Set up IPsec in OpenBSD

Use IPsec the OpenBSD way.

Setting up IPsec in OpenBSD is fairly easy: the IPsec stack is built into the GENERIC kernel that ships with each release, and ESP and AH are enabled by default (the net.inet.esp.enable and net.inet.ah.enable sysctls are 1). What remains is to create /etc/isakmpd/isakmpd.conf (the daemon's configuration) and /etc/isakmpd/isakmpd.policy (the KeyNote policy that decides which peers and which proposals are acceptable) and start isakmpd, the IKEv1 key-management daemon. This may sound daunting, but OpenBSD's manual pages (isakmpd(8), isakmpd.conf(5), isakmpd.policy(5)) and the sample configuration files make it easier. Later releases also provide ipsec.conf(5) and ipsecctl(8) as a simpler front end to isakmpd, and iked(8) for IKEv2; this page covers the original isakmpd.conf method.

First of all, you’ll need to put something similar to this in your /etc/isakmpd/isakmpd.policy:

KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:mypassword"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "aes" &&
            esp_auth_alg == "hmac-sha" -> "true";

This policy tells isakmpd whom to accept and what they may negotiate: any peer that proves knowledge of the pre-shared passphrase mypassword, and only ESP with AES encryption and HMAC-SHA authentication. The same passphrase must appear as the Authentication= value in isakmpd.conf below, or phase 1 will fail. Use plain ASCII double quotes; the curly quotes some editors insert are not valid KeyNote syntax.

Now you’ll need to edit your /etc/isakmpd/isakmpd.conf to contain the following:

[General]
Listen-on= 192.168.1.1
Shared-SADB= Defined

[Phase 1]
Default= ISAKMP-peer-remote
#Default= ISAKMP-peer-remote-aggressive

[Phase 2]
Passive-Connections=IPsec-local-remote

[ISAKMP-peer-remote]
Phase= 1
Transport= udp
Local-address= 192.168.1.1
Configuration= Default-main-mode
Authentication= mypassword

[ISAKMP-peer-remote-aggressive]
Phase= 1
Transport= udp
Local-address= 192.168.1.1
Configuration= Default-aggressive-mode
Authentication= mypassword

[IPsec-local-remote]
Phase= 2
ISAKMP-peer= ISAKMP-peer-remote
Configuration= Default-quick-mode
Local-ID= Net-local
Remote-ID= Net-remote

[Net-remote]
ID-type= IPV4_ADDR
Address= 0.0.0.0

[Net-local]
ID-type= IPV4_ADDR
Address= 0.0.0.0

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA

[Default-aggressive-mode]
DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= 3DES-SHA-RSA

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE

This configuration accepts a phase-1 negotiation from any peer that knows the password mypassword: the Default= entry in [Phase 1] and the missing Address= in the peer section make it a catch-all, and the daemon only answers (Passive-Connections) rather than initiating. Treat the password as a group secret shared by every client: pick a long random one, replace it in both Authentication= lines and in isakmpd.policy, and keep both files owned by root with mode 0600 (isakmpd refuses to load a configuration or policy file that is group- or world-accessible). Phase 1 uses 3DES-SHA with pre-shared key authentication and phase 2 uses ESP with AES, SHA and perfect forward secrecy, matching the policy above. The aggressive-mode peer is left commented out for a reason: its 3DES-SHA-RSA transform selects RSA signature authentication, so it would not use the passphrase at all, and aggressive mode with a pre-shared key sends the identity in the clear and exposes a hash that can be attacked offline, so stick with main mode.

After you’ve edited the configuration files, you can start isakmpd by running this command:

# /sbin/isakmpd

To have isakmpd start at each system boot, edit /etc/rc.conf.local (create it if it does not exist) and add the following line (straight ASCII quotes):

isakmpd_flags=""

On releases that ship rcctl(8) (OpenBSD 5.7 onward), `rcctl enable isakmpd` writes this line for you.
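The steps above put the same secret in two files, which is where most hand-edited setups go wrong. The following POSIX sh script is an added example, not code from the original page: it generates a random 32-byte pre-shared key, renders isakmpd.policy and isakmpd.conf from the main-mode configuration above with that key and the 192.168.1.1 listen address, creates them readable by the owner only, and then re-reads both files to confirm the passphrase and every Authentication= tag agree. The target directory is a parameter (pass /etc/isakmpd on the real host); the function names and the `render` argument are this example's own, and the commented-out aggressive-mode peer is deliberately omitted.

```shell
#!/bin/sh
# Added example: generate a pre-shared key and render both isakmpd files
# from it so the secret cannot drift between them. Not from the original
# page. Assumes: DIR is writable by the caller (/etc/isakmpd as root on a
# real host); the listen address defaults to 192.168.1.1 as on the page.

# Print 32 random bytes as 64 hex characters. Hex has no spaces or quotes,
# so it is safe inside both the KeyNote string and the isakmpd.conf value.
gen_psk() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Write DIR/isakmpd.policy and DIR/isakmpd.conf for listen address ADDR and
# pre-shared key PSK. umask 077 makes both files 0600 from the moment they
# exist; isakmpd will not load files that are group- or world-accessible.
write_isakmpd_files() {
    dir=$1 addr=$2 psk=$3
    old_umask=$(umask)
    umask 077
    cat > "$dir/isakmpd.policy" <<EOF
KeyNote-Version: 2
Authorizer: "POLICY"
Licensees: "passphrase:$psk"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "aes" &&
            esp_auth_alg == "hmac-sha" -> "true";
EOF
    cat > "$dir/isakmpd.conf" <<EOF
[General]
Listen-on= $addr
Shared-SADB= Defined

[Phase 1]
Default= ISAKMP-peer-remote

[Phase 2]
Passive-Connections=IPsec-local-remote

[ISAKMP-peer-remote]
Phase= 1
Transport= udp
Local-address= $addr
Configuration= Default-main-mode
Authentication= $psk

[IPsec-local-remote]
Phase= 2
ISAKMP-peer= ISAKMP-peer-remote
Configuration= Default-quick-mode
Local-ID= Net-local
Remote-ID= Net-remote

[Net-remote]
ID-type= IPV4_ADDR
Address= 0.0.0.0

[Net-local]
ID-type= IPV4_ADDR
Address= 0.0.0.0

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE
EOF
    umask "$old_umask"
}

# Return 0 when the passphrase in DIR/isakmpd.policy matches every
# Authentication= line in DIR/isakmpd.conf (and there is at least one).
psk_consistent() {
    dir=$1
    pol=$(sed -n 's/^Licensees:[[:space:]]*"passphrase:\(.*\)"$/\1/p' "$dir/isakmpd.policy")
    [ -n "$pol" ] || return 1
    n=$(grep -c '^Authentication=' "$dir/isakmpd.conf" || true)
    [ "$n" -gt 0 ] || return 1
    for a in $(sed -n 's/^Authentication=[[:space:]]*//p' "$dir/isakmpd.conf"); do
        [ "$a" = "$pol" ] || return 1
    done
    return 0
}

# Usage on the host, as root:  sh render-isakmpd.sh render /etc/isakmpd 192.168.1.1
if [ "${1:-}" = "render" ]; then
    write_isakmpd_files "$2" "${3:-192.168.1.1}" "$(gen_psk)"
    psk_consistent "$2" && echo "wrote $2/isakmpd.policy and $2/isakmpd.conf"
fi
```

After rendering, start the daemon as described above; because the key is random and 256 bits long, the only thing left to distribute to clients is the key itself, which should travel over an already-authenticated channel, never by mail.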

That should do it. If the tunnel has trouble coming up, check the system logs (isakmpd logs through syslog, so /var/log/messages and /var/log/daemon on a default install), or run isakmpd with the -d option to keep it in the foreground logging to stderr while a client connects. The most common causes are a passphrase that differs between isakmpd.policy and isakmpd.conf, a policy that rejects the proposal (for example a client offering 3DES for ESP where the policy demands AES), and configuration files that isakmpd refused to load because of their permissions.

This entry was posted in Knowledge Base, Networking, Old Base, OpenBSD.