I have isakmpd running quite well with certificates. I'm now trying to do something that may or may not be simple.
I wish to establish two tunnels between my ipsec central server on a static IP and two dynamic points on the internet. The first case is an openbsd box which wants to connect a remote lan. The second case is an openbsd laptop which just needs remote access for itself. I've done this in my ipsec.conf:

    ## ---------------------------------------------------------------------------
    my_fqdn="ipsec-hub.example.com"
    my_network="10.0.0.0/24"

    ## Allow the remote box access
    remote_fqdn="myremote.dyndns.org"
    remote_network="10.0.1.0/24"

    ike passive esp \
        from { $my_fqdn $my_network } \
        to { $remote_fqdn $remote_network } \
        local $my_fqdn peer any \
        srcid $my_fqdn dstid $remote_fqdn

    ## Allow the laptop access
    laptop_fqdn="mylaptop.dyndns.org"

    ike passive esp \
        from { $my_fqdn $my_network } \
        to any \
        local $my_fqdn peer any \
        srcid $my_fqdn dstid $laptop_fqdn
    ## ---------------------------------------------------------------------------

I think that I've over-specified things, because either configuration works if it is alone in the file, but putting them both together results in an error?

There's more. If you choose to call me an idiot over this, please do so in private :-)... This file works:

    my_fqdn="ipsec-hub.example.com"
    my_network="10.0.0.1/24"

    ike passive esp from { $my_fqdn $my_network } to any \
        local $my_fqdn peer any \
        srcid $my_fqdn

I would like to believe that the reason it works is because my peers both have signed certificates which verify as okay using the ca.crt that I've configured in "/etc/isakmpd/ca". However, if I'm wrong then I've just opened up my LAN to attack from the entire internet.

Which -D options do I need to set in isakmpd (e.g. # isakmpd -Kd -D 3=10 -D 8=10) to see the identity of the peers and get confirmation that the reason negotiation was successful is because (a) the peer provided a certificate and (b) the certificate verified with my CA?
-- Chris ---------------------------------------------------------------------------- "There will be an answer, Let it be." ch...@vindaloo.com