
VPN in OpenBSD-current



             Virtual Private Networks in OpenBSD-current
             -------------------------------------------

OpenBSD can now be used to create Virtual Private Networks with
dynamic rekeying.  Subnets can be connected via an IPSec encrypted
and authenticated tunnel.  The necessary encryption keys are created
dynamically by the Photuris Key Management Daemon, which allows for
frequent key changes.

The setup is fairly simple.  Both security gateways need to run the
photurisd(8) daemon in VPN-mode and add a special routing entry
with the ipsecadm(1) tool, see vpn(8).

NOTE: Users of OpenBSD 2.3 need to update their sources with cvs
to current.

More information about OpenBSD can be found at http://www.openbsd.org/.

Here is an excerpt from the vpn(8) manpage:

     vpn - configuring the system for virtual private networks

DESCRIPTION
     A virtual private network is used to connect two or more subnets
     via the internet.  For each subnet there is a security gateway
     which is connected via a cryptographically secured tunnel to
     the security gateway of the other subnet.  In OpenBSD ipsec(4)
     is used to provide the necessary cryptographical services.
     This document describes the configuration process for setting
     up a VPN.

     Both subnets need to configure ipsec(4) routes with the
     ipsecadm(1) tool:

     On the security gateway of subnet A:

     ipsecadm flow -dst gatewB -spi 1 -addr netA netAmask netB netBmask -local

     and on the security gateway of subnet B:

     ipsecadm flow -dst gatewA -spi 1 -addr netB netBmask netA netAmask -local

     Additionally both security gateways need to start the photurisd(8)
     key management daemon with the -v flag and have to make sure
     that it is configured properly on both sides to provide
     encryption and authentication.

     Now ipf(1) needs to be configured so that all packets from the
     outside are blocked.  Only packets from the security gateways,
     either on the enc0 interface or UDP packets with source and
     remote ports of 468, should be allowed in.

SEE ALSO
     ipf(1), ipsecadm(1), ipsec(4), photurisd(8).
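The two-gateway setup from the vpn(8) steps above, as an added shell example that is not part of the original post or of OpenBSD: it generates each gateway's ipsecadm(1) flow entry and ipf(5) ruleset from one description of the tunnel and checks that the two flow entries are mirror images of each other, which is the usual thing to get wrong. The gateway and subnet addresses, the outside interface name ext0 and the helper function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenBSD). All addresses
# and the interface name ext0 are constructed placeholders.

# Print the ipsecadm(1) flow command for one gateway: packets from its own
# subnet to the remote subnet are sent through ipsec(4) to the remote gateway.
# args: REMOTEGW LOCALNET LOCALMASK REMOTENET REMOTEMASK
vpn_flow_cmd() {
    printf 'ipsecadm flow -dst %s -spi 1 -addr %s %s %s %s -local\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Print the ipf(5) rules vpn(8) asks for: deny everything arriving from the
# outside, then admit only decapsulated tunnel traffic on enc0 and the
# Photuris exchange (photurisd -v on both sides, UDP port 468 at both ends)
# coming from the peer gateway. ipf applies the last matching rule, so the
# pass rules are listed after the block rules.
# args: EXTIF LOCALGW REMOTEGW LOCALNET LOCALMASK REMOTENET REMOTEMASK
vpn_ipf_rules() {
    cat <<EOF
block in on $1 all
block in on enc0 all
pass in on enc0 from $6/$7 to $4/$5
pass in on $1 proto udp from $3 port = 468 to $2 port = 468
EOF
}

# Consistency check for the two sides: the -addr list of gateway B must be
# the -addr list of gateway A with local and remote swapped. Returns 0 if so.
# args: FLOW_A FLOW_B (the two ipsecadm lines)
vpn_flows_mirror() {
    a=$(printf '%s\n' "$1" | sed 's/.*-addr \(.*\) -local$/\1/')
    b=$(printf '%s\n' "$2" | sed 's/.*-addr \(.*\) -local$/\1/')
    set -- $a
    [ "$b" = "$3 $4 $1 $2" ]
}

# Constructed addresses for the two sites.
GW_A=192.0.2.1;    NET_A=10.1.0.0; MASK_A=255.255.0.0
GW_B=198.51.100.1; NET_B=10.2.0.0; MASK_B=255.255.0.0
FLOW_A=$(vpn_flow_cmd "$GW_B" "$NET_A" "$MASK_A" "$NET_B" "$MASK_B")
FLOW_B=$(vpn_flow_cmd "$GW_A" "$NET_B" "$MASK_B" "$NET_A" "$MASK_A")
```

Run it on gateway A with `vpn_ipf_rules ext0 "$GW_A" "$GW_B" "$NET_A" "$MASK_A" "$NET_B" "$MASK_B"` to get the ruleset, and on gateway B with the local and remote arguments swapped.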

-- 
- PHYSnet Rechnerverbund     PGP V2.6 Public key via finger or key server
  Niels Provos               
  Universitaet Hamburg       WWW: http://www.physnet.uni-hamburg.de/provos/   
  Jungiusstrasse 9           E-Mail: provos_(_at_)_wserver_(_dot_)_physnet_(_dot_)_uni-hamburg_(_dot_)_de
  Germany 20355 Hamburg      Tel.:   +49 40 4123-2404     Fax: -6571