OpenBSD IPSec made easy

Ingredients
Two OpenBSD 4.6 or higher machines, on either side of a network of some kind.

Network
The "network" this guide is based on is two VMware virtual machines running OpenBSD 4.6, connected by a host-only network, each with host-only networks on either side:

    Host-only (192.168.120.0/24)
              /|\
               |
              \|/
    obsd-ipsec-left (192.168.120.130 / 10.255.255.5)
              /|\
               |
              \|/
    10.255.255.4/30
              /|\
               |
              \|/
    obsd-ipsec-right (192.168.33.7 / 10.255.255.6)
              /|\
               |
              \|/
    Host-only (192.168.33.0/24)

Method
1) copy /etc/isakmpd/local.pub from left side to /etc/isakmpd/pubkeys/ipv4/10.255.255.6 on right

2) copy /etc/isakmpd/local.pub from right side to /etc/isakmpd/pubkeys/ipv4/10.255.255.5 on left

3) On the left side, build the configuration (the two sides are mirror images of each other, with local and remote swapped; the \$ escapes keep the macro names literal so that ipsec.conf, not the shell, expands them):

cat >/etc/ipsec.conf <<EOF
local_ip="10.255.255.5"
local_network="192.168.120.0/24"
remote_ip="10.255.255.6"
remote_network="192.168.33.0/24"
ike esp from { \$local_ip \$local_network } to \
    { \$remote_ip \$remote_network } peer \$remote_ip
ike esp from \$local_ip to \$remote_ip
EOF

4) On the right side:

cat >/etc/ipsec.conf <<EOF
local_ip="10.255.255.6"
local_network="192.168.33.0/24"
remote_ip="10.255.255.5"
remote_network="192.168.120.0/24"
ike esp from { \$local_ip \$local_network } to \
    { \$remote_ip \$remote_network } peer \$remote_ip
ike esp from \$local_ip to \$remote_ip
EOF

5) To test, run "isakmpd -K -d" (-d keeps it in the foreground, so use a second terminal for the next command), then "ipsecctl -f /etc/ipsec.conf" on each side.

6) Route each network to the other side's gateway, e.g.:

obsd-ipsec-left# route add -net 192.168.33/24 10.255.255.6
obsd-ipsec-right# route add -net 192.168.120/24 10.255.255.5

7) Ping each side.

8) Fire up 'tcpdump -ni enc0' and ping each side again. If you get output, then we have succeeded.

9) Make ISAKMPD and IPSec start on boot (both machines). Leave /etc/rc.conf itself alone and put the overrides in /etc/rc.conf.local, which rc(8) reads after it; sed on OpenBSD 4.6 has no -i, so the substituted lines are appended there:

sed -n -e 's/^isakmpd_flags=NO/isakmpd_flags="-K"/p' \
       -e 's/^ipsec=NO/ipsec=YES/p' /etc/rc.conf >> /etc/rc.conf.local

10) Make the route setting permanent:

obsd-ipsec-left# echo '!route add -net 192.168.33/24 10.255.255.6' \
    >> /etc/hostname.vic1
obsd-ipsec-right# echo '!route add -net 192.168.120/24 10.255.255.5' \
    >> /etc/hostname.vic1
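Steps 3/4, 9 and 10 differ between the two boxes only in which addresses are local and which are remote, so they can be generated from the role. The script below is an added example and not part of the original guide; it assumes the addresses from the diagram, the vic1 interface name, and a ROOT argument (a scratch directory, default /) that exists only so it can be tried without touching the real /etc. It also refuses to write anything if the peer's public key from steps 1/2 is not where isakmpd looks for it.

```shell
#!/bin/sh
# Added example, not from the original guide. Renders /etc/ipsec.conf, the
# hostname.if route line and the rc.conf.local entries for one gateway,
# after checking that the peer's public key from steps 1/2 is in place.

# Addresses from the network diagram above.
LEFT_IP=10.255.255.5;  LEFT_NET=192.168.120.0/24
RIGHT_IP=10.255.255.6; RIGHT_NET=192.168.33.0/24

# Usage: gen_gateway left|right [ROOT] [IFACE]
# ROOT (assumed parameter, default /) lets the script be tried in a scratch dir.
gen_gateway() {
    role=$1; root=${2:-}; iface=${3:-vic1}
    case "$role" in
        left)  lip=$LEFT_IP;  lnet=$LEFT_NET;  rip=$RIGHT_IP; rnet=$RIGHT_NET ;;
        right) lip=$RIGHT_IP; lnet=$RIGHT_NET; rip=$LEFT_IP;  rnet=$LEFT_NET ;;
        *) echo "usage: gen_gateway left|right [ROOT] [IFACE]" >&2; return 2 ;;
    esac
    # isakmpd looks up the peer's RSA key as pubkeys/ipv4/<peer address>;
    # without it phase 1 cannot authenticate, so stop here rather than
    # write a config that will never come up.
    key="$root/etc/isakmpd/pubkeys/ipv4/$rip"
    if [ ! -s "$key" ]; then
        echo "peer public key missing: $key (do steps 1/2 first)" >&2
        return 1
    fi
    mkdir -p "$root/etc"
    # Steps 3/4. The \$ escapes keep the macro names literal so that
    # ipsec.conf, not the shell, expands them.
    cat >"$root/etc/ipsec.conf" <<EOF
local_ip="$lip"
local_network="$lnet"
remote_ip="$rip"
remote_network="$rnet"
ike esp from { \$local_ip \$local_network } to { \$remote_ip \$remote_network } peer \$remote_ip
ike esp from \$local_ip to \$remote_ip
EOF
    # Step 10: route the far network via the peer, persisted in hostname.if.
    echo "!route add -net $rnet $rip" >>"$root/etc/hostname.$iface"
    # Step 9: enable the daemons in rc.conf.local instead of editing rc.conf.
    printf 'isakmpd_flags="-K"\nipsec=YES\n' >>"$root/etc/rc.conf.local"
    echo "wrote $root/etc/ipsec.conf for the $role gateway"
}

# Run directly: sh gen_gateway.sh left   (as root, on the left box)
if [ $# -gt 0 ]; then gen_gateway "$@"; fi
```

Run it once per box with its role; the route and rc.conf.local lines are appended, so run it only once per machine.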

11) Reboot

12) ...

13) Profit!