IPSEC OpenBSD <-> Linux
Environment
- OpenBSD 7.0
- Debian 11.2 with Strongswan
- IPv4 only
- IKE v1
ToDo
- IPv6 and Dualstack
- IKE v2
Debian
/etc/ipsec.conf
# Parameter lines inside a conn section must be indented; strongSwan's
# parser treats an unindented line as the start of a new section.
conn puffy
    # PSK authentication; the key itself lives in /etc/ipsec.secrets
    authby=secret
    keyexchange=ikev1
    # Phase 1 (main mode) proposal and lifetime, must match the OpenBSD "main" line
    ike=aes256-sha256-modp2048
    ikelifetime=1h
    # Phase 2 (quick mode) proposal and lifetime, must match the OpenBSD "quick" line
    # (the modp2048 group enables PFS)
    esp=aes256-sha256-modp2048
    lifetime=1200s
    # 0 = retry forever instead of giving up after a few attempts
    keyingtries=0
    left=%defaultroute
    leftid=212.xx.xx.xx
    leftsubnet=10.11.1.8/30
    right=193.xx.xx.xx
    # must equal srcid on the OpenBSD side
    rightid=193.xx.xx.xx
    rightsubnet=10.1.6.0/24
    # Dead peer detection: probe every 30s, declare the peer dead after 120s, then renegotiate
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
    auto=start
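authby=secret only tells strongSwan to use a pre-shared key; the key itself is read from /etc/ipsec.secrets, selected by the two IDs. The page does not show that file, so the fragment below is an addition, not part of the original. The key value is the placeholder from the OpenBSD config and must be replaced by a long random secret (for example the output of openssl rand -base64 32), identical on both gateways.

```conf
# /etc/ipsec.secrets on the Debian gateway (chmod 600, owned by root)
# <leftid> <rightid> : PSK "<same key as in the OpenBSD ipsec.conf>"
212.xx.xx.xx 193.xx.xx.xx : PSK "DAS-SAG-ICH-DIR-NICHT-:)"
```

After editing the file, ipsec rereadsecrets picks up the key without a restart; ipsec statusall then shows the conn as ESTABLISHED (phase 1) and INSTALLED (phase 2) once OpenBSD answers.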
OpenBSD
/etc/sysctl.conf
# OpenBSD routes for 10.1.6.0/24, so it has to forward packets into the tunnel
net.inet.ip.forwarding=1
# only needed for gre(4) tunnels; plain IPsec does not require it
net.inet.gre.allow=1
Apply all settings without a reboot
for i in $(cat /etc/sysctl.conf); do sysctl $i; done
/etc/ipsec.conf
# Tunnel to Debian
local_gw = "193.xx.xx.xx"
local_net = "10.1.6.0/24"
remote_gw = "212.xx.xx.xx"
remote_net = "10.11.1.8/30"
# placeholder: use a long random PSK and put the same value into
# /etc/ipsec.secrets on the Debian side
key = "DAS-SAG-ICH-DIR-NICHT-:)"

# Phase 1 (main mode) and phase 2 (quick mode) parameters. They are taken
# from the strongSwan conn above (ike=/ikelifetime= and esp=/lifetime=);
# if they differ, the negotiation ends with a "no proposal chosen" error
# and no SA is installed.
auth1 = "hmac-sha2-256"
enc1 = "aes-256"
group1 = "modp2048"
time1 = "3600"
auth2 = "hmac-sha2-256"
enc2 = "aes-256"
group2 = "modp2048"
time2 = "1200"

# srcid must equal rightid in the strongSwan conn
ike dynamic esp tunnel from $local_net to $remote_net peer $remote_gw \
    main auth $auth1 enc $enc1 group $group1 lifetime $time1 \
    quick auth $auth2 enc $enc2 group $group2 lifetime $time2 \
    srcid $local_gw \
    psk $key

# One ike rule installs the flows in both directions (see "Check Flows").
# The mirrored rule (from $remote_net to $local_net peer $local_gw srcid
# $remote_gw) belongs on the other gateway, not here: with peer $local_gw
# isakmpd would try to negotiate with this host itself.
start/restart services
# "ipsec" is a special rc variable: enabling it loads /etc/ipsec.conf at boot,
# it cannot be started or restarted by rcctl
rcctl enable ipsec isakmpd
# -K: disable the keynote(4) policy check, the rules come from ipsec.conf via ipsecctl
rcctl set isakmpd flags -K
rcctl restart isakmpd
ipsecctl -f /etc/ipsec.conf
enc(4) interface
The enc0 interface must exist so pf can filter the tunnel traffic:
cat /etc/hostname.enc0
up
FW Rules (/etc/pf.conf)
# This host is 193.xx.xx.xx, the Debian peer is 212.xx.xx.xx:
# "in" rules match packets coming from the peer, "out" rules packets going to it.
# Allow IKE (UDP 500) and NAT-T (UDP 4500) with the peer
pass in on (egress) proto udp from 212.xx.xx.xx to 193.xx.xx.xx port {isakmp, ipsec-nat-t}
pass out on (egress) proto udp from 193.xx.xx.xx to 212.xx.xx.xx port {isakmp, ipsec-nat-t}
# Allow ESP between the two gateways on the external interface
pass in on (egress) proto esp from 212.xx.xx.xx to 193.xx.xx.xx
pass out on (egress) proto esp from 193.xx.xx.xx to 212.xx.xx.xx
# Allow the IP-in-IP traffic of the tunnel on enc0 (seen there after decryption)
pass in on enc0 proto ipencap from 212.xx.xx.xx to 193.xx.xx.xx keep state (if-bound)
pass out on enc0 proto ipencap from 193.xx.xx.xx to 212.xx.xx.xx keep state (if-bound)
Start Services & Apply Settings
… or reboot the box so that all settings get applied
rcctl restart isakmpd; ipsecctl -f /etc/ipsec.conf; ipsecctl -s all; tail -f /var/log/daemon /var/log/messages
# isakmpd logs negotiation errors to /var/log/daemon
Check Flows
ipsecctl -s all
FLOWS:
flow esp in from 10.11.1.8/30 to 10.1.6.0/24 peer 212.xx.xx.xx srcid 193.xx.xx.xx dstid 212.xx.xx.xx type require
flow esp out from 10.1.6.0/24 to 10.11.1.8/30 peer 212.xx.xx.xx srcid 193.xx.xx.xx dstid 212.xx.xx.xx type require
SAD:
esp tunnel from 212.xx.xx.xx to 193.xx.xx.xx spi 0xbexxxxxx auth hmac-sha2-256 enc aes-256
esp tunnel from 193.xx.xx.xx to 212.xx.xx.xx spi 0xc0xxxxxx auth hmac-sha2-256 enc aes-256
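As an added example (not from the page), a small POSIX sh check that parses the output of ipsecctl -s all shown above and tells the three states apart that matter after a config change: flows and an SA pair for the peer with the expected algorithms (tunnel up), flows present but no SA (phase 2 never completed, typically a proposal or PSK mismatch), or a flow missing (ipsec.conf not loaded). The two sample listings and the addresses 198.51.100.10 (OpenBSD) and 203.0.113.20 (Debian) are constructed placeholders; on the gateway feed it the real output with ipsecctl -s all | check_tunnel ....

```sh
#!/bin/sh
# Constructed sample of `ipsecctl -s all` on a working tunnel (addresses are
# documentation placeholders, not the page's real gateways).
SAMPLE_OK='FLOWS:
flow esp in from 10.11.1.8/30 to 10.1.6.0/24 peer 203.0.113.20 srcid 198.51.100.10 dstid 203.0.113.20 type require
flow esp out from 10.1.6.0/24 to 10.11.1.8/30 peer 203.0.113.20 srcid 198.51.100.10 dstid 203.0.113.20 type require
SAD:
esp tunnel from 203.0.113.20 to 198.51.100.10 spi 0xbe000001 auth hmac-sha2-256 enc aes-256
esp tunnel from 198.51.100.10 to 203.0.113.20 spi 0xc0000001 auth hmac-sha2-256 enc aes-256'

# Constructed sample where the flows were loaded but phase 2 never completed.
SAMPLE_NO_SA='FLOWS:
flow esp in from 10.11.1.8/30 to 10.1.6.0/24 peer 203.0.113.20 srcid 198.51.100.10 dstid 203.0.113.20 type require
flow esp out from 10.1.6.0/24 to 10.11.1.8/30 peer 203.0.113.20 srcid 198.51.100.10 dstid 203.0.113.20 type require
SAD:
No entries'

# check_tunnel LOCAL_NET REMOTE_NET PEER [AUTH ENC]
# Reads ipsecctl -s all output on stdin. Exit codes:
#   0 tunnel up, 1 flow missing, 2 no SA pair for PEER, 3 unexpected algorithms
check_tunnel() {
    local_net=$1 remote_net=$2 peer=$3 auth=${4:-hmac-sha2-256} enc=${5:-aes-256}
    out=$(cat)
    flows=$(printf '%s\n' "$out" | sed -n '/^FLOWS:/,/^SAD:/p')
    sad=$(printf '%s\n' "$out" | sed -n '/^SAD:/,$p')

    # both directions of the flow must point at the peer
    printf '%s\n' "$flows" | grep -q "^flow esp out from $local_net to $remote_net peer $peer " \
        || { echo "missing outbound flow $local_net -> $remote_net (ipsec.conf loaded?)"; return 1; }
    printf '%s\n' "$flows" | grep -q "^flow esp in from $remote_net to $local_net peer $peer " \
        || { echo "missing inbound flow $remote_net -> $local_net (ipsec.conf loaded?)"; return 1; }

    # an SA in each direction shows that quick mode completed
    n_in=$(printf '%s\n' "$sad" | grep -c "^esp tunnel from $peer to " || true)
    n_out=$(printf '%s\n' "$sad" | grep -c "^esp tunnel from .* to $peer " || true)
    [ "$n_in" -ge 1 ] && [ "$n_out" -ge 1 ] \
        || { echo "flows installed but no SA pair with $peer (phase 2 failed, check proposals/PSK)"; return 2; }

    # every SA with the peer must carry the negotiated algorithms
    bad=$(printf '%s\n' "$sad" | grep "^esp tunnel .*$peer " | grep -v "auth $auth enc $enc\$" || true)
    [ -z "$bad" ] || { echo "unexpected algorithms:"; echo "$bad"; return 3; }

    echo "tunnel to $peer up: $n_in inbound / $n_out outbound SA, $auth/$enc"
    return 0
}

printf '%s\n' "$SAMPLE_OK" | check_tunnel 10.1.6.0/24 10.11.1.8/30 203.0.113.20
printf '%s\n' "$SAMPLE_NO_SA" | check_tunnel 10.1.6.0/24 10.11.1.8/30 203.0.113.20 || echo "exit status $?"
```

The algorithm check matters because a working tunnel with weaker-than-configured algorithms is easy to overlook: if one side still offers an older proposal, IKEv1 picks the first common one, and only the SAD listing shows what was actually negotiated.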
Sniffing inside the IPsec tunnel
The enc0 interface shows every packet passing through the IPsec tunnel in cleartext; the (authentic,confidential) flags mean the packet was authenticated and decrypted by the kernel.
# tcpdump -nettt -i enc0
tcpdump: listening on enc0, link-type ENC
Feb 20 22:22:24.307480 (authentic,confidential): SPI 0xc6xxxxxx: 10.xx.xx.xx > 10.xx.xx.xx: icmp: echo request (encap)
Feb 20 22:22:24.327404 (authentic,confidential): SPI 0xd3xxxxxx: 10.xx.xx.xx > 10.xx.xx.xx: icmp: echo reply (encap)