IPSec between OpenBSD and Mac OS X Howto
This Howto gives the basics of setting up a road-warrior style IPsec VPN between your OpenBSD gateway and your road-warrior Mac OS X machine.
What is road warrior? – This means your IP is changing all the time. It doesn’t necessarily mean that you carry bazookas to a knife fight on the road.
Configuring OpenBSD
Edit your /etc/rc.conf to contain the following:
isakmpd_flags="-K4dv"
Create the file /etc/ipsec.conf. Here's what mine looks like... kinda.
ike passive from any to any \
main auth hmac-sha1 enc aes group modp1024 \
quick auth hmac-sha1 enc aes psk YOURSHAREDKEYHERE
Run ipsecctl to load the /etc/ipsec.conf file we just created into isakmpd:
ipsecctl -f /etc/ipsec.conf
Configuring Mac OS X
First download IPSecuritas from Lobotomo Software.
Import the following config file, and be sure to change the line "sainfo subnet 172.16.175.4/32 any subnet 10.20.30.0/23 any": 172.16.175.4/32 is your Mac's local IP and 10.20.30.0/23 is the remote subnet you want to reach. The same two addresses also appear in the "remote" (your gateway) and "listen" (your Mac) blocks.
log notify;
path pre_shared_key "/Library/Application Support/Lobotomo Software/IPSecuritas/psk.txt";
path certificate "/Library/Application Support/Lobotomo Software/IPSecuritas/certs";

padding {
    maximum_length 20;
    randomize on;
    strict_check off;
    exclusive_tail on;
}

timer {
    counter 5;
    interval 5 seconds;
    persend 1;
    phase1 15 seconds;
    phase2 15 seconds;
}

# Connection "OpenBSD Gateway"
remote 192.149.131.95 {
    verify_cert off;
    verify_identifier off;
    initial_contact on;
    passive off;
    support_proxy off;
    generate_policy off;
    verify_cert off;
    send_cert on;
    send_cr on;
    mode_cfg off;
    ike_frag on;
    doi ipsec_doi;
    situation identity_only;
    nat_traversal off;
    exchange_mode main;
    proposal_check obey;
    nonce_size 16;
    my_identifier address;
    peers_identifier address;
    proposal {
        lifetime time 1800 seconds;
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo subnet 172.16.175.4/32 any subnet 10.20.30.0/23 any {
    lifetime time 1800 seconds;
    pfs_group modp1024;
    encryption_algorithm des, 3des, aes 256, aes 192, aes 128;
    authentication_algorithm hmac_md5, hmac_sha256;
    compression_algorithm deflate;
}

listen {
    isakmp 172.16.175.4 [500];
    isakmp_natt 172.16.175.4 [4500];
    adminsock "/Library/Application Support/Lobotomo Software/IPSecuritas/admin.sock";
}
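Before troubleshooting a tunnel that will not come up, it helps to see the two proposal sets side by side. The script below is an added example, not part of this Howto or of OpenBSD/IPSecuritas: it parses the ipsec.conf "ike" rule above and the racoon-style file IPSecuritas imports, compares the algorithm families each side offers per phase, and flags entries on a short weak list (the list and the placeholder addresses are my choices). Key lengths are deliberately ignored, so how isakmpd treats a bare "aes" is left to ipsec.conf(5). Run on the page's values it reports that the Mac's phase-2 authentication list (hmac_md5, hmac_sha256) shares nothing with the gateway's hmac-sha1.

```python
import re

WEAK = {"des", "hmac_md5", "modp768"}  # example choice of algorithms to flag if either side lists them

def parse_ipsec_conf(text):
    # 'main' = phase 1, 'quick' = phase 2 of an ipsec.conf 'ike' rule; key lengths dropped ('aes-256' -> 'aes')
    flat = " ".join(line.rstrip("\\") for line in text.splitlines())
    phases = {}
    for phase in ("main", "quick"):
        m = re.search(rf"\b{phase}\b(.*?)(?=\bquick\b|\bpsk\b|$)", flat)
        kv = dict(re.findall(r"\b(auth|enc|group)\s+(\S+)", m.group(1) if m else ""))
        phases[phase] = {"enc": {re.sub(r"-\d+$", "", kv["enc"])} if "enc" in kv else set(),
                         "auth": {kv["auth"].replace("-", "_")} if "auth" in kv else set(),
                         "group": {kv["group"]} if "group" in kv else set()}
    return phases

def parse_racoon_conf(text):
    # 'proposal { }' = phase 1, 'sainfo ... { }' = phase 2 of the racoon-style file IPSecuritas exports
    def block(name):
        m = re.search(name + r"[^{]*\{([^}]*)\}", text)
        return m.group(1) if m else ""
    def algs(body, key):  # "des, aes 256" -> {"des", "aes"}: key lengths dropped as above
        m = re.search(key + r"\s+([^;]+);", body)
        return {re.sub(r"\s+\d+$", "", a.strip()) for a in m.group(1).split(",")} if m else set()
    p1, p2 = block(r"\bproposal\b"), block(r"\bsainfo\b")
    return {"main": {"enc": algs(p1, "encryption_algorithm"), "group": algs(p1, "dh_group"),
                     "auth": {"hmac_" + a for a in algs(p1, "hash_algorithm")}},
            "quick": {"enc": algs(p2, "encryption_algorithm"), "group": algs(p2, "pfs_group"),
                      "auth": algs(p2, "authentication_algorithm")}}

def compare(openbsd, racoon):
    # Per phase/parameter the OpenBSD rule sets: what both sides offer, and which offered algorithms are WEAK
    report = {}
    for phase in ("main", "quick"):
        for key in ("enc", "auth", "group"):
            ours, theirs = openbsd.get(phase, {}).get(key, set()), racoon[phase][key]
            if ours:  # unset on the OpenBSD side: nothing to compare
                report[(phase, key)] = {"common": ours & theirs, "weak": (ours | theirs) & WEAK}
    return report
# Constructed samples, abbreviated from the two configs shown on this page (addresses are placeholders).
IPSEC_CONF = """ike passive from any to any \\
main auth hmac-sha1 enc aes group modp1024 \\
quick auth hmac-sha1 enc aes psk EXAMPLEKEY"""
RACOON_CONF = """remote 192.0.2.1 { exchange_mode main; proposal { encryption_algorithm aes 256;
    hash_algorithm sha1; authentication_method pre_shared_key; dh_group modp1024; } }
sainfo subnet 192.0.2.10/32 any subnet 10.20.30.0/23 any { pfs_group modp1024;
  encryption_algorithm des, 3des, aes 256, aes 192, aes 128; authentication_algorithm hmac_md5, hmac_sha256; }"""
REPORT = compare(parse_ipsec_conf(IPSEC_CONF), parse_racoon_conf(RACOON_CONF))
print(*(f"{p}/{k}: common={sorted(r['common']) or 'NONE'} weak={sorted(r['weak'])}" for (p, k), r in REPORT.items()), sep="\n")
```

Point the two constants at your real files to check your own pair of configs.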
You should be in really good shape from this point.