vpn between OpenBSD and Linux/Openswan with x509 certs


vpn between OpenBSD and Linux/Openswan with x509 certs

Tom K-2
I'm a complete beginner with OpenBSD, and I've just installed 3.8 on my
laptop principally to learn the OpenBSD way of doing IPsec i.e. isakmpd
and ipsecctl. My goal is to create a tunnel between OpenBSD and my
existing Openswan system (IPCop 1.4.10) using x509 certs. I have a
reasonably good understanding of Openswan, so basically I'm trying to
understand the specifics of isakmpd/ipsecctl, rather than the underlying
concepts.

Here's where I am so far:
ipsecctl has just been introduced in 3.8 to simplify ipsec operations. It
obsoletes isakmpd.conf. I can run isakmpd with no conf file, and
ipsecctl with the following ipsec.conf file:

ike esp from 10.12.62.99 to 0.0.0.0/0 peer 10.12.62.1
             |                              |
             laptop                         ipcop

and I get some familiar-looking responses in Openswan's logs - so far so
good. No tunnel, but that's OK for the moment.

What I'm not clear on is where I define the certs, if isakmpd.conf is no
longer in use. There's no mention of them in man ipsecctl. Maybe I still
need something like this in isakmpd.conf:

# Certificates stored in PEM format
   [X509-certificates]
   CA-directory=    /etc/isakmpd/ca/
   Cert-directory=    /etc/isakmpd/certs/
   Private-key=        /etc/isakmpd/private/openbsd1.as10.net.priv

Am I on the right track? I would really appreciate any suggestions.

Thanks
Tom K.


Re: vpn between OpenBSD and Linux/Openswan with x509 certs

Tom K-2
Apologies for my formatting. To clarify:

laptop = 10.12.62.99
ipcop = 10.12.62.1

Tom K wrote:

> I'm a complete beginner with OpenBSD, and I've just installed 3.8 on
> my laptop principally to learn the OpenBSD way of doing IPsec i.e.
> isakmpd and ipsecctl. My goal is to create a tunnel between OpenBSD
> and my existing Openswan system (IPCop 1.4.10) using x509 certs. I
> have a reasonably good understanding of Openswan, so basically I'm
> trying to understand the specifics of isakmpd/ipsecctl, rather than
> the underlying concepts.
>
> Here's where I am so far:
> ipsecctl has just been introduced in 3.8 to simplify ipsec operations.
> It obsoletes isakmpd.conf. I can run isakmpd with no conf file, and
> ipsecctl with the following ipsec.conf file:
>
> ike esp from 10.12.62.99 to 0.0.0.0/0 peer 10.12.62.1
>              |                              |
>              laptop                         ipcop
>
> and I get some familiar-looking responses in Openswan's logs - so far
> so good. No tunnel, but that's OK for the moment.
>
> What I'm not clear on is where I define the certs, if isakmpd.conf is
> no longer in use. There's no mention of them in man ipsecctl. Maybe I
> still need something like this in isakmpd.conf:
>
> # Certificates stored in PEM format
>   [X509-certificates]
>   CA-directory=    /etc/isakmpd/ca/
>   Cert-directory=    /etc/isakmpd/certs/
>   Private-key=        /etc/isakmpd/private/openbsd1.as10.net.priv
>
> Am I on the right track? I would really appreciate any suggestions.
>
> Thanks
> Tom K.


Re: vpn between OpenBSD and Linux/Openswan with x509 certs

Tom K-2
In reply to this post by Tom K-2
> Maybe I still need something like this in isakmpd.conf:
>
> # Certificates stored in PEM format
>    [X509-certificates]
>    CA-directory=    /etc/isakmpd/ca/
>    Cert-directory=    /etc/isakmpd/certs/
>    Private-key=        /etc/isakmpd/private/openbsd1.as10.net.priv
>
> Am I on the right track? I would really appreciate any suggestions.
>

Well, I worked it out, in case anyone's interested.

First, I did it the old way, using man isakmpd.conf and various online
examples to guide me. I started with a simple PSK tunnel, then generated
certs and modified isakmpd.conf accordingly. Some tinkering was required
to accommodate subjectAltName and my FQDN ID, i.e. they had to match, and
the cert at the IPCop end had to include subjectAltName, even though
IPCop doesn't usually use this.

Once that was working OK, I reread man ipsecctl and man ipsec.conf. My
ipsec.conf now looks like this:

flow esp from 10.12.62.99 to 0.0.0.0/0 peer 10.12.62.1

ike esp from 10.12.62.99 to 0.0.0.0/0 peer 10.12.62.1 srcid tk-i5kb.tk-on.net

and I've got rid of isakmpd.conf. I still have a basic isakmpd.policy i.e.

Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

So now I run isakmpd -a, and ipsecctl -vv -f /etc/ipsec.conf, and I get
the following output:

@0 flow esp out from 10.12.62.98 to 0.0.0.0/0 peer 10.12.62.1
        type require
@1 flow esp in from 0.0.0.0/0 to 10.12.62.98 peer 10.12.62.1
        type use
@2 C set [peer-10.12.62.1]:Phase=1 force
C set [peer-10.12.62.1]:Address=10.12.62.1 force
C set [peer-10.12.62.1]:ID=local-ID force
C set [local-ID]:ID-type=FQDN force
C set [local-ID]:Name=tk-i5kb.tk-on.net force
C set [IPsec-10.12.62.98-0.0.0.0/0]:Phase=2 force
C set [IPsec-10.12.62.98-0.0.0.0/0]:ISAKMP-peer=peer-10.12.62.1 force
C set [IPsec-10.12.62.98-0.0.0.0/0]:Configuration=qm-10.12.62.98-0.0.0.0/0 force
C set [IPsec-10.12.62.98-0.0.0.0/0]:Local-ID=lid-10.12.62.98 force
C set [IPsec-10.12.62.98-0.0.0.0/0]:Remote-ID=rid-0.0.0.0/0 force
C set [qm-10.12.62.98-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-10.12.62.98-0.0.0.0/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
C set [lid-10.12.62.98]:ID-type=IPV4_ADDR force
C set [lid-10.12.62.98]:Address=10.12.62.98 force
C set [rid-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
C set [rid-0.0.0.0/0]:Network=0.0.0.0 force
C set [rid-0.0.0.0/0]:Netmask=0.0.0.0 force
t IPsec-10.12.62.98-0.0.0.0/0
c IPsec-10.12.62.98-0.0.0.0/0

IPCop's log shows a successful connection, and everything works as
expected. I'm guessing that as long as the certs are in the default
location, isakmpd finds them, without the kind of explicit declaration
referred to previously.

I'm very happy. :)
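As an added example (not from the thread or from the ipsecctl/isakmpd sources), the script below parses the `C set [section]:Key=Value` lines that `ipsecctl -vv` prints, which are the isakmpd configuration it generates from ipsec.conf now that isakmpd.conf is gone, and checks the two things that had to line up above: the phase-1 local ID is an FQDN equal to the `srcid` (the name the certificate's subjectAltName must carry), and the quick-mode suite uses PFS. The sample input is an abridged, constructed copy of the output pasted above; `parse_sections` and `check_peer` are names chosen here.

```python
import re

# Constructed sample: abridged from the ipsecctl -vv output in the thread.
IPSECCTL_OUTPUT = """\
@2 C set [peer-10.12.62.1]:Phase=1 force
C set [peer-10.12.62.1]:Address=10.12.62.1 force
C set [peer-10.12.62.1]:ID=local-ID force
C set [local-ID]:ID-type=FQDN force
C set [local-ID]:Name=tk-i5kb.tk-on.net force
C set [IPsec-10.12.62.98-0.0.0.0/0]:Phase=2 force
C set [IPsec-10.12.62.98-0.0.0.0/0]:ISAKMP-peer=peer-10.12.62.1 force
C set [IPsec-10.12.62.98-0.0.0.0/0]:Configuration=qm-10.12.62.98-0.0.0.0/0 force
C set [qm-10.12.62.98-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-10.12.62.98-0.0.0.0/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
"""

# "@N " prefixes appear on the first line of each rule's output; ignore them.
SET_RE = re.compile(r"^(?:@\d+\s+)?C set \[([^\]]+)\]:([^=]+)=(\S+) force$")


def parse_sections(text):
    """Return {section: {key: value}} from the 'C set' lines (isakmpd.conf layout)."""
    sections = {}
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            sections.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return sections


def check_peer(sections, peer_addr, expected_fqdn):
    """Check the phase-1 peer's local ID is the FQDN given as srcid and every
    phase-2 section bound to that peer uses a PFS suite. Returns problems found."""
    problems = []
    peer = sections.get(f"peer-{peer_addr}")
    if not peer:
        return [f"no phase-1 section for peer {peer_addr}"]
    lid = sections.get(peer.get("ID", ""), {})
    if lid.get("ID-type") != "FQDN":
        problems.append("local ID is not an FQDN")
    if lid.get("Name") != expected_fqdn:
        problems.append(f"local ID {lid.get('Name')!r} != srcid {expected_fqdn!r}")
    for name, sec in sections.items():
        if sec.get("Phase") == "2" and sec.get("ISAKMP-peer") == f"peer-{peer_addr}":
            qm = sections.get(sec.get("Configuration", ""), {})
            if "PFS" not in qm.get("Suites", ""):
                problems.append(f"{name}: quick mode suite without PFS")
    return problems


if __name__ == "__main__":
    print(check_peer(parse_sections(IPSECCTL_OUTPUT), "10.12.62.1", "tk-i5kb.tk-on.net"))
```

On a live box, feed it `ipsecctl -nvvf /etc/ipsec.conf` output instead of the constructed sample, and compare the reported Name against the subjectAltName shown by `openssl x509 -noout -text -in /etc/isakmpd/certs/<cert>`.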