IPSec, is it possible?
Olivier Debré
pyrrhocorax at free.fr
Sat Oct 7 15:06:29 PDT 2006
On Saturday 07 October 2006 at 22:33 +0200, MK wrote:
> I have Windows XP SP2 installed, IPsec should not be problem.
Okay. So SSL is also an option: OpenVPN works perfectly between Win XP
and OpenVPN, and is easier to configure.
> I was considering the following situation. Let's say that the interface on
> the OpenBSD gateway which leads to the LAN has IP address 192.168.0.1 and
> my PC has 192.168.0.2. For my PC the gateway is 192.168.0.1, and if I
> create an IPsec tunnel between 192.168.0.1 and 192.168.0.2 only the
> traffic between these two points will be encrypted, at least I think. In
> case I want to access the internet from my PC the destination won't be
> address 192.168.0.1 but the IP of a server placed in the internet.
> In this case the traffic will not be encrypted; am I right, or am I still
> missing something? My questions are maybe a little bit stupid, but I'm not
> very experienced with IPsec.
The only experience I have with the Windows XP side of an IPsec VPN is
with the WatchGuard MUVPN client, which I find a bit confusing.
Now, on the OpenBSD side, the configuration takes place mainly in two
places: pf.conf, and isakmpd.conf(5). Let's focus on the second one,
given your very question of what will be encrypted, and what will not.
Among other details, isakmpd.conf specifies which traffic is to have
crypto applied (through the Local-ID and Remote-ID tags), and with which
partner (through the ISAKMP-peer tag). In your case, I think that both
the ISAKMP-peer and the Remote-ID (as viewed by the OpenBSD box) are the
XP box. The Local-ID is the network your gateway encrypts/decrypts for:
in your case, the whole Internet, which I'm not sure how I would code
(Network=0.0.0.0?, Netmask=0.0.0.0?). I'm more used to the other way
around: site-to-site, tunnel outside.
Now also comes the important question of NAT, after all. To browse the
Internet, you need your firewall to NAT your non routable/RFC 1918
address, after decryption. Do not forget the corresponding lines in
pf.conf.
Read carefully the isakmpd.conf man page. It's intimidating, but
everything is in there.
In any case, the configurations on both sides of the tunnel must match
perfectly, or it won't work.
I hope some other folks will correct me if I'm wrong.
P.S.: BTW, on your LAN, on which you're afraid of others peeking at your
traffic, is the risk really that high? Are you still using hubs instead
of switches? Are those guys skilled enough to sniff in promiscuous mode?
ARP redirect? If yes, okay, okay, but still, ask yourself the question.
Security means using means commensurate with the risk.
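To make the "what gets encrypted" question concrete, here is a small model of IPsec traffic selection, written as an added example for this thread; it is not code from the post, from OpenBSD or from isakmpd, and it does not reproduce isakmpd.conf syntax. It models each Local-ID/Remote-ID pair as a policy (the SPD entry a tunnel-mode flow installs), looks up a packet the same way a kernel would (outbound: source in Local-ID and destination in Remote-ID; inbound: the mirror image), and then applies the NAT step the reply mentions for traffic that leaves for the Internet after decryption. The LAN addresses are the ones MK gave; 203.0.113.10 (a server on the Internet) and 198.51.100.1 (the gateway's public side) are constructed documentation-range values. It compares the host-to-gateway tunnel MK described with the full-tunnel policy the reply suggests (Local-ID 0.0.0.0/0 on the gateway), and shows that mismatched policies on the two sides yield no usable SA.

```python
# Added example (not from the post or from OpenBSD/isakmpd): a small model of
# IPsec traffic selection, i.e. which packets a Local-ID/Remote-ID pair covers.
# Addresses 203.0.113.10 (an "Internet server") and 198.51.100.1 (the
# gateway's public side) are constructed documentation-range values.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One tunnel-mode policy: traffic between `local` (what this side
    protects, the Local-ID) and `remote` (what the peer protects, the
    Remote-ID) must travel inside ESP."""
    name: str
    local: IPv4Network
    remote: IPv4Network


def spd_lookup(flows, src, dst):
    """Match a cleartext packet against one host's policies (its SPD).
    Outbound: src in local and dst in remote; inbound: src in remote and dst
    in local. First match wins. None means the packet is not protected."""
    src, dst = ip_address(src), ip_address(dst)
    for f in flows:
        if src in f.local and dst in f.remote:
            return f, "out"
        if src in f.remote and dst in f.local:
            return f, "in"
    return None


PC = "192.168.0.2"
GW = "192.168.0.1"
GW_EXT = "198.51.100.1"          # constructed: gateway's Internet-facing address
LAN = ip_network("192.168.0.0/24")

# What MK described: a tunnel between the two LAN addresses only.
HOST_ONLY_PC = [Flow("pc-to-gw", ip_network(f"{PC}/32"), ip_network(f"{GW}/32"))]
HOST_ONLY_GW = [Flow("gw-to-pc", ip_network(f"{GW}/32"), ip_network(f"{PC}/32"))]

# What the reply suggests: the gateway's Local-ID is the whole Internet.
FULL_PC = [Flow("pc-full", ip_network(f"{PC}/32"), ip_network("0.0.0.0/0"))]
FULL_GW = [Flow("gw-full", ip_network("0.0.0.0/0"), ip_network(f"{PC}/32"))]


def forward(pc_flows, gw_flows, src, dst, gw=GW, gw_ext=GW_EXT, lan=LAN):
    """Trace one packet the PC sends to dst. Returns (protected, source address
    on the last hop): `protected` says whether it crossed the LAN inside ESP,
    and the source becomes gw_ext when the gateway NATs it toward the
    Internet after decryption."""
    if spd_lookup(pc_flows, src, dst) is None:
        return False, src          # PC policy does not cover it: cleartext on the LAN
    if spd_lookup(gw_flows, src, dst) is None:
        # The peer must hold the mirror-image policy or phase 2 never agrees.
        raise ValueError("gateway policy does not match the PC's; no SA")
    d = ip_address(dst)
    if d == ip_address(gw) or d in lan:
        return True, src           # decrypted and delivered locally, no NAT
    return True, gw_ext            # decrypted, then NATed out (the pf.conf part)


if __name__ == "__main__":
    internet = "203.0.113.10"      # constructed "server placed in the Internet"
    print("host-only, to gateway   :", forward(HOST_ONLY_PC, HOST_ONLY_GW, PC, GW))
    print("host-only, to Internet  :", forward(HOST_ONLY_PC, HOST_ONLY_GW, PC, internet))
    print("full tunnel, to Internet:", forward(FULL_PC, FULL_GW, PC, internet))
    print("return traffic at gateway:", spd_lookup(FULL_GW, internet, PC))
```

With the host-only policies, the packet to 203.0.113.10 matches nothing on the PC and leaves in the clear, which is exactly MK's worry; with the gateway's Local-ID widened to 0.0.0.0/0 (and the PC's Remote-ID widened to match), the same packet is protected across the LAN, decrypted on the gateway, and only then NATed to the gateway's public address. Note that a 0.0.0.0/0 selector also pulls the PC's traffic to other LAN hosts through the gateway, since those destinations match it too.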