VPN configuration operation

VPN on OpenBSD configuration note

VPN (Virtual Private Network) technology has come into wide use in recent years. I will not go into the details, since there are already many dedicated treatments of the subject. This document only describes configuring a VPN on PCs running OpenBSD, and describes it only briefly. Note also that everything here is based on my own configuration experience and was carried out by hand, so your process may differ slightly in places. I trust that readers with some OpenBSD experience are capable of adapting this tutorial to their own situation.

1. What is a VPN?

This question is raised only as a matter of routine. There are in fact many discussions of VPNs available, including a good deal of excellent material in the china-pub.com ebook column. I do not want to introduce basic concepts such as NAT, ipfilter and PPP here beyond the minimum needed; readers should consult the related OpenBSD documentation (the FAQ and the manpages) on their own.

VPN is short for Virtual Private Network. The network environment used in this article consists of two physically separated LANs that communicate over a public network (the Internet). The most important requirement is that no communication between the two LANs can be eavesdropped on by unauthorized users of the public network. The simplified network topology is shown below:

Figure 1

This is the typical application of a VPN: it is the best choice for connecting two physically separated LANs. After configuration the two LANs behave as if they were physically connected. In this arrangement the Internet serves as the main data transmission medium, and both conceptually and functionally the result goes well beyond what an ordinary connection offers.

2. Configure the VPN

First, the author's network environment needs to be made clear. If your environment is nearly the same as the author's, congratulations: you can copy the files below into your own system step by step. If it differs, then, as noted above, readers should be able to improvise and find a solution; it is not difficult.

The network layout is as in Figure 1. lan1 and lan2 are about 1600 km apart; two distant LANs were chosen deliberately to highlight the strength of a VPN. gateway1 and gateway2 are both routers running OpenBSD. gateway1 has a permanent Internet connection with a fixed IP address. gateway2 is less fortunate: it reaches the Internet over a dial-up connection, and on every dial-up the ISP assigns it a new IP address (this gateway works under a domain name, so there is no need to worry about whether the gateway can be found). lan1 is 192.168.35.0/24 (this notation is "borrowed" from R. Stevens's TCP/IP Illustrated; it says that the network number of lan1 is 192.168.35, that there are 24 hosts, and that the addresses run from 192.168.35.1 to 192.168.35.24), and lan2 is 192.168.105.0/24. gateway1 has the internal address 192.168.35.1 on lan1 and the external address 25.50.100.200 (which is, needless to say, a made-up address); gateway2 has the internal address 192.168.105.1 and an external address that changes with every connection.

Configuration begins. First install OpenBSD 2.8 on both gateways and configure each as a standard gateway, that is, enable IP forwarding and assign the appropriate IP addresses. Do not configure ipfilter at this point; it can be configured again after the VPN configuration is complete. Also do not enable any of the startup services that the OpenBSD installation leaves off by default, such as FTP, telnet, finger, RPC and portmap. This is a necessary condition for a secure server, and those services may interfere with the VPN configuration process. If you must enable them, do so one by one after the VPN configuration is complete, confirming each time that the VPN still works correctly.

· Then upgrade OpenBSD 2.8 to OpenBSD-current. OpenBSD 2.8 has problems in its IPsec/ipf/ipnat implementation, so do not try to configure the VPN on 2.8. The upgrade to -current mainly consists of the following parts:

· The kernel. Re-link and install usr.sbin/config before linking the new kernel.
· isakmpd
· ipf
· ipnat

The latter three need to be re-linked against the new kernel header files (installed with "make includes" from the include directory).

Only with this upgrade can the IPsec problems in OpenBSD 2.8 be fixed. These problems mainly include isakmpd producing errors and crashing at least several times. In theory the AES problem can also be solved this way, although I have not tried it.

To run the latest kernel you must also:
· compile and install libkvm
· compile ps, vmstat and top and install them on the machine with the new kernel

Readers can find the latest updates at http://www.openbsd.org/anoncvs.html.

Once the new kernel is running, you have two gateways that can serve as OpenBSD VPN endpoints. Make sure that /etc/sysctl.conf on both systems contains "net.inet.esp.enable=1". This enables ESP (Encapsulating Security Payload); from then on all traffic that reaches the gateway through the VPN tunnel is carried as ESP, and once the correct keys have been applied these ESP packets can be decrypted.

The next thing to do is to get isakmpd running, so that the two gateways can find each other, verify each other's identity and begin exchanging keys.

This part is not described in detail; man isakmpd should answer most questions, and the author uses a very standard configuration: the two machines authenticate with an agreed pre-shared secret phrase and encrypt with the AES algorithm. The author's isakmpd configuration files follow, in order: isakmpd.policy (the same for lan1 and lan2), isakmpd.conf for lan1, and isakmpd.conf for lan2.

1. isakmpd.policy

KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees: "passphrase:secretphrase"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes";

2. isakmpd.conf for lan1 (gateway1, the static end)

# $OpenBSD: VPN-east.conf,v 1.11 2001/04/09 23:27:29 niklas Exp $
# $EOM: VPN-east.conf,v 1.12 2001/04/09 22:08:30 niklas Exp $
#
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#

[General]
Retransmits = 5
Exchange-max-time = 120

# gateway2's address is not known in advance (dial-up), so any incoming
# phase 1 negotiation is handled by the Default entry.
[Phase 1]
Default = ISAKMP-LAN2gw

[Phase 2]
Connections = IPsec-LAN1-LAN2

[ISAKMP-LAN2gw]
Phase = 1
Transport = udp
Configuration = Default-main-mode
Authentication = secretphrase

[IPsec-LAN1-LAN2]
Phase = 2
ISAKMP-peer = ISAKMP-LAN2gw
Configuration = Default-quick-mode
Local-ID = Net-LAN1
Remote-ID = Net-LAN2

[Net-LAN2]
ID-type = IPV4_ADDR_SUBNET
Network = 192.168.105.0
Netmask = 255.255.255.0

# lan1 is 192.168.35.0/24 as defined above (the original listing had 192.168.55.0 here)
[Net-LAN1]
ID-type = IPV4_ADDR_SUBNET
Network = 192.168.35.0
Netmask = 255.255.255.0

[Default-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = 3DES-SHA

[Default-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = QM-ESP-AES-SHA-PFS-SUITE

3. isakmpd.conf for lan2 (gateway2, the dial-up end)

# $OpenBSD: VPN-east.conf,v 1.11 2001/04/09 23:27:29 niklas Exp $
# $EOM: VPN-east.conf,v 1.12 2001/04/09 22:08:30 niklas Exp $
#
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#

[General]
Retransmits = 5
Exchange-max-time = 120
# No Listen-on here: gateway2's dial-up address changes on every connection,
# so isakmpd is left to listen on all interfaces.

# Incoming phase 1 negotiations are multiplexed on the source IP address
[Phase 1]
25.50.100.200 = ISAKMP-LAN1gw

[Phase 2]
Connections = IPsec-LAN2-LAN1

[ISAKMP-LAN1gw]
Phase = 1
Transport = udp
Address = 25.50.100.200
Configuration = Default-main-mode
Authentication = secretphrase

[IPsec-LAN2-LAN1]
Phase = 2
ISAKMP-peer = ISAKMP-LAN1gw
Configuration = Default-quick-mode
Local-ID = Net-LAN2
Remote-ID = Net-LAN1

[Net-LAN1]
ID-type = IPV4_ADDR_SUBNET
Network = 192.168.35.0
Netmask = 255.255.255.0

[Net-LAN2]
ID-type = IPV4_ADDR_SUBNET
Network = 192.168.105.0
Netmask = 255.255.255.0

[Default-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = 3DES-SHA

[Default-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = QM-ESP-AES-SHA-PFS-SUITE

(Other examples can be found in the isakmpd.policy and isakmpd.conf manuals.) All of these files belong in /etc/isakmpd on the gateways. Having read these configuration files, the two gateways have enough information to verify each other's identity, exchange keys, and then rekey and synchronize their encryption keys through the normal process.
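A mistake that is easy to make with two hand-edited files is for the subnet one gateway presents as its Local-ID not to be the subnet the peer lists as its Remote-ID (the lan1 listing above originally carried 192.168.55.0 where lan1 is 192.168.35.0). When that happens quick mode never completes and no ESP SA is installed. The following script is an added example, not part of the original article or of isakmpd: it parses the "[Section]" / "Tag = Value" shape of isakmpd.conf and cross-checks the two files before the first run. The function names (ini_get, subnet_of, check_peer_consistency, make_sample_confs) and the cut-down sample files it writes are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the original article: cross-check the two
# gateways' isakmpd.conf files before the first run. The subnet one side
# offers as its Local-ID must be exactly what the peer expects as Remote-ID;
# otherwise quick mode fails and no ESP SA is ever installed. The parser
# only handles the "[Section]" / "Tag = Value" shape used in the listings.

# ini_get FILE SECTION TAG: print the value of TAG inside [SECTION].
# Section and tag names are matched case-insensitively.
ini_get() {
    awk -v want="$2" -v tag="$3" '
        /^[ \t]*\[/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            insec = (tolower(s) == tolower(want)); next
        }
        insec && index($0, "=") {
            k = $0; sub(/^[ \t]*/, "", k); sub(/[ \t]*=.*$/, "", k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            if (tolower(k) == tolower(tag)) { print v; exit }
        }' "$1"
}

# subnet_of FILE CONNECTION TAG: "network/netmask" of the Net-* section
# that the Local-ID or Remote-ID tag of [CONNECTION] points to.
subnet_of() {
    net=$(ini_get "$1" "$2" "$3")
    printf '%s/%s\n' "$(ini_get "$1" "$net" Network)" "$(ini_get "$1" "$net" Netmask)"
}

# check_peer_consistency LOCAL.conf PEER.conf
# Exit 0 when both files describe the same subnet pair from opposite sides,
# 1 (with one MISMATCH line per problem) otherwise.
check_peer_consistency() {
    lconn=$(ini_get "$1" "Phase 2" Connections | sed 's/,.*//')
    pconn=$(ini_get "$2" "Phase 2" Connections | sed 's/,.*//')
    l_local=$(subnet_of "$1" "$lconn" Local-ID)
    l_remote=$(subnet_of "$1" "$lconn" Remote-ID)
    p_local=$(subnet_of "$2" "$pconn" Local-ID)
    p_remote=$(subnet_of "$2" "$pconn" Remote-ID)
    rc=0
    [ "$l_local" = "$p_remote" ] ||
        { echo "MISMATCH: $1 Local-ID $l_local, $2 Remote-ID $p_remote"; rc=1; }
    [ "$l_remote" = "$p_local" ] ||
        { echo "MISMATCH: $1 Remote-ID $l_remote, $2 Local-ID $p_local"; rc=1; }
    return $rc
}

# make_sample_confs DIR: constructed sample files, cut down to the phase 2
# part (real files also carry [General] and [Phase 1]). lan2-bad.conf
# carries the 192.168.55.0 typo for lan1 that appeared in the lan1 listing.
make_sample_confs() {
    cat > "$1/lan1.conf" <<'EOF'
[Phase 2]
Connections = IPsec-LAN1-LAN2

[IPsec-LAN1-LAN2]
Phase = 2
Local-ID = Net-LAN1
Remote-ID = Net-LAN2

[Net-LAN1]
ID-type = IPV4_ADDR_SUBNET
Network = 192.168.35.0
Netmask = 255.255.255.0

[Net-LAN2]
ID-type = IPV4_ADDR_SUBNET
Network = 192.168.105.0
Netmask = 255.255.255.0
EOF
    cat > "$1/lan2.conf" <<'EOF'
[Phase 2]
Connections = IPsec-LAN2-LAN1

[IPsec-LAN2-LAN1]
Phase = 2
Local-ID = Net-LAN2
Remote-ID = Net-LAN1

[Net-LAN1]
Network = 192.168.35.0
Netmask = 255.255.255.0

[Net-LAN2]
Network = 192.168.105.0
Netmask = 255.255.255.0
EOF
    sed 's/192\.168\.35\.0/192.168.55.0/' "$1/lan2.conf" > "$1/lan2-bad.conf"
}

# Stand-alone demonstration on the constructed files.
demo_dir=$(mktemp -d)
make_sample_confs "$demo_dir"
check_peer_consistency "$demo_dir/lan1.conf" "$demo_dir/lan2.conf" && echo "lan1/lan2: consistent"
check_peer_consistency "$demo_dir/lan1.conf" "$demo_dir/lan2-bad.conf" || echo "lan1/lan2-bad: rejected"
```

In practice you would run check_peer_consistency against a copy of the peer's /etc/isakmpd/isakmpd.conf before starting isakmpd for the first time; the only thing it needs from the files is the [Phase 2] Connections name and the Net-* sections it points to, so the pre-shared phrase in [ISAKMP-...] never has to leave the gateway.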
Before the first connection, I recommend that you edit these files to suit your own needs and make sure that both machines are correctly connected to the Internet. Then run

isakmpd -d -DA=99

on both servers. This keeps isakmpd in the foreground and prints the most debugging information. After page after page of debugging output you will see how the encrypted information is transmitted between the machines.

Now you should have a running VPN. Of course, further testing is required. If it still does not run, check and find the problem. A simple test is to ping a machine in the peer LAN. Note that you cannot perform this test from the gateway itself. For example, ping 192.168.105.2 from 192.168.35.2, then ping 192.168.35.2 from 192.168.105.2. You should see the two machines reply just like any other ping, as if they were in the same LAN (apart from the TTL). If you are interested you can also try FTP, telnet and so on. If your ping fails, refer to the "Test and debug" section at the end of this article.

3. Automate the process

To avoid configuring a lot of things every time the VPN is needed, some steps can be automated. It should be possible to simply ping a machine on the other side and have the VPN start working automatically. This requires:
· whenever the VPN at the other end needs to be accessed, the dial-up PPP connection on this side is established
· isakmpd runs automatically

Establishing the PPP connection is not difficult: in the /etc/rc.local file of the gateway that uses the dial-up connection, add "ppp -auto -nat isp" (here "isp" is the name of the ppp.conf section for your provider). In this way, as soon as a lan2 machine sends traffic towards the other side, gateway2 establishes a PPP connection.

Running isakmpd is more complicated, because the static gateway and the dial-up gateway need different methods. For the static gateway you only need to set isakmpd_flags="" in /etc/rc.conf, and isakmpd then starts automatically on every reboot. On the dial-up gateway this method is useless, because right after a reboot there is no Internet connection yet. What we need is for isakmpd to start automatically once the PPP connection is established, and to be stopped when the PPP connection goes down. This can be done by adding a line to /etc/ppp/ppp.linkup and /etc/ppp/ppp.linkdown. In /etc/ppp/ppp.linkup add

MYADDR:
 !bg isakmpd

and in /etc/ppp/ppp.linkdown add

MYADDR:
 !bg /etc/ppp/killisakmpd

Here killisakmpd is a shell script with the following content:

#!/bin/sh
kill `cat /var/run/isakmpd.pid`

In this way the VPN configuration is fully automated and convenient.
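The one-line killisakmpd above does its job when everything is in order, but on a dial-up gateway the pidfile is frequently not in order: isakmpd may never have started on this link, it may have crashed (leaving a stale pid), or the file may be empty, in which case "kill" runs with no arguments. The following is an added example, not part of the original article or of OpenBSD: a stop_isakmpd function that validates the pidfile before signalling anything, reports what it found, and removes a stale pidfile so the next ppp.linkup starts cleanly. The function name, the PIDFILE argument and the demo with a throw-away background process are my own.

```shell
#!/bin/sh
# Added example, not from the original article: a safer replacement for the
# one-line killisakmpd script. It handles a missing pidfile (isakmpd never
# started on this link), a pidfile holding something other than a pid, and a
# stale pidfile (isakmpd already gone), instead of running "kill" blindly.
# Names (stop_isakmpd, the PIDFILE argument) are my own.

# stop_isakmpd [PIDFILE]
# Exit status: 0 isakmpd signalled, 1 no pidfile, 2 pidfile content is not a
# pid, 3 stale pidfile (removed). Meant to be run from ppp.linkdown as root.
stop_isakmpd() {
    pidfile=${1:-/var/run/isakmpd.pid}
    if [ ! -r "$pidfile" ]; then
        echo "stop_isakmpd: no $pidfile, nothing to do"
        return 1
    fi
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*)
            echo "stop_isakmpd: refusing to act on '$pid' in $pidfile"
            return 2 ;;
    esac
    if kill -0 "$pid" 2>/dev/null; then
        kill "$pid"
        echo "stop_isakmpd: sent SIGTERM to pid $pid"
        return 0
    fi
    echo "stop_isakmpd: pid $pid not running, removing stale $pidfile"
    rm -f "$pidfile"
    return 3
}

# Stand-alone demonstration with a constructed pidfile and a throw-away
# background "sleep" standing in for isakmpd (no real daemon is touched).
demo() {
    d=$(mktemp -d)
    sleep 300 & fake=$!
    echo "$fake" > "$d/isakmpd.pid"
    stop_isakmpd "$d/isakmpd.pid"                      # signals the fake process
    wait "$fake" 2>/dev/null || true
    echo "$fake" > "$d/isakmpd.pid"                    # now a stale pid
    stop_isakmpd "$d/isakmpd.pid" || echo "  -> status $?"
    echo "garbage" > "$d/isakmpd.pid"                  # not a pid at all
    stop_isakmpd "$d/isakmpd.pid" || echo "  -> status $?"
    rm -rf "$d"
}
demo
```

Install it as /etc/ppp/killisakmpd with the same "!bg /etc/ppp/killisakmpd" line in ppp.linkdown; the distinct exit statuses are only there so that the ppp log tells you which of the three failure cases occurred.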

4. Test and debug

If the VPN does not run normally the first time, you have to debug it. If some part of isakmpd is not configured correctly, so that the routes are set up but no keys are negotiated and nothing is encrypted, the situation is extremely dangerous. First ping a machine on the peer LAN, as described above. If the result is abnormal, run the following on gateway1:

tcpdump -i [external interface name, e.g. fxp1 or tun0] host [gateway2 IP address]

This command shows all traffic between gateway2 and gateway1. In theory only the encrypted ping traffic should appear, as in the following output:

16:10:07.543323 ESP d7-lp-23.dial-up.net > gateway.whatever.com spi 0xefbf34aa seq 146 len 132
16:10:07.712902 ESP gateway.whatever.com > d7-lp-23.dial-up.net spi 0xb17f45a2 seq 146 len 132

This shows that all the traffic is carried encrypted as ESP, and your VPN is working properly. If instead you see plain ICMP packets, your traffic is not yet being encrypted by the VPN. When my VPN was not working properly, I saw the output above but no ping reply came back; this indicates that the encrypted traffic is not being processed by the other gateway. The reason was simple: the other gateway was still running OpenBSD 2.8!
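Reading tcpdump output by eye works for a two-line capture; for a longer one it is easier to let a script decide whether anything other than ESP and IKE crossed the external interface. The following is an added example, not part of the original article or of tcpdump: capture_verdict reads tcpdump output of the shape shown above and reports ENCRYPTED, CLEARTEXT (some packet between the gateways was neither ESP nor isakmp) or EMPTY (nothing at all, which points at the peer or at isakmpd not running). The function names and the two sample captures are my own constructions; the healthy capture reuses the hostnames and SPIs from the article's output.

```shell
#!/bin/sh
# Added example, not part of the original article: classify a capture taken
# with "tcpdump -i <external if> host <gateway2>" as described above. Between
# the two gateways only ESP (the tunnel) and isakmp (UDP/500 key exchange)
# lines should ever appear; anything else, typically the ICMP echo itself,
# means the ping crossed the Internet in clear. Line shapes follow the OpenBSD
# tcpdump output quoted in the article; the sample captures are constructed.

# capture_verdict < tcpdump-output
# First output line: VERDICT esp=N ike=N clear=N, where VERDICT is
#   ENCRYPTED  only ESP/isakmp packets seen (tunnel working), exit status 0
#   CLEARTEXT  some packet between the gateways was neither, exit status 1
#   EMPTY      no packets at all: peer unreachable or isakmpd down, status 2
# Every cleartext packet is then echoed on its own "clear:" line.
capture_verdict() {
    awk '
        BEGIN       { esp = 0; ike = 0; clear = 0 }
        NF == 0     { next }
        $2 == "ESP" { esp++; next }
        / isakmp/   { ike++; next }
                    { clear++; clear_line[clear] = $0 }
        END {
            if (clear > 0)     { v = "CLEARTEXT"; rc = 1 }
            else if (esp == 0) { v = "EMPTY";     rc = 2 }
            else               { v = "ENCRYPTED"; rc = 0 }
            printf "%s esp=%d ike=%d clear=%d\n", v, esp, ike, clear
            for (i = 1; i <= clear; i++) printf "  clear: %s\n", clear_line[i]
            exit rc
        }'
}

# verdict_of CAPTURE-TEXT: just the verdict word, for scripting.
verdict_of() {
    printf '%s\n' "$1" | capture_verdict | awk 'NR == 1 { print $1 }'
}

# Constructed captures. GOOD_CAPTURE is the healthy case from the article;
# LEAK_CAPTURE shows phase 1 starting but the echo itself going out in clear.
GOOD_CAPTURE='16:10:07.543323 ESP d7-lp-23.dial-up.net > gateway.whatever.com spi 0xefbf34aa seq 146 len 132
16:10:07.712902 ESP gateway.whatever.com > d7-lp-23.dial-up.net spi 0xb17f45a2 seq 146 len 132'

LEAK_CAPTURE='16:12:01.001122 d7-lp-23.dial-up.net.500 > gateway.whatever.com.500: isakmp v1.0 exchange ID_PROT
16:12:03.414141 d7-lp-23.dial-up.net > gateway.whatever.com: icmp: echo request
16:12:03.600002 gateway.whatever.com > d7-lp-23.dial-up.net: icmp: echo reply'

# Stand-alone demonstration.
printf '%s\n' "$GOOD_CAPTURE" | capture_verdict
printf '%s\n' "$LEAK_CAPTURE" | capture_verdict || echo "(exit $?: traffic is bypassing the tunnel)"
```

On the gateway you would feed it a short live capture, for example "tcpdump -i fxp1 -c 50 host <gateway2> | capture_verdict", while a machine on lan1 pings a machine on lan2; a CLEARTEXT verdict while the ping succeeds is exactly the dangerous case the section warns about, since the tunnel looks fine to the users but nothing is encrypted.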

5. Interaction with NAT and the firewall (ipf)

When all the above is complete and works normally without ipfilter, I enable NAT and ipf. No changes are needed to the standard NAT setup. A few lines are added to /etc/ipf.rules to let the encrypted traffic pass through the gateway:

# VPN: allow any traffic on the ISAKMP port
pass in on fxp1 proto udp from any port = 500 to 25.50.100.200 port = 500
pass out on fxp1 proto udp from 25.50.100.200 port = 500 to any port = 500
# VPN: allow all traffic in ESP form
pass in proto esp from any to 25.50.100.200
pass out proto esp from 25.50.100.200 to any

These rules allow the key exchange through isakmpd and the subsequent ESP encryption to work normally.

6. Conclusion

From the description above, for a reader with a basic understanding of networks, gateways, NAT, ipf and PPP, configuring a VPN is not difficult. Once everything is set up, you can also experiment with the various encryption and authentication methods.
