If you're using Debian you may have better luck just running OpenBSD's
isakmpd on the Debian host. Just read the docs, 'apt-get install
isakmpd' and proceed as normal. The standard Debian kernels have the
necessary modules enabled by default. I've had success with that
approach to a Debian<->OpenBSD IPSec vpn.
John
On Mon, Nov 03, 2008 at 08:00:21PM -0200, Pedro David Netto Silveira wrote:
> Hi!
> I'm basically trying to set up a VPN between a Linux box (Debian) and an
> OpenBSD one.
> I'd like to use RSA for that VPN.
>
> With PSK, I can make the VPN, but it looks so hard to build a tunnel with RSA
> keying.
>
> I tried this:
>
> Linux Box:
>
> ######file: /etc/ipsec.conf
>
> config setup
>     interfaces=%defaultroute
>     plutodebug="all"
>     nat_traversal=yes
>     plutowait=yes
>     nhelpers=0
>     uniqueids=yes
>
> conn OpenBSD
>     type=tunnel
>     left=172.20.82.65
>     leftrsasigkey=0sAQPKKAz...
>     right=172.20.82.57
>     rightsubnet=192.168.1.0/24
>     rightrsasigkey=0sAQPF5ZXJfL...
>     keyexchange=ike
>     esp=aes128-sha1
>     ike=aes128-sha1-modp1024
>     auto=route
>     auth=esp
>     authby=rsasig
>     pfs=yes
>     keyingtries=%forever
>     rekeymargin=4m
>     disablearrivalcheck=no
>     rekey=yes
>     aggrmode=no
>
> ######file: /etc/ipsec.secrets
>
> :RSA {
> # RSA 1024 bits ncdres09 Thu Oct 30 10:56:33 2008
> # for signatures only, UNSAFE FOR ENCRYPTION
> #pubkey=0sAQPKKAz...
> .
> .
> .
> .
> }
> ------------------------------------------------------------------------------------------------------------------------------
> OBSD box:
>
> ######file: /etc/ipsec.conf
>
> ipv4_linux = "172.20.82.65"
> ipv4_addr = "172.20.82.57"
> ipv4_addr_subnet = "192.168.1.0/24"
> ike esp from $ipv4_addr to $ipv4_linux quick auth hmac-sha1 enc aes group modp1024
> ike esp from $ipv4_addr_subnet to $ipv4_linux quick auth hmac-sha1 enc aes group modp1024
>
> ######file: /etc/isakmpd/local.pub
>
> -----BEGIN PUBLIC KEY-----
> 0sAQPF5ZXJfL...
> -----END PUBLIC KEY-----
>
> ######file: /etc/isakmpd/pubkeys/ipv4/172.20.82.65
>
> 0sAQPKKAz...
>
> ------------------------------------------------------------------------------------------------------------------------------
>
> OBS: these IPs are fake.
>
> Does someone know if that would work?
> Do you have some hints for me?
> Thank you!
>
> Pedro David
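The two configs in the quoted message carry the same public key in two different encodings: Openswan's `0s...` value is base64 of the RFC 3110 form (exponent length, exponent, modulus), while isakmpd's local.pub and pubkeys/ipv4/ files hold the PEM SubjectPublicKeyInfo that `openssl rsa -pubout` writes, so a `0s` string pasted between the BEGIN/END PUBLIC KEY lines is not a valid key for that side. The converter below is an added example, not code from the thread, Openswan or isakmpd; the sample key is a constructed toy value (e=3, tiny modulus), not a real 1024-bit key.

```python
import base64

_RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption OID + NULL params
# Constructed toy key for the demo (e=3, tiny modulus); not a real 1024-bit key.
SAMPLE_KEY = "0s" + base64.b64encode(b"\x01\x03" + bytes.fromhex("c0ffee1234567890abcdef")).decode()

def _tlv(tag, body):  # DER tag-length-value; long-form length above 127 bytes
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _der_uint(v):  # DER INTEGER; a leading 0x00 keeps a high-bit modulus positive
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return _tlv(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)

def _der_read(buf, pos=0):  # read one DER TLV at pos -> (contents, position after it)
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def parse_rfc3110(key):
    """Decode an Openswan '0s...' key: base64 of RFC 3110 exp-len || exponent || modulus."""
    if not key.startswith("0s"):
        raise ValueError("expected the '0s' (base64) prefix used in ipsec.conf")
    raw = base64.b64decode(key[2:])
    elen = raw[0]  # one-byte exponent length; real RSA exponents never need the 2-byte form
    return int.from_bytes(raw[1:1 + elen], "big"), int.from_bytes(raw[1 + elen:], "big")

def rfc3110_to_pem(key):
    """Re-encode the same (e, n) as the PEM SubjectPublicKeyInfo that isakmpd reads."""
    e, n = parse_rfc3110(key)
    rsa_pub = _tlv(0x30, _der_uint(n) + _der_uint(e))  # RSAPublicKey ::= SEQUENCE { n, e }
    spki = _tlv(0x30, _RSA_ALG_ID + _tlv(0x03, b"\x00" + rsa_pub))  # BIT STRING, 0 unused bits
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def pem_to_rfc3110(pem):
    """Turn a PEM public key (isakmpd local.pub) into the '0s' form for ipsec.conf."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    spki, _ = _der_read(base64.b64decode(b64))
    _, pos = _der_read(spki)  # skip the AlgorithmIdentifier
    bits, _ = _der_read(spki, pos)
    rsa_pub, _ = _der_read(bits[1:])  # drop the BIT STRING's unused-bits byte
    n_bytes, pos = _der_read(rsa_pub)
    e_bytes, _ = _der_read(rsa_pub, pos)
    e_bytes, n_bytes = e_bytes.lstrip(b"\x00") or b"\x00", n_bytes.lstrip(b"\x00")
    return "0s" + base64.b64encode(bytes([len(e_bytes)]) + e_bytes + n_bytes).decode()
```

Run `rfc3110_to_pem` on the Linux side's `leftrsasigkey` to produce the pubkeys/ipv4/ file for isakmpd, and `pem_to_rfc3110` on the OpenBSD side's local.pub to get the `rightrsasigkey` value; `openssl rsa -pubin -text -noout` on the PEM output is a quick way to confirm the modulus matches.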