Here be dragons. This section should cover the basics:
- Three stages: Key distribution, IPSec setup, GRE setup
- In theory, BGPd can set up IPSec flows itself, but we're not using that here because that prevents you from using another BGP daemon such as bird
Key generation and distribution
Using pre-generated keys
OpenBSD generates keys suitables for IPSec usage during the installation. The public key can be found in
Generating your own keys
If you don't want to use a pre-generated key, refer to isakmpd(8).
Send your public key to your peer, preferrably digitally signed. A signature can be created with
gpg -sb -a local.pub and checked with
gpg --verify local.pub.asc. Since the key is not private, it can be transmitted in the open and on a public forum, such as a Pastebin service.
Once your peer sent you their public key, it under
/etc/isakmpd/ipv6, depending on the ID type the peer is using. The key file should be named after the peers ID. For example, if your peer is
22.214.171.124, you place their public key under
If your peers public key is not in PEM format, you can use pubkey-converter to convert between key formats.
Change the value of the
isakmpd_flags variable in
"-K", or add the
"-K" flag if you already have flags in there.
Next, add the right flow parameters to
/etc/ipsec.conf. We are using the following parameters in this example:
- Encryption: AES-128
- Authentication hash: HMAC-SHA1
- DH Group:
- Phase 1 lifetime: 28800 seconds
- Phase 2 lifetime: 3600 seconds
- Peer address: 126.96.36.199
- Local address: 188.8.131.52
The configuration file should look like this:
mymachine = "184.108.40.206" mypeer = "220.127.116.11" ike esp transport proto gre from $mymachine to $mypeer \ main auth hmac-sha1 enc aes-128 group modp1536 lifetime 28800 \ quick auth hmac-sha1 enc aes-128 group modp1536 lifetime 3600
Load the configuration file into isakmpd:
ipsecctl -f /etc/ipsec.conf. Once the connection is established, the IPSec flows can be listed with
# ipsecctl -sa FLOWS: flow esp in proto gre from 18.104.22.168 to 22.214.171.124 peer 126.96.36.199 srcid 188.8.131.52/32 dstid 184.108.40.206/32 type use flow esp out proto gre from 220.127.116.11 to 18.104.22.168 peer 22.214.171.124 srcid 126.96.36.199/32 dstid 188.8.131.52/32 type require SAD: esp transport from 184.108.40.206 to 220.127.116.11 spi 0xdeadbeef auth hmac-sha1 enc aes esp transport from 18.104.22.168 to 22.214.171.124 spi 0xf00df00d auth hmac-sha1 enc aes
Next, we will set up the GRE device. The gre(4) device encapsulates IPv4 and IPv6 traffic, which allows you to speak both address families over one tunnel if you only have native connectivity for one address family. The addresses configured onto the GRE device should come from a private address range that is not used anywhere in DN42, or a registered transfer net. For IPv6, you should use either ULAs or Link-Local addresses. In this example, we assume you are using 10.20.30.0/31 as the IPv4 transfer "net" (it has only two addresses, so calling it a network is a bit of an overstatement) and Link-Local addresses for IPv6.
# ifconfig gre0 tunnel 126.96.36.199 188.8.131.52 # ifconfig gre0 inet 10.20.30.0 10.20.30.1 # reverse these on your peer's side # ifconfig gre0 inet6 eui64
These settings should also be added to
tunnel 184.108.40.206 220.127.116.11 inet 10.20.30.0 10.20.30.1 inet6 eui64