Ipsec gre between OpenBSD en Linux
Linux Side:
Tools u need are:
racoon
ipsec-tools
/etc/ipsec-tools.conf
spdadd <Remote IP> <Local IP> any
-P in ipsec esp/transport/<Remote IP>-<Local IP>/require;
spdadd <Local IP> <Remote IP> any
-P out ipsec esp/transport/<Local IP>-<Remote IP>/require;
/etc/racoon/psk.txt
<Remote IP> <Your PSK>
/etc/racoon/racoon.conf
remote <Remote IP> {
exchange_mode main;
proposal {
encryption_algorithm blowfish;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
}
}
sainfo address <Local IP>/32 any address <Remote IP>/32 any {
pfs_group modp1024;
encryption_algorithm blowfish;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
sainfo address <Remote IP>/32 any address <Local IP>/32 any {
pfs_group modp1024;
encryption_algorithm blowfish;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
Configuration on the OpenBSD side:
Keep in mind the if PF is enabled you need to add firewall rules for the ipsec traffic
proto ah
proto esp
proto ipencap
port 500 udp
and check the rules for interface enc0 its advised to set skip on that interface
/etc/ipsec.conf
ike esp transport from <Local IP> to <Remote IP> peer <Remote IP> \ main auth hmac-md5 enc blowfish group modp1024 \ quick auth hmac-md5 enc blowfish group modp1024 \ psk <Your PSK>
/etc/isakmpd/isakmpd.policy
Authorizer: "POLICY" Comment: This bare-bones assertion accepts everything
/etc/sysctl.conf
net.inet.gre.allow=1 net.inet.ipip.allow=1 net.inet.ah.enable=1 net.inet.esp.enable=1
/etc/rc.conf
isakmpd_flags="" ipsec=YES
