Manual Keying IPSec on OpenBSD 2.9

Summed up by KoAps (edited by Jeremy C. Reed, sponsored by AngryPacket Security)

This is basically an explanation of doing manually keyed IPsec between two OpenBSD 2.9 servers. Due to errors I have found in all IPsec documentation, not to mention much confusion reading them, I have compiled together what worked for me from all of the man pages. (Note: this doesn't cover using isakmpd -- that will be documented later on.)

This isn't the easiest or most flexible way of setting up IPsec, but it is a clearer and more controlled way. I went this route when I was having problems with isakmpd. Be aware of what you give up, though: with manual keying the SAs never rekey, so the same 3DES and HMAC keys protect every packet until you change the files by hand, and each time the script below runs "ipsecadm flush" the SAs are recreated with their sequence numbers starting over, so traffic captured from an earlier run can be replayed into the new SA. That makes this fine for a static link you control at both ends and a poor substitute for isakmpd on anything long-lived.

First step is to enable the IPsec protocols in the kernel. Turn them on right now with:

sysctl -w net.inet.esp.enable=1
sysctl -w net.inet.ah.enable=1

and, since both boxes route for the inside networks, turn on forwarding:

sysctl -w net.inet.ip.forwarding=1

To have this survive a reboot, put the same variables in /etc/sysctl.conf, one per line and without the "sysctl -w":

net.inet.esp.enable=1
net.inet.ah.enable=1
net.inet.ip.forwarding=1

Generate the keys. These must be the same on both servers, so put them in files and then copy the files to the other server. These examples are for 3DES with HMAC-SHA1, which takes a 192 bit (24 byte) 3DES encryption key and a 160 bit (20 byte) SHA1 authentication key:

openssl rand 24 | hexdump -e '24/1 "%02x"' > enc_key
openssl rand 20 | hexdump -e '20/1 "%02x"' > auth_key

Anyone holding these two files can decrypt and forge everything on the tunnel, so copy them to the other server over a channel you already trust (scp, or by hand), keep them mode 600 and owned by root, and don't reuse them on another link. The script below uses the same pair for both directions; nothing stops you from generating a second pair and giving the second SA its own files, which is better practice and costs nothing.

Now create a script. Be careful about whitespace at the ends of the lines: a space after a trailing backslash breaks the line continuation and ipsecadm then sees half a command. Put the key files in the same directory as the script (or give full paths to -keyfile and -authkeyfile). The top half of the script is identical on both hosts; the host-specific flow lines follow it -- see below.
--------------------------------------------------------------------------------
#!/bin/sh
# Network settings for hosts
# IP is the outside IP as seen by the Internet
# NET is the inside network you wish to tunnel to
# MASK is the network mask for that inside network
IP_A=10.0.20.1
NET_A=192.168.1.0
MASK_A=255.255.255.0

IP_B=10.0.30.1
NET_B=192.168.3.0
MASK_B=255.255.255.0

# Clear out SAs
ipsecadm flush

# Establish new SAs
# Notice the SPI lines -- if you want to add more SAs, you will need
# to keep increasing that number; no two SAs can have the same SPI.
ipsecadm new esp -spi 1000 -src $IP_A -dst $IP_B -forcetunnel -enc 3des \
	-auth sha1 -keyfile enc_key -authkeyfile auth_key
ipsecadm new esp -spi 1001 -src $IP_B -dst $IP_A -forcetunnel -enc 3des \
	-auth sha1 -keyfile enc_key -authkeyfile auth_key

# Now come the parts that are endpoint specific, meaning the settings
# are specific to Host A and Host B. Every flow names the same SA pair
# (-src is this host, -dst is the peer); only the selectors change.

# On host A you add these lines
ipsecadm flow -dst $IP_B -proto esp -addr $IP_A 255.255.255.255 \
	$IP_B 255.255.255.255 -require -out -src $IP_A
ipsecadm flow -dst $IP_B -proto esp -addr $NET_A $MASK_A $NET_B $MASK_B \
	-require -out -src $IP_A
ipsecadm flow -dst $IP_B -proto esp -addr $IP_A 255.255.255.255 \
	$NET_B $MASK_B -require -out -src $IP_A
ipsecadm flow -dst $IP_B -proto esp -addr $NET_A $MASK_A $IP_B \
	255.255.255.255 -require -out -src $IP_A
ipsecadm flow -dst $IP_B -proto esp -addr $IP_B 255.255.255.255 \
	$IP_A 255.255.255.255 -require -in -src $IP_A
ipsecadm flow -dst $IP_B -proto esp -addr $NET_B $MASK_B $NET_A $MASK_A \
	-require -in -src $IP_A
ipsecadm flow -dst $IP_B -proto esp -addr $IP_B 255.255.255.255 $NET_A \
	$MASK_A -require -in -src $IP_A
ipsecadm flow -dst $IP_B -proto esp -addr $NET_B $MASK_B $IP_A \
	255.255.255.255 -require -in -src $IP_A

# On host B you add these lines
ipsecadm flow -dst $IP_A -proto esp -addr $IP_B 255.255.255.255 $IP_A \
	255.255.255.255 -out -require -src $IP_B
ipsecadm flow -dst $IP_A -proto esp -addr $NET_B $MASK_B $NET_A $MASK_A \
	-out -require -src $IP_B
ipsecadm flow -dst $IP_A -proto esp -addr $IP_B 255.255.255.255 $NET_A \
	$MASK_A -out -require -src $IP_B
ipsecadm flow -dst $IP_A -proto esp -addr $NET_B $MASK_B $IP_A \
	255.255.255.255 -out -require -src $IP_B
ipsecadm flow -dst $IP_A -proto esp -addr $IP_A 255.255.255.255 $IP_B \
	255.255.255.255 -in -require -src $IP_B
ipsecadm flow -dst $IP_A -proto esp -addr $NET_A $MASK_A $NET_B $MASK_B \
	-in -require -src $IP_B
ipsecadm flow -dst $IP_A -proto esp -addr $IP_A 255.255.255.255 $NET_B \
	$MASK_B -in -require -src $IP_B
ipsecadm flow -dst $IP_A -proto esp -addr $NET_A $MASK_A $IP_B \
	255.255.255.255 -in -require -src $IP_B
--------------------------------------------------------------------------------

If you make any changes or need to start over you will need to do this:

ipsecadm flush

That's why I added it to the script, so you can just run the script each time and not have to worry about flushing SAs.

That's really it for manual keying. To test it out, one way is to use tcpdump on your WAN interface and look for the SPI lines. (The addresses in these captures are from the author's own setup and do not match the example variables above.)

tcpdump -i ep1 ip host 192.168.2.1
08:19:55.877741 esp 192.168.1.1 > 192.168.2.1 spi 0x00001000 seq 144 len 76
08:19:55.914816 esp 192.168.2.1 > 192.168.1.1 spi 0x00001001 seq 96 len 76

Between the two gateways you should see nothing but esp. If traffic for the far side's inside network shows up here as plain tcp, udp or icmp, a flow is missing or was added without -require.

Another way is this:

ifconfig enc0 up
tcpdump -i enc0
11:00:28.264341 (authentic,confidential): SPI 0x00001000: 192.168.1.1.38562 > 192.168.2.10.telnet: . ack 67 win 16678 (DF) [tos 0x10] (encap)
11:00:28.440442 (authentic,confidential): SPI 0x00001001: 192.168.2.10.telnet > 192.168.1.1.38562: . 67:623(556) ack 33 win 4050 [tos 0xc0] (encap)
11:00:28.524366 (authentic,confidential): SPI 0x00001001: 192.168.2.10.telnet > 192.168.1.1.38562: P 623:679(56) ack 33 win 4050 [tos 0xc0] (encap)
11:00:28.555247 (authentic,confidential): SPI 0x00001000: 192.168.1.1.38562 > 192.168.2.10.telnet: . ack 679 win 16680 (DF) [tos 0x10] (encap)

enc0 shows you the inner packets before encryption and after decryption, tagged with the SPI they went through and with (authentic,confidential) when the SA both authenticated and encrypted them, so you can check not only that the traffic is tunneled but which SA carried it.
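Sixteen nearly identical flow lines typed out by hand is exactly where a wrong -dst or a half-edited selector creeps in. As an added example (not part of the original article), here is a small sh script that derives a host's eight flow commands from the same six address variables and, before applying them, checks that enc_key and auth_key really hold 24 and 20 bytes of hex as produced by the openssl/hexdump commands above. The A/B argument, the "apply" keyword and the check_key and gen_flows names are this example's own conventions, not anything ipsecadm knows about.

```shell
#!/bin/sh
# Added example, not from the original article: generate the per-host part of
# the ipsecadm script from the six address variables instead of typing out
# sixteen flow lines by hand, and sanity check the key files first.
# Assumed layout: enc_key and auth_key hold the hex strings produced by the
# article's openssl/hexdump commands (24 and 20 bytes respectively).

# check_key FILE NBYTES: succeed only if FILE holds exactly NBYTES bytes of
# key written as hex (2*NBYTES hex digits and nothing else).  Catches a
# truncated copy, pasted junk, or the right key in the wrong file before
# ipsecadm ever sees it.
check_key() {
    key=$(cat "$1" 2>/dev/null) || return 1        # $(...) drops a trailing newline
    [ "${#key}" -eq $(( $2 * 2 )) ] || return 1
    [ -z "$(printf '%s' "$key" | tr -d '0-9a-fA-F')" ] || return 1
    return 0
}

# gen_flows LOCAL_IP LOCAL_NET LOCAL_MASK REMOTE_IP REMOTE_NET REMOTE_MASK:
# print the eight "ipsecadm flow" commands one gateway needs.  The four
# selectors are every pairing of {gateway address, inside network} on our
# side with the same on the far side; each is emitted once as an -out flow
# and once, with the selector reversed, as an -in flow.  -src/-dst always
# name our own SA pair (us, peer), which is the part a copied line gets wrong.
gen_flows() {
    l_ip=$1 l_net=$2 l_mask=$3 r_ip=$4 r_net=$5 r_mask=$6
    for sel in \
        "$l_ip 255.255.255.255 $r_ip 255.255.255.255" \
        "$l_net $l_mask $r_net $r_mask" \
        "$l_ip 255.255.255.255 $r_net $r_mask" \
        "$l_net $l_mask $r_ip 255.255.255.255"
    do
        set -- $sel        # $1 $2 = local addr/mask, $3 $4 = remote addr/mask
        echo "ipsecadm flow -dst $r_ip -proto esp -addr $1 $2 $3 $4 -require -out -src $l_ip"
        echo "ipsecadm flow -dst $r_ip -proto esp -addr $3 $4 $1 $2 -require -in -src $l_ip"
    done
}

# Same addresses as the article's script.
IP_A=10.0.20.1;  NET_A=192.168.1.0;  MASK_A=255.255.255.0
IP_B=10.0.30.1;  NET_B=192.168.3.0;  MASK_B=255.255.255.0

# Usage: sh flows.sh A         print the host A flow commands for review
#        sh flows.sh B apply   check the key files, then run the host B flows
#                              (only meaningful on the OpenBSD gateway itself)
if [ $# -ge 1 ]; then
    case $1 in
        A) cmds=$(gen_flows "$IP_A" "$NET_A" "$MASK_A" "$IP_B" "$NET_B" "$MASK_B") ;;
        B) cmds=$(gen_flows "$IP_B" "$NET_B" "$MASK_B" "$IP_A" "$NET_A" "$MASK_A") ;;
        *) echo "usage: $0 A|B [apply]" >&2; exit 2 ;;
    esac
    if [ "$2" = apply ]; then
        check_key enc_key 24  || { echo "enc_key is not 24 bytes of hex" >&2; exit 1; }
        check_key auth_key 20 || { echo "auth_key is not 20 bytes of hex" >&2; exit 1; }
        printf '%s\n' "$cmds" | sh -e
    else
        printf '%s\n' "$cmds"
    fi
fi
```

Run "sh flows.sh A" first and diff its output against the hand-written host A section; only when the two agree run it with "apply" on the gateway, after the common SA lines. Without "apply" it only prints, so you can also use it on any machine to generate the far side's lines for review.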