Vpn.OpenIKED

version=pmwiki-2.2.130 ordered=1 urlencoded=1
agent=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
author=gloNO
charset=UTF-8
csum=
ctime=1635924188
host=176.103.75.121
name=Vpn.OpenIKED
rev=13
targets=
text=!! Server configuration

[[#iked.conf]]
!!! iked.conf

Add this to /etc/iked.conf (replace '''vpn_user_name''' and '''vpn_user_password''' with the username and password you will use to connect, replace '''203.0.113.5''' with your server's public IP address, and replace '''vpn.ircnow.org''' with vpn.your.domain, e.g. vpn.user.host.ircnow.org):

[@
doas vi /etc/iked.conf
@]
----

[@
vpn_user_name = "vpn-user"
vpn_user_password = "vpn-password"

remote_gw = "203.0.113.5"
vpn_id = "vpn.ircnow.org"
client_pool = "10.0.5.0/24"
client_dns = "203.0.113.5"

user $vpn_user_name $vpn_user_password
ikev2 'user_vpn' passive esp \
 from any to dynamic \
 local $remote_gw peer any \
 srcid $vpn_id \
 eap "mschap-v2" \
 config address $client_pool \
 config name-server $client_dns \
 tag "ROADW"
@]

The value of the vpn_id macro MUST be different from your IRCnow hostname. For example, if your IRCNow hostname is "user.host.ircnow.org", pick something like "vpn.user.host.ircnow.org". Whatever you pick must be a valid hostname that resolves to an IP address. The 'from any' rule allows any user to connect. The name-server option sets the DNS server that VPN clients will use, so in this example you must have a working caching name server listening on 203.0.113.5. Note that packets from these clients are tagged ROADW; the pf rules below match on that tag.

!!! pf.conf

iked depends upon packet filter being enabled. First, make sure packet filter is enabled if it is off:

[@
doas pfctl -e
@]

Add this to /etc/pf.conf:

[@
doas vi /etc/pf.conf
@]
----

[@
ext_if = "vio0"   # your external interface, see below

pass in inet proto udp to port {isakmp, ipsec-nat-t} tag IKED
pass in inet proto esp tag IKED
pass on enc0 inet tagged ROADW
match out on $ext_if inet tagged ROADW nat-to $ext_if
match in quick on enc0 inet proto { tcp, udp } to port 53 rdr-to 127.0.0.1 port 53
@]

where '''ext_if''' is your external interface (the original page's rule wrote nat-to ext_if without the $; the macro must be expanded here, and it must be defined before it is used).

To find your external interface, type:
[@
ifconfig
@]

The external interface is the one with the public IP address. If OpenBSD runs on a virtual machine, the external interface is probably vio0.

To reload the new pf ruleset:
[@
doas pfctl -f /etc/pf.conf
@]

!!! Certificates

At this point, we need to create a PKI and X.509 certificates that the VPN client can use to verify the server. From the command line, run:

[@
# ikectl ca vpn create
# ikectl ca vpn install
@]

''certificate for CA 'vpn' installed into /etc/iked/ca/ca.crt''\\
''CRL for CA 'vpn' installed to /etc/iked/crls/ca.crl''

[@
# ikectl ca vpn certificate vpn.user.host.ircnow.org create
# ikectl ca vpn certificate vpn.user.host.ircnow.org install
@]

''writing RSA key''

Replace '''vpn.user.host.ircnow.org''' with the hostname you picked for the value of '''vpn_id''' in [[#iked.conf | iked.conf]]. The certificate's name must match srcid exactly, or clients will reject the server's identity.

!! Client configuration
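A pre-flight check for the server-side values in the iked.conf section above, added here as an example and not part of the original wiki page (the function names are mine). It enforces what the page states: vpn_id must differ from the IRCNow hostname and be a syntactically valid hostname, remote_gw and client_dns must be IPv4 addresses, client_pool must be a valid network, and the placeholder credentials must be replaced; it then renders the ikev2 policy with the checked values.

```python
import ipaddress
import re

# Loose RFC 1123 hostname syntax. DNS resolution is deliberately not attempted
# here (offline check), so "resolves to an IP address" remains a manual step.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$"
)
# The literal values the page ships in its iked.conf template.
PLACEHOLDERS = {"vpn-user", "vpn-password"}


def check_settings(ircnow_host, vpn_id, remote_gw, client_pool, client_dns, user, password):
    """Return a list of problems; an empty list means the values are usable."""
    problems = []
    if vpn_id.lower() == ircnow_host.lower():
        problems.append("vpn_id must differ from the IRCNow hostname")
    if not HOSTNAME_RE.match(vpn_id.lower()):
        problems.append("vpn_id is not a valid hostname")
    for name, value in (("remote_gw", remote_gw), ("client_dns", client_dns)):
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            problems.append(f"{name} is not an IPv4 address")
    try:
        # strict=True (the default) rejects "10.0.5.1/24": host bits must be zero.
        net = ipaddress.IPv4Network(client_pool)
        if net.prefixlen > 30:
            problems.append("client_pool leaves no addresses to hand out")
    except ValueError:
        problems.append("client_pool is not a valid IPv4 network")
    if user in PLACEHOLDERS or password in PLACEHOLDERS:
        problems.append("replace the placeholder username/password")
    return problems


def render_iked_conf(vpn_id, remote_gw, client_pool, client_dns, user, password):
    """Render the road-warrior policy from the page with concrete values."""
    return (
        f'user "{user}" "{password}"\n'
        "ikev2 'user_vpn' passive esp \\\n"
        "    from any to dynamic \\\n"
        f"    local {remote_gw} peer any \\\n"
        f"    srcid {vpn_id} \\\n"
        '    eap "mschap-v2" \\\n'
        f"    config address {client_pool} \\\n"
        f"    config name-server {client_dns} \\\n"
        '    tag "ROADW"\n'
    )
```

Run check_settings() before writing the rendered text into /etc/iked.conf; confirm that vpn_id resolves with `host vpn_id` separately, since that is not checked offline.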
time=1636299929