Heureka, es ist möglich, eine VPN-Verbindung mit SSH Sentinel und einem preshared secret auf ein folgendermassen konfiguriertes OpenBSD Gateway zu etablieren.

Verwendet wurde OpenBSD 3.3
# vi /etc/sysctl.conf

# Let the kernel process IPsec ESP packets (the protocol the tunnel on this page uses).
net.inet.esp.enable=1
# Let the kernel process IPsec AH packets.
# NOTE(review): the isakmpd settings on this page negotiate ESP only; leave AH
# disabled if nothing else on the gateway needs it.
net.inet.ah.enable=1

# sysctl -w net.inet.esp.enable=1
# sysctl -w net.inet.ah.enable=1

# vi /etc/isakmpd/isakmpd.conf

# isakmpd.conf for a gateway that waits for IPsec clients which all
# authenticate with one pre-shared key.

# Phase 1 (IKE SA): Default names the peer section applied to incoming peers
# that have no entry of their own, which here is every client.
[Phase 1]
Default= ISAKMP-clients

# Phase 2 (IPsec SA): connections listed under Passive-Connections are
# answered when a peer proposes them; the gateway does not initiate them.
[Phase 2]
Passive-Connections= IPsec-clients

# Phase 1 peer definition shared by all clients.
# Authentication holds the pre-shared key in clear text; the value below is a
# placeholder. Use a long random secret and keep this file readable by root
# only. Because this section is the Phase 1 default, every client uses the
# same key, so a single leaked client configuration affects all of them.
[ISAKMP-clients]
Phase= 1
Configuration= Default-main-mode
Authentication= some-secret-passphrase

# Phase 2 connection: ties the quick-mode proposal to the local and remote IDs.
[IPsec-clients]
Phase= 2
Configuration= Default-quick-mode
Local-ID= Local-net
Remote-ID= Remote-host

# Network behind the gateway that is offered to the clients.
[Local-net]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.1.0
Netmask= 255.255.255.0

# 0.0.0.0/0.0.0.0 matches any client address. That suits clients whose
# address changes, but it means the remote ID does not restrict who may
# negotiate a tunnel; only the pre-shared key and isakmpd.policy do.
[Remote-host]
ID-type= IPV4_ADDR_SUBNET
Network= 0.0.0.0
Netmask= 0.0.0.0

# Phase 1 proposal: main mode (ID_PROT) with 3DES encryption and SHA hashing.
# NOTE(review): 3DES and SHA-1 are legacy algorithms; choose a stronger
# transform if this isakmpd release and the client both offer one.
[Default-main-mode]
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA

# Phase 2 proposal: quick mode, ESP with 3DES and SHA; the suite name
# indicates that PFS is requested.
# NOTE(review): Transforms is normally a phase 1 tag; in a quick-mode section
# the Suites line selects the proposal. Confirm the Transforms line is needed.
[Default-quick-mode]
DOID= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Transforms= 3DES-SHA
Suites= QM-ESP-3DES-SHA-PFS-SUITE

# vi /etc/isakmpd/isakmpd.policy

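Keynote-version: 2
Comment: The conditions only require ESP with a non-null cipher. There is no
    Licensees field and no condition on the ESP authentication algorithm,
    so this policy does not narrow which authenticated peers or which
    integrity algorithms are accepted; tighten both before production use.
    Strings must use plain ASCII double quotes and continuation lines must
    be indented, otherwise the assertion does not parse.
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
    esp_present == "yes" &&
    esp_enc_alg != "null" -> "true";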

# vi /etc/pf.conf

# VPN
# Let IPsec ESP packets in.
# NOTE(review): unlike the IKE rule below, this rule has no "on $ext_if" and
# accepts any destination; consider limiting it to the external interface and
# the gateway's own address.
pass in proto esp from any to any
# Let IKE negotiation (UDP port 500) in on the external interface.
# $ext_if has to be defined as a macro elsewhere in pf.conf.
pass in on $ext_if proto udp from any to any port = 500

# /sbin/isakmpd
# echo /sbin/isakmpd >> /etc/rc.local