This week I’ve spent a lot of time mucking around with IPSec VPNs. I thought I should informally document some of my settings in the hope that in a years time, when I’ve forgotten everything, I have some sort of base to build on.

OS: OpenBSD >= 3.8 / Windows 7

Protocol: IPSec

Part 1 – Common Configuration

Make sure the following are enabled (via /etc/sysctl.conf or the sysctl command)


OpenBSD is awesome thanks to ipsecctl; a 4 line configuration file is all you need for a basic setup. But first we need to start isakmpd the IKEv1 key management daemon. As we are using ipsecctl to manage most of the setup, we use the -K option to ignore the isakmpd.policy file.

To see the log files for isakmpd use -DA=nn to set the debug level of all classes to nn (where nn is between 0 and 99; I’d suggest 50). Combine with with -d to keep the daemon running in the foreground.

isakmpd -K -DA=50 -d > /tmp/isakmpd.log 2>&1

ipsecctl is used in a similar way to everyone favorite tool pfctl. To load a configuration just run:

ipsecctl -f /etc/ipsec.conf

Don’t forget to check your firewall as well, you’ll need to open up port 500 (UDP) and if you want to see the unencrypted traffic set skip on enc0.

(TODO: I also have “pass in on $if_ext inet proto esp from any to $server_me_ext” is this actually needed?)

Part 2 – Site to Site IPSec OpenBSD <-> OpenBSD

Open up /etc/ipsec.conf with vim, and then curse and moan that OpenBSD still doesn’t include vim in a default install.

Our site-site config looks like:

ike esp from to \
        peer \
        main auth hmac-sha1 enc aes \
        quick auth hmac-sha1 enc aes \
        srcid psk "put a real pre shared key here"

Where is the local internal network, is the remote network, is the remote external IP and our eternal IP is

(TODO: Fix this to use macros and define this nicely)

All that’s left is to run ipsecctl and then replicate these settings on your other OpenBSD box (all the settings will just be reversed) and you’re done.

Part 3 – Road Warrior IPSec OpenBSD <-> Windows 7

As you can see, still super simple. We are using passive mode here so our server will not try to make a VPN connection, just listen for one.

ike passive from any to any \
        main auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha1 enc aes \
        psk "good pre shared secrets are important"

(TODO: from any to any, will this give access to the entire network? Wouldn’t from to any be better?)

(TODO: Why do we use DH Group 2 (modep1024) here and not above?)

On the Windows side I’m using Shrew Soft’s VPN client which is not only free, but works well.

I created a new Site Configuration and used the follow settings (click the image for a full view).

Of note:

  • Disable auto configuration
  • Change authentication to mutual PSK and entered the PSK
  • Set exchange type to main
  • Set DH Exchange to Group 2 for both phase 1 and phase 2

Part 4 – Summary

As you can tell I’m still learning this myself, and hopefully I’ll come back to this is a year, call my old-self an idiot and write a far better post.

Note: I wrote this at 5am in the morning, so please excuse all the mistakes