OpenBSD 6.0 with ikev2

Here is my config for a VPN server using IKEv2 on OpenBSD 6.0.

For more details, here is the link I used for the setup.

http://puffysecurity.com/wiki/openikedoffshore.html

One problem with this setup is that if the connection drops, it takes several minutes to reconnect.

I have not tested this with OpenBSD 6.1.

This config may need fixing!

Server Config

Server ip address = A.B.C.D

vi /etc/iked.conf


# Responder side of the tunnel: "passive" waits for clients to initiate,
# "ipcomp esp" negotiates ESP with IP payload compression.
# The three from/to pairs are the flows (traffic selectors): anything on
# the server side (0.0.0.0/0) toward the clients' RFC1918 networks.
# "peer any" lets any address negotiate, so authentication rests entirely
# on the certificates (not shown on this page). No ikesa/childsa transform
# lines are given, so iked's built-in defaults apply.
# "lifetime 3h bytes 2G": rekey after 3 hours or 2 GB, whichever is first.
# "tag IKED" marks the flows' packets for pf; the pf.conf below never
# matches on "tagged IKED", so the tag is currently unused.
ikev2 passive ipcomp esp \
from 0.0.0.0/0 to 10.0.0.0/8 \
from 0.0.0.0/0 to 172.16.0.0/12 \
from 0.0.0.0/0 to 192.168.0.0/16 \
local A.B.C.D peer any \
srcid A.B.C.D \
lifetime 3h bytes 2G \
tag IKED

Note: the srcid A.B.C.D must match the Client SSL Certificate’s Common Name.

vi /etc/pf.conf

#	$OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
#
# Server-side ruleset for the IKEv2 endpoint: default-deny inbound, allow
# IKE/NAT-T and AH/ESP on egress, NAT the clients' private networks out
# through egress, and rate-limit ssh from the allowed sources.


set limit { states 200000, frags 10000, src-nodes 2000 }
set limit tables 1000
set limit table-entries 100000


# Source networks allowed to reach ssh (used by the ssh pass rule below).
# 1.2.3.4/23 is a placeholder: replace it with the real admin network(s).
SSHipPASS = "{ 1.2.3.4/23, 10.0.0.0/8 }"

set reassemble yes
set block-policy return
#set loginterface egress
# enc is skipped, so decrypted VPN traffic is not filtered on enc0; the
# only policy it meets is the egress pass/NAT rules below.
set skip on { lo, enc }

match in all scrub (no-df random-id max-mss 1460)

# Sources that tripped the ssh overload limits. "persist" keeps the table
# across rule reloads; nothing here expires entries automatically.
table <bruteforce> persist

# Default deny inbound; with block-policy return the sender gets a TCP RST
# or ICMP unreachable instead of a silent drop.
block in 

block in quick from urpf-failed label uRPF
# Evaluated before the ssh pass rule, so overloaded sources stay locked out.
block quick from <bruteforce>

pass out all

# IKEv2 (udp/500), NAT-T (udp/4500), then the encrypted payloads.
pass in on egress proto udp from any to any port { isakmp, ipsec-nat-t }
pass in on egress proto { ah, esp }
# NAT client traffic leaving for the Internet.
# NOTE(review): pf expands a list of negated addresses into one rule per
# entry, so "to { ! a, ! b, ! c }" matches any destination that differs
# from at least one entry; pf.conf(5) warns that negation inside lists
# gives unexpected results. As written this appears to match every
# destination, including the private networks. A table holding the three
# networks, matched with a single "! <table>", expresses "none of these".
pass out on egress \
        from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } \
        to { ! 10.0.0.0/8, ! 172.16.0.0/12, ! 192.168.0.0/16 } \
        nat-to (egress)

pass in quick inet proto icmp icmp-type { echoreq, unreach }


# ssh only from $SSHipPASS, with per-source limits: a source exceeding 15
# concurrent connections or 15 new connections per 5 s is added to
# <bruteforce> and all of its existing states are flushed.
pass in quick proto tcp from $SSHipPASS \
        to (egress) port ssh \
        flags S/SA modulate state \
        (max-src-conn 15, max-src-conn-rate 15/5, overload <bruteforce> flush global)

