VPN in OpenBSD-current
- To: announce_(_at_)_openbsd_(_dot_)_org
- Subject: VPN in OpenBSD-current
- From: Niels Provos <provos_(_at_)_power5_(_dot_)_physnet_(_dot_)_uni-hamburg_(_dot_)_de>
- Date: 7 Jun 1998 21:31:43 +0200
- Delivery-date: Sun Jun 7 21:38:37 1998
- Organization: PHYSnet, Uni Hamburg
Virtual Private Networks in OpenBSD-current
-------------------------------------------
OpenBSD can now be used to create Virtual Private Networks with
dynamic rekeying. Subnets can be connected via an IPSec encrypted
and authenticated tunnel. The necessary encryption keys are created
dynamically by the Photuris Key Management Daemon, which allows for
frequent key changes.
The setup is fairly simple. Both security gateways need to run the
photurisd(8) daemon in VPN mode and add a special routing entry
with the ipsecadm(1) tool; see vpn(8).
NOTE: Users of OpenBSD 2.3 need to update their sources with cvs
to current.
More information about OpenBSD can be found at http://www.openbsd.org/.
Here is an excerpt from the vpn(8) manpage:
vpn - configuring the system for virtual private networks
DESCRIPTION
A virtual private network is used to connect two or more subnets
via the internet. For each subnet there is a security gateway
which is connected via a cryptographically secured tunnel to
the security gateway of the other subnet. In OpenBSD ipsec(4)
is used to provide the necessary cryptographical services.
This document describes the configuration process for setting
up a VPN.
Both subnets need to configure ipsec(4) routes with the
ipsecadm(1) tool:
On the security gateway of subnet A:
ipsecadm flow -dst gatewB -spi 1 -addr netA netAmask netB netBmask -local
and on the security gateway of subnet B:
ipsecadm flow -dst gatewA -spi 1 -addr netB netBmask netA netAmask -local
Additionally both security gateways need to start the photurisd(8)
key management daemon with the -v flag and have to make sure
that it is configured properly on both sides to provide
encryption and authentication.
Now ipf(1) needs to be configured so that all packets from the
outside are blocked. Only packets from the security gateways,
either on the enc0 interface or UDP packets with source and
destination port 468, should be allowed in.
SEE ALSO
ipf(1), ipsecadm(1), ipsec(4), photurisd(8).
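The three steps above (ipsecadm flow, photurisd -v, ipf rules) for one gateway, written out as an added example that is not part of the announcement or of vpn(8). Addresses, masks and the outside interface name ne0 are constructed samples, and the ESP/AH pass rules on the outside interface are an assumption about filter ordering that the announcement does not state.

```shell
#!/bin/sh
# Added example, not code from the announcement or from vpn(8): print the
# setup steps for ONE security gateway of the VPN described above. Nothing is
# applied; review the output, then run it on the gateway once the values fit.
# All addresses, masks and the outside interface name are constructed samples.
GATEW_A=192.0.2.1;    NET_A=10.1.0.0; MASK_A=255.255.255.0
GATEW_B=198.51.100.1; NET_B=10.2.0.0; MASK_B=255.255.255.0
EXT_IF=ne0            # outside interface; enc0 is the ipsec(4) pseudo-interface

# Step 1: the ipsecadm(1) flow for the local side, local subnet first and the
# peer subnet second, which is how vpn(8) mirrors the command between A and B.
# $1 peer gateway, $2 local net, $3 local mask, $4 peer net, $5 peer mask
flow_cmd() {
    echo "ipsecadm flow -dst $1 -spi 1 -addr $2 $3 $4 $5 -local"
}

# Step 3: an ipf(5) ruleset. Only the pass rules carry "quick"; everything else
# from the outside, and anything on enc0 that is not the peer's subnet, falls
# through to the block rules. ESP/AH from the peer has to pass the outside
# interface before decryption (assumption about filter ordering; the
# announcement only names enc0 and UDP port 468).
# $1 local gw, $2 peer gw, $3 local net, $4 local mask, $5 peer net, $6 peer mask
ipf_rules() {
    cat <<EOF
pass in quick on $EXT_IF proto udp from $2 port = 468 to $1 port = 468
pass in quick on $EXT_IF proto esp from $2 to $1
pass in quick on $EXT_IF proto ah from $2 to $1
pass in quick on enc0 from $5 mask $6 to $3 mask $4
block in log on $EXT_IF from any to any
block in log on enc0 from any to any
EOF
}

# Print all steps for gateway "A" or "B". Step 2 is photurisd(8) in VPN mode,
# which assumes its own configuration is already in place on both sides.
gateway_setup() {
    case "$1" in
        A) flow_cmd "$GATEW_B" "$NET_A" "$MASK_A" "$NET_B" "$MASK_B"
           echo "photurisd -v"
           echo "# ipf(5) rules for this gateway (load with ipf -f <file>):"
           ipf_rules "$GATEW_A" "$GATEW_B" "$NET_A" "$MASK_A" "$NET_B" "$MASK_B" ;;
        B) flow_cmd "$GATEW_A" "$NET_B" "$MASK_B" "$NET_A" "$MASK_A"
           echo "photurisd -v"
           echo "# ipf(5) rules for this gateway (load with ipf -f <file>):"
           ipf_rules "$GATEW_B" "$GATEW_A" "$NET_B" "$MASK_B" "$NET_A" "$MASK_A" ;;
        *) echo "usage: $0 A|B" >&2; return 1 ;;
    esac
}

if [ $# -gt 0 ]; then gateway_setup "$1"; fi
```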
--
Niels Provos
PHYSnet Rechnerverbund, Universitaet Hamburg
Jungiusstrasse 9, 20355 Hamburg, Germany
WWW: http://www.physnet.uni-hamburg.de/provos/
E-Mail: provos_(_at_)_wserver_(_dot_)_physnet_(_dot_)_uni-hamburg_(_dot_)_de
Tel.: +49 40 4123-2404 Fax: -6571
PGP V2.6 Public key via finger or key server