IPSec between OpenBSD 3.9 and Linux with OpenSWAN
IPsec implementations in Linux and Unix distributions have made great strides. It is now relatively easy to create an IPsec tunnel between two boxes of the same type; for example, see [http://www.securityfocus.com/infocus/1859?ref=rss]. But interoperability between platforms still requires the user to wield the dark magic of IPsec. OpenBSD has a very nice IPsec implementation. Read on for sample config files for an OpenBSD to Linux tunnel.
The example is a site-to-site tunnel between OpenBSD 3.9 and Linux with OpenSWAN, authenticated with a pre-shared key (PSK). The PSK is used for simplicity's sake only.
10.10.100.x/24 --[OpenBSD]4.4.4.1-----{Internet}-----3.3.3.1[Linux]--192.168.1.0/24
We will start with a fresh installation of OpenSWAN [http://www.openswan.org/] on CentOS [http://www.centos.org/]. The configuration is very simple:
/etc/ipsec.conf
---Start---
version 2.0

config setup

# Parameters of a conn must be indented; an unindented line starts a new section.
conn ahfmr-to-test
	pfs=no
	# left is the OpenBSD gateway and the network behind it
	left=4.4.4.1
	leftsubnet=10.10.100.0/24
	leftid=@openbsd.domain.local
	leftnexthop=%defaultroute
	# right is this Linux gateway and the network behind it
	right=3.3.3.1
	rightsubnet=192.168.1.0/24
	rightid=@linux.domain.local
	rightnexthop=%defaultroute
	# pre-shared key from /etc/ipsec.secrets, looked up by the two IDs above
	authby=secret
	auto=start
---End---

/etc/ipsec.secrets
---Start---
@openbsd.domain.local @linux.domain.local : PSK "testing123"
---End---
For the OpenBSD configuration we will start with a stock 3.9 install.
/etc/isakmpd/isakmpd.conf
---Start---
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.

[General]
Listen-on= 4.4.4.1

# Incoming phase 1 negotiations are multiplexed on the source IP address
[Phase 1]
3.3.3.1= ISAKMP-peer-west

# These connections are walked over after config file parsing and told
# to the application layer so that it will inform us when traffic wants to
# pass over them. This means we can do on-demand keying.
[Phase 2]
Connections= IPsec-east-west
Passive-connections= IPsec-east-west

# Our own phase 1 identity; must match leftid in ipsec.conf on the Linux side
[my-fqdn]
ID-type= FQDN
Name= openbsd.domain.local

[my-ipv4-addr]
ID-type= IPV4_ADDR
Address= 4.4.4.1

# Default values are commented out.
[ISAKMP-peer-west]
Phase= 1
Address= 3.3.3.1
# The pre-shared key; must match the PSK in /etc/ipsec.secrets on the Linux side
Authentication= testing123
Configuration= main-mode
ID= my-fqdn
Remote-ID= freeswan-fqdn

# The Linux peer's phase 1 identity (rightid in ipsec.conf)
[freeswan-fqdn]
ID-type= FQDN
Name= linux.domain.local

# Phase 2: Local-ID is the network behind this (OpenBSD) gateway, Remote-ID the
# network behind the Linux gateway. Note the section names: "west" is the
# OpenBSD side (10.10.100.0/24) and "east" the Linux side (192.168.1.0/24).
[IPsec-east-west]
Phase= 2
ISAKMP-peer= ISAKMP-peer-west
Configuration= quick-mode
Local-ID= Net-west
Remote-ID= Net-east

[Net-west]
ID-type= IPV4_ADDR_SUBNET
Network= 10.10.100.0
Netmask= 255.255.255.0

[Net-east]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.1.0
Netmask= 255.255.255.0

[main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
# 3DES-SHA is the pre-shared-key transform; it is the one a PSK peer will accept
Transforms= 3DES-SHA-RSA_SIG, 3DES-SHA

[quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-SUITE, QM-ESP-3DES-SHA-SUITE
---End---

/etc/isakmpd/isakmpd.policy
---Start---
KeyNote-Version: 2
Authorizer: "POLICY"
Comment: This bare-bones assertion accepts everything
---End---
Then start the tunnel with "service ipsec start" on the Linux box and "isakmpd" on the OpenBSD box. Two useful debugging commands are "ipsec whack --status" on Linux and, on OpenBSD, running isakmpd in the foreground with "isakmpd -d".
This solution is by no means as secure as it could be; it is just a starting point. Hope this is of some interest.
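As an added check (example code written for this post, not part of the original or of either project), the script below parses a constructed copy of the two configurations above and reports every value the two ends must agree on: the phase 1 identities (leftid/rightid against the FQDN sections isakmpd names in ID and Remote-ID), the PSK (ipsec.secrets against Authentication), and the phase 2 selectors (isakmpd's Local-ID against leftsubnet, Remote-ID against rightsubnet). It also flags the two settings that make this configuration a starting point only, pfs=no and the ten-character PSK. The parsers handle only the subset of each file format shown on this page, and the second, deliberately swapped isakmpd.conf is constructed for the demonstration.

```python
"""Added example: does an Openswan ipsec.conf/ipsec.secrets pair agree with an OpenBSD
isakmpd.conf on the post's PSK tunnel? 'left' is the OpenBSD end; config text is inline."""
import re

OPENSWAN_CONF = """\
conn ahfmr-to-test
        pfs=no
        left=4.4.4.1
        leftsubnet=10.10.100.0/24
        leftid=@openbsd.domain.local
        right=3.3.3.1
        rightsubnet=192.168.1.0/24
        rightid=@linux.domain.local
"""
OPENSWAN_SECRETS = '@openbsd.domain.local @linux.domain.local : PSK "testing123"\n'

# OpenBSD side, trimmed to the tags read. Local-ID = OpenBSD subnet, Remote-ID = Linux.
ISAKMPD_CONF = """\
[my-fqdn]
Name= openbsd.domain.local
[ISAKMP-peer-west]
Authentication= testing123
ID= my-fqdn
Remote-ID= freeswan-fqdn
[freeswan-fqdn]
Name= linux.domain.local
[IPsec-east-west]
Local-ID= Net-west
Remote-ID= Net-east
[Net-west]
Network= 10.10.100.0
Netmask= 255.255.255.0
[Net-east]
Network= 192.168.1.0
netmask= 255.255.255.0
"""
# Same file with the phase 2 selectors pointing at each other's subnet (constructed).
SWAPPED_ISAKMPD_CONF = (ISAKMPD_CONF.replace("Local-ID= Net-west", "Local-ID= Net-east")
                        .replace("Remote-ID= Net-east", "Remote-ID= Net-west"))

def parse_openswan(text):
    """{conn name: {key: value}}. In Openswan's format an unindented line starts a
    section, so only indented key=value lines count as parameters."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():
            words = line.split()
            cur = conns.setdefault(words[1], {}) if words[0] == "conn" else None
        elif cur is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def parse_isakmpd(text):
    """{section: {tag: value}} with tags lower-cased, so Netmask and netmask match."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1], {})
        elif cur is not None and "=" in line:
            tag, val = line.split("=", 1)
            cur[tag.strip().lower()] = val.strip()
    return sections

def parse_secrets(text):
    """{(id_a, id_b): psk} for each 'IDA IDB : PSK "secret"' line."""
    return {(a, b): k for a, b, k in re.findall(r'(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"', text)}

def isakmpd_subnet(sections, name):
    """Render a Network/Netmask section as CIDR, e.g. 10.10.100.0/24."""
    sec = sections[name]
    bits = sum(bin(int(o)).count("1") for o in sec["netmask"].split("."))
    return f"{sec['network']}/{bits}"

def check_tunnel(openswan_text, secrets_text, isakmpd_text, conn, peer_sec, p2_sec):
    """Return a list of problems; empty means both ends agree and nothing weak was seen."""
    c = parse_openswan(openswan_text)[conn]
    isa = parse_isakmpd(isakmpd_text)
    peer, p2 = isa[peer_sec], isa[p2_sec]
    own_id = "@" + isa[peer["id"]]["name"]            # isakmpd's own phase 1 ID
    remote_id = "@" + isa[peer["remote-id"]]["name"]  # ID isakmpd expects from Linux
    problems = [f"{k}={c.get(k)} does not match isakmpd ID {want}" for k, want
                in (("leftid", own_id), ("rightid", remote_id)) if c.get(k) != want]
    secrets = parse_secrets(secrets_text)
    psk = secrets.get((own_id, remote_id), secrets.get((remote_id, own_id)))
    if psk is None:
        problems.append("ipsec.secrets has no PSK entry for these two IDs")
    elif psk != peer.get("authentication"):
        problems.append("PSK in ipsec.secrets differs from isakmpd Authentication")
    for tag, side, want in (("local-id", "OpenBSD", c.get("leftsubnet")),
                            ("remote-id", "Linux", c.get("rightsubnet"))):
        got = isakmpd_subnet(isa, p2[tag])
        if got != want:
            problems.append(f"isakmpd {tag} {got} is not the {side} subnet {want}")
    # Weak settings the post itself describes as a starting point only.
    if c.get("pfs", "yes").lower() == "no":
        problems.append("pfs=no: no fresh Diffie-Hellman exchange per phase 2 SA")
    if psk is not None and len(psk) < 20:
        problems.append("PSK is short and guessable; use a long random secret")
    return problems
```

Running check_tunnel on the page's configuration returns only the two hardening items; running it on the swapped copy additionally reports both phase 2 selectors as mismatched, a mistake that would otherwise only show up as a failed quick mode negotiation in the isakmpd -d output. The accept-everything isakmpd.policy is outside what this check covers.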
Yes, I think I understand…esp. the Exchange quick-mode. (smile) One suggestion for the rest of us dunder-head techies…spell check.
Keep it up. Cheers, D
Comment by S. Thomas Berg — June 6, 2006 @ 2:43 pm