# Explicit deny for ssh from everyone else; "block in" above already covers
# this, the quick rule only makes the intent visible.
block in quick proto tcp from any \
        to (egress) port ssh 

Client Config: OpenBSD Router Box

vi /etc/iked.conf


# Initiator side: the router actively brings the tunnel up toward A.B.C.D.
# The flows send the local RFC1918 networks to everywhere (0.0.0.0/0), i.e.
# all LAN traffic goes through the tunnel.
# Unlike the server's "lifetime 3h bytes 2G", no lifetime is given here, so
# the default applies. "tag IKED" is set but no pf rule below matches on it.
ikev2 active ipcomp esp \
 from 10.0.0.0/8 to 0.0.0.0/0 \
 from 172.16.0.0/12 to 0.0.0.0/0 \
 from 192.168.0.0/16 to 0.0.0.0/0 \
 peer A.B.C.D \
 srcid client.example.com \
 tag IKED

Note: the srcid client.example.com must match the Client SSL Certificate’s Common Name.

vi /etc/pf.conf

# Client-side ruleset for the OpenBSD router that initiates the tunnel.
# There is no "block out", so outbound traffic not matched by any rule is
# passed by pf's default policy.
set reassemble yes
set block-policy return
# enc is skipped: traffic arriving from the tunnel is not filtered on enc0.
set skip on { lo, enc }

lan_if = "re1"
ext_if = "pppoe0"

# Lower MSS than the server's 1460 to fit the PPPoE path.
match in all scrub (no-df random-id max-mss 1440)

block in
block in quick from urpf-failed label uRPF


pass out quick on egress proto { tcp, udp } from any to any port { 53, 123, 443, 500, 4500 }
# NOTE(review): this "pass in" accepts new inbound tcp/udp connections from
# anywhere on egress to 53, 123, 443, 500 and 4500. Replies to the "pass out"
# rule above are already allowed by its state, so unless this box serves
# DNS/NTP/HTTPS to the Internet this is wider than needed. It also makes the
# IKE/NAT-T rule further down redundant for udp 500/4500.
pass in quick on egress proto { tcp, udp } from any to any port { 53, 123, 443, 500, 4500 }

# LAN hosts reach the router's own ssh and DNS at 10.1.1.1; redirected to lo0.
pass in quick on $lan_if proto { tcp, udp } from 10.1.1.0/24 to 10.1.1.1 port { 22, 53 } rdr-to lo0
pass in on egress proto udp from any to any port { isakmp, ipsec-nat-t }
pass in on egress proto { ah, esp }
# nat rule
# NOTE(review): this only NATs packets from outside 10.0.0.0/8 to
# destinations inside it. LAN sources (10.1.1.0/24) are not NATed here; the
# iked flows above are meant to carry them through the tunnel instead.
# Confirm the from/to direction is what was intended.
pass out on $ext_if from { ! 10.0.0.0/8 } to { 10.0.0.0/8 } nat-to ($ext_if:0)

pass in quick inet proto icmp icmp-type { echoreq, unreach }
# Everything from the LAN side is allowed in.
pass in quick on $lan_if all

# ssh is not in the egress port list above, so "block in" already covers
# it; this rule makes the deny explicit.
block in quick proto tcp from any to (egress) port ssh

How to add extra FLOWS

I did not use extra flows; I just configured pf.conf.

