoing src port isakmp to src port 5000 and back
+ pass out on egress proto udp from any port isakmp to any port isakmp \
+ nat-to (egress) port 5000
+
+#### Notes
+
+There is no actual server and client in the protocol, however in this
+setup the server knows all other hosts, and they only know the server.
+The server is configured as passive while others start negotiation
+immediately. The server needs to know all peers in order to correctly
+setup the Encap routes. A config with `peers=any` will create a default
+route pointing to the peer negotiated last. Such a setup is broken!
+
+That is certainly not all folks!
+
+Cheers!
+
+lostd@
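Review bot: the literal pre-shared keys `psk "hackme"` and `psk "hackmemore"` in both the server and client ipsec.conf examples read as real configuration rather than placeholders; since readers copy guides verbatim, mark them clearly as placeholders and state that each service needs a long random secret (generated, for example, with `openssl rand -hex 32`) shared only between the peers, and that /etc/ipsec.conf must be readable by root only because it holds those secrets. Two smaller documentation points in the same file: the `nat-to (egress) port 5000` rule in the "bypass firewalls" section does not say which side it belongs on (it only makes sense on the initiating client, since the passive server still listens on udp/500), and the `peers=any` paragraph would be clearer if it said outright that the server should list each peer by name or address, as the earlier `peers="{hosta..., hostb..., hostc...}"` example already does.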