Date: Tue, 05 Jun 2007 12:27:36 -0400 From: Christopher Hilton <chris@vindaloo.com> To: misc@openbsd.org Cc: User Questions <freebsd-questions@freebsd.org> Subject: Isakmpd setup question. Message-ID: <46658EF8.5080704@vindaloo.com>
next in thread | raw e-mail | index | archive | help
Hi, I would like to set up isakmpd so I can connect my roaming laptop to my NATed LAN behind an OpenBSD firewall on a cable modem. I have an ISAKMPD configuration which allows me to do this but to build it I have setup the Phase 1 Identifiers to be the IP Addresses that I get. While the Cable modem side of the connection is reasonably static the laptop side is anything but. My laptop runs FreeBSD and I have built the isakmpd port. My laptop also has a constant FQDN via dyndns.org. I would like to know how to convert my current configuration from relying on IP addresses to relying on FWDN on both sides. I grabbed my initial configurations from the OpenBSD examples and tweaked them until they worked for me but I need to go those few extra steps. Here's /etc/isakmpd/isakmpd.conf from my OpenBSD firewall/router: ---------------------------------------------------------------------- # $OpenBSD: VPN-east.conf,v 1.12 2002/06/09 08:13:07 todd Exp $ # $EOM: VPN-east.conf,v 1.12 2000/10/09 22:08:30 angelos Exp $ # A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon. # # The network topology of the example net is like this: # # 192.168.11.0/24 - west [.11] - 10.1.0.0/24 - [.12] east - #192.168.12.0/24 # # "west" and "east" are the respective secrity gateways (aka VPN-nodes). ## We are east. [General] Listen-on= 192.168.132.1 [Phase 1] 172.17.0.1= ISAKMP-peer-west [Phase 2] Passive-Connections= IPsec-east-west [ISAKMP-peer-west] Phase= 1 Transport= udp Address= 172.17.0.1 Configuration= Default-aggressive-mode Authentication= *** not my real password *** [IPsec-east-west] Phase= 2 ISAKMP-peer= ISAKMP-peer-west Configuration= Default-quick-mode Local-ID= Net-east Remote-ID= Net-west [Net-west] ID-type= IPV4_ADDR_SUBNET Network= 172.17.0.1 Netmask= 255.255.255.255 [Net-east] ID-type= IPV4_ADDR_SUBNET Network= 10.0.0.0 Netmask= 255.255.255.0 [Default-main-mode] DOI= IPSEC EXCHANGE_TYPE= ID_PROT Transforms= 3DES-SHA [Default-aggressive-mode] DOI= IPSEC EXCHANGE_TYPE= AGGRESSIVE Transforms= 3DES-SHA [Default-quick-mode] DOI= IPSEC EXCHANGE_TYPE= QUICK_MODE Suites= QM-ESP-AES-SHA-PFS-SUITE # End of file And here's the corresponding /etc/isakmpd/isakmpd.conf from my laptop: --------------------------------------------------------------------- ### We are "west" here [General] # Listen-on= 172.17.100.1 [Phase 1] 192.168.132.1= ISAKMP-peer-west [Phase 2] Connections= IPsec-east-west [ISAKMP-peer-west] Phase= 1 Transport= udp Address= 192.168.132.1 Configuration= Default-aggressive-mode Authentication= *** not my real password *** [IPsec-east-west] Phase= 2 ISAKMP-peer= ISAKMP-peer-west Configuration= Default-quick-mode Local-ID= Net-west Remote-ID= Net-east [Net-west] ID-type= IPV4_ADDR_SUBNET Network= 172.17.0.1 Netmask= 255.255.255.255 [Net-east] ID-type= IPV4_ADDR_SUBNET Network= 10.0.0.0 Netmask= 255.255.255.0 [Default-main-mode] DOI= IPSEC EXCHANGE_TYPE= ID_PROT Transforms= 3DES-SHA [Default-aggressive-mode] DOI= IPSEC EXCHANGE_TYPE= AGGRESSIVE Transforms= 3DES-SHA [Default-quick-mode] DOI= IPSEC EXCHANGE_TYPE= QUICK_MODE Suites= QM-ESP-AES-SHA-PFS-SUITE ## End of file I appreciate any help that someone could provide. I'm especially interested in developing a better understanding of how isakmpd works with uses these configurations. Thank you -- Chris -- __o "All I was doing was trying to get home from work." _`\<,_ -Rosa Parks ___(*)/_(*)___________________________________________________________ Christopher Sean Hilton <chris | at | vindaloo.com> pgp key: D0957A2D/f5 30 0a e1 55 76 9b 1f 47 0b 07 e9 75 0e 14
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46658EF8.5080704>