[Vpn-help] shrew with OpenBSD(4.2) gateway

Matthew Grooms mgrooms at shrew.net
Mon Mar 3 03:14:50 CST 2008


scott wrote:
> I have installed shrew 2.0.3 on ubuntu 7.10 notebook.  Our
> firewall/gateway is openBSD(4.2).  We've been using ssh as vpn-lite and
> would like to trade up to ipsec.
> 
> I searched the archives for "openbsd" anything and got nothing.
> 
> Can anyone help with matching the left (shrew) and right (openbsd)
> configs, preferably using ipsecctl/ipsec.conf methods, but I will gladly
> accept anything that "works."
> 

Scott,

Honestly, I don't have any concrete examples to give you at the moment 
for OpenBSD connectivity. I have heard reports that the client works 
with isakmpd. How well it works I cannot say. Below is an example I took 
from http://www.allard.nu and modified to ( hopefully ) work with a 
simplified Shrew Soft client configuration. I'm sure there are all sorts 
of things that can be improved. You could switch to RSA but isakmpd 
would require that a different certificate be created for each client.

The basic idea is that isakmpd appears to only support modecfg ( for 
virtual adapter address assignment, etc .. ) on a per-client id basis. 
That means for each user that connects, they need to have their own user 
fully qualified dn and pre-shared key configured in the isakmpd.conf 
file. Consider the following section ...

[user1@yourdomain.com]
Authentication= user1presharedkey
Address= 192.168.254.1
Netmask= 255.255.255.0
Nameserver= 10.1.1.10
WINS-server= 10.1.1.11

... The user is obviously identified as user1@yourdomain.com and has a 
pre-shared key of user1presharedkey. After phase1 negotiation succeeds, 
isakmpd will assign the 192.168.254.1 virtual address to the client. It 
will also inform the client that there is a private DNS and WINS server 
available at 10.1.1.10 and 10.1.1.11 to be used. That looks to be about 
as sophisticated as you can get with isakmpd.

Setting up the Shrew Soft client shouldn't be any trouble here. You just 
put in the IP address of the gateway and configure aggressive mode. The 
client id type would be set to user fully qualified dn with the user id 
and pre-shared key on a per-client basis. The server id is probably sent 
as an address. The only thing left to do would be to add the appropriate 
networks in the policy tab that match the networks protected by your vpn 
gateway. In the example shown, this would include the 10.1.1/24 network 
as the advertised DNS and WINS servers live there :)

Hope this helps,

-Matthew

---- begin example isakmpd.conf file ----

# Exchange definitions
#######################

[Phase 1]
Default= ISAKMP-clients

[Phase 2]
Passive-Connections= IPsec-clients

# Phase 1 peer sections
#######################

[ISAKMP-clients]
Phase= 1
Transport= udp
Configuration= SS-aggr-mode

# Phase 2 sections
##################

[IPsec-clients]
Phase= 2
Configuration= SS-quick-mode
Local-ID= work-network
Remote-ID= dummy-remote

# Client ISAKMP ID sections
###########################

[user1@yourdomain.com]
Authentication= user1presharedkey
Address= 192.168.254.1
Netmask= 255.255.255.0
Nameserver= 10.1.1.10
WINS-server= 10.1.1.11

[user2@yourdomain.com]
Authentication= user2presharedkey
Address= 192.168.254.2
Netmask= 255.255.255.0
Nameserver= 10.1.1.10
WINS-server= 10.1.1.11

[user3@yourdomain.com]
Authentication= user3presharedkey
Address= 192.168.254.3
Netmask= 255.255.255.0
Nameserver= 10.1.1.10
WINS-server= 10.1.1.11

# Client IPsec ID sections
##########################

[work-network]
ID-type= IPV4_ADDR_SUBNET
Network= 10.1.1.0
Netmask= 255.255.255.0

[dummy-remote]
ID-type= IPV4_ADDR
Address= 0.0.0.0

# Transform descriptions
########################

[SS-aggr-mode]
DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms=	3DES-MD5

[SS-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-MD5-SUITE

# Aggressive mode transforms
############################

[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life=	LIFE_1_DAY

# Lifetimes
###########

[LIFE_1_DAY]
LIFE_TYPE=		SECONDS
LIFE_DURATION=	86400,79200:93600

---- begin example isakmpd.policy file ----

Comment: This policy accepts ESP SAs from a remote that uses the right 
password.
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
		esp_present == "yes" &&
		esp_enc_alg != "null" -> "true";
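A small lint for the per-client layout described above, as an added example that is not part of the original post or of isakmpd: it parses the "[Section]" / "Key= value" format, then reports references to sections that are never defined, virtual addresses handed to more than one client ID section, and pre-shared keys shorter than an assumed local minimum of 16 characters. Because isakmpd supplies some suite definitions itself (the file above uses QM-ESP-3DES-MD5-SUITE without defining it), such names are passed in through the builtin parameter; the embedded sample config is constructed for the demonstration.

```python
# Keys whose values name other sections (comma-separated lists are allowed).
REF_KEYS = {"Default", "Passive-Connections", "Configuration", "Local-ID", "Remote-ID", "Transforms", "Suites", "Life"}
MIN_PSK_LEN = 16  # assumed local policy for pre-shared keys, not an isakmpd rule

def parse_isakmpd_conf(text):
    """Map '[Section]' headers and 'Key= value' lines to {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line outside a section or missing '=': {raw!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections

def lint(sections, builtin=frozenset()):
    """Return findings; 'builtin' holds section names isakmpd provides itself."""
    findings, by_addr = [], {}
    for name, body in sections.items():
        for key, value in body.items():
            if key in REF_KEYS:
                for target in (t.strip() for t in value.split(",")):
                    if target not in sections and target not in builtin:
                        findings.append(f"[{name}] {key}= names missing section '{target}'")
        if "Authentication" in body and "Address" in body:   # a per-client ID section
            by_addr.setdefault(body["Address"], []).append(name)
            if len(body["Authentication"]) < MIN_PSK_LEN:
                findings.append(f"[{name}] pre-shared key shorter than {MIN_PSK_LEN} chars")
    for addr, names in by_addr.items():
        if len(names) > 1:
            findings.append(f"virtual address {addr} given to several clients: {names}")
    return findings

# Constructed sample: a dangling Life= reference, a weak key and a shared virtual address.
SAMPLE = """[3DES-MD5]
Life=\tLIFE_1_DAY
[user1@yourdomain.com]
Authentication= user1presharedkey
Address= 192.168.254.1
[user2@yourdomain.com]
Authentication= short
Address= 192.168.254.1
"""
```

Running lint(parse_isakmpd_conf(SAMPLE)) yields three findings; passing builtin={"LIFE_1_DAY"} drops the dangling-reference one.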
