OpenBSD 6.0 with ikev2

Here is my config for a VPN server with ikev2 on OpenBSD 6.0.

For more details, here is the link I used for setup.

http://puffysecurity.com/wiki/openikedoffshore.html

One problem with this setup: if the connection drops, it takes several minutes to reconnect.

Have not tested this with OpenBSD 6.1.

This config may need fixing!

Server Config

Server IP address = A.B.C.D

vi /etc/iked.conf


ikev2 passive ipcomp esp \
from 0.0.0.0/0 to 10.0.0.0/8 \
from 0.0.0.0/0 to 172.16.0.0/12 \
from 0.0.0.0/0 to 192.168.0.0/16 \
local A.B.C.D peer any \
srcid A.B.C.D \
lifetime 3h bytes 2G \
tag IKED

Note: The srcid A.B.C.D must match the Client SSL Certificate's Common Name.

vi /etc/pf.conf

#	$OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf


set limit { states 200000, frags 10000, src-nodes 2000 }
set limit tables 1000
set limit table-entries 100000


SSHipPASS = "{ 1.2.3.4/23, 10.0.0.0/8 }"

set reassemble yes
set block-policy return
#set loginterface egress
set skip on { lo, enc }

match in all scrub (no-df random-id max-mss 1460)

table <bruteforce> persist

block in

block in quick from urpf-failed label uRPF
block quick from <bruteforce>

pass out all

pass in on egress proto udp from any to any port { isakmp, ipsec-nat-t }
pass in on egress proto { ah, esp }
pass out on egress \
        from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } \
        to { ! 10.0.0.0/8, ! 172.16.0.0/12, ! 192.168.0.0/16 } \
        nat-to (egress)

pass in quick inet proto icmp icmp-type { echoreq, unreach }


pass in quick proto tcp from $SSHipPASS \
        to (egress) port ssh \
        flags S/SA modulate state \
        (max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)

block in quick proto tcp from any \
        to (egress) port ssh

Client Config (OpenBSD Router Box)

vi /etc/iked.conf


ikev2 active ipcomp esp \
 from 10.0.0.0/8 to 0.0.0.0/0 \
 from 172.16.0.0/12 to 0.0.0.0/0 \
 from 192.168.0.0/16 to 0.0.0.0/0 \
 peer A.B.C.D \
 srcid client.example.com \
 tag IKED

Note: The srcid client.example.com must match the Client SSL Certificate's Common Name.
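The two iked.conf policies above only work together if every server flow "from A to B" has a matching client flow "from B to A", and if each side's srcid matches the Common Name in its certificate; either mismatch brings the SA up with no usable traffic or stops authentication. The following script is an added example (it is not from the post and not part of OpenBSD's iked): it folds the backslash continuations, parses both policies, lists any unmirrored flows, and compares srcid against a constructed openssl-style subject line. It assumes the simple grammar used in the post (from/to pairs without port qualifiers).

```python
"""Added example, not part of the original post: parse the server and client
iked.conf policies shown above, check that the client's flows mirror the
server's (src/dst swapped), and compare srcid with a certificate CN."""
import re

# Constructed copies of the two policies from the post (server, then client).
SERVER_CONF = r"""
ikev2 passive ipcomp esp \
from 0.0.0.0/0 to 10.0.0.0/8 \
from 0.0.0.0/0 to 172.16.0.0/12 \
from 0.0.0.0/0 to 192.168.0.0/16 \
local A.B.C.D peer any \
srcid A.B.C.D \
lifetime 3h bytes 2G \
tag IKED
"""

CLIENT_CONF = r"""
ikev2 active ipcomp esp \
 from 10.0.0.0/8 to 0.0.0.0/0 \
 from 172.16.0.0/12 to 0.0.0.0/0 \
 from 192.168.0.0/16 to 0.0.0.0/0 \
 peer A.B.C.D \
 srcid client.example.com \
 tag IKED
"""


def logical_lines(text):
    """Fold backslash-newline continuations into one line per statement,
    dropping comments and blank lines."""
    out, cur = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("\\"):
            cur += line[:-1].rstrip() + " "
        else:
            out.append((cur + line).strip())
            cur = ""
    if cur:
        out.append(cur.strip())
    return out


def parse_policy(text):
    """Return the first ikev2 policy as a dict. Assumes the simple grammar used
    in the post: 'from SRC to DST' pairs without port qualifiers."""
    for line in logical_lines(text):
        toks = line.split()
        if toks[0] != "ikev2":
            continue
        pol = {"mode": None, "flows": [], "srcid": None, "peer": None, "local": None}
        i = 1
        while i < len(toks):
            t = toks[i]
            if t in ("active", "passive"):
                pol["mode"] = t
                i += 1
            elif t == "from" and i + 3 < len(toks) and toks[i + 2] == "to":
                pol["flows"].append((toks[i + 1], toks[i + 3]))
                i += 4
            elif t in ("srcid", "peer", "local") and i + 1 < len(toks):
                pol[t] = toks[i + 1]
                i += 2
            else:
                i += 1
        return pol
    raise ValueError("no ikev2 policy found")


def mirror_gaps(server, client):
    """Flows that are not mirrored: a server 'from A to B' needs a client
    'from B to A', otherwise the SA comes up but no traffic matches it."""
    srv = set(server["flows"])
    cli = {(dst, src) for src, dst in client["flows"]}
    return sorted(srv ^ cli)


def cn_from_subject(subject):
    """Pull the CN out of an 'openssl x509 -noout -subject' style line
    (handles both 'CN=' and 'CN = ' spellings, '/'- or ','-separated)."""
    m = re.search(r"CN\s*=\s*([^,/]+)", subject)
    return m.group(1).strip() if m else None


def srcid_matches_cert(policy, subject):
    """True when the policy's srcid equals the certificate's Common Name."""
    return policy["srcid"] == cn_from_subject(subject)


if __name__ == "__main__":
    srv, cli = parse_policy(SERVER_CONF), parse_policy(CLIENT_CONF)
    print("server:", srv)
    print("client:", cli)
    print("unmirrored flows:", mirror_gaps(srv, cli))
    # Constructed subject line standing in for the client certificate's subject.
    print("srcid ok:", srcid_matches_cert(cli, "subject=CN = client.example.com"))
```

For the post's two policies, mirror_gaps returns an empty list; change one client subnet (say, 192.168.0.0/16 to 192.168.1.0/24) and both the server flow and the client flow show up as unmirrored.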

vi /etc/pf.conf

set reassemble yes
set block-policy return
set skip on { lo, enc }

lan_if = "re1"
ext_if = "pppoe0"

match in all scrub (no-df random-id max-mss 1440)

block in
block in quick from urpf-failed label uRPF


pass out quick on egress proto { tcp, udp } from any to any port { 53, 123, 443, 500, 4500 }
pass in quick on egress proto { tcp, udp } from any to any port { 53, 123, 443, 500, 4500 }

pass in quick on $lan_if proto { tcp, udp } from 10.1.1.0/24 to 10.1.1.1 port { 22, 53 } rdr-to lo0
pass in on egress proto udp from any to any port { isakmp, ipsec-nat-t }
pass in on egress proto { ah, esp }
# nat rule
pass out on $ext_if from { ! 10.0.0.0/8 } to { 10.0.0.0/8 } nat-to ($ext_if:0)

pass in quick inet proto icmp icmp-type { echoreq, unreach }
pass in quick on $lan_if all

block in quick proto tcp from any to (egress) port ssh
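Both pf.conf files above share the three rules the tunnel depends on: inbound UDP 500 and 4500 (isakmp, ipsec-nat-t) for IKE, inbound ESP for the encrypted traffic, and "set skip on enc" so the decrypted packets on enc0 are not filtered a second time. The script below is an added example (not from the post, and not OpenBSD's pfctl) that lints a pf.conf for exactly those three points: it strips comments, folds continuations, expands "name = value" macros such as $SSHipPASS, and reduces each pass/block rule to its direction, protocols and destination ports. The two embedded rule sets are constructed excerpts of the server and client files shown above.

```python
"""Added example, not part of the original post: a small lint over the pf.conf
rules shown for the server and the client, checking that the rules IKEv2 needs
(UDP 500/4500 in, ESP in, 'set skip on enc') are present."""
import re

# Constructed excerpts of the two pf.conf files from the post, kept to the
# lines that matter for the tunnel.
PF_SERVER = r"""
set skip on { lo, enc }
SSHipPASS = "{ 1.2.3.4/23, 10.0.0.0/8 }"
block in
pass out all
pass in on egress proto udp from any to any port { isakmp, ipsec-nat-t }
pass in on egress proto { ah, esp }
pass in quick proto tcp from $SSHipPASS \
        to (egress) port ssh \
        flags S/SA modulate state
block in quick proto tcp from any to (egress) port ssh
"""

PF_CLIENT = r"""
set skip on { lo, enc }
ext_if = "pppoe0"
block in
pass in quick on egress proto { tcp, udp } from any to any port { 53, 123, 443, 500, 4500 }
pass in on egress proto { ah, esp }
"""

PORT_NAMES = {"isakmp": 500, "ipsec-nat-t": 4500, "ssh": 22}


def logical_lines(text):
    """Drop comments and blank lines, fold backslash continuations."""
    out, cur = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("\\"):
            cur += line[:-1].rstrip() + " "
        else:
            out.append((cur + line).strip())
            cur = ""
    if cur:
        out.append(cur.strip())
    return out


def expand_macros(lines):
    """Record 'name = "value"' macro lines and substitute $name elsewhere."""
    macros, out = {}, []
    for line in lines:
        m = re.match(r'^(\w+)\s*=\s*"?(.*?)"?$', line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        out.append(re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), line))
    return out


def braces(s):
    """'{ a, b }' -> ['a', 'b']; a bare word -> [word]."""
    s = s.strip()
    if s.startswith("{"):
        return [x.strip() for x in s.strip("{} ").split(",") if x.strip()]
    return [s]


def port_number(p):
    """Numeric port as int; well-known service names mapped via PORT_NAMES."""
    return int(p) if p.isdigit() else PORT_NAMES.get(p, p)


def parse_rule(line):
    """Reduce a pass/block rule to action, direction, protocols and dst ports."""
    toks = line.split()
    direction = toks[1] if len(toks) > 1 and toks[1] in ("in", "out") else None
    rule = {"action": toks[0], "dir": direction, "proto": [], "dport": []}
    m = re.search(r"\bproto\s+(\{[^}]*\}|\S+)", line)
    if m:
        rule["proto"] = braces(m.group(1))
    m = re.search(r"\bto\s+\S+\s+port\s+(\{[^}]*\}|\S+)", line)
    if m:
        rule["dport"] = [port_number(p) for p in braces(m.group(1))]
    return rule


def ike_checks(text):
    """Does this pf.conf let IKEv2 and ESP in, and skip filtering on enc?"""
    lines = expand_macros(logical_lines(text))
    skip_enc = any(
        l.startswith("set skip on")
        and any(i.startswith("enc") for i in braces(l[len("set skip on"):]))
        for l in lines)
    rules = [parse_rule(l) for l in lines if l.split()[0] in ("pass", "block")]
    inbound = [r for r in rules if r["action"] == "pass" and r["dir"] == "in"]
    return {
        "skip_enc": skip_enc,
        "ike_udp": any("udp" in r["proto"] and {500, 4500} <= set(r["dport"]) for r in inbound),
        "esp": any("esp" in r["proto"] for r in inbound),
    }


if __name__ == "__main__":
    print("server:", ike_checks(PF_SERVER))
    print("client:", ike_checks(PF_CLIENT))
```

Both excerpts pass all three checks; the client file passes the IKE check through its combined "port { 53, 123, 443, 500, 4500 }" rule rather than the isakmp/ipsec-nat-t one. The lint only recognises the subset of pf grammar used in the post (it does not evaluate rule ordering, "quick", interfaces or negated lists), so it is a pre-deploy sanity check, not a substitute for pfctl -nf.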

How to add extra FLOWS

I did not use extra flows; I just configured pf.conf.
