ipsec outgoing address translation question
Hello,

with ipsecctl I can configure outgoing address translation in ipsec.conf like this:

ike esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24 peer 10.10.20.1

Is there an equivalent syntax for isakmpd.conf? (Due to problems with NAT-T I need to use isakmpd.conf and cannot use ipsec.conf for the moment.)

Thanks
Re: ipsec outgoing address translation question
It is possible to achieve this via pf.conf. Sorry, no example, as this was done a long time ago and for testing only.

On 16 Sep 2013, at 12:55, Christoph Leser <le...@sup-logistik.de> wrote:

> Hello,
>
> with ipsecctl I can configure outgoing address translation in ipsec.conf like this:
>
> ike esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24 peer 10.10.20.1
>
> Is there an equivalent syntax for isakmpd.conf? (Due to problems with NAT-T I need to use isakmpd.conf and cannot use ipsec.conf for the moment.)
>
> Thanks
Re: ipsec outgoing address translation question
Christoph Leser <le...@sup-logistik.de> wrote:

> with ipsecctl I can configure outgoing address translation in ipsec.conf like this:
>
> ike esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24 peer 10.10.20.1
>
> Is there an equivalent syntax for isakmpd.conf?

All that ipsecctl does with ike rules is to translate them into a piece of isakmpd.conf-style configuration and pass it to isakmpd's FIFO control socket. Use ipsecctl -n -v to inspect or capture and re-use that output.

C set [Phase 1]:10.10.20.1=peer-10.10.20.1 force
C set [peer-10.10.20.1]:Phase=1 force
C set [peer-10.10.20.1]:Address=10.10.20.1 force
C set [peer-10.10.20.1]:Configuration=phase1-peer-10.10.20.1 force
C set [phase1-peer-10.10.20.1]:EXCHANGE_TYPE=ID_PROT force
C add [phase1-peer-10.10.20.1]:Transforms=phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024 force
C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:HASH_ALGORITHM=SHA force
C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:KEY_LENGTH=128,128:256 force
C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:Life=LIFE_MAIN_MODE force
C set [from-10.10.10.1-to-192.168.2.0/24]:Phase=2 force
C set [from-10.10.10.1-to-192.168.2.0/24]:ISAKMP-peer=peer-10.10.20.1 force
C set [from-10.10.10.1-to-192.168.2.0/24]:Configuration=phase2-from-10.10.10.1-to-192.168.2.0/24 force
C set [from-10.10.10.1-to-192.168.2.0/24]:Local-ID=from-10.10.10.1 force
C set [from-10.10.10.1-to-192.168.2.0/24]:NAT-ID=nat-192.168.1.0/24 force
C set [from-10.10.10.1-to-192.168.2.0/24]:Remote-ID=to-192.168.2.0/24 force
C set [phase2-from-10.10.10.1-to-192.168.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force
C set [phase2-from-10.10.10.1-to-192.168.2.0/24]:Suites=phase2-suite-from-10.10.10.1-to-192.168.2.0/24 force
C set [phase2-suite-from-10.10.10.1-to-192.168.2.0/24]:Protocols=phase2-protocol-from-10.10.10.1-to-192.168.2.0/24 force
C set [phase2-protocol-from-10.10.10.1-to-192.168.2.0/24]:PROTOCOL_ID=IPSEC_ESP force
C set [phase2-protocol-from-10.10.10.1-to-192.168.2.0/24]:Transforms=phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL force
C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
C set [from-10.10.10.1]:ID-type=IPV4_ADDR force
C set [from-10.10.10.1]:Address=10.10.10.1 force
C set [nat-192.168.1.0/24]:ID-type=IPV4_ADDR_SUBNET force
C set [nat-192.168.1.0/24]:Network=192.168.1.0 force
C set [nat-192.168.1.0/24]:Netmask=255.255.255.0 force
C set [to-192.168.2.0/24]:ID-type=IPV4_ADDR_SUBNET force
C set [to-192.168.2.0/24]:Network=192.168.2.0 force
C set [to-192.168.2.0/24]:Netmask=255.255.255.0 force
C add [Phase 2]:Connections=from-10.10.10.1-to-192.168.2.0/24 force

-- 
Christian "naddy" Weisgerber na...@mips.inka.de
Re: ipsec outgoing address translation question
Great hint, you saved me a lot of time.

Thanks a lot
Christoph

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Christian Weisgerber
Sent: Monday, 16 September 2013 16:42
To: misc@openbsd.org
Subject: Re: ipsec outgoing address translation question

> Christoph Leser <le...@sup-logistik.de> wrote:
>
> > with ipsecctl I can configure outgoing address translation in ipsec.conf like this:
> >
> > ike esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24 peer 10.10.20.1
> >
> > Is there an equivalent syntax for isakmpd.conf?
>
> All that ipsecctl does with ike rules is to translate them into a piece of isakmpd.conf-style configuration and pass it to isakmpd's FIFO control socket. Use ipsecctl -n -v to inspect or capture and re-use that output.