Hi there

I have an OpenBSD box that is configured as firewall and vpn gateway. The
box has two physical interfaces. One interface is the WAN interface that
connects to the internet. The other interface connects to the LAN switch
and has defined several virtual VLAN interfaces for different LAN subnets.

The basic vpn configuration works. I can connect with the Greenbow vpn
client from Windows host and reach the hosts on the LAN interfaces. In the
Greenbow vpn client configuration I can define the subnet to which I want
to tunnel to. So if I define the subnet of the vlan 2 interface in the
Greenbow vpn client, I can reach the hosts that are in the vlan 2 subnet,
if I define the subnet of the vlan 3 interface, I can reach the hosts that
are in the vlan 3 subnet. I have no control over which subnet the vpn client
has access to.


My isakmpd.conf looks like this:
# ----------------
# Defaults section
# ----------------

[General]
Default-phase-1-lifetime=       3600,60:86400
Default-phase-2-lifetime=       1200,60:86400

# -----------
# Connections
# -----------

[Phase 1]
Default=                ISAKMP-clients

[Phase 2]
Passive-Connections=    IPsec-clients

# ---------------------
# Phase 1 peer sections
# ---------------------

[ISAKMP-clients]
Phase=          1
Transport=      udp
Configuration=  default-main-mode
Authentication= mekmitasdigoat

# ----------------
# Phase 2 sections
# ----------------

[IPsec-clients]
Phase=          2
Configuration=  default-quick-mode
Local-ID=       default-route
Remote-ID=      dummy-remote

# ------------------
# Client ID sections
# ------------------

[default-route]
ID-type=        IPV4_ADDR_SUBNET
Network=        0.0.0.0
Netmask=        0.0.0.0

[dummy-remote]
ID-type=        IPV4_ADDR
Address=        0.0.0.0


[default-main-mode]
DOI=            IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms=     AES-SHA-GRP2

[default-quick-mode]
DOI=            IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites=         QM-ESP-AES-SHA-PFS-GR2-SUITE


I have tried to change Network and Netmask in the [default-route] section
from 0.0.0.0 to the network and netmask of one of the vlan subnetworks, but
it does not help. I can still connect to the other subnets if I define them
in the client. Does anyone know how I can restrict access to only one of the
vlan subnets?


Thanks, Daniel
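An added example, not from Daniel's post or his isakmpd.conf, of enforcing the restriction in the packet filter rather than in the IKE ID sections: after ESP is decapsulated, the inner packets pass through enc(4), so pf rules on enc0 can allow the VLAN 2 subnet and drop everything else regardless of which subnet the client negotiated. The interface names, subnets and client address pool are placeholders, and the fragment only covers the VPN paths; the rest of the site's policy is omitted.

```pf
# Added example, not part of the original post or its configuration.
# Assumptions (constructed placeholders): external interface em0,
# VLAN 2 interface vlan2 = 192.168.2.0/24, VLAN 3 = 192.168.3.0/24,
# and the Greenbow clients use addresses from 10.99.0.0/24 inside the tunnel.
ext_if    = "em0"
vlan2_net = "192.168.2.0/24"
vlan3_net = "192.168.3.0/24"
vpn_pool  = "10.99.0.0/24"

set skip on lo
# Do NOT add "set skip on enc0": that exempts decapsulated IPsec traffic
# from filtering and silently removes the restriction below.

block log all

# IKE (UDP 500), NAT-T (UDP 4500) and ESP from the internet to the gateway.
pass in on $ext_if proto udp from any to ($ext_if) port { 500 4500 }
pass in on $ext_if proto esp from any to ($ext_if)

# Inner (decrypted) packets from the tunnel appear on enc0. Only the VLAN 2
# subnet is reachable; the VLAN 3 subnet is blocked and logged explicitly so
# a client that negotiated it shows up in pflog, everything else hits "block all".
pass in on enc0 from $vpn_pool to $vlan2_net keep state (if-bound)
block in log on enc0 from $vpn_pool to $vlan3_net

# Let the permitted flows continue out onto VLAN 2; replies match this state.
pass out on vlan2 from $vpn_pool to $vlan2_net
```

Load it with `pfctl -f /etc/pf.conf` and watch the rule counters with `pfctl -s rules -vv`; `tcpdump -n -i enc0` shows the inner packets as pf sees them, and `tcpdump -n -e -ttt -i pflog0` shows clients being blocked on a subnet they were not granted. Because the check sits on enc0, it holds even if the client proposes a broader selector than the gateway's ID sections intended.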
