so, i've got a few systems spread throughout the country. i've got my desktop and laptop here in california, a mac mini at my mom's house in arizona doing bacula, and my colo'd box at a datacenter elsewhere in phoenix. i wanted to be able to get to files remotely and securely, so i started mucking around with afs. however, i thought i could make it even safer and throw ipsec in there; that way, i could work on my mom's computer through vnc or remote desktop and be even safer still

here's my setup

furball: my desktop
tyrone: my laptop
chelsea: my mac mini
ashley: colo'd box

furball + tyrone    - crappy dsl router (dhcp) --- internet
                                                      |
                                             ashley (static ip)
                                                      |
chelsea + mom's pc  - crappy dsl router (dhcp) --- internet

in my setup, ashley will be the remote gateway for everything since it has a static ip. setting up ipsec isn't really that hard if you pay attention. in my case, i could have saved myself a lot of time had i followed the man pages correctly

right now, i only have chelsea connect over ipsec to ashley. however, once i have proper routers here and at my mom's house, the routers themselves will make the ipsec connections and all traffic headed to ashley will go over ipsec

on ashley and chelsea, i added the following to /etc/rc.conf.local:

# vpn
isakmpd_flags="-K"     # for normal use: ""
ipsec=                 # IPsec

ashley's /etc/ipsec.conf contains the following:

ike passive esp tunnel from any to any \
local ashley.azbsd.org \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha2-256 enc 3des group modp1024 \
srcid ashley@azbsd.org dstid chelsea@azbsd.org

chelsea's /etc/ipsec.conf likewise contains the following:

ike dynamic esp from any to ashley.azbsd.org \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha2-256 enc 3des group modp1024 \
srcid chelsea@azbsd.org dstid ashley@azbsd.org

so, that's it for configurations. as far as authentication and whatnot, that's where i had some difficulty; i ultimately decided on using USER_FQDNs (hence "srcid chelsea@azbsd.org", etc.)

to get the certificates where they needed to be, i scp'd /etc/isakmpd/local.pub from chelsea to /etc/isakmpd/pubkeys/ufqdn/chelsea@azbsd.org on ashley, and likewise from ashley to chelsea. in addition to that, while debugging, i noticed isakmpd was looking for keys in /etc/isakmpd/keynote/USER_FQDN/credentials, so chelsea's /etc/isakmpd/keynote/keynote.pub was scp'd there (and likewise from ashley to chelsea). finally, i also copied each system's local keynote.pub to its own /etc/isakmpd/keynote/USER_FQDN/credentials. however, and i'm not sure why, that didn't work on ashley, where isakmpd was looking for /etc/isakmpd/keynote/140.99.16.202/credentials instead. i scp'd like a madman!

in the end, this is what i had

ashley:
/etc/isakmpd/keynote/140.99.16.202/credentials (from ashley:/etc/isakmpd/keynote/keynote.pub)
/etc/isakmpd/keynote/chelsea.azbsd.org/credentials (from chelsea:/etc/isakmpd/keynote/keynote.pub)

/etc/isakmpd/pubkeys/ufqdn/chelsea@azbsd.org (chelsea:/etc/isakmpd/local.pub)

chelsea:
/etc/isakmpd/keynote/chelsea.azbsd.org/credentials (from chelsea:/etc/isakmpd/keynote/keynote.pub)

/etc/isakmpd/pubkeys/ufqdn/ashley@azbsd.org (ashley:/etc/isakmpd/local.pub)
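to sanity-check a pair of rules like these before reloading them, here's an added python script (mine, not from this post) that parses each ipsec.conf rule, confirms the srcid/dstid on one side mirror the other, derives where isakmpd will look for the peer's local.pub (/etc/isakmpd/pubkeys/<ipv4|fqdn|ufqdn>/<dstid>), and flags the 3des / modp1024 / hmac-sha1 transforms as legacy. the LEGACY set is my own assumption, not something isakmpd enforces.

```python
# constructed copies of the two ipsec.conf rules quoted above
ASHLEY_CONF = """ike passive esp tunnel from any to any \\
local ashley.azbsd.org \\
main auth hmac-sha1 enc 3des group modp1024 \\
quick auth hmac-sha2-256 enc 3des group modp1024 \\
srcid ashley@azbsd.org dstid chelsea@azbsd.org
"""
CHELSEA_CONF = """ike dynamic esp from any to ashley.azbsd.org \\
main auth hmac-sha1 enc 3des group modp1024 \\
quick auth hmac-sha2-256 enc 3des group modp1024 \\
srcid chelsea@azbsd.org dstid ashley@azbsd.org
"""
# transforms to flag as weak by today's standards (assumption: adjust to your own policy)
LEGACY = {"des", "3des", "hmac-md5", "hmac-sha1", "modp768", "modp1024"}

def parse_ike_rule(text):
    """join backslash continuations, then pull out srcid/dstid and the main/quick transforms"""
    toks = text.replace("\\\n", " ").split()
    rule = {"srcid": None, "dstid": None, "main": {}, "quick": {}}
    phase = None
    for i, tok in enumerate(toks[:-1]):
        if tok in ("main", "quick"):
            phase = tok
        elif tok in ("srcid", "dstid"):
            rule[tok] = toks[i + 1]
        elif tok in ("auth", "enc", "group") and phase:
            rule[phase][tok] = toks[i + 1]
    return rule

def id_type(ident):
    """isakmpd keeps peer keys under pubkeys/<ipv4|fqdn|ufqdn>/; pick the subdir from the id's shape"""
    if ident.replace(".", "").isdigit():
        return "ipv4"
    return "ufqdn" if "@" in ident else "fqdn"

def expected_pubkey_path(peer_id):
    """where this host must have the peer's local.pub for the given dstid"""
    return f"/etc/isakmpd/pubkeys/{id_type(peer_id)}/{peer_id}"

def check_pair(local, peer):
    """findings for one side: ids that don't mirror the peer's, plus legacy transforms"""
    findings = []
    if (local["srcid"], local["dstid"]) != (peer["dstid"], peer["srcid"]):
        findings.append(f"id mismatch: {local['srcid']}->{local['dstid']} vs {peer['srcid']}->{peer['dstid']}")
    for phase in ("main", "quick"):
        for k, v in local[phase].items():
            if v in LEGACY:
                findings.append(f"legacy {phase} {k} {v}")
    return findings
```

run check_pair both ways (ashley against chelsea and chelsea against ashley) so each side's srcid/dstid gets compared; a non-empty result should be read before the next ipsecctl -Ff.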

finally, after a few debugging runs of isakmpd (isakmpd -KvdD A=60) and reloading ipsec.conf a number of times (ipsecctl -Ff /etc/ipsec.conf), i had ipsec working. case in point:

BEFORE:

$ traceroute ashley.azbsd.org 
traceroute to ashley.azbsd.org (140.99.16.202), 64 hops max, 40 byte packets
 1  160.81.46.162 (160.81.46.162)  45.522 ms  46.768 ms  93.90 ms
 2  160.81.46.161 (160.81.46.161)  66.944 ms  65.25 ms  65.299 ms
 3  144.232.1.29 (144.232.1.29)  70.860 ms  161.598 ms *
 4  144.232.20.67 (144.232.20.67)  119.949 ms  94.289 ms  110.837 ms
 5  64.152.193.73 (64.152.193.73)  98.502 ms  79.52 ms  117.449 ms
 6  * * *
 7  4.69.133.37 (4.69.133.37)  87.722 ms  81.461 ms  88.222 ms
 8  4.79.164.54 (4.79.164.54)  87.536 ms  76.785 ms  99.254 ms
 9  140.99.10.57 (140.99.10.57)  113.265 ms * *
10  140.99.10.57 (140.99.10.57)  85.107 ms * *
11  * * *

(not much i can do about shitty DSL unfortunately)

and

AFTER:

$ traceroute ashley.azbsd.org        
traceroute to ashley.azbsd.org (140.99.16.202), 64 hops max, 40 byte packets
 1  ashley.azbsd.org (140.99.16.202)  76.260 ms  114.861 ms  97.801 ms

once i get my routers set up, i'll update this page with their setups