14 April 2012

openbsd ipsec.conf roadwarrior puzzlestone

Took me a while to notice...

When setting up IPsec on my NATed "roadwarrior" laptop, I was baffled for quite some time by the question: how do I set up the src address without having to edit ipsec.conf whenever I am on a different network in a different RFC 1918 private address range? One day I would be on 192.168.1.17 and the next on 10.0.1.28:

# this can't be it!! wtf?
# ike dynamic esp from 192.168.1.17 to any
# ike dynamic esp from 10.0.2.5 to any
ike dynamic esp from 10.0.1.28 to any

Add DHCP on all those networks and this really can't be it.

Turns out the solution is actually in the ipsec.conf(5) man page (yay for OpenBSD man pages):

Addresses can be specified in CIDR notation (matching netblocks), as
symbolic host names, interface names, or interface group names.

So basically what you can do is write your ipsec.conf rule with the interface name as the source, something like:

ike dynamic esp from iwn0 to any

Which means the IPsec tunnel will be set up from whatever address that interface gets assigned. You could even create an interface group "vpn" covering both your wifi and ethernet interfaces. Neat.
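Putting this together, here is a complete roadwarrior-side setup using an interface group, as an added example rather than the config from the post; the group name vpn, the gateway address 203.0.113.1 and the srcid/dstid values are placeholders:

```conf
# --- /etc/hostname.iwn0 and /etc/hostname.em0 ---
# Each interface file gets this extra line (it is passed to ifconfig at boot),
# so both the wifi and the ethernet interface join the group "vpn":
#   group vpn
# Or at runtime:  ifconfig iwn0 group vpn ; ifconfig em0 group vpn

# --- /etc/ipsec.conf on the laptop ---
# Placeholder values: the gateway address and the identities are made up.
gateway = "203.0.113.1"

# The source is the interface GROUP, not an address: ipsecctl expands it to
# the primary address of each member interface when the rules are loaded,
# so the same file works on 192.168.1.x one day and 10.0.1.x the next.
ike dynamic esp from vpn to any peer $gateway srcid laptop.example.com dstid gw.example.com

# Checks:
#   ipsecctl -n -f /etc/ipsec.conf   # parse only, nothing is loaded
#   ipsecctl -f /etc/ipsec.conf      # load the rules
#   ipsecctl -sf                     # show the resulting flows and their src address
# Caveat: the interface-to-address expansion happens at load time, so after
# moving to a new network (new DHCP lease) reload the rules, or the flows
# still carry the old source address.
```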

The next thing for me to find out is how I can do from iwn0 to any but not to my local subnet... but I guess I'll figure that out too some day.

BTW: having OpenBSD IPSec on both sides of my VPN made the setup really easy.


Posted by betabug at 17:55