Linksys BEFVP41 VPN Router to OpenBSD IPSec Server + Wireless Mini How-To
10 March, 2002
1. Introduction
2. OpenBSD IPSec Setup
3. Linksys BEFVP41 Setup
4. Troubleshooting
5. IPSec over Wireless for Dummies
6. Links and ACKs
Appendix A - OpenBSD Config Files
A.1 - /etc/isakmpd.policy
A.2 - /etc/isakmpd.conf
A.3 - /etc/nat.conf
1. Introduction
This document describes how to use the Linksys BEFVP41 VPN Router as
a VPN Client to an OpenBSD IPSec Server.
OpenBSD is a secure, UNIX-like operating system with integrated cryptography.
OpenBSD's integrated crypto feature makes the operating system an ideal
platform for an IPSec VPN server / gateway.
The Linksys BEFVP41 VPN router is a highly configurable Cable/DSL router
with a 4-port 10/100 switch and VPN support. The Linksys BEFVP41 costs
as little as $150 and supports NAT, providing transparent VPN support for
any ethernet-connected computer, regardless of the computer's operating
system. For the same single-copy price of many VPN software clients,
you can provide VPN support for all of your computers connected behind
the Linksys BEFVP41 VPN router.
Refer to Section 6, "Links and ACKs" for more general information on
OpenBSD, IPSec, and the Linksys BEFVP41.
Questions or comments regarding this document should be directed to
Beetle (beetle@ruff.cs.jmu.edu).
2. OpenBSD IPSec Setup
This section describes how to setup the OpenBSD IPSec server.
For more general information on installing OpenBSD, etc., refer to section
6, "Links and ACKs".
The OpenBSD IPSec configuration must allow for a combination of either
DES or 3DES encryption and / or MD5 or SHA authentication in order for
the Linksys BEFVP41 to establish an IPSec connection. Although manual
tunnels could probably be established between an OpenBSD IPSec server and
Linksys BEFVP41, the simplest and quickest IPSec setup uses IKE and a shared
passphrase.
The following instructions assume the following:
- your OpenBSD IPSec server's "external" interface that will be accepting
IPSec connections is rl0
- rl0's IP is 192.168.1.1
- the network the VPN clients will wish to connect to is 192.168.10.0
- the OpenBSD IPSec server's "internal" interface on the 192.168.10.0
network is sis0
- sis0's IP is 192.168.10.254
You will undoubtedly have to translate the values in these instructions
to match your configuration as well as any explicit references to these
values in the provided configuration files in Appendix A, "OpenBSD Config
Files".
Refer to Appendix A, "OpenBSD Config Files" and as the root user, copy
the isakmpd.policy and isakmpd.conf files to the /etc/isakmpd directory
on the OpenBSD IPSec server. Change the "Authentication" line of
the isakmpd.conf to the passphrase you would like to use. Ensure
that the permissions on the isakmpd.policy and isakmpd.conf files are read
only for the root user by using this command, as root:
chmod 600 /etc/isakmpd/isakmpd*
Start up IPSec by entering the command:
isakmpd
Copy the nat.conf file from Appendix A to the /etc directory on the
OpenBSD IPSec server. As root, enter this command:
pfctl -F all -N /etc/nat.conf
3. Linksys BEFVP41 Setup
This section describes how to setup the Linksys BEFVP41 VPN router to
connect to the OpenBSD IPSec server configured in Section 2, "OpenBSD IPSec
Setup". For more general information on simply setting up the Linksys
BEFVP41, refer to section 6, "Links and ACKs".
Ensure that you have properly setup the Linksys BEFVP41 for your networking
environment. You should be able to ping the Linksys BEFVP41, log
on to the BEFVP41 web-based configuration, and of course, ping or connect
to the actual OpenBSD IPSec server normally. It is imperative that
you have normal networking with the Linksys BEFVP41 working before continuing
further. A VPN will not work if your normal network does not work.
The following instructions assume the following:
- your local private network behind the Linksys BEFVP41 is 10.0.0.0
- the BEFVP41's internal IP (and your private network's default gateway)
is 10.0.0.254.
- your OpenBSD IPSec server's IP is 192.168.1.1
- the remote secure network you wish to connect securely to is 192.168.10.0
From one of the local private IPs behind the Linksys BEFVP41, log on
to the Linksys BEFVP41's web-based configuration utility by browsing to
10.0.0.254 with a web-browser.
Select the "VPN" tab from the default "Setup" page to begin configuring
the Linksys BEFVP41 to connect to the OpenBSD IPSec server.
Select a tunnel entry - "Tunnel 1".
Enter a name for the tunnel - "Net-B to Net-A" in this case.
Select "Subnet" from the drop-down box "Local Secure Group". This
should be your local private network subnet - "10.0.0.0" with a mask
of "255.255.255.0".
Select "Subnet" from the drop-down box "Remote Secure Group".
This should be the remote network you wish to securely connect to - "192.168.10.0"
with a mask of "255.255.255.0".
Select "IP Addr" from the drop-down box "Remote Security Gateway".
This should be the IP of the remote OpenBSD IPSec server awaiting IPSec
connections - "192.168.1.1".
Select the "3DES" radio button for "Encryption".
Select the "MD5" radio button for "Authentication".
Select "Auto (IKE)" from the drop-down box "Key Management". Do
NOT check the "Perfect Forward Secrecy" checkbox.
Enter the passphrase from your OpenBSD IPSec server's /etc/isakmpd.conf
file in the "Pre-shared Key" textbox - "thisisthepassphrase".
Enter "86400" as the time in seconds in the "Key Lifetime" textbox.
Click the "Apply" button. Your settings should be saved successfully
and you will be returned to the "VPN" screen with your new settings
displayed and the "Status" will read "Disconnected".
Click the "Connect" button. The "Status" will read "Connected".
Congratulations. You're done. All traffic you now send
to the 192.168.10.0 subnet will be encrypted and NAT'd to the OpenBSD IPSec
server. The OpenBSD IPSec server will receive the encrypted packets
from the external IP of the Linksys BEFVP41 VPN router, decrypt them, discover
they are from a 10.0.0.0 subnet address and NAT the unencrypted traffic
as 192.168.10.254 to the 192.168.10.0 subnet. The OpenBSD IPSec server
will then receive the unencrypted response packets, encrypt them for your
10.0.0.0 subnet address and send them back to the Linksys BEFVP41's external
IP address, which will in turn decrypt the responses and send them to
your private IP.
For example, a Windows box ethernet-connected as 10.0.0.1 to the Linksys
BEFVP41 VPN router on one of the 4 10/100 ports, pinging a 192.168.10.0
address over an established VPN tunnel:
Meanwhile, listening on the OpenBSD server's IPSec interface, we can see the
traffic is encrypted.
[root@openbsdbox /]tcpdump -n -i rl0
tcpdump: listening on rl0
08:25:01.413180 esp 192.168.1.31 > 192.168.1.1 spi 0x7AE9A847 seq 1 len 92
08:25:01.416102 esp 192.168.1.1 > 192.168.1.31 spi 0xD2F1156F seq 1 len 92
08:25:02.404962 esp 192.168.1.31 > 192.168.1.1 spi 0x7AE9A847 seq 2 len 92
08:25:02.407736 esp 192.168.1.1 > 192.168.1.31 spi 0xD2F1156F seq 2 len 92
08:25:03.406413 esp 192.168.1.31 > 192.168.1.1 spi 0x7AE9A847 seq 3 len 92
08:25:03.409179 esp 192.168.1.1 > 192.168.1.31 spi 0xD2F1156F seq 3 len 92
08:25:04.408903 esp 192.168.1.31 > 192.168.1.1 spi 0x7AE9A847 seq 4 len 92
08:25:04.411738 esp 192.168.1.1 > 192.168.1.31 spi 0xD2F1156F seq 4 len 92
And listening on the OpenBSD IPSec server's 192.168.10.0-connected interface
we can see the traffic* is now unencrypted and NAT'd as 192.168.10.254.
* this tcpdump was run at a different time for a separate ping session,
hence the time difference
[root@openbsdbox /]tcpdump -n -i sis0
tcpdump: listening on sis0
08:30:23.339769 192.168.10.254 > 192.168.10.1: icmp: echo request
08:30:23.342691 192.168.10.1 > 192.168.10.254: icmp: echo reply
08:30:24.338076 192.168.10.254 > 192.168.10.1: icmp: echo request
08:30:24.341107 192.168.10.1 > 192.168.10.254: icmp: echo reply
08:30:25.339698 192.168.10.254 > 192.168.10.1: icmp: echo request
08:30:25.342198 192.168.10.1 > 192.168.10.254: icmp: echo reply
08:30:26.340946 192.168.10.254 > 192.168.10.1: icmp: echo request
08:30:26.343301 192.168.10.1 > 192.168.10.254: icmp: echo reply
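The two captures above are the evidence that the tunnel is doing what Section 3 describes: only ESP between the router's WAN address and the server on rl0, and only NAT'd cleartext on sis0. The following Python script is an added example, not part of the original how-to, that automates exactly that check over saved tcpdump output. The embedded capture text is a constructed copy of the eight lines shown on each interface; the function names, the flagged conditions (a non-ESP packet on the outside interface, a changed SPI or non-increasing sequence number within one direction, a 10.0.0.0/24 address or an un-translated request on the inside interface) and the line format it expects are my assumptions, matched to the tcpdump output format shown on this page.

```python
"""Sanity-check the two tcpdump captures from the OpenBSD IPSec gateway."""
import ipaddress
import re

# Constructed samples: the rl0 and sis0 captures shown in Section 3, one packet per line.
RL0_CAPTURE = """\
08:25:01.413180 esp 192.168.1.31 > 192.168.1.1 spi 0x7AE9A847 seq 1 len 92
08:25:01.416102 esp 192.168.1.1 > 192.168.1.31 spi 0xD2F1156F seq 1 len 92
08:25:02.404962 esp 192.168.1.31 > 192.168.1.1 spi 0x7AE9A847 seq 2 len 92
08:25:02.407736 esp 192.168.1.1 > 192.168.1.31 spi 0xD2F1156F seq 2 len 92
08:25:03.406413 esp 192.168.1.31 > 192.168.1.1 spi 0x7AE9A847 seq 3 len 92
08:25:03.409179 esp 192.168.1.1 > 192.168.1.31 spi 0xD2F1156F seq 3 len 92
08:25:04.408903 esp 192.168.1.31 > 192.168.1.1 spi 0x7AE9A847 seq 4 len 92
08:25:04.411738 esp 192.168.1.1 > 192.168.1.31 spi 0xD2F1156F seq 4 len 92
"""
SIS0_CAPTURE = """\
08:30:23.339769 192.168.10.254 > 192.168.10.1: icmp: echo request
08:30:23.342691 192.168.10.1 > 192.168.10.254: icmp: echo reply
08:30:24.338076 192.168.10.254 > 192.168.10.1: icmp: echo request
08:30:24.341107 192.168.10.1 > 192.168.10.254: icmp: echo reply
08:30:25.339698 192.168.10.254 > 192.168.10.1: icmp: echo request
08:30:25.342198 192.168.10.1 > 192.168.10.254: icmp: echo reply
08:30:26.340946 192.168.10.254 > 192.168.10.1: icmp: echo request
08:30:26.343301 192.168.10.1 > 192.168.10.254: icmp: echo reply
"""

# Assumed line formats: tcpdump's ESP summary line and a plain IP line, as printed above.
ESP_RE = re.compile(r"^(\S+) esp (?P<src>[\d.]+) > (?P<dst>[\d.]+) spi (?P<spi>0x[0-9A-Fa-f]+) seq (?P<seq>\d+) len \d+$")
IP_RE = re.compile(r"^(\S+) (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<proto>\S+): (?P<rest>.*)$")


def check_external_capture(text, router_wan, server):
    """Every packet on the outside interface must be ESP between the two gateways,
    and each direction must keep one SPI with strictly increasing sequence numbers."""
    problems, spi_of, last_seq, packets = [], {}, {}, 0
    for line in filter(None, text.splitlines()):
        m = ESP_RE.match(line)
        if m is None:
            problems.append("not ESP on external interface: " + line)
            continue
        packets += 1
        flow = (m["src"], m["dst"])
        if set(flow) != {router_wan, server}:
            problems.append("unexpected endpoints: " + line)
        if spi_of.setdefault(flow, m["spi"].lower()) != m["spi"].lower():
            problems.append("SPI changed within one direction: " + line)
        seq = int(m["seq"])
        if seq <= last_seq.get(flow, 0):
            problems.append("ESP sequence number did not increase: " + line)
        last_seq[flow] = seq
    return {"packets": packets, "flows": len(spi_of), "problems": problems}


def check_internal_capture(text, nat_address, router_lan):
    """Traffic on the inside interface must be cleartext already NAT'd to the
    gateway's address; the router's private subnet must never appear there."""
    private = ipaddress.ip_network(router_lan)
    problems, packets = [], 0
    for line in filter(None, text.splitlines()):
        m = IP_RE.match(line)
        if m is None:
            problems.append("unparsed line: " + line)
            continue
        packets += 1
        if any(ipaddress.ip_address(a) in private for a in (m["src"], m["dst"])):
            problems.append("private address leaked past NAT: " + line)
        if m["rest"].startswith("echo request") and m["src"] != nat_address:
            problems.append("request not translated to the gateway address: " + line)
    return {"packets": packets, "problems": problems}


if __name__ == "__main__":
    print(check_external_capture(RL0_CAPTURE, "192.168.1.31", "192.168.1.1"))
    print(check_internal_capture(SIS0_CAPTURE, "192.168.10.254", "10.0.0.0/24"))
```

Run it against `tcpdump -n -i rl0 > rl0.txt` and `tcpdump -n -i sis0 > sis0.txt` output taken during a ping test; an empty "problems" list on both interfaces is what a working tunnel looks like, and a single non-ESP line on rl0 is the quickest sign that the BEFVP41 has dropped back to "Disconnected" and is sending the traffic in the clear.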
4. Troubleshooting and Known Issues
This section gives some quick tips on troubleshooting the IPSec connection
between the OpenBSD IPSec server and Linksys BEFVP41 VPN router.
Some known issues are mentioned here also. For more general IPSec
troubleshooting information, refer to section 6, "Links and ACKs".
- Ensure your general network settings are correct. If your network
doesn't work when IPSec is not in use, it probably won't work with IPSec
enabled.
- If the Linksys BEFVP41 configuration "VPN" tab's status is "Disconnected",
you are NOT connected. Your traffic will not be encrypted until you
see "Connected" as the "Status".
- Click the "View Log" button on the "VPN" tab to discover why you
may not be connecting successfully.
Note: Sometimes the VPN tunnel dies for no apparent reason.
The Linksys BEFVP41 must be accessed and the "Apply" and "Connect" buttons
must be clicked for the specific tunnel to re-establish the secure connection.
This bug seems random in nature.
Note: Selecting "Any" as "Remote Secure Group" from the "VPN"
setup tab does not mean "any destination" in the sense an OpenBSD IPSec
user would want, i.e. that all outbound traffic would be encrypted to the
OpenBSD IPSec server. Instead, this feature seems to mean "ACCEPT encrypted
traffic from ANY incoming IP", which does not help when the goal is to
encrypt all outbound traffic by default.
5. IPSec over Wireless for Dummies
This section describes how to deploy the Linksys BEFVP41 for local wireless
sites as a means of encrypting their insecure wireless traffic to the central
LAN or corporate Intranet wireless access point. For more information
about wireless technology or IPSec over wireless, refer to section 6, "Links
and ACKs".
Suppose you have remote corporate campus sites that access the central LAN
or corporate Intranet by being ethernet-connected to a NAT box or bridge,
which in turn connects to the central LAN or corporate Intranet via a wireless
workgroup bridge or access point in client mode. You can use the Linksys
BEFVP41 VPN router to supersede the wireless insecurities of WEP and provide
secure wireless access for these remote sites.
For example, a wireless ISP (WISP) has potential customers that would
like a simple, yet secure means of connecting to the WISP. Because
WEP is so insecure, IPSec is the only available solution for securing their
remote connections, barring expensive hardware, EAP / LEAP with a commercial
RADIUS back-end, etc. However, IPSec adds a layer of client complexity
that could make client configuration and troubleshooting a veritable nightmare.
The customers simply want a box that maintains a wireless connection
to the WISP, and a NAT router they can plug their network-card-equipped
PCs into that gives them transparent access to the Internet. Theoretical
instructions for a basic configuration that provides this simple solution
for customer premises equipment (or corporate remote sites) follow:
Set up the OpenBSD IPSec server at the WISP central office. The
primary interface connects to the Intranet or Internet. The OpenBSD
server's secondary interface should connect via a cross-over cable to a
Linksys WAP11 wireless access point.
At the remote site, set up a Linksys WAP11 in client mode to access the
WISP's WAP11. Connect a crossover cable from the client-mode WAP11
to a Linksys BEFVP41 VPN router. Connect remote site client PCs
to the Linksys VPN router directly or to a hub dropping off the Linksys VPN
router.
Test networking. Follow the above instructions (Sections 2-4)
for using a Linksys BEFVP41 VPN router to connect to an OpenBSD IPSec server,
creating a tunnel for your corporate LAN or Intranet. To ensure that
most default Internet traffic is encrypted, simply specify corporate DNS,
HTTP proxies, and mail servers, to provide name resolution, web content
delivery, and email services respectively. As these servers should
be in your corporate LAN or Intranet and all traffic to that network is
encrypted via IPSec, your remote sites have a predominantly secure wireless
connection.
I currently have this "theoretical" architecture in place. A diagram
that visually explains this setup follows:
6. Links and ACKs
Here are links that may prove useful for topics mentioned in this document:
OpenBSD - http://www.openbsd.org
Using IPSec - http://www.openbsd.org/faq/faq13.html
Linksys BEFVP41 VPN Router - http://www.linksys.com/products/vpnrouter.asp
Using IPSec Clients with OpenBSD - http://www.allard.nu/openbsd/
Replacing WEP with IPSec - http://rt.fm/~jcs/ipsec_wep.html
I would like to acknowledge the following entities for various reasons:
Google - for quickly providing relevant search results on terms such
as "openbsd", "wireless", and "ipsec".
Linksys - for making inexpensive feature-rich network equipment - the
WAP11 and BEFVP41 especially.
Allard Consulting - for providing info and a mailing list on OpenBSD
IPSec clients and example isakmpd.conf files that were modified for use
with the Linksys BEFVP41.
Appendix A - OpenBSD Config Files
A.1 - /etc/isakmpd.policy
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the
right password
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";
A.2 - /etc/isakmpd.conf
[Phase 1]
Default= HostB
[Phase 2]
Connections= HostA-HostB
[HostB]
Phase= 1
Transport= udp
Configuration= Default-main-mode
Authentication= thisisthepassphrase
[HostA-HostB]
Phase= 2
ISAKMP-peer= HostB
Configuration= Default-quick-mode
Local-ID= Net-A
Remote-ID= Net-B
[Net-A]
ID-type= IPV4_ADDR_SUBNET
Network= 0.0.0.0
Netmask= 0.0.0.0
[Net-B]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 255.255.255.0
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-MD5
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-MD5-SUITE
[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_1_DAY
[LIFE_1_DAY]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,79200:93600
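Section 2 requires the server to offer DES or 3DES with MD5 or SHA and a pre-shared key, and Section 3 enters 3DES, MD5, IKE, no PFS, a lifetime of 86400 seconds and a 10.0.0.0/255.255.255.0 local secure group on the BEFVP41; this isakmpd.conf has to agree with all of those or the router's log will show a failed negotiation. The following Python script is an added example, not part of the original how-to or of OpenBSD, that parses a constructed copy of the A.2 file above and reports every disagreement with the router-side settings, including a passphrase that is still the document's placeholder. The dictionary of router settings, the function names, and the assumption that isakmpd's predefined PFS quick-mode suites carry "PFS" in their name are mine.

```python
"""Cross-check an isakmpd.conf against the settings entered on the BEFVP41."""
import ipaddress

# Constructed sample: the Appendix A.2 configuration, placeholder passphrase included.
SAMPLE_ISAKMPD_CONF = """\
[Phase 1]
Default= HostB
[Phase 2]
Connections= HostA-HostB
[HostB]
Phase= 1
Transport= udp
Configuration= Default-main-mode
Authentication= thisisthepassphrase
[HostA-HostB]
Phase= 2
ISAKMP-peer= HostB
Configuration= Default-quick-mode
Local-ID= Net-A
Remote-ID= Net-B
[Net-A]
ID-type= IPV4_ADDR_SUBNET
Network= 0.0.0.0
Netmask= 0.0.0.0
[Net-B]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 255.255.255.0
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-MD5
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-MD5-SUITE
[3DES-MD5]
ENCRYPTION_ALGORITHM= 3DES_CBC
HASH_ALGORITHM= MD5
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_1_DAY
[LIFE_1_DAY]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,79200:93600
"""
# Constructed: the values typed into the BEFVP41 "VPN" tab in Section 3 (my dictionary layout).
LINKSYS_TUNNEL = {
    "local_secure_group": "10.0.0.0/255.255.255.0",
    "remote_secure_group": "192.168.10.0/255.255.255.0",
    "encryption": "3DES",       # radio button; isakmpd spells it 3DES_CBC
    "authentication": "MD5",    # radio button; isakmpd spells it MD5
    "pfs": False,               # "Perfect Forward Secrecy" left unchecked
    "key_lifetime": 86400,      # "Key Lifetime" in seconds
}
PLACEHOLDER_PSK = "thisisthepassphrase"  # the document's example value, never to be deployed


def parse_isakmpd_conf(text):
    """Parse the ini-style isakmpd.conf into {section: {key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[key.strip()] = value.strip()
    return conf


def check_against_linksys(conf, tunnel):
    """Return a list of disagreements between the server config and the router tunnel."""
    problems = []
    peer = conf[conf["Phase 1"]["Default"]]
    if peer.get("Authentication", PLACEHOLDER_PSK) == PLACEHOLDER_PSK:
        problems.append("Authentication still holds the placeholder pre-shared key")
    transform = conf[conf[peer["Configuration"]]["Transforms"]]
    expect = {"ENCRYPTION_ALGORITHM": tunnel["encryption"] + "_CBC",
              "HASH_ALGORITHM": tunnel["authentication"], "AUTHENTICATION_METHOD": "PRE_SHARED"}
    for key, want in expect.items():
        if transform.get(key) != want:
            problems.append(f"phase 1 {key} is {transform.get(key)!r}, router expects {want!r}")
    seconds = int(conf[transform["Life"]]["LIFE_DURATION"].split(",")[0])
    if seconds != tunnel["key_lifetime"]:
        problems.append(f"phase 1 lifetime {seconds}s differs from the router's {tunnel['key_lifetime']}s")
    for name in conf["Phase 2"]["Connections"].split(","):
        conn = conf[name.strip()]
        parts = conf[conn["Configuration"]]["Suites"].split("-")
        if tunnel["encryption"] not in parts or tunnel["authentication"] not in parts:
            problems.append(f"{name}: quick-mode suite does not offer {tunnel['encryption']}/{tunnel['authentication']}")
        if ("PFS" in parts) != tunnel["pfs"]:  # assumption: PFS suites are named ...-PFS-SUITE
            problems.append(f"{name}: PFS setting differs from the router")
        remote, local = conf[conn["Remote-ID"]], conf[conn["Local-ID"]]
        if ipaddress.ip_network(f"{remote['Network']}/{remote['Netmask']}") != ipaddress.ip_network(tunnel["local_secure_group"]):
            problems.append(f"{name}: Remote-ID is not the router's Local Secure Group")
        if not ipaddress.ip_network(tunnel["remote_secure_group"]).subnet_of(ipaddress.ip_network(f"{local['Network']}/{local['Netmask']}")):
            problems.append(f"{name}: Local-ID does not cover the router's Remote Secure Group")
    return problems


if __name__ == "__main__":
    for problem in check_against_linksys(parse_isakmpd_conf(SAMPLE_ISAKMPD_CONF), LINKSYS_TUNNEL):
        print(problem)
```

Run unchanged it reports exactly one problem, the placeholder passphrase, which is the one edit Section 2 tells you to make; point `parse_isakmpd_conf` at the real /etc/isakmpd/isakmpd.conf (read as root, since the file is mode 600) and edit `LINKSYS_TUNNEL` whenever the router-side values change.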
A.3 - /etc/nat.conf
# $OpenBSD: nat.conf,v 1.4 2001/07/09 23:20:46 millert Exp $
#
# See nat.conf(5) for syntax and examples
#
# replace ext0 with external interface name, 10.0.0.0/8 with internal network
# and 192.168.1.1 with external address
#
# nat: packets going out through ext0 with source address 10.0.0.0/8 will get
# translated as coming from 192.168.1.1. a state is created for such packets,
# and incoming packets will be redirected to the internal address.
# nat on ext0 from 10.0.0.0/8 to any -> 192.168.1.1
# rdr: packets coming in through ext0 with destination 192.168.1.1:1234 will
# be redirected to 10.1.1.1:5678. a state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
# rdr on ext0 proto tcp from any to 192.168.1.1/32 port 1234 -> 10.1.1.1 port 5678
nat on sis0 from 10.0.0.0/8 to any -> 192.168.10.254