Hello everyone!
Below I describe how to set up an IPsec VPN between 2 lab machines in site-to-site mode with OpenBSD. During the lab there are no pf firewall rules or any other firewall software in place. The topology is as follows:
NODO1=192.168.0.12
LAN1=192.168.100.0/24
NODO2=192.168.0.16
LAN2=172.16.0.0/16
LAN1<--------->NODO1<------------------------>NODO2<----------------------->LAN2
Starting from this, we set the following kernel parameters on each node:
#sysctl net.inet.esp.enable=1
#sysctl net.inet.ah.enable=1
#sysctl net.inet.ip.forwarding=1
#sysctl net.inet.ipcomp.enable=1
net.inet.esp.enable=1
net.inet.ah.enable=1
net.inet.ip.forwarding=1
net.inet.ipcomp.enable=1
Now we bring up the enc0 interface:
#ifconfig enc0 up
and make sure it comes up at boot as follows:
#echo "up" > /etc/hostname.enc0
On NODO1
we configure /etc/ipsec.conf:
ike esp from 192.168.100.0/24 to 172.16.0.0/16 peer 192.168.0.16
ike esp from 192.168.100.0/24 to 192.168.0.16 peer 192.168.0.16
ike esp from 192.168.0.12 to 172.16.0.0/16 peer 192.168.0.16
ike esp from 192.168.0.12 to 192.168.0.16
and we copy NODO2's public key into place:
NODO1#scp 192.168.0.16:/etc/isakmpd/local.pub /etc/isakmpd/pubkeys/ipv4/192.168.0.16
On NODO2
we configure /etc/ipsec.conf:
ike passive esp from 172.16.0.0/16 to 192.168.100.0/24 peer 192.168.0.12
ike passive esp from 172.16.0.0/16 to 192.168.0.12 peer 192.168.0.12
ike passive esp from 192.168.0.16 to 192.168.100.0/24 peer 192.168.0.12
ike passive esp from 192.168.0.16 to 192.168.0.12
and we copy NODO1's public key into place:
NODO2#scp 192.168.0.12:/etc/isakmpd/local.pub /etc/isakmpd/pubkeys/ipv4/192.168.0.12
Now we start the isakmpd daemon in debug mode, backgrounded, to see whether there is any error on either server.
# isakmpd -K -d &
We verify that the ipsec.conf file contains no errors:
# ipsecctl -n -f /etc/ipsec.conf
and we load the IPsec rules on both nodes:
# ipsecctl -f /etc/ipsec.conf
We check whether the VPN was established:
# ipsecctl -s all
FLOWS:
flow esp in from 192.168.0.12 to 192.168.0.16 peer 192.168.0.12 srcid 192.168.0.16/32 dstid 192.168.0.12/32 type use
flow esp out from 192.168.0.16 to 192.168.0.12 peer 192.168.0.12 srcid 192.168.0.16/32 dstid 192.168.0.12/32 type require
flow esp in from 192.168.0.12 to 172.16.0.0/16 peer 192.168.0.12 srcid 192.168.0.16/32 dstid 192.168.0.12/32 type use
flow esp out from 172.16.0.0/16 to 192.168.0.12 peer 192.168.0.12 srcid 192.168.0.16/32 dstid 192.168.0.12/32 type require
flow esp in from 192.168.100.0/24 to 192.168.0.16 peer 192.168.0.12 srcid 192.168.0.16/32 dstid 192.168.0.12/32 type use
flow esp out from 192.168.0.16 to 192.168.100.0/24 peer 192.168.0.12 srcid 192.168.0.16/32 dstid 192.168.0.12/32 type require
flow esp in from 192.168.100.0/24 to 172.16.0.0/16 peer 192.168.0.12 srcid 192.168.0.16/32 dstid 192.168.0.12/32 type use
flow esp out from 172.16.0.0/16 to 192.168.100.0/24 peer 192.168.0.12 srcid 192.168.0.16/32 dstid 192.168.0.12/32 type require
SAD:
esp tunnel from 192.168.0.16 to 192.168.0.12 spi 0x108345d2 auth hmac-sha2-256 enc aes
esp tunnel from 192.168.0.12 to 192.168.0.16 spi 0x1dce7872 auth hmac-sha2-256 enc aes
esp tunnel from 192.168.0.16 to 192.168.0.12 spi 0x30b9c665 auth hmac-sha2-256 enc aes
esp tunnel from 192.168.0.12 to 192.168.0.16 spi 0x35f11aac auth hmac-sha2-256 enc aes
esp tunnel from 192.168.0.12 to 192.168.0.16 spi 0x3eba41c7 auth hmac-sha2-256 enc aes
esp tunnel from 192.168.0.16 to 192.168.0.12 spi 0x46db0e47 auth hmac-sha2-256 enc aes
esp tunnel from 192.168.0.12 to 192.168.0.16 spi 0xd92d4487 auth hmac-sha2-256 enc aes
esp tunnel from 192.168.0.16 to 192.168.0.12 spi 0xda25de2a auth hmac-sha2-256 enc aes
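As an added example (not part of the original post), the following POSIX shell script generates the four ike esp rules shown above for either node from the lab addresses, and checks a captured ipsecctl -s all FLOWS listing (the NODO2 output above, with the srcid/dstid columns trimmed) for the matching in and out flows. The gen_rules and check_flows functions are my own, not an OpenBSD tool; the sample listing is constructed from the post's output.

```shell
#!/bin/sh
# Added example, not from the original post: build the four "ike esp" rules
# the post puts in /etc/ipsec.conf for one side of the tunnel, and check a
# captured "ipsecctl -s all" FLOWS listing for the matching in/out flows.
# Addresses are the lab values from the post.
NODO1=192.168.0.12; LAN1=192.168.100.0/24
NODO2=192.168.0.16; LAN2=172.16.0.0/16

# gen_rules LOCAL_HOST LOCAL_LAN REMOTE_HOST REMOTE_LAN [passive]
# Emits LAN<->LAN, LAN<->remote host, local host<->remote LAN and host<->host
# rules. Without the two host rules, packets sourced by the gateway itself
# (its own pings or ssh sessions to the other LAN) would travel outside the tunnel.
gen_rules() {
    lh=$1; ll=$2; rh=$3; rl=$4; mode=${5:+$5 }
    printf 'ike %sesp from %s to %s peer %s\n' "$mode" "$ll" "$rl" "$rh"
    printf 'ike %sesp from %s to %s peer %s\n' "$mode" "$ll" "$rh" "$rh"
    printf 'ike %sesp from %s to %s peer %s\n' "$mode" "$lh" "$rl" "$rh"
    printf 'ike %sesp from %s to %s\n' "$mode" "$lh" "$rh"
}

# check_flows LOCAL_HOST LOCAL_LAN REMOTE_HOST REMOTE_LAN  (FLOWS on stdin)
# Prints how many of the 8 expected flows (4 pairs x in/out) are absent;
# 0 means every combination the rules describe is really in the SPD.
check_flows() {
    lh=$1; ll=$2; rh=$3; rl=$4; missing=0
    flows=$(cat)
    for pair in "$ll $rl" "$ll $rh" "$lh $rl" "$lh $rh"; do
        set -- $pair
        printf '%s\n' "$flows" | grep -q "^flow esp out from $1 to $2 " || missing=$((missing + 1))
        printf '%s\n' "$flows" | grep -q "^flow esp in from $2 to $1 "  || missing=$((missing + 1))
    done
    echo "$missing"
}

# Constructed from the post's NODO2 output (srcid/dstid columns trimmed).
SAMPLE_FLOWS='flow esp in from 192.168.0.12 to 192.168.0.16 peer 192.168.0.12 type use
flow esp out from 192.168.0.16 to 192.168.0.12 peer 192.168.0.12 type require
flow esp in from 192.168.0.12 to 172.16.0.0/16 peer 192.168.0.12 type use
flow esp out from 172.16.0.0/16 to 192.168.0.12 peer 192.168.0.12 type require
flow esp in from 192.168.100.0/24 to 192.168.0.16 peer 192.168.0.12 type use
flow esp out from 192.168.0.16 to 192.168.100.0/24 peer 192.168.0.12 type require
flow esp in from 192.168.100.0/24 to 172.16.0.0/16 peer 192.168.0.12 type use
flow esp out from 172.16.0.0/16 to 192.168.100.0/24 peer 192.168.0.12 type require'

echo "--- NODO1 /etc/ipsec.conf"; gen_rules "$NODO1" "$LAN1" "$NODO2" "$LAN2"
echo "--- NODO2 /etc/ipsec.conf"; gen_rules "$NODO2" "$LAN2" "$NODO1" "$LAN1" passive
echo "missing flows on NODO2: $(printf '%s\n' "$SAMPLE_FLOWS" | check_flows "$NODO2" "$LAN2" "$NODO1" "$LAN1")"
# On a live node:  ipsecctl -s flow | check_flows "$NODO2" "$LAN2" "$NODO1" "$LAN1"
```

A non-zero count means some host or LAN combination has no policy and that traffic would leave the node unencrypted.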
NODO1# ping 172.16.0.1
PING 172.16.0.1 (172.16.0.1): 56 data bytes
64 bytes from 172.16.0.1: icmp_seq=0 ttl=255 time=13.510 ms
64 bytes from 172.16.0.1: icmp_seq=1 ttl=255 time=10.768 ms
64 bytes from 172.16.0.1: icmp_seq=2 ttl=255 time=10.699 ms
64 bytes from 172.16.0.1: icmp_seq=3 ttl=255 time=9.242 ms
--- 172.16.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 9.242/11.054/13.510/1.548 ms
NODO2# ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1): 56 data bytes
64 bytes from 192.168.100.1: icmp_seq=0 ttl=255 time=8.247 ms
64 bytes from 192.168.100.1: icmp_seq=1 ttl=255 time=6.937 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=255 time=37.540 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=255 time=13.060 ms
--- 192.168.100.1 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 6.937/16.446/37.540/12.390 ms
Now, so that all of this starts when the machines boot, we add the following lines to "/etc/rc.conf.local":
isakmpd_flags="-K"
ipsec=YES
Done. I hope this is useful to you. See you another time.