How to Build Your Own Router using Soekris and OpenBSD

Builder

http://glozer.net/soekris/soekris.html <-- Everything below is taken from here. There are a lot of links to add and formatting to do. Please allow a day or so for me to finish it completely.

 

This document no longer reflects my configuration, but rather than delete possibly useful information, I've made notes of my changes on a new errata page.

 

Introduction

 

Typically there are two choices when setting up a small network: buy consumer grade commercial hardware, or find an old machine and install unix. A small wireless router and firewall from NetGear or Linksys could hardly be easier to install and has many pretty blinken lights. It isn't very flexible though: often two or more different boxes are needed, upgrading means buying another one, and some "enterprise" features are simply not available at the low end. On the other hand, a full fledged computer makes a lot of noise and has many moving parts to fail.

The solution: create a custom network device running on silent hardware designed for embedded systems. Select the best hardware and software available to create a device unparalleled by anything in the commercial marketplace.

 

1. Stateful packet filtering with NAT
2. High power 802.11b wireless access point
3. Routing
4. Network services (DHCP, NTP, SSH, caching DNS)
5. IPsec endpoint
6. Upgradable (802.11g, IPv6, etc)

The real selling point however is that this network device will be running a full unix operating system, which provides nearly infinite flexibility. All aspects of operation can be fine tuned, comprehensive monitoring is possible, and arbitrary programs may be installed.

 

The Platform

 

Soekris Engineering produces an excellent line of tiny, x86 compatible, embedded computers complete with cases. So first on the list, one net4521 which has the following key specifications:

 

-AMD Elan SC520 486 class 133 MHz CPU, 64 MB of RAM
-Two 10/100 megabit ethernet ports
-Two PCMCIA/PCCard/CardBus slots
-One Mini-PCI slot, filled with a vpn1211 hardware crypto board (a Hifn 7951, as the dmesg at the end shows)
-A CompactFlash card slot for permanent storage of the system software

 

The Soekris boards support all the free *BSD variants, Linux, and probably anything else that runs on standard PC compatible hardware. Soekris has quite a following amongst the wireless networking community, and so has a lively mailing list with volumes of information about how to get everything working.

 

The Wireless Card

 

Next is an 802.11b wireless card. Many aren't capable of acting as an access point, and some aren't even supported under open source operating systems. Fortunately there is a wonderful chipset called Prism from Intersil that is very well supported under *BSD and Linux, and it supports an access point mode.

 

One of the people on the Soekris mailing list happens to have a company named NetGate, and this company just happens to ship an 802.11b PC-Card based on the Prism 2.5 chipset which puts out 200 mW with excellent sensitivity ratings. Not only that but they sell kits which include:

 

-The card itself
-A "pigtail" which connects the card to a connector on the outside of the Soekris case
-An antenna which greatly increases the range

 

Great stuff!

 

The Operating System

 

Choosing the right network operating system may be the toughest task. Linux and the *BSDs (FreeBSD, NetBSD, OpenBSD) will all run on this hardware, as will other non-free operating systems which I gave no thought to. What allows a Prism based 802.11b card to act as an access point is the chipset's host AP mode: on Linux this is provided by the HostAP driver, and on OpenBSD the stock wi(4) driver supports the same mode (mediaopt hostap).

 

OpenBSD has a hard won reputation for security, stability, and everything else I am looking for. It was the natural choice, and many other people on the Soekris mailing list have discovered the same thing. There is even a project called OpenSoekris which will help set up a Soekris based system from an existing OpenBSD install.

 

Some of the key features of OpenBSD are:

 

-A great packet filter with which to make a firewall and NAT engine
-An IPsec engine
-Plus hardened services like a DNS server

 

Security

 

Sure, WEP can be cracked; so can a copper cable network, it just requires more intrusive physical access. Even more intrusive is tapping into fiberoptic cables, but that too is possible. Real security requires strong cryptography end to end, and a good solution is IPsec.

 

IPsec, with ISAKMP (IKE) for key management, can authenticate clients with a pre-shared secret or X.509 certificates. No need to worry about 802.1x or proprietary enhancements to WEP. IPsec is mature, provides confidentiality and integrity at the IP layer, and isn't tied to wireless networks. So, the security portion of the plan is:

 

1. Deny all access from the internet interface
2. Allow all local clients access to DHCP and ISAKMP
3. Deny all other unencrypted communications to wireless clients
4. Allow IPsec traffic from authenticated wireless clients
5. Allow local administration via SSH

Sections

 

The project is divided into the following sections:

 

Introduction

OpenBSD Configuration

Diskless Booting

CompactFlash Installation

 

There are also client configuration how-tos:

 

Mac OS X IPSec
 

"You have got to be the biggest asshole on this forum..."

-GingerbreadPK

sudo rm -rf /


The first step is to install OpenBSD on a regular computer. This installation may be used to prototype what will eventually be placed on the Soekris, perfect for setting up while waiting for the hardware to arrive. Keeping this installation around for future upgrades as new versions of OpenBSD are released or security flaws are fixed is a good idea.

Support OpenBSD by purchasing the CD set.

Almost everything necessary, and much more, is included in a default install of OpenBSD. However there are a few other important or useful things to include:

-The kernel source tree, for compiling a net4521 specific kernel
-The ports source tree
-The NTP port, which will keep the local network time extremely accurate
-pftop, to monitor what is happening in the packet filter

Read-Only Configuration

Since CompactFlash has a finite number of write cycles and is fairly slow, the root filesystem will be mounted read-only. /var will be mounted as a memory filesystem into which a compressed tar containing a prototype filesystem is extracted at boot. The mfs size (-s=8192 sectors, i.e. 4 MB) must be large enough for the extracted prototype plus whatever the daemons write at run time; it is mounted nosuid because nothing that needs setuid belongs in /var.

      /etc/fstab:

      /dev/wd0a       /       ffs     ro                      1 1    
      swap            /var    mfs     rw,nosuid,-s=8192       0 0

      /etc/rc:
      ...
      umount -a >/dev/null 2>&1
      mount -a -t nonfs

      mkdir /var/tmp    
      tar xzpf /var.tar.gz
      ...
   
Some devices in /dev are modified by various daemons (syslogd creates the /dev/log socket, and login and sshd chown their pty), so they need to either be links into /var, with the corresponding nodes carried inside the prototype tarball so the link targets exist after boot, or union mounted.

      lrwxr-xr-x  1 root  wheel  12 Jan 1 00:00 /dev/log -> /var/dev/log
      lrwxr-xr-x  1 root  wheel  14 Jan 1 00:00 /dev/ptyp0 -> /var/dev/ptyp0
      lrwxr-xr-x  1 root  wheel  14 Jan 1 00:00 /dev/ptyp1 -> /var/dev/ptyp1
      lrwxr-xr-x  1 root  wheel  14 Jan 1 00:00 /dev/ttyp0 -> /var/dev/ttyp0
      lrwxr-xr-x  1 root  wheel  14 Jan 1 00:00 /dev/ttyp1 -> /var/dev/ttyp1
   
Also the /tmp filesystem

      lrwxr-xr-x  1 root  wheel   8 Jan 19 13:30 /tmp -> /var/tmp
   
Isakmp Configuration

The following configuration allows IPSec clients on the wireless network to authenticate via a shared secret password. Other options exist, including X.509 certificates, which are the better choice when access is granted to users who are not all trusted: a single shared secret is only as secret as its least careful holder. Since isakmpd.conf holds that secret, keep it readable by root only (mode 0600). 3DES is used because the vpn1211 accelerator handles it. Another cipher such as AES would cost the clients much less CPU.

isakmpd.conf:

      [Phase 1]
      Default         = local-peers

      [Phase 2]
      Passive-connections     = authenticated-peers
     
      [local-peers]
      Phase           = 1
      Local-address   = 192.168.1.1
      Authentication  = pAsswOrd
      Configuration   = isakmp-main-mode
     
      [authenticated-peers]
      Phase           = 2
      ISAKMP-peer     = local-peers
      Local-ID        = local-network
      Remote-ID       = remote-network
      Configuration   = ipsec-quick-mode
     
      [local-network]
      ID-type         = IPV4_ADDR_SUBNET
      Network         = 0.0.0.0
      Netmask         = 0.0.0.0
     
      [remote-network]
      ID-type         = IPV4_ADDR_SUBNET
      Network         = 192.168.1.0
      Netmask         = 255.255.255.0
     
      [isakmp-main-mode]
      EXCHANGE_TYPE   = ID_PROT
      Transforms      = 3des-sha
     
      [ipsec-quick-mode]
      EXCHANGE_TYPE   = QUICK_MODE
   
isakmpd.policy ensures that encryption is used. Note that the policy alone says nothing about integrity protection; that is left to the configured 3des-sha suite. Adding esp_auth_alg == "hmac-sha" to the Conditions makes the requirement explicit, so an ESP SA without an HMAC can never satisfy the policy:

      KeyNote-Version:  2
      Authorizer:       "POLICY"
      Conditions:       app_domain == "IPsec policy"  &&
                        esp_present == "yes"          &&
                        esp_enc_alg == "3des"         -> "true";
   
Packet Filter Configuration

Last of all but likely the most important is configuring pf, the OpenBSD packet filter. The primary rule is to block all incoming traffic on all interfaces, NAT outgoing traffic on the Internet interface, and allow:

-DHCP and ISAKMP traffic from all clients
-Encrypted IPSec traffic from authenticated wireless clients
-All traffic from wired clients

pf.conf:

      # wireless network
      wi_if   = "wi0"
      wi_net  = "192.168.1.0/24"
     
      # wired network
      en_if   = "sis0"
      en_net  = "192.168.2.0/24"

      # internet interface
      inet_if = "sis1"

      # ----------------------------------------------------------------------

      scrub in all

      # NAT outgoing traffic from wireless and wired networks

      nat on $inet_if from $wi_net to any -> $inet_if
      nat on $inet_if from $en_net to any -> $inet_if

      # block incoming traffic, allow and keep state on outgoing

      block in all
      pass out all
      pass out on $inet_if all keep state

      # allow DHCP and ISAKMP so wireless clients can get an IPSec connection.
      # A client without a lease sends DHCP from 0.0.0.0 to 255.255.255.255,
      # so the DHCP rule cannot be restricted to $wi_net or the interface address.

      pass in on $wi_if proto udp from any port = bootpc to any port = bootps
      pass in on $wi_if proto udp from $wi_net to $wi_if port = isakmp
     
      # allow ipsec tunneled traffic from wireless clients
     
      pass in on $wi_if proto esp from $wi_net to $wi_if
     
      # allow incoming ipsec traffic (the packets as seen after decryption)
     
      pass in on enc0 from $wi_net to any
     
      # allow all traffic on wired network and loopback interface

      pass in on $en_if from $en_net to any
      pass in on lo0 all
   
Next: Diskless Booting


The final target for an OpenBSD install on the net4521 is a CompactFlash card. However during development it would be inefficient to continually update the image, plus CF has a limited number of writes per sector. A better solution is to boot over the network.

The network boot sequence is documented in diskless(8), which is a good starting point. However the process described there is geared towards booting Unix servers; booting a PC goes a bit differently:

1. The network card loads a built in PXE loader
2. The PXE loader gets an IP address and boot loader from DHCP
3. The boot loader downloads the OpenBSD kernel via TFTP
4. The kernel boots and mounts its root and swap on NFS
5. From that point the system boots as usual.

Firmware and the Boot Loader

i386 compatible PCs have a very primitive firmware, the BIOS, which usually doesn't support advanced features like network booting. However Intel published a specification for network booting called PXE. Some network cards come with a PXE loader in ROM and those cards can boot an operating system from the network. Naturally, the Soekris also supports PXE and so will load the boot loader from the network.

Since version 3.5 OpenBSD has come with a PXE boot loader called pxeboot. Prior to that you needed a third party boot loader like grub, an older version of this page describes how to use it.

pxeboot

In order to find an operating system's boot loader the PXE loader consults a DHCP server. The DHCP server must be configured to not only give out an IP address but also the boot loader. This is done simply by adding a "filename" option to dhcpd.conf:

      shared-network WIRED-NET {
        option domain-name-servers 192.168.1.1;

        subnet 192.168.1.0 netmask 255.255.255.0 {
          option routers 192.168.1.1;
         
          filename "pxeboot";
         
          range 192.168.1.100 192.168.1.254;
        }
      }
   
The PXE loader will retrieve the specified filename via TFTP and execute it.

The server that served up the DHCP response also needs to be running TFTP so that the "pxeboot" file, and later the kernel, can be downloaded. It is possible to offload this task to another server with the dhcpd.conf next-server option, but in this example one server will handle the entire boot process. The TFTP server should be chroot'd to a directory with the boot loader and the OpenBSD kernel:

      ls -al /home/tftp
     
      -rwxr-xr-x  1 root  wheel   939090 Jan  5 16:44 bsd.gz
      -rw-r--r--  1 root  wheel       71 Jan  4 20:08 menu.lst
      -rw-r--r--  1 root  wheel   127040 Jan  5 02:06 pxeboot
      drwxr-xr-x  1 root  wheel   127040 Jan  5 02:06 etc     
   
Now when the PXE loader executes it will download and launch pxeboot which will look for a file named 'etc/boot.conf' on the same TFTP server. This is a standard boot.conf configuration file:

      set tty com0
      boot bsd.gz
   
Booting OpenBSD

The GENERIC kernel does not support diskless booting, for that you need the DISKLESS configuration which will load the root and swap filesystems from NFS. The following extra kernel options are also useful:

      option      PCCOMCONSOLE
      option      CONSPEED=19200
   
When a *BSD diskless kernel is booted it consults:

-rarpd, for the system's IP address
-rpc.bootparamd, for the root and swap NFS share names
-mountd, to connect to the NFS shares

OpenBSD is quite secure upon default install. The following steps will open the server up to many new attacks via TFTP, RPC, NFS, and likely others: none of rarpd, bootparamd or NFS authenticates a client beyond its MAC address, IP address and hostname, and the -maproot=root export below hands root access to /export to anyone who can spoof those. It would be wise to make sure the server is inaccessible outside of the local network during this vulnerable phase, and to stop the daemons and remove the exports once the CompactFlash install is done.

/etc/ethers:

      00:01:02:03:04:05      bootclient
   
/etc/hosts:

      192.168.1.1            server
      192.168.1.100          bootclient
   
/etc/bootparams:

      bootclient  root=192.168.1.1:/export/root         \
      swap=192.168.1.1:/export/swap
   
/etc/exports:

      /export  -maproot=root -alldirs bootclient
      /usr     -ro                    bootclient
   
/export contains a swap file and a root filesystem

      ls -al /export

      drwxr-xr-x   8 root  wheel       512 Jan  5 14:00 root
      -rw-r--r--   1 root  wheel  16777216 Jan  5 16:45 swap
   
After completing the configuration it is time to load all of the daemons. Starting them from the command line makes sense since this is a temporary configuration for bootstrapping. Order matters because some daemons depend on services provided by others via RPC.

      # rarpd <interface>
      # portmap
      # rpc.bootparamd
      # mountd
      # nfsd -t -u
   
That's it!

At this point the target machine can be started. The PXE loader should load pxeboot and the OpenBSD kernel will be downloaded and executed. If the root filesystem is set up properly then a diskless OpenBSD system should soon be up and running.

Next: CompactFlash Installation

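The DHCP half of that exchange, as an added example that is not part of the original page (Python, written for this edit): it builds the DHCPOFFER the dhcpd.conf above would send to bootclient and then parses it the way the PXE ROM does. dhcpd places `filename` in the 128-byte BOOTP `file` field and `next-server` in `siaddr`; with no `next-server` line, siaddr is the DHCP server's own address, which is what this example assumes. The MAC and addresses are the ones from /etc/ethers and dhcpd.conf; the transaction id and lease time are constructed. The point worth noticing is that nothing in the reply is authenticated: the ROM takes its boot file and server from whichever offer it hears first.

```python
import socket
import struct

# Fixed-size BOOTP header (RFC 951 / RFC 2131), 236 bytes, network byte order.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)   # 236
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREPLY = 2
DHCPOFFER = 2


def build_offer(xid, client_mac, yiaddr, next_server, bootfile,
                router, dns, netmask="255.255.255.0", lease=3600):
    """Build the DHCPOFFER dhcpd sends to a PXE client.
    `filename` lands in the fixed 'file' field, `next-server` in 'siaddr'."""
    a = socket.inet_aton
    header = struct.pack(
        BOOTP_FMT,
        BOOTREPLY, 1, 6, 0,                  # op, htype=ethernet, hlen, hops
        xid, 0, 0,                           # transaction id, secs, flags
        a("0.0.0.0"), a(yiaddr),             # ciaddr, yiaddr (the lease)
        a(next_server), a("0.0.0.0"),        # siaddr (TFTP server), giaddr
        client_mac,                          # chaddr; struct pads to 16 bytes
        b"",                                 # sname, unused
        bootfile.encode("ascii"),            # file; struct pads to 128 bytes
    )
    options = b"".join([
        bytes([53, 1, DHCPOFFER]),           # DHCP message type
        bytes([54, 4]) + a(next_server),     # server identifier (assumed same host)
        bytes([51, 4]) + struct.pack("!I", lease),
        bytes([1, 4]) + a(netmask),
        bytes([3, 4]) + a(router),           # option routers
        bytes([6, 4]) + a(dns),              # option domain-name-servers
        b"\xff",                             # end
    ])
    return header + MAGIC_COOKIE + options


def parse_offer(pkt):
    """Extract what the PXE ROM needs from a DHCPOFFER. Nothing here is authenticated."""
    if len(pkt) < BOOTP_LEN + 4 or pkt[BOOTP_LEN:BOOTP_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    f = struct.unpack(BOOTP_FMT, pkt[:BOOTP_LEN])
    options = {}
    i = BOOTP_LEN + 4
    while i < len(pkt):
        code = pkt[i]
        if code == 0:                        # pad
            i += 1
            continue
        if code == 255:                      # end
            break
        length = pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    n = socket.inet_ntoa
    bootfile = f[13].split(b"\0", 1)[0].decode("ascii")
    if not bootfile and 67 in options:       # some servers use option 67 instead
        bootfile = options[67].decode("ascii")
    return {
        "xid": f[4],
        "message_type": options.get(53, b"\0")[0],
        "client_mac": f[11][:f[2]],          # chaddr truncated to hlen
        "yiaddr": n(f[8]),
        "next_server": n(f[9]),
        "bootfile": bootfile,
        "router": n(options[3]) if 3 in options else None,
        "dns": n(options[6]) if 6 in options else None,
    }


# Constructed sample: the bootclient from the page's /etc/ethers and dhcpd.conf.
CLIENT_MAC = bytes.fromhex("000102030405")
OFFER = build_offer(0x1234ABCD, CLIENT_MAC, "192.168.1.100", "192.168.1.1",
                    "pxeboot", "192.168.1.1", "192.168.1.1")

if __name__ == "__main__":
    print(parse_offer(OFFER))
```

Run it and the parsed dictionary shows exactly the three values the PXE ROM acts on (yiaddr, next_server, bootfile), none of which it can verify; that is the reason for the page's warning about keeping this boot server off any network you do not control.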

Actually getting the system onto CompactFlash can be a bit difficult. Each brand of Compact Flash card may have a different disk geometry, and some cards are reported as not working at all. Many details are available on the soekris-tech mailing list.

The following steps are derived from the very helpful flashdist by Chris Cappuccio which is used by OpenSoekris to create a disk image. Those scripts automate the manual process described here. Flashing the Compact Flash card with a disk image will spread the writes out, one per sector, which may be beneficial to the lifetime of the flash.

Compact Flash Geometry

CF cards emulate ATA disk drives and so emulate a certain drive geometry as well. Different size cards, ones from different vendors, and even an apparently identical card that was made in a different batch, may all have differing geometries. The easiest way to figure out the proper geometry is to install the Compact Flash card into the net4521 and see what it reports to disklabel.

For a SanDisk 128MB card:

      # disklabel wd0
      ...
      bytes/sector: 512
      sectors/track: 32
      tracks/cylinder: 8
      sectors/cylinder: 256
      cylinders: 978
      total sectors: 250368
      ...
   
These numbers will be used later when running fdisk, disklabel, and biosboot.

Creating a Virtual Disk

vnconfig allows a file containing a disk image to be mounted as a virtual disk. The first step in creating a disk image is to create an empty file the exact size of the image. This file is created by using dd if=/dev/zero of=image bs=bytes/sector count=sectors:

      # dd if=/dev/zero of=disk.image bs=512 count=250368
   
The image can then be mounted as a virtual disk

      # vnconfig -c svnd0 disk.image
   
Creating a Disklabel

Once a disk image is created a BSD disklabel must be installed on the virtual disk. The disk setup process is well documented in OpenBSD's installation guide. Using disklabel two partitions will be created: a large partition for the root filesystem and a small, one block, swap partition which is necessary for the memory file system even though it isn't used as swap.

The first step is to modify the device parameters to match what was reported by disklabel on the net4521. The defaults are shown in brackets; the new values typed at each prompt follow them:

      # disklabel -E svnd0
      ...
      > e
      Changing device parameters for /dev/rvnd0c:
      disk type: [sCSI] ESDI
      label name: [fictitious] net4521
      sectors/track: [100] 32
      tracks/cylinder: [1] 8
      sectors/cylinder: [100] 256
      number of cylinders: [2503] 978
      total sectors: [250368]
      rpm: [3600]
      interleave: [1]
   
Next the root and swap partitions are created. Note that the first partition is placed after the first sector to leave room for the MBR:

      > a a
      offset: [0] 32
      size: [250336] 250335
      FS type: [4.2BSD]
      > a b
      offset: [250367]
      size: [1]
      FS type: [swap]
      > p
      ...

      #        size   offset    fstype   [fsize bsize   cpg]
      a:   250335       32    4.2BSD     1024  8192    16   # (Cyl.    0*- 977*)
      b:        1   250367      swap                        # (Cyl.  977*- 977)
      c:   250368        0    unused        0     0         # (Cyl.    0 - 977)
      > q
      Write new label?: [y] y
   
Creating a Filesystem

Next up is creating a filesystem on the disk image. This is accomplished using newfs -S bytes/sector -u sectors/track -z tracks/cylinder -q raw-device.

      # newfs -S 512 -u 32 -z 8 -q /dev/rsvnd0a
   
Then the partition table is updated with fdisk -c cylinders -h heads -s sectors/track -f master-boot-record -e device:

      # fdisk -c 978 -h 8 -s 32 -f /usr/mdec/mbr -e svnd0
      fdisk: 1> reinit
      fdisk: 1> update
      fdisk: 1> print
      Disk: wd0       geometry: 978/8/32 [250368 Sectors]
      Offset: 0       Signature: 0xAA55
               Starting       Ending       LBA Info:
      #: id    C   H  S -    C   H  S [       start:      size   ]
      ------------------------------------------------------------------------
      0: 00    0   0  0 -    0   0  0 [           0:           0 ] unused     
      1: 00    0   0  0 -    0   0  0 [           0:           0 ] unused     
      2: 00    0   0  0 -    0   0  0 [           0:           0 ] unused     
     *3: A6    0   1  1 -  977   7 32 [          32:      250336 ] OpenBSD    
      fdisk: 1> write
      fdisk: 1> quit
   
Installing OpenBSD

At last the new virtual disk can be mounted and OpenBSD can be installed! The second stage boot loader and kernel will be copied first, then the first stage boot loader will be installed followed by the rest of the system. The NET4521 kernel should be compiled and ready at this stage.

      # mount /dev/svnd0a /mnt/net4521
      # cp /usr/mdec/boot /mnt/net4521/
      # cp /usr/src/sys/arch/i386/compile/NET4521/bsd /mnt/net4521/
   
Install the boot loaders using installboot stage-2-loader stage-1-loader device

      # /usr/mdec/installboot /mnt/net4521/boot /usr/mdec/biosboot svnd0
   
Extract the OpenBSD system tar, umount the filesystem, and discard the virtual drive

      # tar xpvf openbsd.tar -C /mnt/net4521
      # umount /mnt/net4521
      # vnconfig -u svnd0
   
Flashing the Image

The very last step in the process is flashing the newly created image onto the CompactFlash card. I used an ATA PCMCIA/PC Card adapter, which simply lets the CF be accessed as a PCMCIA device. Using a USB or other adapter may not work. Assuming that the card shows up as wd1, dd is again used to place the image on the card:

      # dd if=disk.image of=/dev/rwd1c bs=512
   
That's it! Place the card back into the net4521 and the boot loader should load the new installation. The following dmesg is from my system:

      OpenBSD 3.2-stable (NET4521) #0: Sat Jan  1 00:00:00 EST 2003
      root@localhost:/usr/src/sys/arch/i386/compile/NET4521
      cpu0: AMD Am486DX4 W/B or Am5x86 W/B 150 ("AuthenticAMD" 486-class)
      cpu0: FPU
      real mem  = 66695168 (65132K)
      avail mem = 60063744 (58656K)
      using 839 buffers containing 3436544 bytes (3356K) of memory
      mainbus0 (root)
      bios0 at mainbus0: AT/286+(00) BIOS, date 20/21/13, BIOS32 rev. 0 @ 0xf00c0
      pcibios0 at bios0: rev. 2.0 @ 0xf0000/0x10000
      pcibios0: pcibios_get_intr_routing - function not supported
      pcibios0: PCI IRQ Routing information unavailable.
      pcibios0: PCI bus #2 is the last bus
      bios0: ROM list: 0xc8000/0xa000
      pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
      pchb0 at pci0 dev 0 function 0 "AMD ElanSC520 Host-PCI" rev 0x00
      hifn0 at pci0 dev 16 function 0 "Hifn 7951" rev 0x01: 128KB sram, irq 10
      cbb0 at pci0 dev 17 function 0 "Texas Instruments PCI1420 PCI-CardBus" rev 0x00: irq 11
      cbb1 at pci0 dev 17 function 1 "Texas Instruments PCI1420 PCI-CardBus" rev 0x00: irq 11
      sis0 at pci0 dev 18 function 0 "NS DP83815 10/100" rev 0x00: irq 5 address 00:00:00:00:00:01
      nsphyter0 at sis0 phy 0: DP83815 10/100 integrated, rev. 1
      sis1 at pci0 dev 19 function 0 "NS DP83815 10/100" rev 0x00: irq 9 address 00:00:00:00:00:02
      nsphyter1 at sis1 phy 0: DP83815 10/100 integrated, rev. 1
      cardslot0 at cbb0 slot 0 flags 0
      cardbus0 at cardslot0: bus 1 device 0 cacheline 0x10, lattimer 0x3f
      pcmcia0 at cardslot0
      cardslot1 at cbb1 slot 1 flags 0
      cardbus1 at cardslot1: bus 2 device 0 cacheline 0x10, lattimer 0x3f
      pcmcia1 at cardslot1
      isa0 at mainbus0
      isadma0 at isa0
      wdc0 at isa0 port 0x1f0/8 irq 14
      wd0 at wdc0 channel 0 drive 0: <SanDisk SDCFB-128>
      wd0: 1-sector PIO, LBA, 122MB, 978 cyl, 8 head, 32 sec, 250368 sectors
      wd0(wdc0:0:0): using BIOS timings
      npx0 at isa0 port 0xf0/16: using exception 16
      pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
      pccom0: console
      pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
      biomask 4800 netmask 4e20 ttymask 4e20
      dkcsum: wd0 matched BIOS disk 80
      root on wd0a
      rootdev=0x0 rrootdev=0x300 rawdev=0x302
      wi0 at pcmcia1 function 0 "INTERSIL, HFA384x/IEEE, Version 01.02" port 0xa000/64
      wi0: PRISM 2.5 ISL3873, Firmware 1.1.0 (primary), 1.4.9 (station), address 00:00:00:00:00:02
   
Next: MacOS X IPSec Config

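How the fdisk and disklabel numbers above follow from the geometry, as an added example that is not part of the original page (Python, written for this edit): it reproduces the partition plan from the 978/8/32 geometry the card reported, converts the MBR entry's start and end sectors to the cylinder/head/sector triples fdisk printed, and checks that a, b and c tile the card with no overlap. The page notes that these numbers feed fdisk, disklabel and biosboot; an image built against a geometry other than the one the card reports can pass every host-side check and still fail to boot, and the conversion below is what makes such a mismatch visible. Only the page's own numbers are used; no other card is assumed.

```python
# Geometry the net4521 reported for the SanDisk 128MB card (from the page).
SECTOR_BYTES = 512
CYLINDERS, HEADS, SECTORS_PER_TRACK = 978, 8, 32


def total_sectors(cyl=CYLINDERS, heads=HEADS, spt=SECTORS_PER_TRACK):
    """Sectors on the card: the 'total sectors' line of disklabel, and the dd count."""
    return cyl * heads * spt


def lba_to_chs(lba, heads=HEADS, spt=SECTORS_PER_TRACK):
    """Linear sector number -> (cylinder, head, sector); sectors count from 1."""
    per_cylinder = heads * spt
    cyl, rem = divmod(lba, per_cylinder)
    head, sec = divmod(rem, spt)
    return cyl, head, sec + 1


def chs_to_lba(cyl, head, sec, heads=HEADS, spt=SECTORS_PER_TRACK):
    """Inverse of lba_to_chs."""
    return (cyl * heads + head) * spt + (sec - 1)


def plan_partitions(total, spt=SECTORS_PER_TRACK):
    """The page's layout: leave the first track for the MBR, give 'a' everything
    up to the last sector, which becomes the one-sector swap partition 'b'.
    Returns {name: (offset, size)} in sectors, like the disklabel printout."""
    a_offset = spt
    b_offset = total - 1
    return {
        "a": (a_offset, b_offset - a_offset),
        "b": (b_offset, 1),
        "c": (0, total),               # whole disk, by BSD convention
    }


def mbr_entry(parts):
    """The single fdisk slice (id A6) that covers a and b, as start/size and CHS."""
    start = parts["a"][0]
    end = parts["b"][0] + parts["b"][1] - 1
    return {
        "start": start,
        "size": end - start + 1,
        "start_chs": lba_to_chs(start),
        "end_chs": lba_to_chs(end),
    }


def check_layout(parts, total):
    """a and b must be adjacent, end exactly at the last sector, and c must span the disk."""
    a_off, a_size = parts["a"]
    b_off, b_size = parts["b"]
    return (a_off + a_size == b_off
            and b_off + b_size == total
            and parts["c"] == (0, total))


if __name__ == "__main__":
    total = total_sectors()
    parts = plan_partitions(total)
    print("image bytes:", total * SECTOR_BYTES)
    print("disklabel:", parts)
    print("fdisk:", mbr_entry(parts))
    print("layout ok:", check_layout(parts, total))
```

The MBR entry comes out as start 32, size 250336, CHS 0/1/1 to 977/7/32, matching the `*3: A6` line in the fdisk printout above; the disklabel half reproduces a at 32+250335 and b at 250367+1.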

The main computer on this network is an Apple Titanium PowerBook G4. This is running the excellent Mac OS X operating system which includes a large subset of FreeBSD including the kame IPv6/IPSec stack.

ISAKMP Configuration

Setting up IPSec under Mac OS X is the same as any other system that uses kame, notably FreeBSD. Kame is also available for OpenBSD, but OpenBSD's implementation may make better use of the Soekris hardware crypto accelerator. The kame ISAKMP daemon is named racoon and the configuration files are in /etc/racoon. OS X comes with a reasonable configuration just waiting to be enabled, but there are a few changes that need to be made. In the following snippets the original setting is left in as a commented-out line beneath the modification that replaces it.

/etc/racoon/psk.txt contains "pre shared secrets", or passwords. This file tells racoon which password to use when negotiating with an IPSec endpoint. The gateway address and password need to be added, and the file must be readable by root only (mode 0600), since racoon refuses to use a psk.txt that other users can read:

      # host          password
      192.168.1.1     secret
   
/etc/racoon/racoon.conf specifies ISAKMP negotiation parameters. This should be modified to prefer main mode in phase 1 negotiations. As of OSX 10.2 the layout of racoon configuration files has changed. The following configuration blocks were moved from racoon.conf to /etc/racoon/remote/anonymous.conf.

      remote anonymous
      {
          # Prefer main mode: aggressive mode with a pre-shared key sends a
          # hash derived from the secret in the clear, open to offline guessing
          exchange_mode main,aggressive;
          #exchange_mode aggressive,main;
          ...
      }
   
The following change keeps racoon from renegotiating a new session key every 30 seconds. The more frequent the rotation the more secure the session, but it is unlikely that anyone will be cracking 3DES in 30 minutes... Note that pfs_group 1 is the 768-bit MODP group, weak by current standards; group 2 (1024-bit) or larger is preferable when both ends support it.

      sainfo anonymous
      {
          pfs_group 1;
       
          # Don't rekey so frequently
          lifetime time 30 minutes;
          #lifetime time 30 sec;
        ...
      }
   
Security Policy Configuration

Once racoon is configured to negotiate IPSec connections, security policy database (SPD) entries are needed. The SPD entries ensure that matching packets are sent over a secure channel. IPsec can run in tunnel mode, where the whole packet is encrypted inside a new outer packet, or in transport mode, where the IP header stays in plaintext and only the payload is encrypted. Transport mode allows normal routing, with encryption handled only at the source and destination. The AH protocol may be used to ensure that the header is not tampered with.

This example creates an IPSec tunnel which prevents a potential sniffer from analysing network traffic based on the final destination of the packet. The statements are 'sh' shell script, and a complete script is available here.

First define the local and remote destinations to apply the policy to, and determine the local IP address.

      IF=en1                        # the interface being secured

      any=0.0.0.0/0                 # the default route
      gateway=192.168.1.1           # the default gateway

      # local ip address on interface $IF

      my_addr=`ifconfig $IF | grep "inet " | cut -d " " -f 2`
   
Use setkey to configure the SPD. The following is one big block that will be executed by setkey upon reaching the EOF line:

      setkey -c << EOF
     
      # flush any existing entries

      flush;
      spdflush;

      # require traffic from $my_addr to $any be tunneled via $gateway

      spdadd $my_addr $any any -P out ipsec esp/tunnel/$my_addr-$gateway/require;

      # require traffic from $any to $my_addr be tunneled via $gateway
     
      spdadd $any $my_addr any -P in ipsec esp/tunnel/$gateway-$my_addr/require;

      EOF
   
Finally start the ISAKMP daemon!

      # racoon
   
After racoon starts, which may take a little while, there will be messages in /var/log/system.log showing the Phase 1 and Phase 2 ISAKMP negotiation. Success is indicated by messages saying that the IPsec-SA has been established:

      Jan 1 00:00:00 host racoon: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 192.168.1.1->192.168.1.2 spi=1234567(0x1A3BC4)
      Jan 1 00:00:00 host racoon: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Tunnel 192.168.1.2->192.168.1.1 spi=7654321(0x4CB3A1)
   
MTU

Since the 802.11b interface 'en1' defaults to an MTU of 1500, packets larger than this will need to be fragmented. The interface is not aware that IPSec encapsulation is being used and will hand out packets of MTU size; the bytes IPSec adds then push them over the limit and cause fragmentation. Also, Internet services will send max MTU packets which will be rejected as requiring fragmentation, and that will lead to packet loss. A more comprehensive description, including more details about IPSec secured 802.11b, is available here.

It is simple to change the MTU using ifconfig

      # ifconfig <if> mtu 1350
   
This is done in the IPSec configuration script.

Next: Errata

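Where a figure like 1350 comes from, as an added example that is not part of the original page (Python, written for this edit): it computes the per-packet cost of ESP tunnel mode for the 3des-sha transform negotiated above (20-byte outer IPv4 header, 8-byte ESP header, 8-byte IV, padding up to the 8-byte CBC block, 2-byte trailer, 12-byte HMAC-SHA1-96 ICV) and searches for the largest inner packet that still fits a 1500-byte link. It also runs the same search for AES-CBC, whose 16-byte block and IV cost more, which goes a little beyond what the page itself shows. Only the standard ESP field sizes are assumed; the link-layer header sits outside the 1500-byte MTU and is not counted.

```python
import math

# Per-packet costs of ESP tunnel mode (RFC 2406 layout), in bytes.
OUTER_IP = 20      # new IPv4 header added by tunnel mode, no options
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
ICV = 12           # HMAC-SHA1-96 (also HMAC-MD5-96) authenticator


def esp_tunnel_overhead(inner_len, block=8, iv=8, icv=ICV):
    """Bytes added when an inner IP packet of inner_len bytes is tunneled.
    Defaults describe 3des-sha: 8-byte CBC block and IV."""
    # payload + trailer is padded to the cipher block size
    padded = math.ceil((inner_len + ESP_TRAILER) / block) * block
    pad = padded - inner_len - ESP_TRAILER
    return OUTER_IP + ESP_HDR + iv + pad + ESP_TRAILER + icv


def needs_fragmentation(inner_len, link_mtu=1500, **cipher):
    """True if the encapsulated packet would exceed the link MTU."""
    return inner_len + esp_tunnel_overhead(inner_len, **cipher) > link_mtu


def max_inner_mtu(link_mtu=1500, block=8, iv=8, icv=ICV):
    """Largest inner packet whose encapsulation still fits the link MTU.
    Because padding depends on the exact length, search downward from the
    no-padding bound instead of subtracting a fixed number."""
    inner = link_mtu - (OUTER_IP + ESP_HDR + iv + ESP_TRAILER + icv)
    while inner + esp_tunnel_overhead(inner, block, iv, icv) > link_mtu:
        inner -= 1
    return inner


def tcp_mss_for(inner_mtu):
    """MSS to advertise so TCP segments fit the inner MTU (20 IP + 20 TCP)."""
    return inner_mtu - 40


if __name__ == "__main__":
    for name, cipher in (("3des-sha", {}), ("aes-cbc-sha", {"block": 16, "iv": 16})):
        m = max_inner_mtu(**cipher)
        print(f"{name}: max inner MTU {m}, TCP MSS {tcp_mss_for(m)}")
    print("1500-byte inner packet fragments:", needs_fragmentation(1500))
    print("1350-byte inner packet fragments:", needs_fragmentation(1350))
```

For 3des-sha the answer is 1446, so the page's 1350 leaves nearly 100 bytes of slack, which is useful if the path also carries PPPoE or a second tunnel; for AES-CBC the limit drops to 1438. A fixed "subtract 50" rule would be wrong for most packet lengths because of the block padding, which is why the search is done per length.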

Since writing this document I have upgraded my hardware platform to a net4801 which has:

-NSC (now AMD) Geode GX1/SC1100 586 class 266 MHz CPU
-128 megabytes of RAM
-Three 10/100 megabit ethernet ports
-One PCI slot
-UltraDMA IDE adapter
-USB 1.1 port
-No PCMCIA slots

Rationale

The 802.11b card in my net4521 burnt out, and a new one would have cost more than an 802.11g access point. Hardware access points also provide fancier features that HostAP doesn't support, like WPA, MAC filtering, etc. Having one box that does everything is nice, but in this case it makes more sense to use a commercial AP.

On top of that, OpenBSD doesn't yet support 802.11a or 802.11g, and when it does the CPU on a small embedded machine may not keep up. The new wireless radios are apparently software driven and require a lot of horsepower. The chipsets are also proprietary, as vendors don't want to give away information about their software radios. Many of the vendors refuse to allow open source developers to write drivers. Fortunately Atheros has provided enough details to build open source drivers, while keeping the core code secret. That isn't the ideal solution, but worth supporting if you want to run 802.11a/g.

Extras

The net4521 was only able to handle around 2Mbps worth of IPSec traffic with the vpn1211. That reduced real 802.11b throughput by about 1Mbps. In contrast the net4801 can do 9.8Mbps with the same crypto card. FreeBSD or Linux might have better performance, but OpenBSD is very nice.

The net4801 also can support a hard drive, could act as a print server for USB printers, and is further expandable through a low-profile PCI card.

Next: Back to Introduction


Damn quite long and detailed guide. +1 :).

It's not mine. I thought people would like to see it here so I copied it in and am formatting it.

