ipsec.conf x509 (was Re: /etc/ipsec.conf default peer psk/dstid mismatch)
Hi,

I hope someone on-list can give me a few helpful pointers in the right direction.

I've set up certs as per the X509 AUTHENTICATION section of the isakmpd man page. However, it is a bit unclear what I need to put in ipsec.conf to make this work. I've tried a bit of Google trawling, but the examples I come up with seem to relate to older OpenBSD implementations where hacking isakmpd.conf was part of the process, even for psk (e.g. back in the late 3.x days).

I've set up a FQDN cert and have tried changing the config as below:

    #ROAD WARRIOR
    ike passive from 10.1.2.3 to 10.9.8.0/24 \
        peer any \
        main auth hmac-sha2-256 enc aes-256 group modp2048 \
        quick auth hmac-sha2-256 enc aes-256 \
        srcid 192.168.111.1 dstid certificate.fqdn.name.here \
        tag RoadRunner

However, I've got a feeling I've probably missed a whole lot of config somewhere! If anyone has some working examples that would be fantastic; otherwise a few pointers in the right direction would be just fine.

Thanks!
/etc/ipsec.conf default peer psk/dstid mismatch
Hello List,

I've got this config that is working beautifully:

    #ROAD WARRIOR
    ike passive from 10.1.2.3 to 10.9.8.0/24 \
        peer any \
        main auth hmac-sha2-256 enc aes-256 group modp2048 \
        quick auth hmac-sha2-256 enc aes-256 \
        srcid 192.168.111.1 dstid a...@example.com \
        psk some_very_long_and_complicated_key \
        tag RoadRunner

However, if I go and copy/paste that snippet in order to lazily create a second user:

    #ROAD WARRIOR
    ike passive from 10.1.2.4 to 10.9.8.0/24 \
        peer any \
        main auth hmac-sha2-256 enc aes-256 group modp2048 \
        quick auth hmac-sha2-256 enc aes-256 \
        srcid 192.168.111.1 dstid b...@example.com \
        psk another_very_long_and_complicated_key \
        tag RoadRunner

changing only the from, dstid and psk parameters; in other words:

--- one.txt	2010-03-30 00:00:00.0 +
+++ two.txt	2010-03-30 00:00:00.0 +
@@ -1,8 +1,8 @@
-#ROAD WARRIOR
-ike passive from 10.1.2.3 to 10.9.8.0/24 \
+#ROAD HOG
+ike passive from 10.1.2.4 to 10.9.8.0/24 \
 	peer any \
 	main auth hmac-sha2-256 enc aes-256 group modp2048 \
 	quick auth hmac-sha2-256 enc aes-256 \
-	srcid 192.168.111.1 dstid a...@example.com \
-	psk some_very_long_and_complicated_key \
+	srcid 192.168.111.1 dstid b...@example.com \
+	psk another_very_long_and_complicated_key \
 	tag RoadRunner

I am greeted with the following wise words:

    # ipsecctl -f /etc/ipsec.conf
    /etc/ipsec.conf: 50: default peer psk mismatch
    /etc/ipsec.conf: 50: default peer dstid mismatch

Delete my newly added block and it's all happy again. What am I doing wrong? Or perhaps more importantly, what part of the man pages have I not FR'd? ;-)
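Review bot: the hunk changes dstid and psk but leaves `peer any` unchanged in both rules, so two rules now describe the same default peer with different psk and dstid values; the `default peer psk mismatch` and `default peer dstid mismatch` errors quoted right after the diff name exactly those two fields. Minor: the comment line also changes (`-#ROAD WARRIOR` / `+#ROAD HOG`), which the sentence introducing the diff does not mention when it says only from, dstid and psk were changed.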
Re: /etc/ipsec.conf default peer psk/dstid mismatch
On 2010-03-30, a b rclo...@yahoo.co.uk wrote:
> Hello List,
>
> I've got this config that is working beautifully:
>
>     #ROAD WARRIOR
>     ike passive from 10.1.2.3 to 10.9.8.0/24 \
>         peer any \
>         main auth hmac-sha2-256 enc aes-256 group modp2048 \
>         quick auth hmac-sha2-256 enc aes-256 \
>         srcid 192.168.111.1 dstid a...@example.com \
>         psk some_very_long_and_complicated_key \
>         tag RoadRunner
>
> However, if I go and copy/paste that snippet in order to lazily create a second user:
>
>     #ROAD WARRIOR
>     ike passive from 10.1.2.4 to 10.9.8.0/24 \
>         peer any \
>         main auth hmac-sha2-256 enc aes-256 group modp2048 \
>         quick auth hmac-sha2-256 enc aes-256 \
>         srcid 192.168.111.1 dstid b...@example.com \
>         psk another_very_long_and_complicated_key \
>         tag RoadRunner
>
> changing only the from, dstid and psk parameters; in other words:

you can only have one peer any configured. therefore if you want to have users connecting from unknown addresses, they must either use the same psk, or use keys instead.

or, to put it another way, if you want each user to have a separate psk, you need to know IP addresses in advance. (you can have one psk per known address, and a fallback default psk for any other connections).

to get a better understanding: try 'ipsecctl -nvf /etc/ipsec.conf' and compare the output with the two rules; notice which section the psk appears in and try setting an address with 'peer 1.1.1.1' instead of 'peer any' to see what happens.
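A small lint that reproduces the check Stuart describes, as an added example that is not from the thread and not ipsecctl's own code: it joins the backslash-continued rules, then reports any second 'peer any' rule whose psk or dstid differs from the first, while leaving fixed-address peers alone. It assumes only sed, awk and mktemp; the addresses, identities and keys in the two constructed sample configs are placeholders.

```sh
#!/bin/sh
# Added example, not from the thread or from ipsecctl itself: a lint that
# reports the condition ipsecctl rejects above, i.e. more than one 'peer any'
# rule carrying a different psk or dstid. Rules with a fixed peer address are
# left alone, since each of those may legitimately have its own psk.
check_peer_any() {
  # join backslash-continued lines so each rule becomes one awk record
  sed -e :a -e '/\\$/N; s/\\\n//; ta' "$1" |
  awk '
    # value following keyword "name" in the current record, or "" if absent
    function field(name,   i) {
      for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
      return ""
    }
    /^[ \t]*ike[ \t]/ && field("peer") == "any" {
      n++
      if (n == 1) { psk = field("psk"); dstid = field("dstid"); next }
      if (field("psk") != psk) { print NR ": default peer psk mismatch"; bad = 1 }
      if (field("dstid") != dstid) { print NR ": default peer dstid mismatch"; bad = 1 }
    }
    END { exit bad + 0 }
  '
}

# Constructed sample: the two copy/pasted "peer any" rules from the thread
# (keys and addresses are placeholders).
mismatch_conf=$(mktemp)
cat > "$mismatch_conf" <<'EOF'
ike passive from 10.1.2.3 to 10.9.8.0/24 \
    peer any srcid 192.168.111.1 dstid a@example.com \
    psk key_one tag RoadWarrior
ike passive from 10.1.2.4 to 10.9.8.0/24 \
    peer any srcid 192.168.111.1 dstid b@example.com \
    psk key_two tag RoadHog
EOF

# Constructed sample: the per-address form, one psk per known peer plus a
# single "peer any" fallback psk (peer addresses are placeholders).
perpeer_conf=$(mktemp)
cat > "$perpeer_conf" <<'EOF'
ike passive from 10.1.2.3 to 10.9.8.0/24 \
    peer 203.0.113.10 srcid 192.168.111.1 dstid a@example.com psk key_one
ike passive from 10.1.2.4 to 10.9.8.0/24 \
    peer 203.0.113.11 srcid 192.168.111.1 dstid b@example.com psk key_two
ike passive from 10.1.2.5 to 10.9.8.0/24 \
    peer any srcid 192.168.111.1 psk fallback_key
EOF
check_peer_any "$mismatch_conf" || echo "rejected, as ipsecctl would"
check_peer_any "$perpeer_conf" && echo "per-address form accepted"
```

Run it against a real /etc/ipsec.conf with `check_peer_any /etc/ipsec.conf`; a non-zero exit means ipsecctl would refuse the file for the same reason the thread shows.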
Re: /etc/ipsec.conf default peer psk/dstid mismatch
Thanks for the wise words Stuart. Makes sense now!

Stuart Henderson wrote:
> you can only have one peer any configured. therefore if you want to have users connecting from unknown addresses, they must either use the same psk, or use keys instead.