Post on 08-Dec-2016


Linksys BEFVP41 VPN Router to OpenBSD IPSec Server + Wireless Mini How-To

10 March, 2002

1. Introduction

2. OpenBSD IPSec Setup

3. Linksys BEFVP41 Setup

4. Troubleshooting and Known Issues

5. IPSec over Wireless for Dummies

6. Links and ACKs

Appendix A - OpenBSD Config Files

A.1 - /etc/isakmpd/isakmpd.policy

A.2 - /etc/isakmpd/isakmpd.conf

A.3 - /etc/nat.conf

1. Introduction

This document describes how to use the Linksys BEFVP41 VPN Router as a VPN client to an OpenBSD IPSec server.

OpenBSD is a secure, UNIX-like operating system with integrated cryptography. That integrated crypto makes it an ideal platform for an IPSec VPN server / gateway.

The Linksys BEFVP41 VPN router is a highly configurable 4-port 10/100 switch and Cable/DSL router with VPN support. It costs as little as $150 and supports NAT, providing transparent VPN support for any ethernet-connected computer regardless of the computer's operating system. For the same single-copy price as many VPN software clients, you can provide VPN support for all of the computers connected behind it.

Refer to Section 6, "Links and ACKs", for more general information on OpenBSD, IPSec, and the Linksys BEFVP41.

Questions or comments regarding this document should be directed to Beetle ([email protected]).

2. OpenBSD IPSec Setup

This section describes how to set up the OpenBSD IPSec server. For more general information on installing OpenBSD, etc., refer to Section 6, "Links and ACKs".

The OpenBSD IPSec configuration must offer some combination of DES or 3DES encryption with MD5 or SHA authentication, because those are the only algorithms the Linksys BEFVP41 can negotiate. Although manual (static-key) tunnels could probably be established between an OpenBSD IPSec server and a Linksys BEFVP41, the simplest and quickest setup uses IKE with a shared passphrase. Be aware that this is the weak end of what IPSec can do: single DES has a 56-bit key, and 3DES, MD5 and the 1024-bit MODP group used in Appendix A are all considered weak today. A pre-shared key is also only as strong as the passphrase behind it, so choose a long, random one.

These instructions assume the following:

- your OpenBSD IPSec server's "external" interface that will be accepting IPSec connections is rl0

- rl0's IP is 192.168.1.1

- the network the VPN clients will wish to connect to is 192.168.10.0

- the OpenBSD IPSec server's "internal" interface on the 192.168.10.0 network is sis0

- sis0's IP is 192.168.10.254

You will undoubtedly have to translate the values in these instructions to match your configuration, as well as any explicit references to these values in the configuration files provided in Appendix A, "OpenBSD Config Files".

Refer to Appendix A, "OpenBSD Config Files", and as the root user copy the isakmpd.policy and isakmpd.conf files to the /etc/isakmpd directory on the OpenBSD IPSec server. Change the "Authentication" line of isakmpd.conf to the passphrase you would like to use. Because that file holds the pre-shared key in the clear, ensure that isakmpd.policy and isakmpd.conf are readable only by root by using this command, as root:

chmod 600 /etc/isakmpd/isakmpd*

Start isakmpd by entering the command:

isakmpd

To have it start at every boot, set isakmpd_flags="" in /etc/rc.conf (it defaults to NO).

Copy the nat.conf file from Appendix A to the /etc directory on the OpenBSD IPSec server. As root, enter this command:

pfctl -F all -N /etc/nat.conf

3. Linksys BEFVP41 Setup

This section describes how to set up the Linksys BEFVP41 VPN router to connect to the OpenBSD IPSec server configured in Section 2, "OpenBSD IPSec Setup". For more general information on simply setting up the Linksys BEFVP41, refer to Section 6, "Links and ACKs".

Ensure that you have properly set up the Linksys BEFVP41 for your networking environment. You should be able to ping the Linksys BEFVP41, log on to the BEFVP41 web-based configuration, and of course ping or connect to the actual OpenBSD IPSec server normally. It is imperative that you have normal networking with the Linksys BEFVP41 working before continuing further. A VPN will not work if your normal network does not work.

These instructions assume the following:

- your local private network behind the Linksys BEFVP41 is 10.0.0.0

- the BEFVP41's internal IP (and your private network's default gateway) is 10.0.0.254

- your OpenBSD IPSec server's IP is 192.168.1.1

- the remote secure network you wish to connect securely to is 192.168.10.0

From one of the local private IPs behind the Linksys BEFVP41, log on to the Linksys BEFVP41's web-based configuration utility by browsing to 10.0.0.254 with a web browser.

Select the "VPN" tab from the default "Setup" page to begin configuring the Linksys BEFVP41 to connect to the OpenBSD IPSec server.

Select a tunnel entry - "Tunnel 1".

Enter a name for the tunnel - "Net-B to Net-A" in this case.

Select "Subnet" from the drop-down box "Local Secure Group". This should be your local private network subnet - "10.0.0.0" with a mask of "255.255.255.0". This is the network the OpenBSD side calls Net-B in Appendix A.

Select "Subnet" from the drop-down box "Remote Secure Group". This should be the remote network you wish to securely connect to - "192.168.10.0" with a mask of "255.255.255.0".

Select "IP Addr" from the drop-down box "Remote Security Gateway". This should be the IP of the remote OpenBSD IPSec server awaiting IPSec connections - "192.168.1.1".

Select the "3DES" radio button for "Encryption".

Select the "MD5" radio button for "Authentication".

Select "Auto (IKE)" from the drop-down box "Key Management". Do NOT check the "Perfect Forward Secrecy" checkbox: the quick-mode suite in Appendix A (QM-ESP-3DES-MD5-SUITE) does not negotiate a PFS group, and both ends must agree on this.

Enter the passphrase from your OpenBSD IPSec server's /etc/isakmpd/isakmpd.conf file in the "Pre-shared Key" textbox - "thisisthepassphrase" in the example, but use the passphrase you actually set in Section 2, not this placeholder.

Enter "86400" as the time in seconds in the "Key Lifetime" textbox. This matches LIFE_1_DAY (86400 seconds) in the isakmpd.conf of Appendix A.

Click the "Apply" button. Your settings should be successfully saved and you will be returned to the "VPN" screen with your new settings displayed and the "Status" will read "Disconnected".

Click the "Connect" button. The "Status" will read "Connected".

Congratulations. You're done. All traffic you now send to the 192.168.10.0 subnet will be encrypted and tunnelled to the OpenBSD IPSec server. The OpenBSD IPSec server will receive the encrypted packets from the external IP of the Linksys BEFVP41 VPN router, decrypt them, discover they are from a 10.0.0.0 subnet address and NAT the unencrypted traffic as 192.168.10.254 onto the 192.168.10.0 subnet (this is the nat.conf rule from Appendix A.3). The OpenBSD IPSec server will then receive the unencrypted response packets, encrypt them for your 10.0.0.0 subnet address and send them back to the Linksys BEFVP41's external IP address, which will in turn decrypt the responses and deliver them to your private IP. Note that only traffic matching the tunnel's "Remote Secure Group" is protected; everything else leaves the Linksys in the clear.

For example, a Windows box ethernet-connected as 10.0.0.1 to the Linksys BEFVP41 VPN router on one of the 4 10/100 ports, pinging a 192.168.10.0 address over an established VPN tunnel (the screenshot is not reproduced here).

Meanwhile, listening on the OpenBSD box's IPSec-facing interface, we can see the traffic is encrypted.

[root@openbsdbox /]tcpdump -n -i rl0
tcpdump: listening on rl0
08:25:01.413180 esp 192.168.1.31 > 192.168.1.1 spi 0x7AE9A847 seq 1 len 92
08:25:01.416102 esp 192.168.1.1 > 192.168.1.31 spi 0xD2F1156F seq 1 len 92
08:25:02.404962 esp 192.168.1.31 > 192.168.1.1 spi 0x7AE9A847 seq 2 len 92
08:25:02.407736 esp 192.168.1.1 > 192.168.1.31 spi 0xD2F1156F seq 2 len 92
08:25:03.406413 esp 192.168.1.31 > 192.168.1.1 spi 0x7AE9A847 seq 3 len 92
08:25:03.409179 esp 192.168.1.1 > 192.168.1.31 spi 0xD2F1156F seq 3 len 92
08:25:04.408903 esp 192.168.1.31 > 192.168.1.1 spi 0x7AE9A847 seq 4 len 92
08:25:04.411738 esp 192.168.1.1 > 192.168.1.31 spi 0xD2F1156F seq 4 len 92

And listening on the OpenBSD IPSec server's 192.168.10.0-connected interface we can see the traffic* is now unencrypted and NAT'd as 192.168.10.254.

* this tcpdump was run at a different time for a separate ping session, hence the time difference

[root@openbsdbox /]tcpdump -n -i sis0
tcpdump: listening on sis0
08:30:23.339769 192.168.10.254 > 192.168.10.1: icmp: echo request
08:30:23.342691 192.168.10.1 > 192.168.10.254: icmp: echo reply
08:30:24.338076 192.168.10.254 > 192.168.10.1: icmp: echo request
08:30:24.341107 192.168.10.1 > 192.168.10.254: icmp: echo reply
08:30:25.339698 192.168.10.254 > 192.168.10.1: icmp: echo request
08:30:25.342198 192.168.10.1 > 192.168.10.254: icmp: echo reply
08:30:26.340946 192.168.10.254 > 192.168.10.1: icmp: echo request
08:30:26.343301 192.168.10.1 > 192.168.10.254: icmp: echo reply
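The two captures above are the check that matters: on rl0, traffic for 192.168.10.0 should only ever appear as ESP, and on sis0 it should arrive already re-sourced as 192.168.10.254. The following script, added to this how-to as an example and not part of the original document, applies those two checks to tcpdump -n output and also verifies that each SPI's ESP sequence numbers only go up, which is what the receiver's anti-replay window enforces. The sample lines are constructed from the captures shown above, with one cleartext packet added on rl0 to show what a leak looks like; the interface roles and addresses are the ones assumed throughout Section 2.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Selectors from Sections 2 and 3: the remote secure group the tunnel
# protects, the client range nat.conf translates, and its NAT address.
PROTECTED_NET = ipaddress.ip_network("192.168.10.0/24")
CLIENT_NET = ipaddress.ip_network("10.0.0.0/8")
NAT_ADDR = ipaddress.ip_address("192.168.10.254")

# OpenBSD "tcpdump -n" line shapes as printed in Section 3:
#   HH:MM:SS.usec esp SRC > DST spi 0xSPI seq N len L
#   HH:MM:SS.usec SRC > DST: icmp: echo request
ESP_RE = re.compile(
    r"^(\S+)\s+esp\s+(\S+)\s+>\s+(\S+)\s+spi\s+(0x[0-9A-Fa-f]+)\s+seq\s*(\d+)\s+len\s+(\d+)")
PLAIN_RE = re.compile(r"^(\S+)\s+(\S+)\s+>\s+(\S+):\s+(.*)$")

# Constructed sample captures: the lines shown in Section 3, plus one
# cleartext packet on rl0 that a working tunnel must never produce.
SAMPLE_RL0 = [
    "08:25:01.413180 esp 192.168.1.31 > 192.168.1.1 spi 0x7AE9A847 seq 1 len 92",
    "08:25:01.416102 esp 192.168.1.1 > 192.168.1.31 spi 0xD2F1156F seq 1 len 92",
    "08:25:02.404962 esp 192.168.1.31 > 192.168.1.1 spi 0x7AE9A847 seq 2 len 92",
    "08:25:02.407736 esp 192.168.1.1 > 192.168.1.31 spi 0xD2F1156F seq 2 len 92",
    "08:25:05.000000 192.168.1.31 > 192.168.10.1: icmp: echo request",  # constructed leak
]
SAMPLE_SIS0 = [
    "08:30:23.339769 192.168.10.254 > 192.168.10.1: icmp: echo request",
    "08:30:23.342691 192.168.10.1 > 192.168.10.254: icmp: echo reply",
]


def _host(tok: str) -> ipaddress.IPv4Address:
    """tcpdump prints 'addr.port' for TCP/UDP; strip the port if present."""
    try:
        return ipaddress.IPv4Address(tok)
    except ValueError:
        return ipaddress.IPv4Address(tok.rsplit(".", 1)[0])


def audit_external(lines: List[str]) -> Dict[str, List[str]]:
    """Audit the IPSec-facing interface (rl0): protected-subnet traffic must
    only appear inside ESP, and each SA's sequence numbers must only increase."""
    last_seq: Dict[Tuple[str, str, str], int] = {}
    leaks: List[str] = []
    replays: List[str] = []
    for line in lines:
        m = ESP_RE.match(line)
        if m:
            ts, src, dst, spi, seq, _ = m.groups()
            key = (src, dst, spi)
            n = int(seq)
            if n <= last_seq.get(key, 0):
                replays.append(f"{ts} spi {spi} seq {n} not above last seen {last_seq.get(key, 0)}")
            else:
                last_seq[key] = n
            continue
        m = PLAIN_RE.match(line)
        if m:
            ts, src, dst, rest = m.groups()
            if _host(src) in PROTECTED_NET or _host(dst) in PROTECTED_NET:
                leaks.append(f"{ts} cleartext {src} > {dst} ({rest.strip()}) on the external interface")
    return {"leaks": leaks, "replays": replays}


def audit_internal(lines: List[str]) -> List[str]:
    """Audit the inside interface (sis0): decrypted tunnel traffic must already
    carry the NAT address; a 10.0.0.0/8 source means nat.conf was not loaded."""
    bad: List[str] = []
    for line in lines:
        m = PLAIN_RE.match(line)
        if m and _host(m.group(2)) in CLIENT_NET:
            bad.append(f"{m.group(1)} un-NATed source {m.group(2)} > {m.group(3)} (expected {NAT_ADDR})")
    return bad


if __name__ == "__main__":
    print(audit_external(SAMPLE_RL0))
    print(audit_internal(SAMPLE_SIS0))
```

In practice you would pipe a live capture into it (tcpdump -n -i rl0 -l | python3 audit.py, reading sys.stdin instead of the sample lists). A cleartext hit on rl0 is exactly the "Disconnected" case from Section 4: the Linksys falls back to plain NAT and the packets cross the wire unprotected.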

4. Troubleshooting and Known Issues

This section gives some quick tips on troubleshooting the IPSec connection between the OpenBSD IPSec server and the Linksys BEFVP41 VPN router. Some known issues are mentioned here also. For more general IPSec troubleshooting information, refer to Section 6, "Links and ACKs".

- Ensure your general network settings are correct. If your network doesn't work when IPSec is not in use, it probably won't work with IPSec enabled.

- If the Linksys BEFVP41 configuration "VPN" tab's status is "Disconnected", you are NOT connected. Your traffic will not be encrypted until you see "Connected" as the "Status".

- Click the "View Log" button on the "VPN" tab to discover why you may not be connecting successfully. The most common cause is a value that differs between the two ends: the pre-shared key, the encryption / authentication pair, the PFS checkbox, or the secure-group subnets versus the Net-A / Net-B sections of isakmpd.conf. On the OpenBSD side, running isakmpd in the foreground with debugging (isakmpd -d -DA=90) shows the negotiation as it fails.

Note: Sometimes the VPN tunnel dies for no apparent reason. The Linksys BEFVP41 must be accessed and the "Apply" and "Connect" buttons must be clicked for the specific tunnel to re-establish the secure connection. This bug seems random in nature.

Note: Selecting "Any" as "Remote Secure Group" on the "VPN" setup tab does not seem to mean "Any" in the OpenBSD IPSec sense, i.e. it does not make all outbound traffic get encrypted to the OpenBSD IPSec server. Instead, this feature seems to mean "accept encrypted traffic from ANY incoming IP", which does not help when the goal is to encrypt all outbound traffic by default.
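Most "Disconnected" states come down to a value that differs between the two ends. The following checker, added here as an example and not part of the original how-to or of isakmpd, reads the isakmpd.conf from Appendix A (abridged inline to the tags it needs) and compares the Phase 1 transform, the Phase 2 suite, the PFS setting, the pre-shared key and the secure-group subnet with what was entered on the BEFVP41's "VPN" tab, then lists any mismatch. It also flags the weak choices the BEFVP41 forces on you (single DES, the 1024-bit MODP group, a short or placeholder passphrase). The LINKSYS_TUNNEL dictionary and the suite-name pattern QM-ESP-{DES,3DES}-{MD5,SHA}[-PFS]-SUITE are this example's assumptions; the latter follows isakmpd's built-in quick-mode suite names.

```python
import configparser
import re
from typing import Dict, List

# Constructed input: the isakmpd.conf from Appendix A.2, abridged to the tags read below.
SAMPLE_CONF = """
[Phase 1]
Default= HostB
[Phase 2]
Connections= HostA-HostB
[HostB]
Phase= 1
Configuration= Default-main-mode
Authentication= thisisthepassphrase
[HostA-HostB]
Phase= 2
Configuration= Default-quick-mode
Local-ID= Net-A
Remote-ID= Net-B
[Net-B]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 255.255.255.0
[Default-main-mode]
Transforms= 3DES-MD5
[Default-quick-mode]
Suites= QM-ESP-3DES-MD5-SUITE
[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM=MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life=LIFE_1_DAY
[LIFE_1_DAY]
LIFE_DURATION=86400,79200:93600
"""

# What was typed into the BEFVP41 "VPN" tab in Section 3 (constructed, assumed layout).
LINKSYS_TUNNEL: Dict = {
    "encryption": "3DES",        # radio button: DES or 3DES
    "authentication": "MD5",     # radio button: MD5 or SHA
    "pfs": False,                # "Perfect Forward Secrecy" checkbox
    "psk": "thisisthepassphrase",
    "key_lifetime": 86400,       # seconds
    "local_subnet": ("10.0.0.0", "255.255.255.0"),  # "Local Secure Group" = Net-B on OpenBSD
}
ENC_KEYWORD = {"DES": "DES_CBC", "3DES": "3DES_CBC"}
# isakmpd's built-in quick-mode suite names (assumed pattern); -PFS- variants add a DH group.
SUITE_RE = re.compile(r"QM-ESP-(DES|3DES)-(MD5|SHA)(-PFS)?-SUITE")


def parse_conf(text: str) -> configparser.ConfigParser:
    # '=' only: isakmpd values such as LIFE_DURATION contain ':'; keys are case-sensitive.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check(text: str, tunnel: Dict) -> List[str]:
    """MISMATCH = the tunnel will not come up; WEAK = it will, but badly; NOTE = look at it."""
    cp = parse_conf(text)
    out: List[str] = []
    want_enc, want_hash = ENC_KEYWORD[tunnel["encryption"]], tunnel["authentication"]

    # Phase 1: [Phase 1] Default -> peer section -> main-mode section -> transform(s)
    peer = cp[cp["Phase 1"]["Default"]]
    psk = peer["Authentication"]
    if psk != tunnel["psk"]:
        out.append("MISMATCH pre-shared key differs from the Linksys 'Pre-shared Key' field")
    if psk == "thisisthepassphrase" or len(psk) < 20:
        out.append("WEAK pre-shared key is the how-to's placeholder or shorter than 20 characters")
    for tname in cp[peer["Configuration"]]["Transforms"].split(","):
        t = cp[tname.strip()]
        if t["ENCRYPTION_ALGORITHM"] != want_enc or t["HASH_ALGORITHM"] != want_hash:
            out.append(f"MISMATCH phase 1 {tname.strip()}: {t['ENCRYPTION_ALGORITHM']}/"
                       f"{t['HASH_ALGORITHM']} vs Linksys {tunnel['encryption']}/{want_hash}")
        if t["AUTHENTICATION_METHOD"] != "PRE_SHARED":
            out.append("MISMATCH phase 1 must be PRE_SHARED; the BEFVP41 only offers a pre-shared key")
        if int(cp[t["Life"]]["LIFE_DURATION"].split(",")[0]) != tunnel["key_lifetime"]:
            out.append("NOTE phase 1 lifetime differs from the Linksys 'Key Lifetime'")
        if t["ENCRYPTION_ALGORITHM"] == "DES_CBC":
            out.append("WEAK single DES has only a 56-bit key")
        if t.get("GROUP_DESCRIPTION") == "MODP_1024":
            out.append("WEAK MODP_1024 is a 1024-bit Diffie-Hellman group")

    # Phase 2: [Phase 2] Connections -> connection -> quick-mode section -> suite(s)
    for cname in cp["Phase 2"]["Connections"].split(","):
        conn = cp[cname.strip()]
        for suite in cp[conn["Configuration"]]["Suites"].split(","):
            m = SUITE_RE.fullmatch(suite.strip())
            if m is None:
                out.append(f"MISMATCH suite {suite.strip()} is outside the DES/3DES x MD5/SHA set the BEFVP41 offers")
                continue
            if m.group(1) != tunnel["encryption"] or m.group(2) != want_hash:
                out.append(f"MISMATCH phase 2 suite {suite.strip()} vs Linksys {tunnel['encryption']}/{want_hash}")
            if (m.group(3) is not None) != tunnel["pfs"]:
                out.append(f"MISMATCH PFS: suite {suite.strip()} vs Linksys PFS checkbox {tunnel['pfs']}")
        remote = cp[conn["Remote-ID"]]
        if (remote["Network"], remote["Netmask"]) != tunnel["local_subnet"]:
            out.append("MISMATCH Remote-ID subnet differs from the Linksys 'Local Secure Group'")
    return out


if __name__ == "__main__":
    for finding in check(SAMPLE_CONF, LINKSYS_TUNNEL):
        print(finding)
```

Run against the Appendix A file as shipped, it reports no MISMATCH but does flag the placeholder passphrase and MODP_1024. Ticking the PFS box on the Linksys, or switching it to DES while leaving 3DES in isakmpd.conf, each shows up as a MISMATCH before you spend time in "View Log".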

5. IPSec over Wireless for Dummies

This section describes how to deploy the Linksys BEFVP41 at local wireless sites as a means of encrypting their insecure wireless traffic to the central LAN or corporate Intranet wireless access point. For more information about wireless technology or IPSec over wireless, refer to Section 6, "Links and ACKs".

Suppose you have remote corporate campus sites that reach the central LAN or corporate Intranet by being ethernet-connected to a NAT box or bridge, which in turn connects to the central LAN or Intranet via a wireless workgroup bridge or an access point in client mode. You can use the Linksys BEFVP41 VPN router to supersede the wireless insecurities of WEP and provide secure wireless access for these remote sites.

For example, a wireless ISP (WISP) has potential customers that would like a simple yet secure means of connecting to the WISP. Because WEP is so insecure, IPSec is the only practical solution for securing their remote connections, barring expensive hardware, EAP / LEAP with a commercial RADIUS back-end, etc. However, IPSec adds a layer of client complexity that could make client configuration and troubleshooting a veritable nightmare. The customers simply want a box that maintains a wireless connection to the WISP and a NAT router they can plug their network-card-equipped PCs into that gives them transparent access to the Internet. Theoretical instructions for a basic configuration that provides this simple solution for customer premises equipment (or corporate remote sites) follow:

Set up the OpenBSD IPSec server at the WISP central office. The primary interface connects to the Intranet or Internet. The OpenBSD server's secondary interface should connect via a cross-over cable to a Linksys WAP11 wireless access point.

At the remote site, set up a Linksys WAP11 in client mode to access the WISP's WAP11. Connect a crossover cable from the client-mode WAP11 to a Linksys BEFVP41 VPN router. Connect remote-site client PCs to the Linksys VPN router directly or to a hub dropping off the Linksys VPN router.

Test networking. Follow the above instructions (Sections 2-4) for using a Linksys BEFVP41 VPN router to connect to an OpenBSD IPSec server, creating a tunnel for your corporate LAN or Intranet. To ensure that most default Internet traffic is encrypted, simply specify corporate DNS, HTTP proxies, and mail servers to provide name resolution, web content delivery, and email services respectively. As these servers should be in your corporate LAN or Intranet and all traffic to that network is encrypted via IPSec, your remote sites have a predominantly secure wireless connection. Anything not sent to those servers (a direct connection to an outside host, for instance) still crosses the wireless link protected at most by WEP, since the "Any" remote group does not catch all outbound traffic (see Section 4); hence "predominantly" rather than "entirely".

I currently have this "theoretical" architecture in place. A diagram that visually explains this setup follows (image not reproduced here).

6. Links and ACKs

Here are links that may prove useful for topics mentioned in this document:

OpenBSD - http://www.openbsd.org

Using IPSec - http://www.openbsd.org/faq/faq13.html

Linksys BEFVP41 VPN Router - http://www.linksys.com/products/vpnrouter.asp

Using IPSec Clients with OpenBSD - http://www.allard.nu/openbsd/

Replacing WEP with IPSec - http://rt.fm/~jcs/ipsec_wep.html

I would like to acknowledge the following entities for various reasons:

Google - for quickly providing relevant search results on terms such as "openbsd", "wireless", and "ipsec".

Linksys - for making inexpensive feature-rich network equipment - the WAP11 and BEFVP41 especially.

Allard Consulting - for providing info and a mailing list on OpenBSD IPSec clients and example isakmpd.conf files that were modified for use with the Linksys BEFVP41.

Appendix A - OpenBSD Config Files

A.1 - /etc/isakmpd/isakmpd.policy

KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

A.2 - /etc/isakmpd/isakmpd.conf

[Phase 1]
Default= HostB

[Phase 2]
Connections= HostA-HostB

[HostB]
Phase= 1
Transport= udp
Configuration= Default-main-mode
Authentication= thisisthepassphrase

[HostA-HostB]
Phase= 2
ISAKMP-peer= HostB
Configuration= Default-quick-mode
Local-ID= Net-A
Remote-ID= Net-B

[Net-A]
ID-type= IPV4_ADDR_SUBNET
Network= 0.0.0.0
Netmask= 0.0.0.0

[Net-B]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 255.255.255.0

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-MD5

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-MD5-SUITE

[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM=MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life=LIFE_1_DAY

[LIFE_1_DAY]
LIFE_TYPE=SECONDS
LIFE_DURATION=86400,79200:93600

A.3 - /etc/nat.conf

# $OpenBSD: nat.conf,v 1.4 2001/07/09 23:20:46 millert Exp $
#
# See nat.conf(5) for syntax and examples
#
# replace ext0 with external interface name, 10.0.0.0/8 with internal network
# and 192.168.1.1 with external address
#
# nat: packets going out through ext0 with source address 10.0.0.0/8 will get
# translated as coming from 192.168.1.1. a state is created for such packets,
# and incoming packets will be redirected to the internal address.
# nat on ext0 from 10.0.0.0/8 to any -> 192.168.1.1
# rdr: packets coming in through ext0 with destination 192.168.1.1:1234 will
# be redirected to 10.1.1.1:5678. a state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
# rdr on ext0 proto tcp from any to 192.168.1.1/32 port 1234 -> 10.1.1.1 port 5678

# decrypted tunnel traffic from the Linksys side leaves sis0 as 192.168.10.254;
# the tunnel only carries 10.0.0.0/24 (Net-B), so /24 would be a tighter match
nat on sis0 from 10.0.0.0/8 to any -> 192.168.10.254