I have isakmpd running quite well with certificates. I'm now trying to do
something that may or may not be simple.

I wish to establish two tunnels between my ipsec central server on a static IP
and two dynamic points on the internet. The first case is an openbsd box which
wants to connect a remote LAN. The second case is an openbsd laptop which just
needs remote access for itself.

I've done this in my ipsec.conf:

##
---------------------------------------------------------------------------

my_fqdn="ipsec-hub.example.com"
my_network="10.0.0.0/24"

## Allow the remote box access

remote_fqdn="myremote.dyndns.org"
remote_network="10.0.1.0/24"

ike passive esp \
    from { $my_fqdn $my_network } \
    to { $remote_fqdn $remote_network } \
    local $my_fqdn peer any \
    srcid $my_fqdn dstid $remote_fqdn

## Allow the laptop access

laptop_fqdn="mylaptop.dyndns.org"

ike passive esp \
    from { $my_fqdn $my_network } \
    to any \
    local $my_fqdn peer any \
    srcid $my_fqdn dstid $laptop_fqdn

##
---------------------------------------------------------------------------

I think that I've over-specified things, because either configuration works if
it is alone in the file, but putting them both together results in an
error?

There's more. If you choose to call me an idiot over this please do so in
private :-)...

This file works:

my_fqdn="ipsec-hub.example.com"
my_network="10.0.0.1/24"

ike passive esp \
    from { $my_fqdn $my_network } to any \
    local $my_fqdn peer any \
    srcid $my_fqdn

I would like to believe that the reason it works is because my peers both have
signed certificates which verify as okay using the ca.crt that I've configured
in "/etc/isakmpd/ca". However, if I'm wrong then I've just opened up my LAN to
attack from the entire internet. Which -D options do I need to set in isakmpd,
e.g.

     # isakmpd -Kd -D 3=10 -D 8=10

to see the identity of the peers and get confirmation that the reason that
negotiation was successful is because (a) the peer provided a certificate and (b)
the certificate verified with my CA?

-- Chris



----------------------------------------------------------------------------
                                       "There will be an answer, Let it be."
                                                          ch...@vindaloo.com

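Besides reading the isakmpd debug log, a practical check for the worry raised in the post ("have I opened up my LAN to the entire internet?") is to look at what actually got installed in the kernel: with certificate authentication, isakmpd only accepts a peer ID that matches the peer's verified certificate, and ipsecctl reports that ID as the dstid of each installed flow. The script below is an added example, not code from the original post or from OpenBSD; it assumes the flow line format printed by `ipsecctl -sf` ("flow esp in from ... peer ... srcid FQDN/... dstid FQDN/... type ..."), and the two sample outputs are constructed, not captured from a real host. Any flow whose dstid is not one of the two expected dyndns identities is reported and the check fails.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every installed
# IPsec flow on the hub carries one of the peer identities the ipsec.conf
# expects. Assumes the line format of `ipsecctl -sf`; sample data below is
# constructed for illustration.

# The dstid values the two ipsec.conf rules in the post are meant to admit.
EXPECTED_PEERS="myremote.dyndns.org mylaptop.dyndns.org"

# check_flows reads flow lines on stdin, prints every flow whose dstid is
# not in EXPECTED_PEERS to stderr, and returns 1 if any such flow exists.
check_flows() {
    rc=0
    while read -r line; do
        # only "flow ..." lines carry identities; skip SAD entries and headers
        case "$line" in
            flow*) ;;
            *) continue ;;
        esac
        # the token after "dstid" is the peer identity, e.g. FQDN/myremote.dyndns.org
        dstid=$(printf '%s\n' "$line" | sed -n 's/.* dstid \([^ ]*\).*/\1/p')
        case "$dstid" in
            FQDN/*|UFQDN/*) name=${dstid#*/} ;;   # strip the ID-type prefix
            *) name=$dstid ;;                    # address-style IDs: compare as-is
        esac
        ok=0
        for p in $EXPECTED_PEERS; do
            [ "$name" = "$p" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            printf 'unexpected peer identity "%s" in: %s\n' "$dstid" "$line" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the flows the remote-LAN tunnel should produce.
SAMPLE_GOOD='flow esp in from 10.0.1.0/24 to 10.0.0.0/24 peer 203.0.113.5 srcid FQDN/ipsec-hub.example.com dstid FQDN/myremote.dyndns.org type use
flow esp out from 10.0.0.0/24 to 10.0.1.0/24 peer 203.0.113.5 srcid FQDN/ipsec-hub.example.com dstid FQDN/myremote.dyndns.org type require'

# Constructed sample: a flow negotiated by a peer the hub never intended to admit.
SAMPLE_BAD='flow esp out from 10.0.0.0/24 to 0.0.0.0/0 peer 198.51.100.7 srcid FQDN/ipsec-hub.example.com dstid FQDN/stranger.example.net type require'

# Live use on the hub (as root):  ipsecctl -sf | check_flows
```

This complements rather than replaces the debug log: the log (-D 3 for Crypto, -D 8 for Negotiation) shows why a negotiation succeeded, while the flow table shows who ended up with access.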