Setting up IPSEC on LAN between two hosts (OpenBSD)

Solution 1:

Answering my own question like a nerd

Problem 1. OpenIKED (IKEv2) does not support transport mode, so you can only use it for VPNs, and not on a LAN. Use isakmpd (IKEv1)

Problem 2. The documentation for ipsec.conf says that the auth and enc values have defaults, but you seem to need to set them anyway.

What else do I need to configure?

You need to set the correct rc.d flags on isakmpd (see below)

Are there logs for IPSEC and iked, and if so, where can I find them?

The logs are at /var/log/daemon

How to tell if IPSEC is working once configured, without looking at packets between the machines?

On B, run tcpdump host A, and on A run ping B. You want to see esp and spi in the tcpdump output.

Setup:

Host A (10.0.2.10)

# cat << EOF > /etc/ipsec.conf
ike active esp transport from 10.0.2.10 to 10.0.2.11 \
  main auth hmac-sha1 enc aes \
  quick auth hmac-sha2-256 enc aes
EOF
# chmod 640 /etc/ipsec.conf

# cd /etc/isakmpd/pubkeys/ipv4
# scp user@10.0.2.11:/etc/isakmpd/local.pub 10.0.2.11 `# copy remote's public key; "user" stands for an account on B, the file is named after the peer's IP`

# rcctl enable ipsec
# rcctl enable isakmpd
# rcctl set isakmpd flags "-KTv" `#K = use ipsec.conf for configuration, T = disable NAT traversal, v = verbose logging`

# ipsecctl -vf /etc/ipsec.conf  `# start ipsec, or reboot`
# rcctl start isakmpd

Host B (10.0.2.11)

# cat << EOF > /etc/ipsec.conf
ike active esp transport from 10.0.2.11 to 10.0.2.10 \
  main auth hmac-sha1 enc aes \
  quick auth hmac-sha2-256 enc aes
EOF
# chmod 640 /etc/ipsec.conf

# cd /etc/isakmpd/pubkeys/ipv4
# scp user@10.0.2.10:/etc/isakmpd/local.pub 10.0.2.10 `# copy remote's public key; "user" stands for an account on A, the file is named after the peer's IP`

# rcctl enable ipsec
# rcctl enable isakmpd
# rcctl set isakmpd flags "-KTv" `#K = use ipsec.conf for configuration, T = disable NAT traversal, v = verbose logging`

# ipsecctl -vf /etc/ipsec.conf  `# start ipsec, or reboot`
# rcctl start isakmpd
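Added verification helper, not part of the original answer: two POSIX sh functions that apply the checks the answer describes to saved command output. `check_esp_capture` scans tcpdump output for ESP in both directions between the two hosts and fails if any cleartext ICMP between them shows up (a leak means the flow is not really protected, even when some ESP is present). `check_sa_state` scans `ipsecctl -sa` output for a transport-mode SA in each direction carrying exactly the quick-mode auth/enc pair you configured, which matters because the answer found the documented defaults did not apply. The sample tcpdump and ipsecctl lines are constructed to match OpenBSD's output format as I remember it; compare them against real output before relying on the exact strings. The interface name em0 in the usage note is an assumption.

```shell
#!/bin/sh
# Added verification helper (not from the original answer). Both checks read
# the saved tool output on stdin so they can be piped from tcpdump/ipsecctl.

# check_esp_capture HOST_A HOST_B   (tcpdump output on stdin)
# Succeeds only if ESP is seen in both directions and no cleartext ICMP
# between the two hosts appears.
check_esp_capture() {
    a=$1; b=$2
    data=$(cat)
    # OpenBSD tcpdump prints ESP as "esp A > B spi 0x... seq N len M"
    esp_ab=$(printf '%s\n' "$data" | grep -cF "esp $a > $b spi" || true)
    esp_ba=$(printf '%s\n' "$data" | grep -cF "esp $b > $a spi" || true)
    # Plain IP is printed as "A > B: icmp: ..." - any hit is a plaintext leak
    clear=$(printf '%s\n' "$data" \
        | grep -cF -e "$a > $b: icmp" -e "$b > $a: icmp" || true)
    if [ "$clear" -gt 0 ]; then
        echo "FAIL: $clear cleartext ICMP packet(s) between $a and $b" >&2
        return 1
    fi
    if [ "$esp_ab" -eq 0 ] || [ "$esp_ba" -eq 0 ]; then
        echo "FAIL: ESP $a->$b: $esp_ab packet(s), $b->$a: $esp_ba packet(s)" >&2
        return 1
    fi
    echo "OK: ESP in both directions ($esp_ab/$esp_ba packets), no cleartext ICMP"
}

# check_sa_state HOST_A HOST_B AUTH ENC   ("ipsecctl -sa" output on stdin)
# Requires a transport SA from A to B and from B to A, each negotiated with
# the given auth/enc, e.g. hmac-sha2-256 aes as in the ipsec.conf above.
check_sa_state() {
    a=$1; b=$2; auth=$3; enc=$4
    data=$(cat)
    for dir in "$a to $b" "$b to $a"; do
        if ! printf '%s\n' "$data" \
             | grep -F "esp transport from $dir spi" \
             | grep -qF "auth $auth enc $enc"; then
            echo "FAIL: no transport SA from $dir with auth $auth enc $enc" >&2
            return 1
        fi
    done
    echo "OK: transport SAs in both directions with $auth/$enc"
}

# Constructed sample output (not real captures), in the OpenBSD tcpdump and
# ipsecctl -sa formats the checks expect.
sample_capture_ok() {
    cat <<'EOF'
12:00:00.000001 esp 10.0.2.10 > 10.0.2.11 spi 0x1a2b3c4d seq 1 len 116 (DF)
12:00:00.000210 esp 10.0.2.11 > 10.0.2.10 spi 0x5e6f7a8b seq 1 len 116
EOF
}
sample_capture_leak() {
    cat <<'EOF'
12:00:00.000001 10.0.2.10 > 10.0.2.11: icmp: echo request (DF)
12:00:00.000210 10.0.2.11 > 10.0.2.10: icmp: echo reply
EOF
}
sample_sad() {
    cat <<'EOF'
FLOWS:
flow esp in from 10.0.2.11 to 10.0.2.10 peer 10.0.2.11 type require
flow esp out from 10.0.2.10 to 10.0.2.11 peer 10.0.2.11 type require

SAD:
esp transport from 10.0.2.11 to 10.0.2.10 spi 0x5e6f7a8b auth hmac-sha2-256 enc aes
esp transport from 10.0.2.10 to 10.0.2.11 spi 0x1a2b3c4d auth hmac-sha2-256 enc aes
EOF
}

# Stand-alone demo against the constructed samples.
sample_capture_ok   | check_esp_capture 10.0.2.10 10.0.2.11
sample_capture_leak | check_esp_capture 10.0.2.10 10.0.2.11 \
    || echo "(expected failure on the leaky sample)"
sample_sad          | check_sa_state 10.0.2.10 10.0.2.11 hmac-sha2-256 aes
```

On the real hosts, run the same checks on live output, for example on B: `tcpdump -ni em0 -c 20 host 10.0.2.10 2>/dev/null | sh -c '. ./check.sh; check_esp_capture 10.0.2.10 10.0.2.11'` while A pings B, and on either host `ipsecctl -sa | check_sa_state 10.0.2.10 10.0.2.11 hmac-sha2-256 aes` (em0 and the script name are assumptions; adjust to your interface and where you saved the functions). A FAIL on the cleartext check with ESP also present usually means only one direction is protected, which is exactly the case the answer's "look for esp and spi" advice can miss by eye.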