Re: IPSec faq ??
On 5/5/06, carlopmart <[EMAIL PROTECTED]> wrote:
> I need to assign to each user an x509 cert and IP associated to this cert

As I haven't yet tried the ipsecctl and ipsec.conf tools, I cannot tell you whether they support IKECFG to hand out IP addresses based on certificates. The man page lists the 'any' keyword which seems promising, but I'd have to take a better look.

As in previous releases, isakmpd does, of course, support IKECFG. I employ both a Flags=IKECFG in the ISAKMP-peer section and later on an IKECFG-ID stanza. Using the isakmpd.policy, connection attempts using certificates are validated.

I have several gateways using isakmpd that deal out IP addresses to users based on their certs. These work fine for me, although configuring isakmpd for these purposes doesn't scale too well. I create those bits of my configuration through a script.

> customized pf rules for every user based on these certs and IPs.

To my knowledge, pf doesn't deal with the certs. It just deals with IP addresses on the enc0 device and the filter rules assigned to those addresses.

> And also, xauth is implemented??

IIRC, isakmpd does not implement xauth. If I'm mistaken on this point, feel free to correct me. I wouldn't mind having xauth support (e.g. to authenticate against RADIUS), but so far certificates work well enough for my purposes.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
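Rogier mentions that he generates the per-user IKECFG and pf bits from a script. The following is an added example of such a generator, written for this page and not taken from the thread or from OpenBSD; it keeps the IP that isakmpd hands out and the IP that pf filters on enc0 in one table so they cannot drift apart. It assumes (not stated in the thread) that peer IDs are ufqdn identities taken from the certificate, that the per-peer section is named `[ufqdn/<id>]`, and that the IKECFG tags are `Address`, `Netmask` and `Nameserver` as described in isakmpd.conf(5); check those names against the man page of your release before using the output. The `ISAKMP-peer` section carrying `Flags=ikecfg` is assumed to exist already and is not generated. The user table is constructed sample data.

```shell
#!/bin/sh
# Added example: generate per-user isakmpd IKECFG stanzas and matching pf
# rules from one user table, so the IP handed out by isakmpd and the IP
# filtered by pf on enc0 always come from the same source of truth.
#
# Assumptions (not from the thread): peer IDs are ufqdn identities from the
# certificate, section names have the form [ufqdn/<id>], and the IKECFG
# tags are Address/Netmask/Nameserver as in isakmpd.conf(5); verify these
# against your release's man page. The ISAKMP-peer section with
# Flags=ikecfg is assumed to exist already and is not generated here.

# Constructed sample table: "<ufqdn-id> <assigned-ip> <network-user-may-reach>"
USERS='alice@example.com 10.99.0.10 192.168.1.0/24
bob@example.com 10.99.0.11 192.168.2.0/24'

# Fail if two users would receive the same IP: pf keys on the address,
# so a duplicate would silently give one user the other's rules.
check_unique_ips() {
    dups=$(printf '%s\n' "$1" | awk 'NF >= 2 { print $2 }' | sort | uniq -d)
    [ -z "$dups" ]
}

# One IKECFG-ID section per user (tag names assumed, see header).
ikecfg_section() {
    id="$1"; ip="$2"
    printf '[ufqdn/%s]\n' "$id"
    printf 'Address=\t%s\n' "$ip"
    printf 'Netmask=\t255.255.255.255\n'
    printf 'Nameserver=\t192.168.1.1\n\n'
}

# pf rules for the same user, keyed on the assigned IP as seen on enc0.
# 'quick' makes the per-user pass override the default block emitted below.
pf_rules() {
    ip="$2"; net="$3"
    printf 'pass in quick on enc0 from %s to %s keep state\n' "$ip" "$net"
}

# Emit both fragments; paste them into isakmpd.conf and pf.conf respectively.
generate_all() {
    check_unique_ips "$1" || { echo "duplicate assigned IP in user table" >&2; return 1; }
    echo '# --- isakmpd.conf fragment ---'
    printf '%s\n' "$1" | while read -r id ip net; do
        [ -n "$id" ] || continue
        ikecfg_section "$id" "$ip"
    done
    echo '# --- pf.conf fragment ---'
    echo 'block in on enc0'
    printf '%s\n' "$1" | while read -r id ip net; do
        [ -n "$id" ] || continue
        pf_rules "$id" "$ip" "$net"
    done
}

generate_all "$USERS"
```

The duplicate-IP check is the part worth keeping even if you change the output format: since pf, as Rogier notes, only sees addresses on enc0 and never the certificate, the address assignment is the whole basis of the per-user policy, and an accidental reuse would hand one user another user's rule set.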
Re: IPSec faq ??
On Fri, May 05, 2006 at 05:25:16PM +0200, David Coppa wrote:
> > http://undeadly.org/cgi?action=article&sid=20060222180512
>
> This document is based on the old way of configuring IPSec with
> ipsecadm.

Just search for ipsec on undeadly and you'll find something newer.
Re: IPSec faq ??
http://undeadly.org/cgi?action=article&sid=20060301190520 with ipsecctl / ipsec.conf
Re: IPSec faq ??
Thanks Rogier for the info. But I need to do a more accurate deploy. I need to assign to each user an x509 cert and IP associated to this cert (basically I need to work with roadwarrior clients) and deploy customized pf rules for every user based on these certs and IPs. Is this possible with the new ipsec features?? And also, xauth is implemented??

Rogier Krieger wrote:
> On 5/5/06, carlopmart <[EMAIL PROTECTED]> wrote:
> > Somebody knows when ipsec faq will be published on openbsd website??
>
> It used to be published there but it was taken down. A quick search through the list archives should provide a more definite answer as to why. Alternatively, look up the old version of FAQ #13 in CVS.
>
> > Somebody have some howto??
>
> You really should look at the included documentation. For example, sasyncd(8) and vpn(8) come to mind, but be sure to also look at the pages listed under "SEE ALSO". The material is quite useful in getting started.
>
> I haven't tried out ipsecctl(8) and ipsec.conf(5) yet, so I can't tell you whether that will provide you with an easier solution (easier than setting up isakmpd(8), that is).
>
> Cheers,
>
> Rogier
>
> --
> If you don't know where you're going, any road will get you there.

--
CL Martinez
carlopmart {at} gmail {d0t} com
Re: IPSec faq ??
How about http://www.securityfocus.com/infocus/1859 with the new ipsecctl / ipsec.conf ?

-jdk

On 5/5/06, carlopmart <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
> Somebody knows when ipsec faq will be published on openbsd website?? i
> need to deploy two openbsd 3.9 HA firewalls with vpn, dhcp and x509
> certificates included? Somebody have some howto??
>
> Thanks.
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
Re: IPSec faq ??
On Fri, 2006-05-05 at 11:02 -0400, Peter Blair wrote:
> http://undeadly.org/cgi?action=article&sid=20060222180512

This document is based on the old way of configuring IPSec with ipsecadm. ipsecctl is the new (and better) way of implementing a vpn on openbsd 3.9.

Regards,
David
Re: IPSec faq ??
On 5/5/06, carlopmart <[EMAIL PROTECTED]> wrote:
> Somebody knows when ipsec faq will be published on openbsd website??

It used to be published there but it was taken down. A quick search through the list archives should provide a more definite answer as to why. Alternatively, look up the old version of FAQ #13 in CVS.

> Somebody have some howto??

You really should look at the included documentation. For example, sasyncd(8) and vpn(8) come to mind, but be sure to also look at the pages listed under "SEE ALSO". The material is quite useful in getting started.

I haven't tried out ipsecctl(8) and ipsec.conf(5) yet, so I can't tell you whether that will provide you with an easier solution (easier than setting up isakmpd(8), that is).

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.
Re: IPSec faq ??
There was a FAQ for IPSEC at one point, but the IPSEC implementation in OpenBSD has been a really fast moving target the last couple years due to the great improvements that have been made. At this point the FAQ would have to be essentially rewritten as it was made long before ipsecctl and associated tools were implemented.

Tim Donahue

> Hi all,
>
> Somebody knows when ipsec faq will be published on openbsd website?? i
> need to deploy two openbsd 3.9 HA firewalls with vpn, dhcp and x509 certificates included? Somebody have some howto??
>
> Thanks.
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
Re: IPSec faq ??
http://undeadly.org/cgi?action=article&sid=20060222180512

On 5/5/06, carlopmart <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> Somebody knows when ipsec faq will be published on openbsd website?? i need to deploy two openbsd 3.9 HA firewalls with vpn, dhcp and x509 certificates included? Somebody have some howto??
>
> Thanks.
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
IPSec faq ??
Hi all,

Somebody knows when ipsec faq will be published on openbsd website?? i need to deploy two openbsd 3.9 HA firewalls with vpn, dhcp and x509 certificates included? Somebody have some howto??

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com