OpenBSD:: IPsec Heaven
So recently I set about the arduous task of condensing 8 standalone VPN gateways into one unit. I had decided to merge all that functionality into our main OpenBSD router/gateway/packet filter. I was dreading the task because, in the past, configuring IPsec by hand was quite the nightmare, mostly involving checking and rechecking multiple config files until my eyes and brain were bleeding, and I was ripping the hair from my scalp in ever larger handfuls.
I am happy to report that the addition of the ipsecctl utility in combination with ipsec.conf has turned this procedure into a relative breeze.
I still had several pitfalls:
- As per usual I scanned the net for howtos; there were some. It turned out all I really had to do was read the ipsec.conf man page. Even if you know nothing about IPsec, if you read the man page you should be able to gain the understanding necessary to implement at least a basic configuration.
- On the remote end the lifetime values for phase 1 were too short. Briefly examining the logs on both systems pointed me to the problem. Also, ipsecctl is pretty great for debugging issues.
- After fixing this, the OpenBSD messages log was filling up with failed connection attempts every minute or so. The VPN was still up, however? Flushing the SAs on both sides resolved this issue.
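An added example, not from the post, of what such a consolidated ipsec.conf looks like: two of the site-to-site tunnels on one gateway, with the phase 1 and phase 2 lifetimes stated explicitly so both ends can be checked against each other. Addresses and PSKs are placeholders, and the lifetime keyword and other option names are as I recall them from ipsec.conf(5); verify them against the man page on your release.

```conf
# Added example (not from the post): two of the consolidated site-to-site
# tunnels in one /etc/ipsec.conf. Addresses are documentation-range
# placeholders and the PSKs are stand-ins. Option names are taken from
# ipsec.conf(5) as I know it; check them against your release's man page.
# isakmpd must be started with -K (isakmpd_flags="-K") so it reads this
# file's rules rather than a keynote policy.

local_gw  = "192.0.2.1"
local_net = "10.10.0.0/16"

siteA_gw  = "198.51.100.7"
siteA_net = "10.20.0.0/24"

siteB_gw  = "203.0.113.9"
siteB_net = "10.30.0.0/24"

# Phase 1 (main) and phase 2 (quick) lifetimes are written out instead of
# relying on defaults. A remote end with a shorter phase 1 lifetime than
# ours is exactly the mismatch that shows up as repeated renegotiation
# noise in /var/log/messages, so use the same values on both gateways.
ike esp from $local_net to $siteA_net local $local_gw peer $siteA_gw \
    main  auth hmac-sha2-256 enc aes-256 group modp2048 lifetime 3600 \
    quick auth hmac-sha2-256 enc aes-256 group modp2048 lifetime 1200 \
    psk "REPLACE-WITH-SITE-A-PSK"

ike esp from $local_net to $siteB_net local $local_gw peer $siteB_gw \
    main  auth hmac-sha2-256 enc aes-256 group modp2048 lifetime 3600 \
    quick auth hmac-sha2-256 enc aes-256 group modp2048 lifetime 1200 \
    psk "REPLACE-WITH-SITE-B-PSK"

# Workflow after editing this file:
#   ipsecctl -n -f /etc/ipsec.conf   # parse only; catches typos before loading
#   ipsecctl -f /etc/ipsec.conf      # load the rules into isakmpd
#   ipsecctl -sa                     # list the current SAs while debugging
#   ipsecctl -F                      # flush SAs on both sides after a lifetime
#                                    # change, then reload so they renegotiate
```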
So I was able to eliminate a stack of hardware, saving both space and energy, with the added bonus of segmenting all the local client systems onto their own little VLANs to enhance manageability from our internal network.
OpenBSD truly is an amazing product. It has allowed me to avoid paying boatloads of cash for Cisco PIX hardware, and still maintain a somewhat similar feature parity. The only caveat is that when it comes to advanced configuration you actually have to understand what you are doing; you can’t just look up the commands in a vendor playbook. (Note: this is not a bad thing, and it makes for better admins.)