Hack 69 Set Up IPsec in OpenBSD

Previous page
Table of content
Next page

figs/moderate.gif figs/hack69.gif

Use IPsec the OpenBSD way.

Setting up IPsec in OpenBSD is fairly easy since it's compiled into the kernel that ships with each release and is enabled by default. All that is left to do is to create the appropriate /etc/isakmpd/isakmpd.conf and /etc/isakmpd/isakmpd.policy files and start isakmpd (the IPsec key-management daemon). This may sound daunting, but OpenBSD's outstanding documentation and example configuration files make it easier.

First of all, you'll need to put something similar to this in your /etc/isakmpd/isakmpd.policy:

KeyNote-Version: 2 Authorizer: "POLICY" Licensees: "passphrase:mypassword" Conditions: app_domain == "IPsec policy" &&             esp_present == "yes" &&             esp_enc_alg == "aes" &&             esp_auth_alg == "hmac-sha" -> "true";

This sets a password to use for the IPsec connection.

Now you'll need to edit your /etc/isakmpd/isakmpd.conf to contain the following:

[General] Listen-on=              192.168.1.1 Shared-SADB=            Defined [Phase 1] Default=                ISAKMP-peer-remote #Default=               ISAKMP-peer-remote-aggressive [Phase 2] Passive-Connections=IPsec-local-remote [ISAKMP-peer-remote] Phase=                  1 Transport=              udp Local-address=          192.168.1.1 Configuration=          Default-main-mode Authentication=         mypassword [ISAKMP-peer-remote-aggressive] Phase=                  1 Transport=              udp Local-address=          192.168.1.1 Configuration=          Default-aggressive-mode Authentication=         mypassword [IPsec-local-remote] Phase=                  2 ISAKMP-peer=            ISAKMP-peer-remote Configuration=          Default-quick-mode Local-ID=               Net-local Remote-ID=              Net-remote [Net-remote] ID-type=                IPV4_ADDR Address=                0.0.0.0 [Net-local] ID-type=                IPV4_ADDR Address=                0.0.0.0 [Default-main-mode] DOI=                    IPSEC EXCHANGE_TYPE=          ID_PROT Transforms=             3DES-SHA [Default-aggressive-mode] DOI=                    IPSEC EXCHANGE_TYPE=          AGGRESSIVE Transforms=             3DES-SHA-RSA [Default-quick-mode] DOI=                    IPSEC EXCHANGE_TYPE=          QUICK_MODE Suites=                 QM-ESP-AES-SHA-PFS-SUITE

This configuration will allow anyone to connect with the password mypassword.

After you've edited the configuration files, you can start isakmpd by running this command:

# /sbin/isakmpd

To have isakmpd start up with each system boot, you should edit your /etc/rc.conf.local (or create one if it doesn't exist) and put the following line in it:

isakmpd_flags=""

That should do it. As usual, check your system logs if your tunnel has trouble connecting.


Previous page
Table of content
Next page
Network Security Hacks
Network Security Hacks: Tips & Tools for Protecting Your Privacy
ISBN: 0596527632
EAN: 2147483647
Year: 2006
Pages: 158
Authors: Andrew Lockhart
BUY ON AMAZON
Agile Project Management: Creating Innovative Products (2nd Edition)
Lotus Notes and Domino 6 Development (2nd Edition)
Oracle Developer Forms Techniques
Special Edition Using Crystal Reports 10
Professional Struts Applications: Building Web Sites with Struts ObjectRelational Bridge, Lucene, and Velocity (Experts Voice)
User Interfaces in C#: Windows Forms and Custom Controls
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy