> Maybe I still need something like this in isakmpd.conf:
>
> # Certificates stored in PEM format
>    [X509-certificates]
>    CA-directory=    /etc/isakmpd/ca/
>    Cert-directory=    /etc/isakmpd/certs/
>    Private-key=        /etc/isakmpd/private/openbsd1.as10.net.priv
>
> Am I on the right track? I would really appreciate any suggestions.
>

Well, I worked it out, in case anyone's interested.

First, I did it the old way, using man isakmpd.conf and various online
examples to guide me. I started with a simple PSK tunnel, then generated
certs and modified isakmpd.conf accordingly. Some tinkering was required
to accommodate subjectAltName and my FQDN ID, i.e. they had to match, and
the cert at the IPCop end had to include subjectAltName, even though IPCop
doesn't usually use this.

Once that was working OK, I reread man ipsecctl and man ipsec.conf. My
ipsec.conf now looks like this:

flow esp from 10.12.62.99 to 0.0.0.0/0 peer 10.12.62.1

ike esp from 10.12.62.99 to 0.0.0.0/0 peer 10.12.62.1 srcid tk-i5kb.tk-on.net

and I've got rid of isakmpd.conf. I still have a basic isakmpd.policy i.e.

Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

So now I run isakmpd -a, and ipsecctl -vv -f /etc/ipsec.conf, and I get
the following output:

@0 flow esp out from 10.12.62.98 to 0.0.0.0/0 peer 10.12.62.1
        type require
@1 flow esp in from 0.0.0.0/0 to 10.12.62.98 peer 10.12.62.1
        type use
@2 C set [peer-10.12.62.1]:Phase=1 force
C set [peer-10.12.62.1]:Address=10.12.62.1 force
C set [peer-10.12.62.1]:ID=local-ID force
C set [local-ID]:ID-type=FQDN force
C set [local-ID]:Name=tk-i5kb.tk-on.net force
C set [IPsec-10.12.62.98-0.0.0.0/0]:Phase=2 force
C set [IPsec-10.12.62.98-0.0.0.0/0]:ISAKMP-peer=peer-10.12.62.1 force
C set [IPsec-10.12.62.98-0.0.0.0/0]:Configuration=qm-10.12.62.98-0.0.0.0/0 force
C set [IPsec-10.12.62.98-0.0.0.0/0]:Local-ID=lid-10.12.62.98 force
C set [IPsec-10.12.62.98-0.0.0.0/0]:Remote-ID=rid-0.0.0.0/0 force
C set [qm-10.12.62.98-0.0.0.0/0]:EXCHANGE_TYPE=QUICK_MODE force
C set [qm-10.12.62.98-0.0.0.0/0]:Suites=QM-ESP-AES-SHA2-256-PFS-SUITE force
C set [lid-10.12.62.98]:ID-type=IPV4_ADDR force
C set [lid-10.12.62.98]:Address=10.12.62.98 force
C set [rid-0.0.0.0/0]:ID-type=IPV4_ADDR_SUBNET force
C set [rid-0.0.0.0/0]:Network=0.0.0.0 force
C set [rid-0.0.0.0/0]:Netmask=0.0.0.0 force
t IPsec-10.12.62.98-0.0.0.0/0
c IPsec-10.12.62.98-0.0.0.0/0

IPCop's log shows a successful connection, and everything works as
expected. I'm guessing that as long as the certs are in the default
location, isakmpd finds them, without the kind of explicit declaration
referred to previously.

I'm very happy. :)
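An added example, not from the poster or from OpenBSD: a small POSIX sh helper that builds a certificate carrying the FQDN as a subjectAltName DNS entry and then checks that the srcid in an ipsec.conf actually matches a SAN in the certificate, which is the mismatch the tinkering above was about. It assumes openssl(1) on the path; the self-signed cert is a constructed stand-in for the CA-issued cert used in the thread.

```shell
#!/bin/sh
# Added example (not from the original post). The FQDN given as srcid in
# ipsec.conf must appear as a DNS subjectAltName in the cert isakmpd presents.
# Assumes a POSIX sh and openssl(1); the self-signed cert is a stand-in.

# Generate a key and self-signed cert whose subjectAltName carries FQDN.
# Usage: make_san_cert DIR FQDN
make_san_cert() {
    dir=$1; fqdn=$2
    mkdir -p "$dir"
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
[dn]
[v3_req]
subjectAltName = DNS:$fqdn
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$fqdn" -config "$dir/san.cnf" -extensions v3_req \
        -keyout "$dir/local.key" -out "$dir/local.crt" 2>/dev/null
}

# Return 0 if CERT lists FQDN as a DNS subjectAltName, 1 otherwise.
# -F avoids the dots in the FQDN acting as wildcards; -w avoids prefix matches.
# Usage: san_matches_srcid CERT FQDN
san_matches_srcid() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -qFw "DNS:$2"
}

# Pull the first srcid value out of an ipsec.conf and check it against CERT.
# Returns 2 when the file carries no srcid at all.
# Usage: check_conf_against_cert IPSEC_CONF CERT
check_conf_against_cert() {
    srcid=$(sed -n 's/.*[[:space:]]srcid[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | head -n1)
    [ -n "$srcid" ] || { echo "no srcid in $1" >&2; return 2; }
    san_matches_srcid "$2" "$srcid"
}
```

Run the check before `ipsecctl -f /etc/ipsec.conf` so a cert/ID mismatch shows up as a clear message rather than a failed phase 1 in the peer's log.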
