From securityrouter.org, an OpenBSD-based firewall
Revision as of 14:02, 3 January 2019 by Anders (talk | contribs)

We generally recommend L2TP for client VPN and IKE for site-to-site VPN, because they are mature OpenBSD projects. However, recent versions include IKEv2 support, implemented by iked and configured in the "ike" scope of the plain-text configuration file. Current limitations are:

  • No web administration interface
  • Cannot be used together with IKEv1 or L2TP, and is difficult to use with manual-key IPsec because it flushes the flows and SAs on startup

Gateway to gateway

You can use either PKI or pre-shared keys to set up authentication.

ikev2 active esp from to peer srcid myname dstid yourname psk "badsecret"
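The following is an added example, not from the securityrouter.org page: a small POSIX shell script that prints a mirrored pair of gateway-to-gateway policies (initiator and responder) so that selectors, peer addresses and identities agree on both sides, and that refuses a short or placeholder pre-shared key such as the "badsecret" above. The networks, gateway addresses and ids are constructed placeholders (RFC 5737 documentation ranges).

```shell
#!/bin/sh
# Added example (not the securityrouter.org page's own text): build two
# mirrored ikev2 policies for iked and gate the PSK on basic strength.
# All networks, addresses and ids below are constructed placeholders.

# Reject a pre-shared key that is a well-known placeholder or too short.
# Returns 0 when acceptable, 1 otherwise.
check_psk() {
    psk=$1
    case "$psk" in
        ""|badsecret|secret|password|changeme) return 1 ;;
    esac
    # iked takes the psk as a string, so require at least 32 characters.
    [ "${#psk}" -ge 32 ] || return 1
    return 0
}

# Generate a random 48-character hexadecimal PSK from the kernel RNG.
gen_psk() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Print one side's policy. Arguments:
#   $1 role (active|passive)  $2 local net  $3 remote net
#   $4 peer address  $5 own id  $6 peer id  $7 psk
policy_line() {
    printf 'ikev2 %s esp from %s to %s peer %s srcid %s dstid %s psk "%s"\n' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$7"
}

# Print both gateways' policies with from/to, peer and srcid/dstid swapped
# so the two ends describe the same tunnel. Returns 1 on a weak PSK.
mirrored_policies() {
    net_a=$1 gw_a=$2 id_a=$3 net_b=$4 gw_b=$5 id_b=$6 psk=$7
    check_psk "$psk" || { echo "refusing weak psk" >&2; return 1; }
    echo "# gateway $id_a (initiator)"
    policy_line active  "$net_a" "$net_b" "$gw_b" "$id_a" "$id_b" "$psk"
    echo "# gateway $id_b (responder)"
    policy_line passive "$net_b" "$net_a" "$gw_a" "$id_b" "$id_a" "$psk"
}

# Demo run with constructed values; paste each half into the matching
# gateway's "ike" scope.
mirrored_policies 192.168.1.0/24 198.51.100.1 hq.example.net \
                  192.168.2.0/24 203.0.113.1  branch.example.net "$(gen_psk)"
```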

Client VPN

Windows 7, iOS 9 and OS X 10.11[1] or newer support IKEv2, which is compatible with a simple IKEv2 configuration such as

ike {
   ikev2 "win" esp from to local any peer any srcid config address
}

where is the office network, is the VPN router IP and is the client's IP address. To generate certificates compatible with Windows, the most convenient way is to enable root access, install Perl, then install the zip package on the system (zip lets the export command produce Windows-friendly files)

# mount -uw /
# pkg_add zip

and finally generate the certificates with

# ikectl ca vpn create
# ikectl ca vpn install
# ikectl ca vpn certificate create
# ikectl ca vpn certificate install
# ikectl ca vpn certificate client.example.com create
# ikectl ca vpn certificate client.example.com export

and copy client.example.com.zip to the Windows computer, where you import "ca" into the "Trusted Root Certification Authorities" store and "client.example.com" into the "Personal" store of the local machine certificate MMC snap-in. As in the example above, "" is the VPN router IP and "client.example.com" is the Windows client.