Date:      Tue, 05 Jun 2007 12:27:36 -0400
From:      Christopher Hilton <chris@vindaloo.com>
To:        misc@openbsd.org
Cc:        User Questions <freebsd-questions@freebsd.org>
Subject:   Isakmpd setup question.
Message-ID:  <46658EF8.5080704@vindaloo.com>

Hi,

I would like to set up isakmpd so I can connect my roaming laptop to my 
NATed LAN behind an OpenBSD firewall on a cable modem. I have an ISAKMPD 
configuration which allows me to do this, but to build it I have set up 
the Phase 1 Identifiers to be the IP Addresses that I get. While the 
Cable modem side of the connection is reasonably static, the laptop side 
is anything but. My laptop runs FreeBSD and I have built the isakmpd 
port. My laptop also has a constant FQDN via dyndns.org. I would like to 
know how to convert my current configuration from relying on IP 
addresses to relying on FQDN on both sides.

I grabbed my initial configurations from the OpenBSD examples and 
tweaked them until they worked for me but I need to go those few extra 
steps.

Here's /etc/isakmpd/isakmpd.conf from my OpenBSD firewall/router:


----------------------------------------------------------------------


#	$OpenBSD: VPN-east.conf,v 1.12 2002/06/09 08:13:07 todd Exp $
#	$EOM: VPN-east.conf,v 1.12 2000/10/09 22:08:30 angelos Exp $

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
# The network topology of the example net is like this:
#
# 192.168.11.0/24 - west [.11] - 10.1.0.0/24 - [.12] east - #192.168.12.0/24
#
# "west" and "east" are the respective security gateways (aka VPN-nodes).
## We are east.


[General]
Listen-on=		192.168.132.1

[Phase 1]
172.17.0.1=		ISAKMP-peer-west

[Phase 2]
Passive-Connections=	IPsec-east-west

[ISAKMP-peer-west]
Phase=			1
Transport=		udp
Address=		172.17.0.1
Configuration=		Default-aggressive-mode
Authentication=		*** not my real password ***

[IPsec-east-west]
Phase=			2
ISAKMP-peer=		ISAKMP-peer-west
Configuration=		Default-quick-mode
Local-ID=		Net-east
Remote-ID=		Net-west

[Net-west]
ID-type=		IPV4_ADDR_SUBNET
Network=		172.17.0.1
Netmask=		255.255.255.255

[Net-east]
ID-type=		IPV4_ADDR_SUBNET
Network=		10.0.0.0
Netmask=		255.255.255.0

[Default-main-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		ID_PROT
Transforms=		3DES-SHA

[Default-aggressive-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		AGGRESSIVE
Transforms=		3DES-SHA

[Default-quick-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		QUICK_MODE
Suites=			QM-ESP-AES-SHA-PFS-SUITE

# End of file

And here's the corresponding /etc/isakmpd/isakmpd.conf from my laptop:

---------------------------------------------------------------------

### We are "west" here

[General]
# Listen-on=		172.17.100.1

[Phase 1]
192.168.132.1=		ISAKMP-peer-west

[Phase 2]
Connections=		IPsec-east-west

[ISAKMP-peer-west]
Phase=			1
Transport=		udp
Address=		192.168.132.1
Configuration=		Default-aggressive-mode
Authentication=		*** not my real password ***

[IPsec-east-west]
Phase=			2
ISAKMP-peer=		ISAKMP-peer-west
Configuration=		Default-quick-mode
Local-ID=		Net-west
Remote-ID=		Net-east

[Net-west]
ID-type=		IPV4_ADDR_SUBNET
Network=		172.17.0.1
Netmask=		255.255.255.255

[Net-east]
ID-type=		IPV4_ADDR_SUBNET
Network=		10.0.0.0
Netmask=		255.255.255.0

[Default-main-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		ID_PROT
Transforms=		3DES-SHA

[Default-aggressive-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		AGGRESSIVE
Transforms=		3DES-SHA

[Default-quick-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		QUICK_MODE
Suites=			QM-ESP-AES-SHA-PFS-SUITE

## End of file

I appreciate any help that someone could provide. I'm especially 
interested in developing a better understanding of how isakmpd works 
with these configurations.

Thank you
-- Chris

-- 
       __o          "All I was doing was trying to get home from work."
     _`\<,_           -Rosa Parks
___(*)/_(*)___________________________________________________________
Christopher Sean Hilton                    <chris | at | vindaloo.com>
         pgp key: D0957A2D/f5 30 0a e1 55 76 9b 1f 47 0b 07 e9 75 0e 14
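The following is an added example from the editor, not part of Chris's post: the laptop ("west") side of the Phase 1 configuration rewritten so that both peers identify themselves by FQDN instead of by IP address, using the `ID`, `Remote-ID`, `ID-type=FQDN` and `Name` tags documented in isakmpd.conf(5). The hostnames `laptop.example.org` and `fw.example.org` are placeholders. The firewall ("east") side is the mirror image: its `[Phase 1]` section uses `Default=` instead of the laptop's IP address, since a roaming initiator's address is not known in advance, and its `ID`/`Remote-ID` point at the opposite ID sections.

```ini
### Laptop ("west") Phase 1 -- FQDN identities instead of IP addresses.
### Added example, not the original poster's configuration.

[Phase 1]
# The firewall's address is reasonably static, so the peer can still
# be selected by address on the initiating side.
192.168.132.1=		ISAKMP-peer-east

[ISAKMP-peer-east]
Phase=			1
Transport=		udp
Address=		192.168.132.1
Configuration=		Default-aggressive-mode
Authentication=		*** pre-shared key, same on both sides ***
# Identity we present (section name is arbitrary).
ID=			ID-laptop
# Identity we require the firewall to present.
Remote-ID=		ID-firewall

[ID-laptop]
ID-type=		FQDN
Name=			laptop.example.org

[ID-firewall]
ID-type=		FQDN
Name=			fw.example.org

### Firewall ("east") Phase 1 -- the mirror image.
### Placed in a separate file on the firewall; shown here for comparison.
#
# [Phase 1]
# # No fixed address for the laptop: match any unknown initiator.
# Default=		ISAKMP-peer-laptop
#
# [ISAKMP-peer-laptop]
# Phase=		1
# Transport=		udp
# Configuration=	Default-aggressive-mode
# Authentication=	*** pre-shared key, same on both sides ***
# ID=			ID-firewall
# Remote-ID=		ID-laptop
#
# [ID-firewall]
# ID-type=		FQDN
# Name=			fw.example.org
#
# [ID-laptop]
# ID-type=		FQDN
# Name=			laptop.example.org
```

Two points worth checking when moving to this layout. First, the FQDN is an identity string carried inside IKE, not something isakmpd resolves through DNS; the `Name` values only have to match what the other side configures, so the dyndns.org name does not even need to resolve for authentication to work. Second, with a pre-shared key the responder must learn the initiator's ID before it can pick the key, which is why the roaming (`Default=`) peer is paired with aggressive mode here; the aggressive-mode pre-shared-key exchange exposes a hash of the key to anyone on the path, so the key should be long and random, and the Phase 2 `[Net-west]` sections (still `172.17.0.1/32` in the posted files) will also need to match whatever address the laptop actually has at the time.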