Fast and Secure VPN setup with OpenBSD 4.5


Setting up VPN with IPsec using public / private key authentication between two networks using OpenBSD firewalls.


Each VPN concentrator will have the public key fo the other machine, and one of the VPN concentrators will be designated as the active requester. The other will be set up in a passive role, to accept the connection initiation, like a central VPN gateway at a datacenter would.

Practical steps

  1. Set up proper rules so that the firewalls pass proper traffic. That is done by adding the line in pf.conf to allow for the gateways to communicate:
    pass quick on $ext_if from $remote_vpn_gw_ip
  2. Set up the public key for each firewall on it’s counterpart:
    mkdir -p /etc/isakmpd/pubkeys/ipv4
    cp /etc/isakmpd/pubkeys/ipv4/

    where is the IP address of the remote gateway. (See below how to generate the public / private keys.)

  3. Create the ipsec.confconfiguration file on the active VPN gateway:
    LOCAL_NETWORKS="{ local_net1/mask1, local_net2/mask2, ... }"
    REMOTE _NETWORKS="{ remote_net1/mask1, local_net2/mask2, ... }"
    ike esp from $GW_LOCAL to $REMOTE_NETWORKS peer $GW_REMOTE
    ike esp from $GW_LOCAL to $GW_REMOTE
  4. Create the ipsec.confconfiguration file on the passive VPN gateway:
    LOCAL_NETWORKS="{ local_net1/mask1, local_net2/mask2, ... }"
    REMOTE _NETWORKS="{ remote_net1/mask1, local_net2/mask2, ... }"
    ike passive esp from $LOCAL_NETWORKS to $REMOTE_NETWORKS peer $GW_REMOTE
    ike passive esp from $GW_LOCAL to $REMOTE_NETWORKS peer $GW_REMOTE
    ike passive esp from $GW_LOCAL to $GW_REMOTE
  5. Start the VPN on each VPN gateway:
    isakmpd -K
    ipsecctl -f /etc/ipsec.conf
  6. Test the connections:
    ipsecctl -sa

    it may take a few minutes for the VPN channels to get established.

Public / Private Keys

Generating Public / Private keys with OpenSSL (on full OpenBSD install, this is already done automatically):

openssl genrsa -out /etc/isakmpd/private/local.key
chmod 600 /etc/isakmpd/private/local.key
openssl rsa -out /etc/isakmpd/private/ -in /etc/isakmpd/private/local.key -pubout

If you are running a lightweight distro like flashdist, then you might need to generate these keys on a different machine.


Installing IBM Systems Director on an AIX 6.1 LPAR with a DB2 back-end

IBM Systems Director is a very powerful management tool that comes free with PowerVM (that is: free to anyone that purchases a Power System). I have gathered here the different steps. Most of the information comes from the official documentation: Installing IBM Systems Director on the management server. In this guide I focus on the installation using AIX 6.1 in an LPAR with DB2 as the back-end database server.

  • First, prepare the database as described in Preparing the IBM DB2 Universal Database. The DB2 client can be installed following the steps described in Installing the DB2 9.5 Client on AIX 6.1
  • Then, make a note of the following configuration parameters for the Director installer:

    DbmsApplication = DB2
    DbmsServerName = fqdn_of_db2_server
    DbmsTcpIpListenerPort=database_port (for example 50000)
    DbmsDatabaseName = database_name
    DbmsDatabaseAppHome = path_to_sqllib (for example /home/db2inst1/sqllib)
    DbmsUserId = database_user_name
    DbmsPassword = (encrypted_user_password populated by /opt/ibm/director/bin/

    Create a database for IBM Systems Director (ISD), and make sure you can connect to the DB2 database from the AIX LPAR that will serve for the ISD install.

