IPsec is often used for Virtual Private Networks (VPNs), but it can also be used between computers on a local network. IPsec provides encryption and authentication and prevents replay attacks.
Some useful protocols, such as NFS, NIS, and SNMP, don't have great security of their own. You can run them securely if your LAN is secured with IPsec.
OpenBSD supports IPsec natively, as well as Internet Key Exchange (IKE) protocol version 1. OpenIKED supports IKEv2, but doesn't support transport mode, meaning it can only be used for VPNs, so we'll use IKEv1 here.
Here's how to configure two computers to use IPsec to talk to each other. We'll use public keys (without X.509 certificates, for simplicity).
Host ipsecone (10.0.2.4)
# cat << EOF > /etc/ipsec.conf
ike active esp transport from 10.0.2.4 to 10.0.2.5 \
    main auth hmac-sha1 enc aes \
    quick auth hmac-sha2-256 enc aes
EOF
# chmod 640 /etc/ipsec.conf
# cd /etc/isakmpd/pubkeys/ipv4
# scp notRoot@10.0.2.5:/etc/isakmpd/local.pub 10.0.2.5    # copy remote's public key
# rcctl enable ipsec
# rcctl enable isakmpd
# rcctl set isakmpd flags "-KTv"    # K = use ipsec.conf for configuration, T = disable NAT traversal, v = verbose logging
# ipsecctl -vf /etc/ipsec.conf    # start ipsec, or reboot
# rcctl start isakmpd
Host ipsectwo (10.0.2.5)
# cat << EOF > /etc/ipsec.conf
ike active esp transport from 10.0.2.5 to 10.0.2.4 \
    main auth hmac-sha1 enc aes \
    quick auth hmac-sha2-256 enc aes
EOF
# chmod 640 /etc/ipsec.conf
# cd /etc/isakmpd/pubkeys/ipv4
# scp notRoot@10.0.2.4:/etc/isakmpd/local.pub 10.0.2.4    # copy remote's public key
# rcctl enable ipsec
# rcctl enable isakmpd
# rcctl set isakmpd flags "-KTv"    # K = use ipsec.conf for configuration, T = disable NAT traversal, v = verbose logging
# ipsecctl -vf /etc/ipsec.conf    # start ipsec, or reboot
# rcctl start isakmpd
Testing
On ipsecone, run
# tcpdump host 10.0.2.5
On ipsectwo, run
# ping 10.0.2.4
On ipsecone, you should see "esp" and "spi" in your tcpdump output.
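The check described above can be scripted so that cleartext traffic between the two hosts is flagged rather than spotted by eye. This is an added example, not part of the original page: the function names are hypothetical, the sample capture lines are constructed, and it assumes the capture was taken with `tcpdump -n` so addresses and ports are numeric.

```shell
#!/bin/sh
# check_capture LOCAL PEER   (reads tcpdump text lines on stdin)
# Prints "esp=N ike=N clear=N" and returns 0 only when ESP packets were
# seen and no unprotected packet passed between the two hosts.
check_capture() {
    awk -v a="$1" -v b="$2" '
        BEGIN {
            # turn each address into a regex that will not match e.g. 10.0.2.40
            gsub(/\./, "[.]", a); gsub(/\./, "[.]", b)
            ra = "(^|[^0-9.])" a "([^0-9]|$)"
            rb = "(^|[^0-9.])" b "([^0-9]|$)"
        }
        $0 !~ ra || $0 !~ rb   { next }            # traffic of other hosts
        / esp / && / spi /     { esp++; next }     # protected payload
        /\.500 > .*\.500:/     { ike++; next }     # IKE negotiation, UDP 500
                               { clear++ }         # anything else is cleartext
        END {
            printf "esp=%d ike=%d clear=%d\n", esp, ike, clear
            exit !(esp > 0 && clear == 0)
        }'
}

# Constructed sample: IKE exchange, ESP both ways, unrelated third host.
sample_protected() {
    printf '%s\n' \
        '12:00:00.100000 10.0.2.5.500 > 10.0.2.4.500: isakmp v1.0 exchange ID_PROT' \
        '12:00:01.200000 esp 10.0.2.5 > 10.0.2.4 spi 0x1a2b3c4d seq 1 len 116' \
        '12:00:01.200400 esp 10.0.2.4 > 10.0.2.5 spi 0x5e6f7a8b seq 1 len 116' \
        '12:00:02.000000 10.0.2.9 > 10.0.2.4: icmp: echo request'
}

# Constructed sample: one ESP packet, then a ping that bypassed IPsec.
sample_leaky() {
    printf '%s\n' \
        '12:00:05.000000 esp 10.0.2.5 > 10.0.2.4 spi 0x1a2b3c4d seq 2 len 116' \
        '12:00:06.000000 10.0.2.5 > 10.0.2.4: icmp: echo request'
}

sample_protected | check_capture 10.0.2.4 10.0.2.5
sample_leaky | check_capture 10.0.2.4 10.0.2.5 || echo "cleartext seen between peers"
```

On a live host, pipe the capture in instead of the samples, for example `tcpdump -n -c 20 host 10.0.2.5 | check_capture 10.0.2.4 10.0.2.5`.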
Logging
You can see IPsec / IKE log output at /var/log/daemon.