Cisco Internet access with DHCP config

!
! Last configuration change at 18:53:10 EST Tue Sep 20 2016
! NVRAM config last updated at 18:53:17 EST Tue Sep 20 2016
!
! Small-office edge router: DHCP-assigned WAN on FastEthernet0, LAN on
! VLAN 50 with a local DHCP pool, PAT for access-list 50 out of the WAN.
! Lines starting with "!" are comments and are ignored when pasted.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): with password-encryption off, every "password" value below
! is stored in cleartext in the running and startup config.
no service password-encryption
!
hostname c1801r1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
clock timezone EST 10
clock summer-time EDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.100
!
ip dhcp pool DHCP-LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
!
!
ip domain name ipvanquish.com
ip name-server 208.67.220.220
ip name-server 208.67.222.222
multilink bundle-name authenticated
!
!
! "password 0" keeps the credential in cleartext; prefer
! "username admin privilege 15 secret <password>" (hashed) and replace the
! default "cisco" value before deployment.
username admin privilege 15 password 0 cisco
archive
log config
hidekeys
!
!
!
!
!
! WAN side. No inbound access-list is applied here, so only the NAT
! translation state keeps unsolicited Internet traffic away from the LAN.
interface FastEthernet0
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no shutdown
!
interface FastEthernet1
switchport access vlan 50
!
interface FastEthernet2
switchport access vlan 50
!
interface FastEthernet3
switchport access vlan 50
!
interface FastEthernet4
switchport access vlan 50
!
interface FastEthernet5
switchport access vlan 50
!
interface FastEthernet6
switchport access vlan 50
!
interface FastEthernet7
switchport access vlan 50
!
interface FastEthernet8
switchport access vlan 50
!
interface Vlan1
no ip address
!
! LAN side; 192.168.1.1 is also the DHCP default gateway and DNS server.
interface Vlan50
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
!
!
no ip http server
! The router resolves DNS for the LAN (the pool hands out 192.168.1.1).
! NOTE(review): nothing here limits the DNS service to the inside
! interface; confirm it is not reachable from FastEthernet0.
ip dns server
ip nat inside source list 50 interface FastEthernet0 overload
!
access-list 50 permit 192.168.1.0 0.0.0.255
!
control-plane
!
!
line con 0
exec-timeout 480 0
logging synchronous
line aux 0
! vty lines: sources are limited to the LAN by access-class 50 and users
! come from the local database (login local), but "transport input all"
! also accepts telnet, which carries the credentials in cleartext.
! "transport input ssh" restricts access to SSH once RSA keys have been
! generated (not shown here). "privilege level 15" lands every login
! directly in privileged EXEC.
line vty 0 4
access-class 50 in
privilege level 15
logging synchronous
login local
transport input all
line vty 5 15
access-class 50 in
privilege level 15
logging synchronous
login local
transport input all
!
ntp source FastEthernet0
ntp server 103.242.70.5
ntp server 203.23.237.200
ntp server 203.56.27.253 
end

How to generate Cisco IOURC licence key on GNS3 VM with Python 3

CiscoIOUKeygen3f.py


#! /usr/bin/python3
# Flat script: everything runs top to bottom at import time (no main guard),
# so importing this module spawns `hostid` and writes iourc.txt as side
# effects.
print("*********************************************************************")
print("Cisco IOU License Generator - Kal 2011, python port of 2006 C version")
import os
import socket
import hashlib
import struct
# get the host id and host name to calculate the hostkey
# os.popen runs the fixed command string through a shell; no untrusted input
# reaches it. If `hostid` is missing or prints nothing, int("", 16) below
# raises ValueError.
hostid=os.popen("hostid").read().strip()
hostname = socket.gethostname()
# hostid is parsed as hex; each hostname character's code point is added.
ioukey=int(hostid,16)
for x in hostname:
 ioukey = ioukey + ord(x)
print("hostid=" + hostid +", hostname="+ hostname + ", ioukey=" + hex(ioukey)[2:])
# create the license using md5sum
# Fixed padding bytes surround the key, which is packed as a big-endian
# signed 32-bit int ('!i'): struct.pack raises struct.error if ioukey is
# outside that range.
iouPad1 = b'\x4B\x58\x21\x81\x56\x7B\x0D\xF3\x21\x43\x9B\x7E\xAC\x1D\xE6\x8A'
iouPad2 = b'\x80' + 39*b'\0'
md5input=iouPad1 + iouPad2 + struct.pack('!i', ioukey) + iouPad1
# The license value is the first 16 hex digits of the MD5 digest.
iouLicense=hashlib.md5(md5input).hexdigest()[:16]

