On 2018-05-31, David Higgs <[email protected]> wrote:
> I am looking to configure iked(8) on my OpenBSD router to provide
> IPsec services to remote clients. I would like to tunnel (nearly) all
> my traffic from my phone or laptop back into my home router, and
> leverage the services there (DNS, firewall, etc.), then either access
> my local network or the rest of the internet. I think I want my
> router to be a VPN proxy - is there more accurate/common terminology?
>
> I am having difficulty extracting what is and is not relevant from the
> iked.conf(5) man page, since this is new terminology to me. I believe
> that the first example is most appropriate for my router
> configuration, adapted something like this:
>
> # candidate iked.conf
> set mobike
> user "test" "password123"
> ikev2 esp \
>     eap "mschap-v2" \
>     config dhcp-server 10.0.0.1
>
> The parts I'm confused on are the from/to and peer/local fields.
> Which pair describes the IPs of the tunnel endpoints, and which

peer/local

> describes the traffic allowed to flow through the tunnel? I guess I

from/to

> don't know whether "IPsec flow" refers to the encapsulating ESP
> packets or the encapsulated traffic.

The "flow" is an SADB entry which matches traffic and selects it for
encapsulation. The addresses in a flow have to cover the packets sent
over the VPN.

Here's an iked example from my live config; it allows mobile clients
to connect and route all traffic over the VPN, assigning a dynamic
address from 192.168.47.160/27, with not-too-terrible ciphers for most
typical clients.

ikev2 "vpn" passive esp from 0.0.0.0/0 to 0.0.0.0/0 \
    local x.x.x.x \
    peer any \
    ikesa enc aes-256 enc aes-128 prf hmac-sha2-256 auth hmac-sha2-256 group ecp256 \
    ikesa enc aes-256 enc aes-128 prf hmac-sha2-256 prf hmac-sha1 auth hmac-sha2-256 group ecp256 group modp2048 group modp1024 \
    childsa enc aes-256-gcm enc aes-128-gcm \
    childsa enc aes-256 enc aes-128 auth hmac-sha2-256 auth hmac-sha1 \
    srcid "my.host.name" \
    eap "mschap-v2" \
    config address 192.168.47.160/27 \
    config name-server x.x.x.x \
    tag "$name-$id"

include "/etc/iked.users"

If you have any Windows clients, note that the default ciphers are
absolutely bloody useless; for the PowerShell snippets needed to fix
this, see the comments in https://github.com/trailofbits/algo/issues/9.
If you don't need to support Windows clients you can probably get rid
of hmac-sha1/group modp1024 and the non-GCM AES entries.

To actually route the traffic you'll need net.inet.ip.forwarding set,
and depending on setup probably also a NAT rule, maybe something like

match out on egress from 192.168.47.160/27 nat-to (egress:0)
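As an added example (not code from either poster), a small Python parser for the iked.conf policy syntax used in this thread: it separates the from/to flow selectors (traffic carried inside the tunnel) from the local/peer endpoints, and collects the hmac-sha1/modp1024 entries the reply says can go once Windows clients need not be supported. It assumes local and peer default to any, and ignores ports, lifetimes and other options not used on this page.

```python
import re
import shlex

# Algorithms the reply says you can drop once no Windows clients need them.
LEGACY = {"hmac-sha1", "modp1024"}
KEYWORDS = {"active", "passive", "esp", "ah", "from", "local", "peer", "ikesa",
            "childsa", "enc", "prf", "auth", "group", "srcid", "dstid", "eap",
            "psk", "config", "tag"}

def parse_policy(text):
    """Parse one iked.conf ikev2 policy (ports, lifetimes etc. not handled):
    from/to -> 'flows' (traffic inside the tunnel), local/peer -> endpoints."""
    joined = re.sub(r"\\\n", " ", text)                  # join '\' continuations
    toks = shlex.split(" ".join(ln.split("#", 1)[0] for ln in joined.splitlines()))
    if not toks or toks[0] != "ikev2": raise ValueError("not an ikev2 policy")
    pol = {"name": None, "mode": None, "proto": None, "flows": [], "local": "any",
           "peer": "any", "ikesa": [], "childsa": [], "config": {}, "legacy": set()}
    i, section = 1, None
    while i < len(toks):
        t = toks[i]
        if i == 1 and t not in KEYWORDS:
            pol["name"] = t                               # optional policy name
        elif t in ("active", "passive"):
            pol["mode"] = t
        elif t in ("esp", "ah"):
            pol["proto"] = t
        elif t == "from":                                 # 'from A to B' selector pair
            if toks[i + 2] != "to": raise ValueError("from without to")
            pol["flows"].append((toks[i + 1], toks[i + 3])); i += 3
        elif t in ("ikesa", "childsa"):                   # start a new proposal
            section = t; pol[t].append({})
        elif t in ("enc", "prf", "auth", "group"):        # transform in the proposal
            alg = toks[i + 1]; i += 1
            pol[section][-1].setdefault(t, []).append(alg)
            if alg in LEGACY: pol["legacy"].add(alg)
        elif t == "config":                               # config <type> <value>
            pol["config"][toks[i + 1]] = toks[i + 2]; i += 2
        elif t in ("local", "peer", "srcid", "dstid", "eap", "psk", "tag"):
            pol[t] = toks[i + 1]; i += 1
        else:
            raise ValueError(f"unsupported token {t!r}")
        i += 1
    return pol

# The policy from the reply above; x.x.x.x kept as the placeholder it is there.
REPLY_POLICY = r'''ikev2 "vpn" passive esp from 0.0.0.0/0 to 0.0.0.0/0 local x.x.x.x peer any \
  ikesa enc aes-256 enc aes-128 prf hmac-sha2-256 auth hmac-sha2-256 group ecp256 \
  ikesa enc aes-256 enc aes-128 prf hmac-sha2-256 prf hmac-sha1 auth hmac-sha2-256 group ecp256 group modp2048 group modp1024 \
  childsa enc aes-256-gcm enc aes-128-gcm childsa enc aes-256 enc aes-128 auth hmac-sha2-256 auth hmac-sha1 \
  srcid "my.host.name" eap "mschap-v2" config address 192.168.47.160/27 config name-server x.x.x.x tag "$name-$id"'''
```

Running `parse_policy` on the candidate config from the question shows it has no from/to at all, i.e. no flow selectors, which is exactly the part the reply says has to cover the traffic sent over the VPN.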

