Contributed by jose from the help-me-secure-my-IP dept.
"I have IPsec working between the two of them. If I ping the firewall, it's encrypted. If I ping the workstation, it's encrypted.
But when I ping an address on the web, it's normal.
I know that I probably have to change the isakmpd.conf on the workstation, but I don't know what to set it to.
Can someone post a sample isakmpd.conf file I can check? Any help would be most appreciated :)
This is the first time I have asked for help, since I usually figure things out in time.
Thanks again..."
The ISAKMPD configuration can be a bit tricky. Anyone have any notes they wish to share?
By Anonymous Coward
1. set up the IP address and policy (aka SPD, flow):
# cat hostname.fxp1
inet 10.0.0.10
!ipsecadm flush
!ipsecadm flow -addr 10.0.0.10/32 192.168.20.1/32 -src 10.0.0.10 -dst 192.168.20.1 -proto esp -out -require
!ipsecadm flow -addr 192.168.20.1/32 10.0.0.10/32 -src 10.0.0.10 -dst 192.168.20.1 -proto esp -in -require
2. enable isakmpd (-L for debug in /var/run/isakmpd.pcap):
# grep isakmpd_flags rc.conf
isakmpd_flags="-L"
3. set up an allow-all policy file:
# cat isakmpd/isakmpd.policy
Authorizer: "POLICY"
# chmod 600 isakmpd/isakmpd.policy
4. generate a key for IKE authentication:
# openssl genrsa -out isakmpd/private/local.key 1024
# chmod 600 isakmpd/private/local.key
5. extract public key:
# openssl rsa -out /var/tmp/my.pub -in isakmpd/private/local.key -pubout
# scp /var/tmp/my.pub peer:...
6. install public key of peers:
# cp /var/tmp/peer.pub isakmpd/pubkeys/ipv4/192.168.20.1
# cat isakmpd/pubkeys/ipv4/192.168.20.1
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC73evmkPzOKn4+ZwPvSUbjGorx
[...]
W7Uaf6tD6rKxpa06kQIDAQAB
-----END PUBLIC KEY-----
no need for an isakmpd.conf file
7. ping peer
# ping 192.168.20.1
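Before starting isakmpd it is worth checking that the files the recipe above leaves behind are where isakmpd looks for them by default (isakmpd.policy, private/local.key and pubkeys/ipv4/<peer address> under /etc/isakmpd) and are not readable by anyone but root. The script below is an added example, not part of the reply above or of OpenBSD: it takes the isakmpd directory and the peer address, prints every missing or over-permissive file and returns non-zero if it found one. The scratch tree it builds for its own demonstration is constructed, with placeholder PEM bodies rather than real keys, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the reply above: check the file layout the recipe
# leaves behind before starting isakmpd.  DIR is the isakmpd directory
# (/etc/isakmpd on a real host), PEER the address whose public key was
# installed in step 6.

# private_enough FILE: true only if FILE grants nothing to group or other.
# ls(1) output is parsed because stat(1) takes different flags on BSD and GNU.
private_enough() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_isakmpd_dir DIR PEER: print every problem found, return 1 if any.
check_isakmpd_dir() {
    dir=$1 peer=$2 rc=0

    # step 3: KeyNote policy; must exist, carry the Authorizer line, be mode 600
    pol=$dir/isakmpd.policy
    if [ ! -f "$pol" ]; then
        echo "missing: $pol"; rc=1
    else
        grep -q '^Authorizer: "POLICY"' "$pol" || { echo "$pol: no Authorizer line"; rc=1; }
        private_enough "$pol" || { echo "$pol: should be mode 600"; rc=1; }
    fi

    # step 4: local RSA private key; PEM, mode 600
    key=$dir/private/local.key
    if [ ! -f "$key" ]; then
        echo "missing: $key"; rc=1
    else
        grep -q 'PRIVATE KEY-----' "$key" || { echo "$key: not a PEM private key"; rc=1; }
        private_enough "$key" || { echo "$key: should be mode 600"; rc=1; }
    fi

    # step 6: the peer's public key, named after its address, in the
    # form that 'openssl rsa -pubout' writes
    pub=$dir/pubkeys/ipv4/$peer
    if [ ! -f "$pub" ]; then
        echo "missing: $pub (peer public key)"; rc=1
    elif ! head -n 1 "$pub" | grep -q '^-----BEGIN PUBLIC KEY-----$'; then
        echo "$pub: expected a '-----BEGIN PUBLIC KEY-----' file"; rc=1
    fi
    return $rc
}

# make_scratch_tree DIR PEER: a constructed stand-in for /etc/isakmpd with
# placeholder PEM bodies, only so the check can be demonstrated offline.
make_scratch_tree() {
    mkdir -p "$1/private" "$1/pubkeys/ipv4"
    printf 'Authorizer: "POLICY"\n' > "$1/isakmpd.policy"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n-----END RSA PRIVATE KEY-----\n' \
        > "$1/private/local.key"
    printf -- '-----BEGIN PUBLIC KEY-----\nplaceholder\n-----END PUBLIC KEY-----\n' \
        > "$1/pubkeys/ipv4/$2"
    chmod 600 "$1/isakmpd.policy" "$1/private/local.key"
}

# Stand-alone demonstration on the constructed tree.
scratch=$(mktemp -d)
make_scratch_tree "$scratch" 192.168.20.1
check_isakmpd_dir "$scratch" 192.168.20.1 && echo "layout ok"
chmod 644 "$scratch/isakmpd.policy"          # the mistake step 3's chmod prevents
check_isakmpd_dir "$scratch" 192.168.20.1 || echo "layout rejected"
rm -rf "$scratch"
```

On a real host run `check_isakmpd_dir /etc/isakmpd 192.168.20.1` as root; the public-key check only looks at the PEM header, so a key that is well-formed but belongs to the wrong peer still has to be caught by comparing it with what the peer extracted in step 5.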
By Sesha
It's probably something simple that I am not seeing right in front of me :)
To the person who posted the first reply:
how would I set up isakmpd.conf to get to the Internet from my workstation?
I can't set a fixed IP or subnet, since it's the Internet, but I do thank you for your response.
I will figure it out someday (hopefully today :)
Thanks again!
Sesha
By Jeffrey
I tried switching the encryption algorithm from blf to aes the other day (just for fun) and noticed that when using aes, packets would fragment; it looked like the fragments were not being handled by enc0 but were going directly to the network interface (rl0 in this case).
I have the MTU set to 1444 for rl0 (only on one machine, though). Other machines are using 1500. Does aes encryption require a different MTU?
Can anyone give MTU recommendations for interfaces which are intended to handle IPsec traffic? I know there must be something I can read to help with this, but I've yet to find it.
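The size question can be worked out from the ESP packet layout in RFC 2406: an 8-byte SPI/sequence-number header, a CBC IV the size of the cipher block, the payload plus a 2-byte trailer (pad length, next header) padded up to a whole number of cipher blocks, and a 12-byte ICV for HMAC-MD5-96 or HMAC-SHA1-96, all behind a 20-byte IPv4 header (the original one in transport mode, a new outer one in tunnel mode). The script below is an added example, not part of the comment above or of OpenBSD; it assumes IPv4, CBC mode with the IV equal to the block size (8 bytes for blf and 3des, 16 for aes), a 96-bit ICV and no extended sequence numbers. It shows why aes costs more room per packet than blf: both the IV and the padding grow from 8-byte to 16-byte boundaries.

```shell
#!/bin/sh
# Added example: ESP size arithmetic for the MTU question above.
# Assumptions (not from the page): IPv4, ESP-CBC with IV == cipher block
# size (blf/3des 8 bytes, aes 16 bytes), HMAC-MD5-96 or HMAC-SHA1-96
# (12-byte ICV), no extended sequence numbers.

# esp_size MODE CIPHER PLAIN_LEN
#   MODE      transport or tunnel
#   CIPHER    blf, 3des or aes
#   PLAIN_LEN length of the clear-text IPv4 packet, header included
# Prints the length of the packet after ESP processing.
esp_size() {
    case $2 in
        blf|3des) blk=8 ;;
        aes)      blk=16 ;;
        *) echo "esp_size: unknown cipher $2" >&2; return 1 ;;
    esac
    case $1 in
        # tunnel: the whole packet is encrypted behind a new 20-byte IP header
        tunnel)    inner=$3 ;;
        # transport: the original 20-byte IP header stays in the clear,
        # only the transport layer and above are encrypted
        transport) inner=$(($3 - 20)) ;;
        *) echo "esp_size: unknown mode $1" >&2; return 1 ;;
    esac
    # encrypted part = inner data + pad length byte + next header byte,
    # rounded up to a whole number of cipher blocks
    padded=$(( (inner + 2 + blk - 1) / blk * blk ))
    # 20 IP header + 8 (SPI, sequence) + IV + ciphertext + 12 ICV
    echo $(( 20 + 8 + blk + padded + 12 ))
}

# max_plain MODE CIPHER MTU
# Largest clear-text packet whose ESP form still fits in MTU bytes, i.e. the
# MTU the sending stack would have to believe in to avoid fragmentation.
max_plain() {
    p=$3
    while [ "$(esp_size "$1" "$2" "$p")" -gt "$3" ]; do
        p=$((p - 1))
    done
    echo "$p"
}

# Stand-alone demonstration: a default 84-byte ping (20 IP + 8 ICMP + 56 data)
# and the two interface MTUs mentioned in the comment.
for mode in transport tunnel; do
    for cipher in blf aes; do
        printf '%-9s %-4s ping(84) -> %4s bytes; fits in 1444: %4s, in 1500: %4s\n' \
            "$mode" "$cipher" "$(esp_size $mode $cipher 84)" \
            "$(max_plain $mode $cipher 1444)" "$(max_plain $mode $cipher 1500)"
    done
done
```

With these assumptions an 84-byte ping becomes 120 bytes in transport mode with blf and 136 with aes, and a 1444-byte interface MTU leaves room for a 1410-byte clear-text packet with blf but only 1394 with aes. A host that still believes the path MTU is 1500 will therefore hand ESP packets that no longer fit once encapsulated, and they get fragmented; the extra block size is the only difference between the two ciphers here, the script says nothing about which interface does the fragmenting.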