Use IPsec the OpenBSD way.
Setting up IPsec in OpenBSD is fairly easy since it's compiled into the kernel that ships with each release and is enabled by default. All that is left to do is to create the appropriate /etc/isakmpd/isakmpd.conf and /etc/isakmpd/isakmpd.policy files and start isakmpd (the IPsec key-management daemon). This may sound daunting, but OpenBSD's outstanding documentation and example configuration files make it easier.
First of all, you'll need to put something similar to this in your /etc/isakmpd/isakmpd.policy:
KeyNote-Version: 2 Authorizer: "POLICY" Licensees: "passphrase:mypassword" Conditions: app_domain == "IPsec policy" && esp_present == "yes" && esp_enc_alg == "aes" && esp_auth_alg == "hmac-sha" -> "true";
This sets a password to use for the IPsec connection.
Now you'll need to edit your /etc/isakmpd/isakmpd.conf to contain the following:
[General] Listen-on= 192.168.1.1 Shared-SADB= Defined [Phase 1] Default= ISAKMP-peer-remote #Default= ISAKMP-peer-remote-aggressive [Phase 2] Passive-Connections=IPsec-local-remote [ISAKMP-peer-remote] Phase= 1 Transport= udp Local-address= 192.168.1.1 Configuration= Default-main-mode Authentication= mypassword [ISAKMP-peer-remote-aggressive] Phase= 1 Transport= udp Local-address= 192.168.1.1 Configuration= Default-aggressive-mode Authentication= mypassword [IPsec-local-remote] Phase= 2 ISAKMP-peer= ISAKMP-peer-remote Configuration= Default-quick-mode Local-ID= Net-local Remote-ID= Net-remote [Net-remote] ID-type= IPV4_ADDR Address= 0.0.0.0 [Net-local] ID-type= IPV4_ADDR Address= 0.0.0.0 [Default-main-mode] DOI= IPSEC EXCHANGE_TYPE= ID_PROT Transforms= 3DES-SHA [Default-aggressive-mode] DOI= IPSEC EXCHANGE_TYPE= AGGRESSIVE Transforms= 3DES-SHA-RSA [Default-quick-mode] DOI= IPSEC EXCHANGE_TYPE= QUICK_MODE Suites= QM-ESP-AES-SHA-PFS-SUITE
This configuration will allow anyone to connect with the password mypassword.
After you've edited the configuration files, you can start isakmpd by running this command:
To have isakmpd start up with each system boot, you should edit your /etc/rc.conf.local (or create one if it doesn't exist) and put the following line in it:
That should do it. As usual, check your system logs if your tunnel has trouble connecting.