[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
VPN in OpenBSD-current
- To: announce_(_at_)_openbsd_(_dot_)_org
- Subject: VPN in OpenBSD-current
- From: Niels Provos <provos_(_at_)_power5_(_dot_)_physnet_(_dot_)_uni-hamburg_(_dot_)_de>
- Date: 7 Jun 1998 21:31:43 +0200
- Delivery-date: Sun Jun 7 21:38:37 1998
- Organization: PHYSnet, Uni Hamburg
Virtual Private Networks in OpenBSD-current
OpenBSD can now be used to create Virtual Private Networks with
dynamic rekeying. Subnets can be connected via an IPSec encrypted
and authenticated tunnel. The necessary encryption keys are created
dynamically by the Photuris Key Management Daemon which allows for
frequent key changes.
The setup is fairly simple. Both security gateways need to run the
photurisd(8) daemon in VPN-mode and add a special routing entry
with the ipsecadm(1) tool, see vpn(8).
NOTE: Users of OpenBSD 2.3 need to update their sources with cvs
More information about OpenBSD can be found at http://www.openbsd.org/.
Here an excerpt from the vpn(8) manpage:
vpn - configuring the system for virtual private networks
A virtual private network is used to connect two or more subnets
via the internet. For each subnet there is a security gateway
which is connected via a cryptographically secured tunnel to
the security gateway of the other subnet. In OpenBSD ipsec(4)
is used to provide the necessary cryptographical services.
This document describes the configuration process for setting
up a VPN.
Both subnets need to configure ipsec(4) routes with the
On the security gateway of subnet A:
ipsecadm flow -dst gatewB -spi 1 -addr netA netAmask netB netBmask -local
and on the security gateway of subnet B:
ipsecadm flow -dst gatewA -spi 1 -addr netB netBmask netA netAmask -local
Additionally both security gateways need to start the photurisd(8)
key management daemon with the -v flag and have to make sure
that it is configured properly on both sides to provide
encryption and authentication.
Now ipf(1) needs to be configured that all packets from the
outside are blocked. Only packets from the security gateways
either on the enc0 interface or UDP packets with source and
remote ports of 468 should be allowed in.
ipf(1), ipsecadm(1), ipsec(4), photurisd(8).
- PHYSnet Rechnerverbund PGP V2.6 Public key via finger or key server
Universitaet Hamburg WWW: http://www.physnet.uni-hamburg.de/provos/
Jungiusstrasse 9 E-Mail: provos_(_at_)_wserver_(_dot_)_physnet_(_dot_)_uni-hamburg_(_dot_)_de
Germany 20355 Hamburg Tel.: +49 40 4123-2404 Fax: -6571