Friday, June 01, 2018

Re: iked.conf basics

On 2018-05-31, David Higgs <higgsd@gmail.com> wrote:
> I am looking to configure iked(8) on my OpenBSD router to provide
> IPsec services to remote clients. I would like to tunnel (nearly) all
> my traffic from my phone or laptop back into my home router, and
> leverage the services there (DNS, firewall, etc.), then either access
> my local network or the rest of the internet. I think I want my
> router to be a VPN proxy - is there more accurate/common terminology?
>
> I am having difficulty extracting what is and is not relevant from the
> iked.conf(5) man page, since this is new terminology to me. I believe
> that the first example is most appropriate for my router
> configuration, adapted something like this:
>
> # candidate iked.conf
> set mobike
> user "test" "password123"
> ikev2 esp \
> eap "mschap-v2" \
> config dhcp-server 10.0.0.1
>
> The parts I'm confused on are the from/to and peer/local fields.
> Which pair describes the IPs of the tunnel endpoints, and which

peer/local

> describes the traffic allowed to flow through the tunnel? I guess I

from/to

> don't know whether "IPsec flow" refers to the encapsulating ESP
> packets or the encapsulated traffic.

The "flow" is an SADB entry which matches traffic and selects it for
encapsulation. The addresses in a flow have to cover the packets sent
over the vpn.

Here's an iked example from my live config; it allows mobile clients to
connect and route all traffic over the VPN, assigning a dynamic address
from 192.168.47.160/27, with not-too-terrible ciphers for most typical
clients.

ikev2 "vpn" passive esp from 0.0.0.0/0 to 0.0.0.0/0 \
local x.x.x.x \
peer any \
ikesa enc aes-256 enc aes-128 prf hmac-sha2-256 auth hmac-sha2-256 group ecp256 \
ikesa enc aes-256 enc aes-128 prf hmac-sha2-256 prf hmac-sha1 auth hmac-sha2-256 group ecp256 group modp2048 group modp1024 \
childsa enc aes-256-gcm enc aes-128-gcm \
childsa enc aes-256 enc aes-128 auth hmac-sha2-256 auth hmac-sha1 \
srcid "my.host.name" \
eap "mschap-v2" \
config address 192.168.47.160/27 \
config name-server x.x.x.x \
tag "$name-$id"

include "/etc/iked.users"

If you have any Windows clients note that the default ciphers are
absolutely bloody useless, for the powershell snippets needed to fix
this see comments in https://github.com/trailofbits/algo/issues/9.
If you don't need to support Windows clients you can probably get
rid of hmac-sha1/group modp1024 and the non-gcm aes entries.

To actually route the traffic you'll need net.inet.ip.forwarding
set and, depending on setup, probably also a nat rule, maybe something
like

match out on egress from 192.168.47.160/27 nat-to (egress:0)

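The same road-warrior setup written out as a complete set of router files, added here as an example; it is not the config from the reply above and not something shipped with OpenBSD. It keeps the structure of the live config but drops the Windows-compatibility fallbacks (hmac-sha1, modp1024, non-GCM ESP), adds the iked.users file the include line expects, the forwarding sysctl, and pf rules that let IKE and ESP reach the router (the reply only mentions the nat rule; the pass rules are my addition). The address 203.0.113.1, the resolver 192.168.47.1, the name vpn.example.com and the user entry are placeholders I chose. The comments spell out the from/to versus local/peer distinction from the question.

```conf
# ---- /etc/iked.conf ----------------------------------------------------
# Added example, not the reply's own config. Placeholders: 203.0.113.1
# (router's public address), 192.168.47.160/27 (client pool),
# 192.168.47.1 (resolver on the router), vpn.example.com (srcid).
#
# from/to    = the IPsec flow: which packets are selected for ESP
#              encapsulation. 0.0.0.0/0 on both sides means every packet,
#              i.e. a full tunnel; iked narrows the remote side to the
#              address it hands out via "config address".
# local/peer = the outer tunnel endpoints that exchange IKE and ESP.
#              "peer any" accepts clients from addresses not known ahead
#              of time (phones, laptops behind NAT).
#
# Proposals: no hmac-sha1, no modp1024, GCM only for ESP, ECDH PFS on
# the child SA. Windows clients need the weaker fallbacks the reply lists.

set mobike

ikev2 "vpn" passive esp from 0.0.0.0/0 to 0.0.0.0/0 \
	local 203.0.113.1 \
	peer any \
	ikesa enc aes-256 enc aes-128 prf hmac-sha2-256 auth hmac-sha2-256 \
	      group ecp256 group modp2048 \
	childsa enc aes-256-gcm enc aes-128-gcm group ecp256 \
	srcid "vpn.example.com" \
	eap "mschap-v2" \
	config address 192.168.47.160/27 \
	config name-server 192.168.47.1 \
	tag "$name-$id"

include "/etc/iked.users"

# ---- /etc/iked.users (root-owned, mode 0600) ---------------------------
# One line per EAP-MSCHAPv2 account; the password is stored in clear
# text, so keep this file out of iked.conf and out of version control.
user "alice" "a-long-random-passphrase-chosen-for-this-example"

# ---- /etc/sysctl.conf --------------------------------------------------
# Without this the router decapsulates client packets and then drops them.
net.inet.ip.forwarding=1

# ---- /etc/pf.conf (fragment) -------------------------------------------
vpn_net = "192.168.47.160/27"

# IKE on UDP 500, NAT-T on UDP 4500, and ESP, all addressed to the router.
pass in on egress proto udp to (egress) port { isakmp, ipsec-nat-t }
pass in on egress proto esp to (egress)

# Decapsulated client traffic appears on enc0 carrying the pool addresses.
pass in on enc0 from $vpn_net

# Clients headed for the internet leave with the router's address (the
# rule from the reply); LAN-bound traffic is simply forwarded.
match out on egress from $vpn_net nat-to (egress:0)
```

The responder still authenticates itself to EAP clients with a certificate whose identity matches srcid, so /etc/iked/private/local.key and a matching certificate under /etc/iked/certs have to exist before this will negotiate. After `rcctl enable iked && rcctl start iked` and `pfctl -f /etc/pf.conf`, `ikectl show sa` lists the negotiated IKE and child SAs and `ipsecctl -sa` shows the resulting flows, which is where you confirm that the from/to selector covers the traffic you expect to be tunnelled.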