print("\nAdd the following text to ~/.iourc:")
print("[license]\n" + hostname + " = " + iouLicense + ";\n")
# Written relative to the current working directory, overwriting any
# existing iourc.txt there.
with open("iourc.txt", "wt") as out_file:
 out_file.write("[license]\n" + hostname + " = " + iouLicense + ";\n")
print("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nAlready copy to the file iourc.txt\n ")

print("You can disable the phone home feature with something like:")
print(" echo '127.0.0.127 xml.cisco.com' >> /etc/hosts\n")

To run this python script copy text to CiscoIOUKeygen3f.py or
wget http://www.ipvanquish.com/download/CiscoIOUKeygen3f.py

‘python3 CiscoIOUKeygen3f.py’

Here is a link for Cisco IOU gen for Python 2

Here is a link for Routing Loop

Cisco ADSL config

conf t
!
! ADSL edge router: PPPoA over ATM0 via Dialer1 (WAN), LAN on
! FastEthernet0 with a local DHCP pool, PAT for access-list 10.
! Lines starting with "!" are comments and are ignored when pasted.
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! Type 7 obfuscation only: it hides "password" values from casual viewing
! but is reversible. "enable secret" and "username ... secret" hash instead.
service password-encryption
service sequence-numbers
!
hostname ASDL-R
!
boot-start-marker
boot-end-marker
!
logging buffered 16256
logging rate-limit 15
! "ciscosecret" is a placeholder; set a real value.
enable secret ciscosecret
!
no aaa new-model
clock timezone EST 10
clock summer-time EDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.1.1 10.1.1.100
!
ip dhcp pool 10.1.1.0/24
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
dns-server 10.1.1.1
!
!
ip domain retry 0
ip domain timeout 1
ip domain name example.com
ip name-server 208.67.220.220
ip name-server 208.67.222.222
multilink bundle-name authenticated
!
!
! NOTE(review): replace the default "cisco" value, and prefer
! "username admin privilege 15 secret <password>" so the stored form is a
! hash rather than reversible type 7.
username admin privilege 15 password cisco
archive
log config
hidekeys
!
!
!
!
!
! LAN side. No inbound access-list is applied to this or the Dialer
! interface, so only NAT translation state keeps unsolicited traffic from
! the WAN away from the LAN.
interface FastEthernet0
description My LAN Interface
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no shutdown
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
! Physical ADSL interface; PVC 8/35 feeds dialer pool 1.
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
no shutdown
!
dsl operating-mode auto
!
interface Vlan1
no ip address
shutdown
!
! WAN side: address, DNS and default route all come from IPCP.
interface Dialer1
description WIC1-ADSL Dialer to Zen
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer-group 2
no cdp enable
ppp authentication chap callin
! ISP credentials (placeholders here). service password-encryption saves
! them as type 7, which is reversible, so treat the saved config as secret.
ppp chap hostname username@isp.com
ppp chap password 0 isp-password
ppp pap sent-username username@isp.com password 0 isp-password
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
!
ip forward-protocol nd
!
!
no ip http server
! The router resolves DNS for the LAN (the pool hands out 10.1.1.1).
! NOTE(review): nothing here limits the DNS service to the inside
! interface; confirm it is not reachable from Dialer1.
ip dns server
ip nat inside source list 10 interface Dialer1 overload
!
access-list 10 permit 10.1.1.0 0.0.0.255
!
control-plane
!
!
! "login local" checks the username entry above, so the line
! "password cisco" on con 0 and the vty lines is not what is verified at
! login; it is a leftover and can be removed.
line con 0
password cisco
logging synchronous
login local
line aux 0
! vty sources are limited to the LAN by access-class 10.
! NOTE(review): no "transport input" is set, so the platform default
! decides whether telnet (cleartext) is accepted; "transport input ssh"
! pins it to SSH once RSA keys exist (not shown here).
line vty 0 15
access-class 10 in
exec-timeout 480 0
password cisco
logging synchronous
login local
!
ntp clock-period 17180148
ntp source Dialer1
! Serves time to the LAN at stratum 5 even if the upstream servers are
! unreachable.
ntp master 5
ntp server 103.242.70.5 source Dialer1
ntp server 203.23.237.200 source Dialer1
ntp server 203.56.27.253 source Dialer1
ntp server 203.0.178.191 source Dialer1
ntp server 202.6.116.123 source Dialer1
ntp server 125.255.139.115 source Dialer1
end

