OpenBSD Journal

OpenBSD ISAKMPD.CONF

Contributed by jose on from the help-me-secure-my-IP dept.

Sehsa writes: "I have an OpenBSD Firewall/NAT box & an OpenBSD Workstation.

I have IPsec working between the 2 of them. If I ping the firewall, it's encrypted. If I ping the workstation, it's encrypted.

But when I ping an address on the web, it's normal.

I know that I probably have to change the isakmpd.conf on the workstation but I don't know what to set it to.

Can someone post a sample isakmpd.conf file I can check. Any help would be most appreciated :)

This is the 1st time I have asked for help since I usually figure things out in time.

Thanks again..."

The ISAKMPD configuration can be a bit tricky. Anyone have any notes they wish to share?



Comments
  1. By Anonymous Coward () on

    (IPsec between 10.0.0.10/32 192.168.20.1/32)

    1. set up IP address and policy (aka. SPD, flow):

    # cat hostname.fxp1
    inet 10.0.0.10
    !ipsecadm flush
    !ipsecadm flow -addr 10.0.0.10/32 192.168.20.1/32 -src 10.0.0.10 -dst 192.168.20.1 -proto esp -out -require
    !ipsecadm flow -addr 192.168.20.1/32 10.0.0.10/32 -src 10.0.0.10 -dst 192.168.20.1 -proto esp -in -require

    2. enable isakmpd (-L for debug in /var/run/isakmpd.pcap):

    # grep isakmpd_flags rc.conf
    isakmpd_flags="-L"

    3. set up allow-all policy file:

    # cat isakmpd/isakmpd.policy
    Authorizer: "POLICY"
    # chmod 600 isakmpd/isakmpd.policy

    4. generate key for IKE authentication:

    # openssl genrsa -out isakmpd/private/local.key 1024
    # chmod 600 isakmpd/private/local.key

    5. extract public key:

    # openssl rsa -out /var/tmp/my.pub -in isakmpd/private/local.key -pubout
    # scp /var/tmp/my.pub peer:...

    6. install public key of peers:

    # cp /var/tmp/peer.pub isakmpd/pubkeys/ipv4/192.168.20.1

    # cat isakmpd/pubkeys/ipv4/192.168.20.1
    -----BEGIN PUBLIC KEY-----
    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC73evmkPzOKn4+ZwPvSUbjGorx
    [...]
    W7Uaf6tD6rKxpa06kQIDAQAB
    -----END PUBLIC KEY-----

    no need for an isakmpd.conf file

    7. ping peer

    # ping 192.168.20.1
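
A small audit of the directory layout the recipe above produces (an added example, not the poster's commands): it checks that isakmpd.policy and private/local.key are mode 600 as in steps 3 and 4, that each file under pubkeys/ipv4/ is named by a peer IPv4 address and holds a PEM public key as in steps 5 and 6, and notes when the policy is the allow-all one from step 3. The directory path and the file names are assumed from the poster's listing.

```shell
#!/bin/sh
# Audit an isakmpd(8) directory laid out as in the recipe above (constructed
# example, not the poster's code):
#   DIR/isakmpd.policy  DIR/private/local.key  DIR/pubkeys/ipv4/<peer-ip>
# Prints one line per finding; the return value is the number of findings.

# True when FILE has mode exactly 0600 (owner read/write only).
mode_is_600() {
    [ -n "$(find "$1" -perm 600 -print 2>/dev/null)" ]
}

# True when NAME is a dotted quad with every octet in 0..255, as the file
# names under pubkeys/ipv4/ must be for isakmpd to find the peer's key.
is_ipv4() {
    case $1 in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# True when FILE is a single PEM "PUBLIC KEY" block like the one written by
# "openssl rsa -pubout" in step 5 (checked structurally, no openssl needed).
is_pem_pubkey() {
    [ "$(grep -c '' "$1")" -ge 3 ] &&
    [ "$(head -n 1 "$1")" = "-----BEGIN PUBLIC KEY-----" ] &&
    [ "$(tail -n 1 "$1")" = "-----END PUBLIC KEY-----" ] &&
    ! sed '1d;$d' "$1" | grep -qv '^[A-Za-z0-9+/=]\{1,76\}$'
}

# Usage: check_isakmpd_dir /etc/isakmpd
check_isakmpd_dir() {
    dir=$1; n=0
    for f in "$dir/isakmpd.policy" "$dir/private/local.key"; do
        if [ ! -f "$f" ]; then echo "missing: $f"; n=$((n+1))
        elif ! mode_is_600 "$f"; then echo "mode not 600: $f"; n=$((n+1)); fi
    done
    # Step 3's one-line policy has no Conditions: clause, so any proposal from
    # an authenticated peer is accepted; flag it so it is a choice, not an accident.
    [ -f "$dir/isakmpd.policy" ] && ! grep -q '^Conditions:' "$dir/isakmpd.policy" &&
        echo "note: allow-all policy (no Conditions: line) in $dir/isakmpd.policy"
    for k in "$dir"/pubkeys/ipv4/*; do
        [ -e "$k" ] || continue             # unmatched glob: directory is empty
        name=${k##*/}
        is_ipv4 "$name" || { echo "not an IPv4 peer name: $k"; n=$((n+1)); }
        is_pem_pubkey "$k" || { echo "not a PEM public key: $k"; n=$((n+1)); }
    done
    return $n
}

if [ $# -ge 1 ]; then check_isakmpd_dir "$1"; fi
```

Run it as `sh audit.sh /etc/isakmpd` on the host whose directory you want to check; a zero exit status means no findings.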


  2. By Sesha () on

    Thanks for posting my message - Jose?

    It's probably something simple that I am not seeing right in front of me :)

    To the person who posted the 1st reply:
    how would I set up ISAKMPD.CONF to get to the Internet from my workstation?
    I can't set a fixed ip or subnet since it's the Internet but I do thank you for your response.

    I will figure it out someday (hopefully today :)

    thanks again!

    Sesha

  3. By Jeffrey () on

    BTW, I'm not doing ISAKMP right now .. just manual keying. Everything works fine (wireless). I'm just curious about something I noticed...

    I tried switching the encryption algorithm from blf to aes the other day (just for fun) and noticed that when using aes, packets would fragment; it looked like the fragments were not being handled by enc0 but were going directly to the network interface (rl0 in this case).

    I have the MTU set to 1444 for rl0 (only on one machine though). Other machines are using 1500. Does aes encryption require a different MTU..?

    Can anyone give MTU recommendations for interfaces which are intended to handle IPsec traffic? I know there must be something I can read to help with this, but I've yet to find it.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]