
Tip of the Trade: Easy IPSec

Written By
Carla Schroder
Jul 20, 2010

Setting up an open source IPSec implementation has traditionally been difficult and complex, to the point that as a security solution it almost doesn’t make sense. Even high-end commercial implementations tend to cause hair loss and frustration. But finally, there is an open source IPSec implementation that is easy to administer, free of cost and based on a high-quality secure operating system: OpenBSD.

OpenBSD takes the complexity out of open source IPSec implementations with the inclusion of ipsecctl, an abstraction layer that sits on top of the protocols’ overly complex and confusing configuration options.

The developers of OpenBSD made security a priority. The system or network administrator does not need to take extra steps to harden the system because it’s already hardened. Even better, the documentation is abundant, excellent and easily available. It has an excellent package manager and an emulation layer for running binaries from other Unix-type operating systems, such as FreeBSD and Linux.

OpenBSD, like the other open source *BSD Unixes and Linux distros, is very customizable. Combined with its strong security model, this makes it a perfect candidate for powering network devices, especially border routers, firewalls and virtual private network (VPN) gateways. Which brings us to IPSec.

OpenBSD includes ipsecctl, which is an excellent abstraction layer on top of the overly complex, confusing IPSec configuration options. It takes just a few steps to configure an OpenBSD-based VPN gateway:

  • First, edit /etc/ipsec.conf
  • Then, configure OpenBSD’s pf firewall to allow VPN traffic in
  • Copy your isakmpd keys to clients
  • Configure IPSec to start at boot
  • Configure clients — Linux, OpenBSD, Windows and Mac OSX — so that they can all use the OpenBSD VPN

And you’re in business. The actual configurations and steps are simple. See man 5 ipsec.conf and Zero to IPSec in 4 minutes on SecurityFocus to learn more.
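
The steps listed above for one gateway of a site-to-site tunnel, as an added example rather than configuration from the original article. The addresses (documentation and private ranges), the em0 interface name and the two subnets are assumptions, and the rc.conf.local lines reflect OpenBSD releases of the article's era.

```conf
# --- /etc/ipsec.conf on gateway A (192.0.2.1, protects 10.0.1.0/24) ---
# Constructed addresses: peer gateway B is 198.51.100.2, protecting 10.0.2.0/24.
# Keep the file owned by root with mode 0600, since it can hold pre-shared keys.
# One line negotiates IKE and installs ESP tunnel flows between the two subnets.
# With no psk given, authentication uses the isakmpd public keys exchanged below.
ike esp from 10.0.1.0/24 to 10.0.2.0/24 peer 198.51.100.2

# --- /etc/pf.conf additions on gateway A ---
ext_if = "em0"            # assumed external interface name
peer   = "198.51.100.2"   # constructed peer address
# IKE (UDP 500) and NAT-T (UDP 4500), accepted only from the known peer
pass in on $ext_if proto udp from $peer to ($ext_if) port { 500, 4500 }
# ESP itself, again only from the known peer
pass in on $ext_if proto esp from $peer to ($ext_if)
# Decrypted traffic appears on enc0; filter it there rather than skipping enc0
pass in on enc0 proto ipencap from $peer to ($ext_if) keep state (if-bound)
pass in on enc0 from 10.0.2.0/24 to 10.0.1.0/24 keep state (if-bound)

# --- key exchange ---
# Install B's isakmpd public key on A as /etc/isakmpd/pubkeys/ipv4/198.51.100.2
# and A's public key on B as /etc/isakmpd/pubkeys/ipv4/192.0.2.1.
# Only public keys are copied; each private key stays on its own host.

# --- /etc/rc.conf.local (start at boot) ---
isakmpd_flags="-K"        # -K: skip isakmpd.policy, ipsecctl supplies the policy
ipsec=YES                 # load /etc/ipsec.conf at boot

# --- check before and after loading ---
# ipsecctl -n -f /etc/ipsec.conf    parse only, report syntax errors
# ipsecctl -f /etc/ipsec.conf       load the rules
# ipsecctl -sa                      list the resulting flows and SAs
```

Gateway B mirrors this with the subnets and peer address swapped.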
