[Vpn-help] shrew with OpenBSD(4.2) gateway
Matthew Grooms
mgrooms at shrew.net
Mon Mar 3 03:14:50 CST 2008
scott wrote:
> I have installed shrew 2.0.3 on ubuntu 7.10 notebook. Our
> firewall/gateway is openBSD(4.2). We've been using ssh as vpn-lite and
> would like to trade up to ipsec.
>
> I searched the archives for "openbsd" anything and got nothing.
>
> Can anyone help with matching the left (shrew) and right (openbsd)
> configs, preferably using ipsecctl/ipsec.conf methods but will gladly
> accept anything that "works."
>
Scott,
Honestly, I don't have any concrete examples to give you at the moment
for OpenBSD connectivity. I have heard reports that the client works
with isakmpd. How well it works I cannot say. Below is an example I took
from http://www.allard.nu and modified to (hopefully) work with a
simplified Shrew Soft client configuration. I'm sure there are all sorts
of things that can be improved. You could switch to RSA but isakmpd
would require that a different certificate be created for each client.
The basic idea is that isakmpd appears to only support modecfg (for
virtual adapter address assignment, etc.) on a per-client id basis.
That means for each user that connects, they need to have their own user
fully qualified dn and pre-shared key configured in the isakmpd.conf
file. Consider the following section ...
[user1@yourdomain.com]
Authentication= user1presharedkey
Address= 192.168.254.1
Netmask= 255.255.255.0
Nameserver= 10.1.1.10
WINS-server= 10.1.1.11
... The user is obviously identified as user1@yourdomain.com and has a
pre-shared key of user1presharedkey. After phase1 negotiation succeeds,
isakmpd will assign the 192.168.254.1 virtual address to the client. It
will also inform the client that there is a private DNS and WINS server
available at 10.1.1.10 and 10.1.1.11 to be used. That looks to be about
as sophisticated as you can get with isakmpd.
Setting up the Shrew Soft client shouldn't be any trouble here. You just
put in the IP address of the gateway and configure aggressive mode. The
client id type would be set to user fully qualified dn with the user id
and pre-shared key on a per-client basis. The server id is probably sent
as an address. The only thing left to do would be to add the appropriate
networks in the policy tab that match the networks protected by your vpn
gateway. In the example shown, this would include the 10.1.1/24 network
as the advertised DNS and WINS servers live there :)
Hope this helps,
-Matthew
---- begin example isakmpd.conf file ----
# Exchange definitions
#######################
[Phase 1]
Default= ISAKMP-clients
[Phase 2]
Passive-Connections= IPsec-clients
# Phase 1 peer sections
#######################
[ISAKMP-clients]
Phase= 1
Transport= udp
Configuration= SS-aggr-mode
# Phase 2 sections
##################
[IPsec-clients]
Phase= 2
Configuration= SS-quick-mode
Local-ID= work-network
Remote-ID= dummy-remote
# Client ISAKMP ID sections
###########################
# One section per client. The section name is the client's user FQDN ID,
# and the values are handed out through modecfg after phase 1 succeeds.
[user1@yourdomain.com]
Authentication= user1presharedkey
Address= 192.168.254.1
Netmask= 255.255.255.0
Nameserver= 10.1.1.10
WINS-server= 10.1.1.11
[user2@yourdomain.com]
Authentication= user2presharedkey
Address= 192.168.254.2
Netmask= 255.255.255.0
Nameserver= 10.1.1.10
WINS-server= 10.1.1.11
[user3@yourdomain.com]
Authentication= user3presharedkey
Address= 192.168.254.3
Netmask= 255.255.255.0
Nameserver= 10.1.1.10
WINS-server= 10.1.1.11
# Client IPsec ID sections
##########################
[work-network]
ID-type= IPV4_ADDR_SUBNET
Network= 10.1.1.0
Netmask= 255.255.255.0
[dummy-remote]
ID-type= IPV4_ADDR
Address= 0.0.0.0
# Transform descriptions
########################
[SS-aggr-mode]
DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= 3DES-MD5
[SS-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-MD5-SUITE
# Aggressive mode transforms
############################
[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_1_DAY
# Lifetimes
###########
[LIFE_1_DAY]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,79200:93600
---- begin example isakmpd.policy file ----
Comment: This policy accepts ESP SAs from a remote that uses the right
password.
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";
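Since isakmpd needs one [user@domain] section per client, each with its own pre-shared key and virtual address, the per-client part of the file above is the part that grows and the part most likely to end up with a copied key or a duplicated address. The script below is an added example, not code from the thread or from the Shrew Soft or isakmpd projects: it generates those sections for a list of users with random keys and pool-assigned addresses, and it reads a finished isakmpd.conf back to flag short keys, reused keys and duplicate addresses. The minimum key length matters here because IKEv1 aggressive mode sends the responder's authentication hash before the exchange is encrypted, so a captured negotiation can be run against a wordlist offline. The pool, DNS/WINS addresses, domain and usernames are constructed sample values; the minimal parser only handles the section, Key= Value and full-line # comment syntax seen in the example file.

```python
"""Generate and sanity-check per-client isakmpd.conf sections (added example).

Assumes the per-ID section layout shown in the thread: [user@domain] with
Authentication, Address, Netmask, Nameserver and WINS-server keys.
"""
import ipaddress
import secrets

# Constructed sample values for this example, not taken from the post.
POOL = "192.168.254.0/24"
DNS = "10.1.1.10"
WINS = "10.1.1.11"
DOMAIN = "yourdomain.com"

# Aggressive-mode PSKs are exposed to offline guessing; keep them long.
MIN_PSK_LEN = 20


def make_psk(nbytes=24):
    """Random high-entropy pre-shared key (base64url, no whitespace)."""
    return secrets.token_urlsafe(nbytes)


def client_sections(users, domain=DOMAIN, pool=POOL, dns=DNS, wins=WINS,
                    psk_func=make_psk):
    """Emit one [user@domain] section per user in isakmpd.conf syntax.

    Addresses are taken from the pool in order and the Netmask is the pool's.
    Returns (conf_text, {client_id: (psk, address)}).
    """
    net = ipaddress.ip_network(pool)
    hosts = net.hosts()
    lines, table = [], {}
    for user in users:
        try:
            addr = next(hosts)
        except StopIteration:
            raise ValueError("address pool %s exhausted" % pool)
        ident = "%s@%s" % (user, domain)
        psk = psk_func()
        lines += [
            "[%s]" % ident,
            "Authentication= %s" % psk,
            "Address= %s" % addr,
            "Netmask= %s" % net.netmask,
            "Nameserver= %s" % dns,
            "WINS-server= %s" % wins,
            "",
        ]
        table[ident] = (psk, str(addr))
    return "\n".join(lines), table


def parse_isakmpd_conf(text):
    """Minimal reader: [Section] headers, Key= Value lines, full-line # comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def check_clients(sections):
    """Return a list of problems found in the client ID sections (names with '@')."""
    problems, seen_addr, seen_psk = [], {}, {}
    for name, keys in sections.items():
        if "@" not in name:
            continue
        psk = keys.get("Authentication", "")
        addr = keys.get("Address")
        if len(psk) < MIN_PSK_LEN:
            problems.append("%s: pre-shared key shorter than %d characters"
                            % (name, MIN_PSK_LEN))
        if psk in seen_psk:
            problems.append("%s: pre-shared key reused from %s" % (name, seen_psk[psk]))
        seen_psk.setdefault(psk, name)
        if addr is None:
            problems.append("%s: no Address, client gets no virtual address" % name)
            continue
        if addr in seen_addr:
            problems.append("%s: Address %s already assigned to %s"
                            % (name, addr, seen_addr[addr]))
        seen_addr.setdefault(addr, name)
        for key in ("Nameserver", "WINS-server"):
            if key in keys:
                try:
                    ipaddress.ip_address(keys[key])
                except ValueError:
                    problems.append("%s: %s is not an IP address" % (name, keys[key]))
    return problems


if __name__ == "__main__":
    text, table = client_sections(["user1", "user2", "user3"])
    print(text)
    print("problems:", check_clients(parse_isakmpd_conf(text)))
```

Run it once to print three fresh sections to paste into isakmpd.conf, and keep the printed table of keys for the Shrew Soft side; each client gets the key and user FQDN from its own row. Pointing check_clients at a hand-maintained file catches the two mistakes that surface as "the second client cannot connect": a key pasted twice and an address assigned twice.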