On Sat, 3 Mar 2007, Hans Hoexer wrote:
> Hi,
>
> On Fri, Feb 23, 2007 at 12:09:27AM +0000, Stuart Henderson wrote:
> >
> > @0 C set [Phase 1]:Default=peer-default force
> > C set [peer-default]:Phase=1 force
> > C set [peer-default]:Authentication=22222 force
> > C set [peer-default]:Configuration=mm-default force
> > C set [peer-default]:ID=me.mylan.net-ID force
> > C set [peer-default]:Remote-ID=default-ID force
> > C set [default-ID]:ID-type=FQDN force
> > C set [default-ID]:Name=net.100 force
> >
> > @1 C set [Phase 1]:Default=peer-default force
> > C set [peer-default]:Phase=1 force
> > C set [peer-default]:Authentication=33333 force
> > C set [peer-default]:Configuration=mm-default force
> > C set [peer-default]:ID=me.mylan.net-ID force
> > C set [peer-default]:Remote-ID=default-ID force
> > C set [default-ID]:ID-type=FQDN force
> > C set [default-ID]:Name=net.101 force
SNIP
> Yes. There is only one "catch-all" entry for peers where the IP
> address is not known, the "[Phase 1]:Default=peer-default" (see
> isakmpd.conf(5)).
>
> Therefore, it is not possible to have multiple main mode IDs,
> transforms, etc. when the peer is not specified. Thus, ipsecctl
> just overwrites the IDs, transforms, etc. I agree, this is somewhat
> sloppy and will be fixed (i.e. ipsecctl will fail parsing the config
> file).
I was thinking about this when I was having some issues with setting up
ipsec.conf earlier this week (which was resolved with help from jason,
todd & stuart).
Have you considered a mechanism similar to authpf? When someone
authenticates via ssh, "authpf" or something similar would add an automatic
key setup which then sets up flows and SAs for the specific peer. I have
set up authpf to only allow ipsec connections to people who authenticate
via ssh first. This way I can use two-factor authentication against either
kerberos or ldap for ssh logins to support our "road warriors" running
WinXP.
# authpf.rules: loaded by authpf when the user logs in over ssh;
# authpf sets the $user_ip macro to the address the ssh session came from.
ext_if="em0"
# Decrypted traffic leaving/entering the tunnel shows up on enc0.
pass in log quick on enc0 inet proto tcp from any to any no state
pass in log quick on enc0 inet proto udp from any to any no state
pass in log quick on enc0 inet proto icmp from any to any no state
pass out log quick on enc0 inet proto tcp from any to any no state
pass out log quick on enc0 inet proto udp from any to any no state
pass out log quick on enc0 inet proto icmp from any to any no state
# ESP and IKE (udp/500, NAT-T udp/4500) only to/from the authenticated user's address.
pass in log quick on $ext_if proto esp from $user_ip to $ext_if
pass out log quick on $ext_if proto esp from $ext_if to $user_ip
pass in log quick on $ext_if proto udp from $user_ip \
	to $ext_if port {500, 4500}
pass out log quick on $ext_if proto udp from $ext_if \
	to $user_ip port {500, 4500}

# ipsec.conf entry for that same peer; internal_network/24 and "secretkey"
# are placeholders, $user_ip would be filled in from the authenticated address.
ike active esp tunnel \
	from internal_network/24 to $user_ip \
	peer $user_ip \
	main auth hmac-sha1 enc 3des group modp1024 \
	quick auth hmac-sha1 enc 3des group modp1024 \
	psk "secretkey"
Anyway, just an idea.
G'day,
diana
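The silent overwrite Hans describes in the quoted reply (two "peer unknown" ike rules both landing in the single [Phase 1]:Default=peer-default catch-all, so the second rule's Authentication and ID values replace the first's) can be caught by reading the generated "C set" lines back and flagging any [section]:key that is assigned two different values by two different @N rules. The script below is an added example written for this thread, not code from ipsecctl or the original posts; it assumes the "C set [section]:key=value force" line format exactly as quoted above (the two rule blocks from the thread are embedded as a constructed sample), and it does not attempt to fix the conflict, only to report it before isakmpd is fed the result.

```python
import re

# Constructed sample: the two ipsecctl rule blocks quoted in the thread,
# with the mail quoting ("> > ") removed. Both rules describe a peer whose
# address is unknown, so both write into the same catch-all sections.
SAMPLE = """\
@0 C set [Phase 1]:Default=peer-default force
C set [peer-default]:Phase=1 force
C set [peer-default]:Authentication=22222 force
C set [peer-default]:Configuration=mm-default force
C set [peer-default]:ID=me.mylan.net-ID force
C set [peer-default]:Remote-ID=default-ID force
C set [default-ID]:ID-type=FQDN force
C set [default-ID]:Name=net.100 force

@1 C set [Phase 1]:Default=peer-default force
C set [peer-default]:Phase=1 force
C set [peer-default]:Authentication=33333 force
C set [peer-default]:Configuration=mm-default force
C set [peer-default]:ID=me.mylan.net-ID force
C set [peer-default]:Remote-ID=default-ID force
C set [default-ID]:ID-type=FQDN force
C set [default-ID]:Name=net.101 force
"""

# One "C set" line, optionally prefixed by the "@N" marker that opens a rule block.
# Assumed format, taken from the lines quoted in the thread.
SET_RE = re.compile(
    r'^(?:@(?P<rule>\d+)\s+)?C set \[(?P<section>[^\]]+)\]:'
    r'(?P<key>[^=]+)=(?P<value>.*?)(?:\s+force)?\s*$'
)


def parse_sets(text):
    """Yield (rule_index, section, key, value) for every 'C set' line.

    The rule index is carried forward from the most recent '@N' marker,
    so every line knows which ipsec.conf rule produced it."""
    rule = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SET_RE.match(line)
        if not m:
            continue  # not a 'C set' line; other isakmpd commands are ignored here
        if m.group('rule') is not None:
            rule = int(m.group('rule'))
        yield rule, m.group('section'), m.group('key'), m.group('value')


def find_overwrites(text):
    """Return conflicts as (section, key, first_rule, first_value, later_rule, later_value).

    A conflict is the same [section]:key assigned a different value by a later
    rule. isakmpd keeps a single value per key, so the later rule silently wins
    and the earlier peer's IDs/transforms are lost; that is the case to report."""
    first_seen = {}
    conflicts = []
    for rule, section, key, value in parse_sets(text):
        k = (section, key)
        if k not in first_seen:
            first_seen[k] = (rule, value)
            continue
        first_rule, first_value = first_seen[k]
        if first_value != value and first_rule != rule:
            conflicts.append((section, key, first_rule, first_value, rule, value))
    return conflicts


if __name__ == '__main__':
    for section, key, r1, v1, r2, v2 in find_overwrites(SAMPLE):
        print(f"[{section}]:{key} set to '{v1}' by rule @{r1}, "
              f"overwritten with '{v2}' by rule @{r2}")
```

Run against the sample it reports the two keys that differ between the rules, [peer-default]:Authentication and [default-ID]:Name; keys that both rules set to the same value (Phase, Configuration, ID, Remote-ID) are not reported, since overwriting them with an identical value changes nothing. To use it on a real configuration, feed it the verbose dry-run output of ipsecctl instead of SAMPLE.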