iked(8) OpenBSD road warrior setup anybody?


iked(8) OpenBSD road warrior setup anybody?

Pavel Korovin
Dear all,

Does anybody use iked(8) for remote access (aka Road Warrior setup)
from OpenBSD clients? There's a lot of info on setting it up for
Windows/Android/iOS clients, but I didn't find anything about
OpenBSD clients setup.

I have such setup but with recent changes to iked my VPN connection is
somewhat unstable.

--
With best regards,
Pavel Korovin


Re: iked(8) OpenBSD road warrior setup anybody?

Michael Hekeler
> Does anybody use iked(8) for remote access (aka Road Warrior setup)
> from OpenBSD clients?

Yes. I do.


> There's a lot of info on setting it up for
> Windows/Android/iOS clients, but I didn't find anything about
> OpenBSD clients setup.

The client setup is the same for all platforms (AFAIK).
You can use the GUI client just to create the config file if you like.

After creating it you can start the client without the GUI.


> I have such setup but with recent changes to iked my VPN connection is
> somewhat unstable.

For me it works stably.


Re: iked(8) OpenBSD road warrior setup anybody?

Pavel Korovin
Discussed with Michael off-list and found that he has a different
setup where iked(8) is not involved.

Just in case, my question is about an OpenBSD native iked(8) setup for a
remote access VPN gateway serving an OpenBSD native iked(8) client.
If anybody has such a setup and/or is willing to discuss the details, please
send me a message; I'd prefer to discuss this off-list.

--
With best regards,
Pavel Korovin


Re: iked(8) OpenBSD road warrior setup anybody?

Zé Loff-2
In reply to this post by Pavel Korovin
If you mean OpenBSD "at the office" and OpenBSD on a roaming laptop,
this works for me (tm):

"At the office" iked.conf:

ikev2 dion passive esp \
        from 192.168.99.0/24 to 192.168.100.3 \
        local 192.168.99.1 peer any \
        srcid vpn.example.com dstid dion.example.com


On "the wanderer" iked.conf:

ikev2 home active esp \
        from egress to 192.168.99.0/24 \
        local egress peer vpn.example.com \
        srcid dion.example.com dstid vpn.example.com

On the "wanderer" pf.conf:

match out on enc0 from any to 192.168.99.0/22 nat-to 192.168.100.3 static-port


Some notes:

- Authentication is done using certificates. See man isakmpd for that.

- The server's running 6.0-stable, the client is on -current, both amd64

- Adding srcnat to the client's iked.conf:
                "from egress (192.168.100.3)..."
        as per the man page actually breaks this setup for me.  The tunnel is
        up but nothing goes through it.  This changed around 6.0 (sorry but
        can't pinpoint it).

- "static-port" on the PF rule is there because I want to mount some NFS
        shares and pf "bumped" the port too high and the server wouldn't take
        it.  You shouldn't use it unless you really need it.

Hope it helps.

Cheers



On Mon, Oct 03, 2016 at 04:48:25PM +0300, Pavel Korovin wrote:

> Dear all,
>
> Does anybody use iked(8) for remote access (aka Road Warrior setup)
> from OpenBSD clients? There's a lot of info on setting it up for
> Windows/Android/iOS clients, but I didn't find anything about
> OpenBSD clients setup.
>
> I have such setup but with recent changes to iked my VPN connection is
> somewhat unstable.
>
> --
> With best regards,
> Pavel Korovin
>

--


Re: iked(8) OpenBSD road warrior setup anybody?

Consus
In reply to this post by Pavel Korovin
On 09:47 Tue 04 Oct, Pavel Korovin wrote:
> Discussed with Michael off-the-list and found that he has different
> setup where iked(8) is not involved.
>
> Just in case, my question is about OpenBSD native iked(8) setup for
> remote access VPN gateway to serve OpenBSD native iked(8) client.
> If anybody has such setup and/or willing to discuss the details, please
> send me a message, I'd prefer to discuss this off-the-list.

It would be nice to have a post-mortem summary (probably a short
description of your setup plus the iked configuration files), just in case
someone else needs it.


Re: iked(8) OpenBSD road warrior setup anybody?

Pavel Korovin
In reply to this post by Zé Loff-2
Zé, thank you for your detailed reply!
I put some comments in your message below.

On 10/04, Zé Loff wrote:

> If you mean OpenBSD "at the office" and OpenBSD on a roaming laptop,
> this works for me (tm):
>
> "At the office" iked.conf:
>
> ikev2 dion passive esp \
> from 192.168.99.0/24 to 192.168.100.3 \
> local 192.168.99.1 peer any \
> srcid vpn.example.com dstid dion.example.com

My config is similar:
    ikev2 passive ipcomp esp \
        from 192.168.240.0/21 to 192.168.248.0/24 \
        local <my-real-ip> peer any \
        srcid <my-real-ip> \
        tag "$id"
 
> On "the wanderer" iked.conf:
> ikev2 home active esp \
> from egress to 192.168.99.0/24 \
        ^^^^^^^^^^^
        A-ha. Didn't know it's possible and AFAIK it's undocumented
> local egress peer vpn.example.com \
> srcid dion.example.com dstid vpn.example.com

My wanderer iked.conf:
    ikev2 active ipcomp esp \
        from 192.168.248.231 to 192.168.240.0/21 \
        peer <my-real-ip> \
        srcid client.my.vpn

> On the "wanderer" pf.conf:
>
> match out on enc0 from any to 192.168.99.0/22 nat-to 192.168.100.3 static-port
 
My /etc/pf.conf config:
  match out on enc0 to 192.168.240/21 nat-to 192.168.248.231

I was concerned about the client's dynamic IP, and to deal with the issue I
created a loopback interface and set up a route to the LAN behind the VPN via
this interface:

/etc/hostname.iwn0
    !ifconfig lo248 inet 192.168.248.231 255.255.255.255 mtu 1400 up
    !route add -net 192.168.240.0/21 192.168.248.231 -mtu 1400

I'll try to get rid of this lo248 interface and see if it works for me,
thanks!

--
With best regards,
Pavel Korovin
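As an added worked example (not code from any of the posts above), the script below renders the files the two setups in this thread keep in step: the gateway's iked.conf, the roaming client's iked.conf and pf.conf, and a hostname.if(5) file for the loopback interface Pavel uses to pin the client's inner address. It then cross-checks the one value all of them must agree on, the client's fixed inner address, and runs the real parsers (iked -n, pfctl -n) when they are available. The addresses 203.0.113.10, 192.168.99.0/24 and 192.168.100.3, the identities vpn.example.com and dion.example.com, the interface name lo248 and the output file names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread: render matching configs for an
# OpenBSD gateway and an OpenBSD roaming client, then verify the one
# address they all have to agree on (the client's fixed inner address).
# All addresses, names and paths here are assumptions for illustration.
set -eu

# gen_configs DIR SERVER LAN INNER SERVER_ID CLIENT_ID
#   DIR     output directory            SERVER  gateway's public address
#   LAN     network behind the gateway  INNER   client's fixed inner address
gen_configs() {
    dir=$1 server=$2 lan=$3 inner=$4 sid=$5 cid=$6
    mkdir -p "$dir"
    # gateway: passive, any peer address (road warrior), one flow per client
    cat > "$dir/server-iked.conf" <<EOF
ikev2 rw passive esp \\
        from $lan to $inner \\
        local $server peer any \\
        srcid $sid dstid $cid
EOF
    # client: active, flow from its fixed inner address to the LAN
    cat > "$dir/client-iked.conf" <<EOF
ikev2 home active esp \\
        from $inner to $lan \\
        peer $server \\
        srcid $cid dstid $sid
EOF
    # client pf: rewrite whatever egress address the laptop has to INNER
    cat > "$dir/client-pf.conf" <<EOF
match out on enc0 to $lan nat-to $inner
EOF
    # client: INNER lives on a loopback so it exists regardless of egress,
    # and the LAN is routed through it (hostname.if(5) syntax, '!' = command)
    cat > "$dir/client-hostname.lo248" <<EOF
inet $inner 255.255.255.255
!route add -net $lan $inner
EOF
}

# field_after FILE KEYWORD: token following KEYWORD, with iked.conf
# backslash-newline continuations joined first
field_after() {
    tr -s ' \\\n' ' ' < "$1" |
        awk -v k="$2" '{ for (i = 1; i < NF; i++) if ($i == k) { print $(i+1); exit } }'
}

# check_consistency DIR: 0 if the gateway's "to", the client's "from",
# pf's "nat-to" and the loopback's "inet" are the same address, else 1
check_consistency() {
    dir=$1
    s=$(field_after "$dir/server-iked.conf" to)
    c=$(field_after "$dir/client-iked.conf" from)
    p=$(field_after "$dir/client-pf.conf" nat-to)
    l=$(field_after "$dir/client-hostname.lo248" inet)
    if [ "$s" = "$c" ] && [ "$c" = "$p" ] && [ "$p" = "$l" ]; then
        echo "ok: inner address $c agrees across gateway, client, pf and lo"
        return 0
    fi
    echo "MISMATCH: gateway to=$s client from=$c pf nat-to=$p lo inet=$l" >&2
    return 1
}

# syntax_check DIR: run the real parsers when present (OpenBSD only)
syntax_check() {
    dir=$1
    if command -v iked >/dev/null 2>&1; then
        iked -n -f "$dir/server-iked.conf" && iked -n -f "$dir/client-iked.conf"
    fi
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -n -f "$dir/client-pf.conf"
    fi
}

# stand-alone use: sh thisfile run  -> renders into ./rw-example and checks it
if [ "${1:-}" = "run" ]; then
    gen_configs ./rw-example 203.0.113.10 192.168.99.0/24 192.168.100.3 \
        vpn.example.com dion.example.com
    check_consistency ./rw-example
    syntax_check ./rw-example
fi
```

The consistency check is the part worth keeping around: the thread's confusion is exactly about which address appears where (the gateway's flow destination, the client's flow source, the pf nat-to target and the interface that carries it), and a mismatch in any one of those is silent at the iked level because the tunnel still comes up.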


Re: iked(8) OpenBSD road warrior setup anybody?

Pavel Korovin
In reply to this post by Zé Loff-2
On 10/04, Zé Loff wrote:

> On "the wanderer" iked.conf:
>
> ikev2 home active esp \
> from egress to 192.168.99.0/24 \
> local egress peer vpn.example.com \
> srcid dion.example.com dstid vpn.example.com
>
> On the "wanderer" pf.conf:
>
> match out on enc0 from any to 192.168.99.0/22 nat-to 192.168.100.3 static-port

Zé, do you have an interface with the address 192.168.100.3 on your
wanderer?

--
With best regards,
Pavel Korovin


Re: iked(8) OpenBSD road warrior setup anybody?

Zé Loff-2
> On 04/10/2016, at 11:58, Pavel Korovin <[hidden email]> wrote:
>
>> On 10/04, Zé Loff wrote:
>> On "the wanderer" iked.conf:
>>
>> ikev2 home active esp \
>>    from egress to 192.168.99.0/24 \
>>    local egress peer vpn.example.com \
>>    srcid dion.example.com dstid vpn.example.com
>>
>> On the "wanderer" pf.conf:
>>
>> match out on enc0 from any to 192.168.99.0/22 nat-to 192.168.100.3 static-port
>
> Zé, do you have an interface with the address 192.168.100.3 on your
> wanderer?

No

> --
> With best regards,
> Pavel Korovin


Re: iked(8) OpenBSD road warrior setup anybody?

Pavel Korovin
On 10/04, Zé Loff wrote:

> > On 04/10/2016, at 11:58, Pavel Korovin <[hidden email]> wrote:
> >
> >> On 10/04, Zé Loff wrote:
> >> On "the wanderer" iked.conf:
> >>
> >> ikev2 home active esp \
> >>    from egress to 192.168.99.0/24 \
> >>    local egress peer vpn.example.com \
> >>    srcid dion.example.com dstid vpn.example.com
> >>
> >> On the "wanderer" pf.conf:
> >>
> >> match out on enc0 from any to 192.168.99.0/22 nat-to 192.168.100.3 static-port
> >
> > Zé, do you have an interface with the address 192.168.100.3 on your
> > wanderer?
>
> No

Then how does your pf rewrite the address to 192.168.100.3? I believe there
must be an interface with the address specified in the rewrite rules.
Otherwise, the pf rule won't do anything.
Did you check the "tcpdump -i enc0" output?

--
With best regards,
Pavel Korovin


Re: iked(8) OpenBSD road warrior setup anybody?

Zé Loff-2
> On 04/10/2016, at 18:48, Pavel Korovin <[hidden email]> wrote:
>
> On 10/04, Zé Loff wrote:
>>> On 04/10/2016, at 11:58, Pavel Korovin <[hidden email]> wrote:
>>>
>>>> On 10/04, Zé Loff wrote:
>>>> On "the wanderer" iked.conf:
>>>>
>>>> ikev2 home active esp \
>>>>   from egress to 192.168.99.0/24 \
>>>>   local egress peer vpn.example.com \
>>>>   srcid dion.example.com dstid vpn.example.com
>>>>
>>>> On the "wanderer" pf.conf:
>>>>
>>>> match out on enc0 from any to 192.168.99.0/22 nat-to 192.168.100.3 static-port
>>>
>>> Zé, do you have an interface with the address 192.168.100.3 on your
>>> wanderer?
>>
>> No
>
> Then how your pf rewrites the address to 192.168.100.3? I believe there
> must be an interface with the address specified in the rewrite rules.
> Otherwise, pf rule won't do anything.
> Did you check "tcpdump -i enc0" output?

Hey, like I said, it works for me. I don't know enough to give you a proper
answer to that, I just know that it works like this. I could speculate, but it
would probably amount to noise, so I won't.

Also, like I indicated, adding srcnat to the roaming machine's iked.conf
breaks the setup for me, as the tunnel is established but nothing goes
through.

> --
> With best regards,
> Pavel Korovin


Re: iked(8) OpenBSD road warrior setup anybody?

Pavel Korovin
Zé, thank you for your answers!

I hope my question didn't offend you; as you remember, I asked for
help and you kindly offered your configs, which I really appreciate,
especially since it seems to be quite a rare setup.

I asked you because I tried to replicate your config with the "egress"
keyword; iked(8) didn't complain about my modified config, but the VPN didn't
work this way: I could see the SAs created but with wrong addresses, so
the traffic was filtered out by pf.
I checked the tcpdump output, and it showed that the pf rewrite didn't happen
since I didn't have an interface with the address I rewrite to.
So I wondered how it works in your case. And that was the reason for me
to set up a loopback interface in order to have what I'd call a "consistent
though ugly" configuration.

By "consistent" I mean that I have an IP range specified for RA
VPN clients and I can filter it with pf(4).
By "ugly" I mean I need to have an additional manually assigned
loopback interface and to route VPN traffic via this interface.
Maybe I'm doing it all wrong; maybe somebody can shed light on how to
do it properly.

On 10/04, Zé Loff wrote:

> > On 04/10/2016, at 18:48, Pavel Korovin <[hidden email]> wrote:
> >
> > On 10/04, Zé Loff wrote:
> >>> On 04/10/2016, at 11:58, Pavel Korovin <[hidden email]> wrote:
> >>>
> >>>> On 10/04, Zé Loff wrote:
> >>>> On "the wanderer" iked.conf:
> >>>>
> >>>> ikev2 home active esp \
> >>>>   from egress to 192.168.99.0/24 \
> >>>>   local egress peer vpn.example.com \
> >>>>   srcid dion.example.com dstid vpn.example.com
> >>>>
> >>>> On the "wanderer" pf.conf:
> >>>>
> >>>> match out on enc0 from any to 192.168.99.0/22 nat-to 192.168.100.3 static-port
> >>>
> >>> Zé, do you have an interface with the address 192.168.100.3 on your
> >>> wanderer?
> >>
> >> No
> >
> > Then how your pf rewrites the address to 192.168.100.3? I believe there
> > must be an interface with the address specified in the rewrite rules.
> > Otherwise, pf rule won't do anything.
> > Did you check "tcpdump -i enc0" output?
>
> Hey, like I said, it works for me. I don't know enough to give you a proper
> answer to that, I just know that it works like this. I could speculate, but it
> would probably amount to noise, so I won't.
>
> Also, like I indicated, adding srcnat to the roaming machine's iked.conf
> breaks the setup for me, as the tunnel is established but nothing goes
> through.
>
> > --
> > With best regards,
> > Pavel Korovin
>

--
With best regards,
Pavel Korovin
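Pavel's diagnosis above (SAs up, but with addresses that do not match what pf rewrites to) is the runtime check a practitioner wants to automate. As an added example, not code from the thread, the script below parses an `ipsecctl -sa` flow listing from the roaming client and compares the source of the outbound flow with the nat-to target in the pf rule; if they differ, the ESP traffic leaving enc0 will not match the flow the peer expects, and `tcpdump -ni enc0` is where to look next. The flow listing is a constructed sample in the shape `ipsecctl -sa` prints; the addresses 198.51.100.20, 192.0.2.7, 192.168.248.231 and 192.168.240.0/21 and the identity client.my.vpn are placeholders for the example.

```shell
#!/bin/sh
# Added example, not from the thread: check the flows iked installed on
# the roaming client against the address pf rewrites to on enc0.
# SAMPLE_FLOWS is a constructed stand-in for `ipsecctl -sa` output; run
# that command on the client to get the real listing. All addresses are
# placeholders.
set -eu

SAMPLE_FLOWS='FLOWS:
flow esp in from 192.168.240.0/21 to 192.168.248.231 peer 198.51.100.20 srcid FQDN/client.my.vpn dstid IPV4/198.51.100.20 type use
flow esp out from 192.168.248.231 to 192.168.240.0/21 peer 198.51.100.20 srcid FQDN/client.my.vpn dstid IPV4/198.51.100.20 type require

SAD:
esp tunnel from 192.0.2.7 to 198.51.100.20 spi 0x1a2b3c4d auth hmac-sha2-256 enc aes-256
esp tunnel from 198.51.100.20 to 192.0.2.7 spi 0x5e6f7a8b auth hmac-sha2-256 enc aes-256'

# outbound_flow_src FLOWS LAN: source address of the "flow esp out" entry
# whose destination is LAN; prints nothing if no such flow is installed
outbound_flow_src() {
    printf '%s\n' "$1" | awk -v lan="$2" '
        $1 == "flow" && $3 == "out" && $7 == lan { print $5; exit }'
}

# nat_target PF_RULE: the address after nat-to in a pf match rule
nat_target() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "nat-to") { print $(i+1); exit } }'
}

# verify_flow_vs_nat FLOWS PF_RULE LAN: 0 when the outbound flow source
# equals the pf nat-to address, 1 otherwise (with a hint of what to check)
verify_flow_vs_nat() {
    src=$(outbound_flow_src "$1" "$3")
    nat=$(nat_target "$2")
    if [ -z "$src" ]; then
        echo "no outbound flow to $3: tunnel not up, check 'iked -dv' and 'ipsecctl -sa'" >&2
        return 1
    fi
    if [ "$src" != "$nat" ]; then
        echo "flow source $src != pf nat-to $nat: inner traffic will not match the flow; compare 'tcpdump -ni enc0'" >&2
        return 1
    fi
    echo "ok: outbound flow from $src matches pf nat-to $nat"
}

# stand-alone use: sh thisfile run  -> checks the sample against a matching rule
if [ "${1:-}" = "run" ]; then
    verify_flow_vs_nat "$SAMPLE_FLOWS" \
        'match out on enc0 to 192.168.240.0/21 nat-to 192.168.248.231' 192.168.240.0/21
fi
```

On a live client, feed it the real listing instead of the sample, e.g. `verify_flow_vs_nat "$(ipsecctl -sa)" "$(grep nat-to /etc/pf.conf)" 192.168.240.0/21`; the point is to compare what iked actually negotiated with what pf will do to the packets, rather than what the two config files say.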