  • Next, the network is prepared, as described in Preparing firewalls and proxies for IBM Systems Director. Remember to also open up access from the management server to the other LAPRs and servers that ISD will have to access.
  • make sure the ports needed for ISD are available:
    netstat -an | grep LISTEN | egrep "951(0|4|5)"
    If the ports are in use, modify them as follows:
    netstat -an | grep LISTEN | egrep "991(0|4|5)"
    if there is no output, then:
    /var/opt/tivoli/ep/runtime/agent/toolkit/bin/ -unmanaged -port 9910 -jport 9914 -nport 9915 -force
  • Next, AIX needs to be patched if necessary, as described in Preparing to install IBM Systems Director Server on AIX. Since we are on AIX 6.1, there is little to do if all the fixpacks are up to date. Installing CSM is one step I recommend if you have IVM managed systems (having csm.hc_utils already installed from the install CD is necessary):

    mkdir csm
    wget ''
    gtar xvzf csm-aix-
    cd installp/ppc
    inutoc .
    installp -acgXYd . csm.hc_utils
    cd ../../../director (where you unpacked the director download see below if you haven't done that part yet)
    installp -acgXYd . Director.Server.ext.FSPProxy.rte

  • Download IBM Systems Director if not already done from IBM, unpack it, and run the installer:
    mkdir director
    gtar xvzf path_to_download/SysDir6_1_Server_AIX.tar.gz
  • Configure the database access:
    cd /opt/ibm/director/proddata/
    cp cfgdbcmd.rsp cfgdbcmd.rsp-dist
    vi cfgdbcmd.rsp

    Edit the file cfgdbcmd.rsp and select the lines that apply to DB2. Then populate the password with:
    /opt/ibm/director/bin/ -dbAdmin db2_instance_user -dbAdminPW db2_instance_user_pass
    this will take a while to complete, as there are over 1,000 tables to create, with constraints and indexes, and then the tables are pre-populated.
  • Then a final configuration to create the resource manager user ID
    This is very simple, just provide a user id and a password for the ISD to use internally.
  • Now you are ready to start the ISD:
    This will take a while, and it will probably hang if you don’t have enough memory. A minimum of 2GB is necessary.
  • Follow the startup progress:
    /opt/ibm/director/bin/smstatus -r
    The output should be as follows:
    I didn’t time, but it takes over 10 minutes for the ISD to become ready in a small LPAR on a p5

That’s it, from here, you can continue on with the ISD documentation: Configuring IBM Systems Director Server after installation.
Let me know how it goes and how you like ISD.

Mount CD/DVD in an AIX or Linux LPAR

To mount a CD or DVD in an LPAR, first you need to use the media library to assign one of the CDs in the library to the LPAR. For example, using the ivm inteface:

  1. Click on the lpar name in the “View/Modify Partitions” section
  2. Select the optical devices tab
  3. Create a virtual optical device if there isn’t one yet
  4. Click modify under current media
  5. Select the CD or DVD from the library
  6. Click OK

Then, you need to mount the media inside the AIX or Linux partition:

  1. Create the /mnt/cdrom directory if it doens’t exist yet: mkdir /mnt/cdrom
  2. Mount the media device: mount -v cdrfs -r /dev/cd0 /mnt/cdrom (on Linux the mount command is slightly different)

Note: on AIX you can edit the file “/etc/cdromd.conf” and add the line “device cd0 /mnt/cdrom” to have the CD or DVD mounted automatically.

Installing the DB2 9.5 Client on AIX 6.1

  • In case an application such as the IBM Systems Director needs the DB2 client to be installed, the process has a couple of pitfalls. Here are steps that make the installation very simple.
  • Download the DB2 client from IBM:
  • Create a directory and unpack the tarball in that directory, and install the client:
    wget ''
    mkdir db2
    cd db2
    gtar xvzf ../v9.5_aix64_client.tar.gz
    cd client
  • Create users in the system for the client to use:
    mkgroup -'A' id='999' db2iadm1
    mkgroup -'A' id='998' db2fadm1
    mkgroup -'A' id='997' dasadm1
    useradd -u 1004 -g db2iadm1 -m -d /home/db2inst1 db2inst1
    useradd -u 1003 -g db2fadm1 -m -d /home/db2fenc1 db2fenc1
    useradd -u 1002 -g dasadm1 -m -d /home/dasusr1 dasusr1
  • Create a client instance for the client to use:
    /opt/ibm/db2/V9.5/instance/db2icrt -a server -u db2fenc1 db2inst1
  • Add the db2 profile to the default profile:
    echo ". /home/db2inst1/sqllib/db2profile" >> /etc/profile
  • Test the db2 client:
    su - someuser
  • Add DB2 servers to the catalog:
    db2 catalog tcpip node node_name remote fqdn_of_db2_server server port_number_of _server_instance
    db2 catalog database database_name at node node_name authentication server
  • At that point you are ready to test the database connection:
    db2 connect to database_name user user_name using user_password