14 April

openbsd ipsec.conf roadwarrior puzzlestone

Took me a while to notice...

When setting up the IPSec NAT on my "roadwarrior" laptop, I was baffled for quite some time with the question: How do I set up the src address, without having to edit ipsec.conf whenever I am on a different network in a different RFC1918 private natted address range? One day I would be on and the next on

# this can't be it!! wtf?
# ike dynamic from iwn0 to any
# ike dynamic from iwn0 to any
ike dynamic from iwn0 to any

Add up DHCP on all those networks and this really can't be it.

Turns out the information / solution actually is in the man page (yay for OpenBSD man pages):

Addresses can be specified in CIDR notation (matching netblocks), as
symbolic host names, interface names, or interface group names.

So basically what you can do is to start your ipsec.conf setup with your interface name as something like:

ike dynamic esp from iwn0 to any

Which means that the ipsec tunnel will get set up on whatever address that interface gets assigned. And you could even create an interface group "vpn" to cover both your wifi and ethernet interfaces. Neat.

The next thing to find out for me is how I can do from iwn0 to any but not to my local subnet... but I guess I'll figure that out too some day.

BTW: having OpenBSD IPSec on both sides of my VPN made the setup really easy.

Posted by betabug at 17:55 | Comments (0) | Trackbacks (0)
<< xrandr example script | Main | Getting the current session name from tmux >>
There are no comments.
Please send trackback to: http://betabug.ch/blogs/bsdcow/47/tbping
There are no trackbacks.
Leave a comment
Please note: Comments are moderated. Your comment will not show up until I can have a look at it and decide it's not SPAM. Sorry for the inconvenience.