April 2004
320 pages
Use IPsec the OpenBSD way.
Setting up IPsec in OpenBSD is fairly easy since it's compiled into the kernel that ships with each release and is enabled by default. All that is left to do is to create the appropriate /etc/isakmpd/isakmpd.conf and /etc/isakmpd/isakmpd.policy files and start isakmpd (the IPsec key-management daemon). This may sound daunting, but OpenBSD's outstanding documentation and example configuration files make it easier.
First of all, you'll need to put something similar to this in your /etc/isakmpd/isakmpd.policy:

KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:mypassword"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "aes" &&
            esp_auth_alg == "hmac-sha" -> "true";

This sets a password to use for the IPsec connection.
Now you'll need to edit your /etc/isakmpd/isakmpd.conf to contain the following:

[General]
Listen-on=              192.168.1.1
Shared-SADB=            Defined

[Phase 1]
Default=                ISAKMP-peer-remote
#Default=               ISAKMP-peer-remote-aggressive

[Phase 2]
Passive-Connections=    IPsec-local-remote

[ISAKMP-peer-remote]
Phase=                  1
Transport=              udp
Local-address=          192.168.1.1
Configuration=          Default-main-mode
Authentication=         mypassword

[ISAKMP-peer-remote-aggressive]
Phase=                  1
Transport=              udp
Local-address=          192.168.1.1
Configuration=          Default-aggressive-mode
Authentication=         mypassword

[IPsec-local-remote]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-remote
Configuration=          Default-quick-mode
Local-ID=               Net-local
Remote-ID=              Net-remote

[Net-remote]
...
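Because isakmpd.conf sections refer to each other by name and the pre-shared key must match the passphrase in isakmpd.policy, a small cross-reference check catches the usual typos before you start the daemon. This is an added example, not code from the book or from OpenBSD; the sample config is constructed from the page's file with the [Net-local] and [Net-remote] sections left out (the page elides them), and the check names, key list and messages are this example's own choices.

```python
import re
# Constructed sample cut down from the page's isakmpd.conf; the two ID sections
# ([Net-local], [Net-remote]) are deliberately absent so the linter flags them.
CONF = """
[Phase 1]
Default=             ISAKMP-peer-remote
[Phase 2]
Passive-Connections= IPsec-local-remote
[ISAKMP-peer-remote]
Phase=               1
Authentication=      mypassword
[IPsec-local-remote]
Phase=               2
ISAKMP-peer=         ISAKMP-peer-remote
Local-ID=            Net-local
Remote-ID=           Net-remote
"""
POLICY = 'Licensees: "passphrase:mypassword"\n'  # constructed, mirrors the page's policy

def parse_conf(text):
    """isakmpd.conf is ini-like: [Section] headers, Key= value lines, # comments."""
    sections, cur = {}, None
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            sections[cur] = {}
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            sections[cur][key.strip()] = val.strip()
    return sections

def lint(conf_text, policy_text):
    """Dangling or wrong-phase section references, plus a PSK/policy passphrase mismatch."""
    conf, problems = parse_conf(conf_text), []
    def check(sec, key, phase=None):
        for name in filter(None, map(str.strip, conf.get(sec, {}).get(key, "").split(","))):
            if name not in conf:
                problems.append(f"[{sec}] {key}: section [{name}] is not defined")
            elif phase and conf[name].get("Phase") != phase:
                problems.append(f"[{sec}] {key}: [{name}] is not a Phase {phase} section")
    check("Phase 1", "Default", "1")                 # the default peer must be a Phase 1 section
    check("Phase 2", "Passive-Connections", "2")     # connections must be Phase 2 sections
    for name in [n for n, s in conf.items() if s.get("Phase") == "2"]:
        for key, phase in (("ISAKMP-peer", "1"), ("Local-ID", None), ("Remote-ID", None)):
            check(name, key, phase)
    psks = {s["Authentication"] for s in conf.values() if "Authentication" in s}
    m = re.search(r'"passphrase:([^"]*)"', policy_text)
    if psks and m and psks != {m.group(1)}:
        problems.append("Authentication in isakmpd.conf differs from the isakmpd.policy passphrase")
    return problems
```

Run lint() over the contents of the live /etc/isakmpd/isakmpd.conf and /etc/isakmpd/isakmpd.policy; an empty list means every referenced section exists with the expected phase and both files carry the same passphrase.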