OpenBSD Journal

Recent Improvements in OpenBSD's IPSec

Contributed by deanna on from the carpal tunnel dept.

Another set of slides from AsiaBSDcon 2007 has been added to the papers collection:

Mathieu Sauve-Frankel (msf@): Recent Improvements in OpenBSD's IPsec Support.

Besides containing plenty of info about OpenBSD's IPsec implementation, it also contains an excellent rebuttal of the old "Windows is easy, UNIX is hard" myth.

(Comments are closed)


Comments
  1. By Anonymous Coward (85.178.96.32) on

    There's a Bug in the HTML-Code...

    http://openbsd.org/papers/asiabsdcon07-ipsec/mgp00013.html
    Click on "next" and you'll get to the last page.

    Just tell me if I need to write an advisory... ;]

    Comments
    1. By Anonymous Coward (85.178.96.32) on

      > There's a Bug in the HTML-Code...
      >
      > http://openbsd.org/papers/asiabsdcon07-ipsec/mgp00013.html
      > Click on "next" and you'll get to the last page.
      >
      > Just tell me if I need to write an advisory... ;]


      There's even a Bug in the Bugreport...
      Seems everything related to oBSD is buggy today.. omg. ;]

      Just cancel it. ;]

  2. By Anonymous Coward (69.3.44.234) on

    To be fair, you don't have to do the million-window-wizard in windows. Back in the 3.7 days I set up windows clients to VPN into my OpenBSD box by installing the windows-support-tools and then writing a simple batch file to connect to the OpenBSD machine. It wasn't really any tougher to write than the isakmpd conf/policy on the OpenBSD end.

    Comments
    1. By Anonymous Coward (24.37.242.64) on

      > To be fair, you don't have to do the million-window-wizard in windows. Back in the 3.7 days I set up windows clients to VPN into my OpenBSD box by installing the windows-support-tools and then writing a simple batch file to connect to the OpenBSD machine. It wasn't really any tougher to write than the isakmpd conf/policy on the OpenBSD end.

      Could you share some examples, .bat files, or anything else...? :)


    2. By Marc Balmer (210.138.62.130) on

      > To be fair, you don't have to do the million-window-wizard in windows. Back in the 3.7 days I set up windows clients to VPN into my OpenBSD box by installing the windows-support-tools and then writing a simple batch file to connect to the OpenBSD machine. It wasn't really any tougher to write than the isakmpd conf/policy on the OpenBSD end.

      I guess that still holds for today's windows. But you have to install this additional software. You could also use SoftRemote to make things easy.

    3. By Mathieu Sauve-Frankel (210.138.62.130) msf@openbsd.org on

      > To be fair, you don't have to do the million-window-wizard in windows. Back in the 3.7 days I set up windows clients to VPN into my OpenBSD box by installing the windows-support-tools and then writing a simple batch file to connect to the OpenBSD machine. It wasn't really any tougher to write than the isakmpd conf/policy on the OpenBSD end.

      But then it's not a default install anymore, is it? That was kind of the point behind that particular sequence of slides. Also, you're missing the point that I do NOT consider isakmpd.conf to be an example of a good config file format. isakmpd.conf is pretty horrible; the only redeeming quality it has is the concept of reasonable default phase1 and phase2 ciphers. If you ask Niklas why he chose that particular style of config file he will gladly tell you "I couldn't be bothered to write a UI, I wanted someone else to do it"

      We're doing this 8 years late IMO

      Comments
      1. By Anonymous Coward (68.76.122.144) on

        >
        > But then it's not a default install anymore, is it? That was kind of the point behind that particular sequence of slides. Also, you're missing the point that I do NOT consider isakmpd.conf to be an example of a good config file format. isakmpd.conf is pretty horrible; the only redeeming quality it has is the concept of reasonable default phase1 and phase2 ciphers. If you ask Niklas why he chose that particular style of config file he will gladly tell you "I couldn't be bothered to write a UI, I wanted someone else to do it"

        True that it isn't a default install anymore, but it's no tougher than adding a package. The thing is, most typical windows users would find that simple batch file more intimidating than the clicky-clicky million-window wizard. My point was, for technical users capable of setting it up in OpenBSD, it wasn't really any more difficult or time consuming to set it up in windows as of about two years ago. Gladly, OpenBSD makes it better now, but then your slides should have been why do other OS's *and older versions of OpenBSD* make IPSec hard then. The slides seemed to indicate it's always been this easy to do it in OpenBSD as compared to other OS's.

        Basically I think you were taking a bit of a slanted view on things, and not being quite fair.

        >
        > We're doing this 8 years late IMO
        >

        I agree.

        Comments
        1. By Steven (198.166.227.91) on

          > Basically I think you were taking a bit of a slanted view on things, and not being quite fair.
          >
          I agree that the author's view was slanted, but I think it was done that way to make a point about how the view that UNIX is harder than Windows is itself slanted. So, while slanted, I disagree that the author was being unfair.

  3. By Anonymous Coward (85.178.126.87) on

    Could those IPSec Instructions for a Host2Host Communication get included into the OpenBSD FAQ?
    Also Probably with a HowTo for Windows 2k/XP?

    This would HELP a lot because it's what I was looking for for a week now.
    It helps to secure WLANs :)
    Just the Windows configuration drives me nuts :/

    Comments
    1. By Anonymous Coward (68.104.220.48) on

      > Could those IPSec Instructions for a Host2Host Communication get included into the OpenBSD FAQ?
      > Also Probably with a HowTo for Windows 2k/XP?

      Unlikely. HOWTOs typically have limited scope and go stale; they've never had a place in the official documentation of the project. There used to be an IPsec FAQ that was difficult to keep current and had a hard time presenting enough information to suit every possible use case. You'll more likely find that the information you need to do what you need can already be gleaned from the provided documentation, and if not there then the archives and Google.

    2. By Nick Holland (68.43.117.34) nick@openbsd.org on http://www.openbsd.org/faq/

      > Could those IPSec Instructions for a Host2Host Communication get
      > included into the OpenBSD FAQ?

      That's a goal. Feel free to contribute good work. BTW: if you spend a couple hours working on it, you either write a lot faster than me, or are about to contribute bad work, which doesn't help.

      http://holland-consulting.net/obsd/faq-help.html

      > Also Probably with a HowTo for Windows 2k/XP?

      Not likely. Other than a great distaste for the non-word "howto", the OpenBSD FAQ is for documenting OpenBSD. This isn't to say that such documentation couldn't be done and provided from other websites, or that a couple sentences of tips couldn't be provided for guidance for connecting to other OSs, such as, "For DoofOS, you may find the XXX mode with option Y most productive"

      Nick.

  4. By Renaud Allard (renaud) renaud@llorien.org on

    May I suggest that the picture 62 is wrong? It shows that you have to copy your private key (instead of your public one) into the peer public key folder.

    Comments
    1. By Anonymous Coward (85.158.44.149) on

      > May I suggest that the picture 62 is wrong? It shows that you have to copy your private key (instead of your public one) into the peer public key folder.

      well spotted. actually it shows a nonexistent file, the file to copy is /etc/isakmpd/local.pub - the private key generated by /etc/rc is stored in /etc/isakmpd/private/local.key
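      As an added check illustrating the correction above (example code written for this page, not the slide author's or the OpenBSD project's): a small POSIX sh script that classifies a key file by its first PEM header line before it is copied to a peer, so that /etc/isakmpd/private/local.key can never be shipped in place of /etc/isakmpd/local.pub. The PEM header strings and the pubkeys/ipv4/<address> destination used by the copy wrapper are assumptions drawn from general openssl(1) and isakmpd(8) usage, not from this page; the sample key files in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the slides or from the OpenBSD project.
# Before a key file is handed to a peer (the step slide 62 got wrong),
# check that it is the public key /etc/isakmpd/local.pub and not the
# private key /etc/isakmpd/private/local.key.  Deciding by the PEM
# header lines openssl(1) writes is an assumption of this example.

# Return 0 if the file's first line is a PEM public-key header.
is_public_key() {
    hdr=$(head -n 1 "$1" 2>/dev/null) || return 1
    case "$hdr" in
        "-----BEGIN PUBLIC KEY-----"|"-----BEGIN RSA PUBLIC KEY-----") return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the file's first line is any PEM private-key header
# (RSA, EC, PKCS#8, ...); such a file must never leave the host.
is_private_key() {
    hdr=$(head -n 1 "$1" 2>/dev/null) || return 1
    case "$hdr" in
        "-----BEGIN "*"PRIVATE KEY-----") return 0 ;;
        *) return 1 ;;
    esac
}

# Print "public", "private" or "unknown" for a file; succeed only for "public".
classify_key() {
    if is_private_key "$1"; then
        echo private; return 1
    elif is_public_key "$1"; then
        echo public; return 0
    else
        echo unknown; return 1
    fi
}

# Hypothetical wrapper for the copy step: refuses anything but a public key.
# isakmpd(8) looks for a peer's public key under /etc/isakmpd/pubkeys/ipv4/<address>
# on the receiving host; the scp(1) destination below is built on that assumption.
# Usage: copy_pubkey_to_peer /etc/isakmpd/local.pub 192.0.2.1 192.0.2.2
#        (key file, peer host to copy to, this host's address as the peer sees it)
copy_pubkey_to_peer() {
    key=$1; peer=$2; myaddr=$3
    if ! is_public_key "$key"; then
        echo "refusing to copy $key: not a public key ($(classify_key "$key"))" >&2
        return 1
    fi
    scp "$key" "root@$peer:/etc/isakmpd/pubkeys/ipv4/$myaddr"
}

# Stand-alone demonstration on constructed sample files (run with the argument "demo").
demo() {
    d=$(mktemp -d) || exit 1
    printf '%s\n' '-----BEGIN PUBLIC KEY-----' 'MIIB...constructed...' '-----END PUBLIC KEY-----' > "$d/local.pub"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE...constructed...' '-----END RSA PRIVATE KEY-----' > "$d/local.key"
    for f in "$d/local.pub" "$d/local.key"; do
        printf '%s: %s\n' "$f" "$(classify_key "$f")"
    done
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

      The classification is deliberately conservative: a file with no recognisable header is reported as "unknown" and also refused, so a mislabelled or empty file cannot slip through just because it is not obviously a private key.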

    2. By Mathieu Sauve-Frankel (210.138.62.130) msf@openbsd.org on

      > May I suggest that the picture 62 is wrong? It shows that you have to copy your private key (instead of your public one) into the peer public key folder.

      oops. thanks.. I've just updated the slides

      Comments
      1. By matvey (222.228.90.52) matvey@journal.kmv.ru on http://matvey.org.ru

        > > May I suggest that the picture 62 is wrong? It shows that you have to copy your private key (instead of your public one) into the peer public key folder.
        >
        > oops. thanks.. I've just updated the slides

        Could you please give full steps to make http://openbsd.org/papers/asiabsdcon07-ipsec/mgp00065.txt
        working.

        Including copying keys, checking SA and FLOWS, watching traffic on enc interface, checking routes. Seems I'm stuck with this slide.

        Thank You!

        Comments
        1. By sthen (85.158.44.148) on

          > Could you please give full steps to make http://openbsd.org/papers/asiabsdcon07-ipsec/mgp00065.txt
          > working.

          We have documentation for that...here are some pointers:

          > Including copying keys,

          isakmpd(8): section headed "PUBLIC KEY AUTHENTICATION"

          > checking SA and FLOWS

          ipsecctl(8)

          > watching traffic on enc interface, checking routes.

          tcpdump(8), netstat(8)

          Comments
          1. By matvey (222.228.90.52) on

            > > Could you please give full steps to make http://openbsd.org/papers/asiabsdcon07-ipsec/mgp00065.txt
            > > working.
            >
            > We have documentation for that...here are some pointers:
            >
            > > Including copying keys,
            >
            > isakmpd(8): section headed "PUBLIC KEY AUTHENTICATION"
            >
            > > checking SA and FLOWS
            >
            > ipsecctl(8)
            >
            > > watching traffic on enc interface, checking routes.
            >
            > tcpdump(8), netstat(8)
            >

            copied keys, done as written in example, but do not see SA with ipsecctl -s all, and no routes present with netstat...


            Can I have DETAILED EXAMPLE for roaming user obsd-obsd?

    3. By Anonymous Coward (208.123.8.36) on

      > May I suggest that the picture 62 is wrong? It shows that you have to copy your private key (instead of your public one) into the peer public key folder.

      The ipsecctl commands also need a -f:

      hostA# ipsecctl -vf /etc/ipsec.conf

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]