Hey Tom,
Yes, I have this working right now using static routes, but it wouldn’t be
a difficult change to use something like OSPF. This config should get you
most of the way there. Please note the sections marked with <some_info> and
replace with yours.
In this case the OpenBSD router is acting as the hub end (albeit on a
dynamic IP — hence the DDNS settings). The remote side is my cabin
(FortiGate). Note that this is IKEv1 aggressive mode with a pre-shared key
(needed here because the hub's address changes and the peers identify by
name rather than by IP); aggressive mode sends a hash derived from the PSK
in the clear, so anyone who can observe the exchange can attack the PSK
offline — use a long random PSK, or move to IKEv2 if both ends can.
OPENBSD config
/etc/hostname.sec0
# Point-to-point tunnel interface: local 10.250.0.1, peer 10.250.0.2 (/30).
# These must mirror the FortiGate tunnel interface's "ip" / "remote-ip".
inet 10.250.0.1 255.255.255.252 10.250.0.2
up
# Static route to the cabin LAN via the far end of the tunnel; this is the
# line to replace if dynamic routing (e.g. OSPF over sec0) is used instead.
!route add -net 10.1.5/24 10.250.0.2
/etc/ipsec.conf
# Responder (passive) end of an IKEv1 tunnel bound to sec0: traffic
# selection is done by routing over sec0, not by flow policies here.
# Aggressive mode is used because this end has a dynamic address and the
# peers identify by name. Caveat: aggressive mode sends a hash derived from
# the PSK in the clear, so an observer can run an offline dictionary attack
# on it -- use a long random PSK, or IKEv2 if both ends support it.
# srcid is this host's identity and dstid the peer's (the list archive has
# redacted both to the same placeholder); the FortiGate's localid must equal
# dstid and its peerid must equal srcid.
# NOTE(review): the FortiGate phase 2 proposal is aes256gcm while this
# quick-mode line lists aes-128/hmac-sha2-256; confirm which ESP transform
# is actually negotiated (e.g. ipsecctl -sa) before relying on it.
ike passive interface sec0 \
aggressive auth hmac-sha2-256 enc aes-128 group modp2048 \
quick auth hmac-sha2-256 enc aes-128 group modp2048 \
srcid [email protected] dstid [email protected] \
psk "<your_psk>"
/etc/rc.conf.local
# ipsec=YES loads /etc/ipsec.conf via ipsecctl at boot.
# -K disables isakmpd's KeyNote policy checking, which is the usual setting
# when the configuration is driven entirely from ipsec.conf.
ipsec=YES
isakmpd_flags=-K
/etc/pf.conf
# Tunnel-interface rule. As written it passes only endpoint-to-endpoint
# traffic on the /30 (e.g. pinging the peer); transit between the two site
# LANs over sec0, and the IKE (udp 500) / ESP traffic that isakmpd needs on
# the external interface, must be permitted by rules not shown here --
# check that the rest of your ruleset does not fall through to a block.
pass in log on sec0 from 10.250.0.2/32 to 10.250.0.1/32
FORTIGATE config
# IPsec tunnel interface on wan1: local 10.250.0.2, remote 10.250.0.1 (/30),
# the mirror image of the OpenBSD sec0 addressing above.
# Only ping is permitted to the tunnel address itself (no admin access).
config system interface
edit "to-home-gw"
set vdom "root"
set ip 10.250.0.2 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 10.250.0.1 255.255.255.252
set snmp-index 17
set interface "wan1"
next
end
# Address objects for the two site LANs: local = cabin (10.1.5/24),
# remote = home (10.1.1/24). allow-routing lets them be used as static
# route destinations below.
# NOTE(review): the policies and routes below also reference
# "to-home-gw_remote", "to-home-gw_local" and "to-home-gw_remote_subnet_2",
# which are not defined in this listing -- presumably address groups that
# were left out; they must exist for those entries to load.
config firewall address
edit "to-home-gw_local_subnet_1"
set uuid 9e0d5ac4-671e-51ef-925d-c2053b310739
set allow-routing enable
set subnet 10.1.5.0 255.255.255.0
next
edit "to-home-gw_remote_subnet_1"
set uuid 9e1737ec-671e-51ef-b2db-702042d3ba9d
set allow-routing enable
set subnet 10.1.1.0 255.255.255.0
next
end
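# Phase 1 (IKEv1). The hub's address changes, so it is reached by DDNS name
# and the peers identify by ID -- hence aggressive mode.
# Caveat: aggressive mode sends a hash derived from the PSK in the clear,
# so use a long random PSK (or IKEv2 if both ends can do it).
config vpn ipsec phase1-interface
edit "to-home-gw"
set type ddns
set interface "wan1"
set mode aggressive
# Accept only the single peer identity given in peerid.
set peertype one
set net-device disable
# Must match the OpenBSD "aggressive" line (aes-128 / hmac-sha2-256 /
# modp2048). The aes128-sha1 / aes256-sha1 proposals previously listed here
# could never be selected against that peer and are weaker, so they are
# dropped rather than left as a fallback.
set proposal aes128-sha256 aes256-sha256
# localid must equal the OpenBSD dstid; peerid must equal its srcid.
set localid "[email protected]"
set comments "To home OpenBSD gateway"
set dhgrp 14
set nattraversal disable
set remotegw-ddns "ddns.example.com"
set peerid "[email protected]"
set psksecret ENC <your_encrypted_secret>
next
end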
# Phase 2. dhgrp 14 gives PFS and matches the OpenBSD "quick ... group
# modp2048"; auto-negotiate brings the SA up without waiting for traffic.
# NOTE(review): aes256gcm here does not match the aes-128 / hmac-sha2-256
# quick-mode transform in the OpenBSD ipsec.conf; either align the two or
# verify which transform is actually in use on the OpenBSD side.
config vpn ipsec phase2-interface
edit "to-home-vpn"
set phase1name "to-home-gw"
set proposal aes256gcm
set dhgrp 14
set auto-negotiate enable
next
end
# Firewall policies.
#  1: ordinary Internet egress from the cabin LAN with source NAT.
#  2: cabin LAN -> home LANs over the tunnel.
#  5: home LANs -> cabin LAN over the tunnel.
# Both tunnel policies allow service ALL in both directions; narrow these
# if the sites should not fully trust each other.
# NOTE(review): "to-home-gw_remote_subnet_2", "to-home-gw_remote" and
# "to-home-gw_local" are not defined in this listing.
config firewall policy
edit 1
set uuid 181a978e-f058-51e9-7e5b-3dc213632414
set srcintf "internal"
set dstintf "wan1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable
next
edit 2
set name "to-home-gw-vpn"
set uuid e0bdc5a8-6993-51ef-86a4-44836c93b4ad
set srcintf "internal"
set dstintf "to-home-gw"
set action accept
set srcaddr "to-home-gw_local_subnet_1"
set dstaddr "to-home-gw_remote_subnet_1" "to-home-gw_remote_subnet_2"
set schedule "always"
set service "ALL"
next
edit 5
set name "from-minto-gw-vpn"
set uuid 4dcad17a-69a5-51ef-3eab-b45a46d72b99
set srcintf "to-home-gw"
set dstintf "internal"
set action accept
set srcaddr "to-home-gw_remote"
set dstaddr "to-home-gw_local"
set schedule "always"
set service "ALL"
next
end
# Static routes. Route 1 sends the home networks into the tunnel; route 4 is
# a blackhole for the same destinations at distance 254, so that when the
# tunnel is down that traffic is dropped instead of leaking out the default
# route (and through the NAT policy) in the clear.
# NOTE(review): "to-home-gw_remote" is not defined in this listing.
config router static
edit 1
set device "to-home-gw"
set dstaddr "to-home-gw_remote"
next
edit 4
set distance 254
set blackhole enable
set dstaddr "to-home-gw_remote"
set vrf 0
next
end
On Nov 18, 2024 at 6:07:11 PM, Tom Smyth <[email protected]>
wrote:
> Folks
> did anyone have success using sec(4) interfaces on Site to Site VPNs
> between OpenBSD and Fortinet ? I want to route via the sec interface
> rather than specify static policies in iked.conf
>
> or should I be using gre(4) gif(4) or some other tunnel device to
> bring up an interface which I can put an ip address on and route over
> ,
>
> any pointers would be really appreciated
>
> thanks
>
> Tom Smyth
>
>
> --
> Kindest regards,
> Tom Smyth.
>
>