Cisco PPPOE config


conf t
!
! No configuration change since last restart
!
! PPPoE edge router: Gi0/0 carries the PPPoE session into Dialer1 (WAN),
! Gi0/1 is the LAN with a local DHCP pool, PAT for access-list 50.
! Lines starting with "!" are comments and are ignored when pasted.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): with password-encryption off, every "password" value below
! (the admin user and the ISP PPP credentials) is stored in cleartext.
no service password-encryption
!
hostname PPPOE
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
memory-size iomem 10
clock timezone EST 10
clock summer-time EDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
no network-clock-participate wic 1 
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.1.1 10.1.1.100
!
ip dhcp pool DHCP-LAN
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.1 
 dns-server 10.1.1.1 
 netbios-name-server 10.1.1.213 
!
!
ip domain name yourdomain.com
ip name-server 208.67.220.220
ip name-server 208.67.222.222
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki token default removal timeout 0
!
!
!
!
! "password 0" keeps the credential in cleartext; prefer
! "username admin privilege 15 secret <password>" (hashed) and replace the
! default "cisco" value before deployment.
username admin privilege 15 password 0 cisco
archive
 log config
 hidekeys
! 
!
!
!
!
!
!
!
! Physical WAN port: no IP address of its own, only the PPPoE client.
interface Gi0/0
 description PPPOE (Facing the ISP)
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
 no shut
!
! LAN side. No inbound access-list is applied to this or the Dialer
! interface, so only NAT translation state keeps unsolicited traffic from
! the WAN away from the LAN.
interface Gi0/1
 description interface LAN
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no shut
!
! WAN side: address, DNS and default route come from IPCP. "ip mtu 1492"
! leaves room for the 8-byte PPPoE/PPP header inside a 1500-byte frame.
interface Dialer1
 description interface WAN
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly max-reassemblies 64
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 2
 no cdp enable
 ppp authentication chap callin
! ISP credentials (placeholders here), stored in cleartext since
! password-encryption is off; treat the saved config as secret.
 ppp chap hostname username@isp.com
 ppp chap password 0 isp-password
 ppp pap sent-username username@isp.com password 0 isp-password
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
! The router resolves DNS for the LAN (the pool hands out 10.1.1.1).
! NOTE(review): nothing here limits the DNS service to the inside
! interface; confirm it is not reachable from Dialer1.
ip dns server
ip nat inside source list 50 interface Dialer1 overload
!
access-list 50 permit 10.1.1.0 0.0.0.255
no cdp run
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 480 0
 logging synchronous
 login local
line aux 0
! vty lines: sources are limited to the LAN by access-class 50 and users
! come from the local database (login local), but "transport input all"
! also accepts telnet, which carries the credentials in cleartext.
! "transport input ssh" restricts access to SSH once RSA keys have been
! generated (not shown here). "privilege level 15" lands every login
! directly in privileged EXEC.
line vty 0 4
 access-class 50 in
 exec-timeout 480 0
 privilege level 15
 logging synchronous
 login local
 transport input all
line vty 5 15
 access-class 50 in
 exec-timeout 480 0
 privilege level 15
 logging synchronous
 login local
 transport input all
!
scheduler allocate 20000 1000
ntp clock-period 17180284
ntp source Dialer1
ntp server 208.67.220.220
ntp server 103.51.68.133
ntp server 59.167.252.133
!
end