
List:       openbsd-misc
Subject:    Iked roadwarrior to router
From:       niav () web ! de
Date:       2019-12-28 16:02:03
Message-ID: trinity-6dd32b7e-f8f0-45ff-9377-507fde2771e7-1577548923484 () 3c-app-webde-bs60

Hello,
I am struggling with understanding OpenBSD's implementation of IPsec (v2) fully.
So as far as I have wrapped my head around it, I have understood the following. When a packet's destination and origin match an IPsec flow, it is being stolen from iked and passed through the tunnel. It does not hit the routing table. So far correct? That implies that all the routing that needs to be done for IPsec tunnels to work is happening in iked.conf. Ok. Imagine the following setup. I have got a router and a roadwarrior, both are running OpenBSD (-release). The router has got 3 subnets next to its uplink. In my scenario I need the roadwarrior to pass traffic to one client in one of the subnets. Pf is configured to pass traffic on ports 500 and 4500, protocol udp. Furthermore, NAT is NOT being applied. Pubkeys are exchanged according to the manual. The tunnel is being established. The only problem is that the traffic doesn't reach the desired destination.

So here is a rough mock-up:
(IPs are examples)
Router: 192.0.0.1
Target subnet: 10.0.1.0/24
Target machine in subnet: 10.0.1.101/32

Roadwarrior: 172.0.0.1

Corresponding iked.confs:
Router iked.conf:
ikev2 'road2router' esp \
 from 0.0.0.0/0 to 10.0.2.1/32 \
 peer 172.0.0.1 local 192.0.0.1 \
 srcid roadwarrior.domain.com \
 dstid router.domain.com

roadwarrior iked.conf:
ikev2 'road2router' esp \
 from 0.0.0.0/0 to 10.0.2.1/32 \
 peer 192.0.0.1 local 172.0.0.1 \
 srcid roadwarrior.domain.com \
 dstid router.domain.com


So... that is it. I do admit I am slightly confused by the config options in iked.conf. When do I need to configure an IP address for the client in iked with 'config'? Help would be SO much appreciated.

Thanks a lot for your time.

Best regards,
Niav
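
A quick consistency check for a pair of iked.conf policies like the two quoted above, added here as an example (it is neither iked's own code nor the poster's): it joins the backslash continuations, reads the one-argument keywords, reports every setting that is not mirrored between the two sides (from/to, peer/local, srcid/dstid), and checks whether a given host falls inside the remote traffic selector. It assumes a single ikev2 block without `config` lines or macros; the policy texts are constructed copies of those in the post.

```python
import ipaddress
import shlex

# Constructed copies of the two policies quoted in the post (sample input).
ROUTER_CONF = """ikev2 'road2router' esp \\
 from 0.0.0.0/0 to 10.0.2.1/32 \\
 peer 172.0.0.1 local 192.0.0.1 \\
 srcid roadwarrior.domain.com \\
 dstid router.domain.com
"""
ROADWARRIOR_CONF = """ikev2 'road2router' esp \\
 from 0.0.0.0/0 to 10.0.2.1/32 \\
 peer 192.0.0.1 local 172.0.0.1 \\
 srcid roadwarrior.domain.com \\
 dstid router.domain.com
"""

# Keywords this simplified parser understands; each takes exactly one argument.
KEYWORDS = {"from", "to", "peer", "local", "srcid", "dstid"}
# (key on side A, key on side B): A's local-side value must equal B's remote-side value.
MIRROR = [("from", "to"), ("to", "from"), ("peer", "local"), ("local", "peer"),
          ("srcid", "dstid"), ("dstid", "srcid")]


def parse_policy(text):
    """Join iked.conf continuation lines and read one 'ikev2' block into a dict."""
    tokens = shlex.split(text.replace("\\\n", " "))
    if not tokens or tokens[0] != "ikev2":
        raise ValueError("expected a policy starting with 'ikev2'")
    policy = {"name": tokens[1], "proto": tokens[2]}
    i = 3
    while i < len(tokens):
        if tokens[i] in KEYWORDS and i + 1 < len(tokens):
            policy[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1  # flags and unknown keywords are skipped
    return policy


def mirror_mismatches(side_a, side_b):
    """Return (key_a, value_a, key_b, value_b) for every setting the two sides do not mirror."""
    return [(ka, side_a.get(ka), kb, side_b.get(kb))
            for ka, kb in MIRROR if side_a.get(ka) != side_b.get(kb)]


def remote_selector_covers(policy, host):
    """Is 'host' inside the policy's remote selector ('to')? If not, traffic to it never enters the tunnel."""
    return ipaddress.ip_address(host) in ipaddress.ip_network(policy["to"], strict=False)


if __name__ == "__main__":
    router, road = parse_policy(ROUTER_CONF), parse_policy(ROADWARRIOR_CONF)
    print(mirror_mismatches(router, road), remote_selector_covers(road, "10.0.1.101"))
```

Run against the two policies above it reports four unmirrored settings and that 10.0.1.101 is outside the roadwarrior's `to` selector.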

