VPN On OpenBSD 配置小记

　　·ipf

　　·ipnat 以上三项需要重新链接之前安装内核头文件(include 的时候 "make include")

　　只有升级这些才可以修复OpenBSD 2.8中IPSec的问题，这些问题主要包括isakmpd导致的错误选路，同时也至少崩溃过几次。而且理论上AES的问题也可以得到解决，虽然笔者还没有实验过。

　　为了升级到最新内核，需要

　　·编译和安装libkvm

　　·编译ps,vmstat,top并安装到已经有新内核的机器上

　　读者可以在http://www.openbsd.org/anoncvs.html 查阅最新的更新。

　　新内核开始工作以后，两台可以作OpenBSD VPN的网关就出现了。保证两台系统的/etc/sysctl.conf里面都有"net.inet.esp.enable=1" ，这使esp(Encapsulated Security Protocol)能够工作，以后所有通过VPN隧道到达网关的流量都是以esp形式的。只要应用了正确的密钥，这些esp包就会被根据他们真正的解密协议、端口和内容进行重新处理。

　　下一件需要作的事情是让isakmpd开始工作，这样才可以让两个网关能够找到对方、验证对方的可信度从而开始交换密钥。

　　这部分工作就不详细描述了，man isakmpd应该已经能够解决问题，而且笔者用的是非常标准的配置。两台机器利用商定的公共秘密句子来交换密钥，这个密钥是给AES加密算法用的。下面是笔者的isakmpd的配置文件，依次为isakmpd.policy (适用LAN 1和2), isakmpd.conf.lan1, 和 isakmpd.conf.lan2.

　　1．KeyNote-Version:

　　Comment: This policy accepts ESP SAs from a remote that uses the right password
Authorizer: "POLICY"
Licensees: "passphrase:SecRetPhrasE"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes";
[h4]2. # $OpenBSD: VPN-east.conf,v 1.11 2001/04/09 23:27:29 nick1 Exp $[/h4]
# $EOM: VPN-east.conf,v 1.12 2001/04/09 22:08:30 nick2 Exp $
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
[General]
Retransmits= 5
Exchange-max-time= 120
[Phase 1]
Default= ISAKMP-LAN2gw
[Phase 2]
Connections= IPsec-LAN1-LAN2
[ISAKMP-LAN2gw]
Phase= 1
Transport= udp
Configuration= Default-main-mode
Authentication= SecRetPhrasE
[IPsec-LAN1-LAN2]
Phase= 2
ISAKMP-peer= ISAKMP-LAN2gw
Configuration= Default-quick-mode
Local-ID= Net-LAN1
Remote-ID= Net-LAN2
[Net-LAN2]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.105.0
Netmask= 255.255.255.0
[Net-LAN1]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.55.0
Netmask= 255.255.255.0
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE
[h4]3．# $OpenBSD: VPN-east.conf,v 1.11 2001/04/09 23:27:29 nick1 Exp $[/h4]
# $EOM: VPN-east.conf,v 1.12 2001/04/09 22:08:30 nick2 Exp $
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
[General]
Retransmits= 5
Exchange-max-time= 120
Listen-on= 25.50.100.200
[Phase 1]
25.50.100.200= ISAKMP-LAN1gw
[Phase 2]
Connections= IPsec-LAN2-LAN1
[ISAKMP-LAN1gw]
Phase= 1
Transport= udp
Address= 25.50.100.200
Configuration= Default-main-mode
Authentication= SecRetPhrasE
[IPsec-LAN2-LAN1]
Phase= 2
ISAKMP-peer= ISAKMP-LANAgw
Configuration= Default-quick-mode
Local-ID= Net-LAN2
Remote-ID= Net-LAN1
[Net-LAN1]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.35.0
Netmask= 255.255.255.0
[Net-LAN2]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.105.0
Netmask= 255.255.255.0
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE