Isakmpd setup question.
Christopher Hilton
chris at vindaloo.com
Tue Jun 5 16:27:38 UTC 2007
Hi,
I would like to set up isakmpd so I can connect my roaming laptop to my
NATed LAN behind an OpenBSD firewall on a cable modem. I have an isakmpd
configuration which allows me to do this, but to build it I have set up
the Phase 1 identifiers to be the IP addresses that I get. While the
cable modem side of the connection is reasonably static, the laptop side
is anything but. My laptop runs FreeBSD and I have built the isakmpd
port. My laptop also has a constant FQDN via dyndns.org. I would like to
know how to convert my current configuration from relying on IP
addresses to relying on FQDNs on both sides.
I grabbed my initial configurations from the OpenBSD examples and
tweaked them until they worked for me but I need to go those few extra
steps.
Here's /etc/isakmpd/isakmpd.conf from my OpenBSD firewall/router:
----------------------------------------------------------------------
# $OpenBSD: VPN-east.conf,v 1.12 2002/06/09 08:13:07 todd Exp $
# $EOM: VPN-east.conf,v 1.12 2000/10/09 22:08:30 angelos Exp $
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
# The network topology of the example net is like this:
#
# 192.168.11.0/24 - west [.11] - 10.1.0.0/24 - [.12] east - 192.168.12.0/24
#
# "west" and "east" are the respective security gateways (aka VPN-nodes).
## We are east.
[General]
# Address the daemon listens on (the firewall side of the tunnel).
Listen-on= 192.168.132.1
[Phase 1]
# Incoming Phase 1 (IKE SA) negotiations from this peer address use the
# ISAKMP-peer-west section below. This is what pins the laptop to one IP.
172.17.0.1= ISAKMP-peer-west
[Phase 2]
# We only respond to Phase 2 (IPsec SA) proposals; the laptop initiates.
Passive-Connections= IPsec-east-west
[ISAKMP-peer-west]
Phase= 1
Transport= udp
Address= 172.17.0.1
Configuration= Default-aggressive-mode
# Pre-shared key used to authenticate this peer.
Authentication= *** not my real password ***
[IPsec-east-west]
Phase= 2
ISAKMP-peer= ISAKMP-peer-west
Configuration= Default-quick-mode
# Traffic selectors: our LAN on this side, the laptop's single address on the other.
Local-ID= Net-east
Remote-ID= Net-west
[Net-west]
ID-type= IPV4_ADDR_SUBNET
Network= 172.17.0.1
Netmask= 255.255.255.255
[Net-east]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 255.255.255.0
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA
[Default-aggressive-mode]
DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= 3DES-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE
# End of file
And here's the corresponding /etc/isakmpd/isakmpd.conf from my laptop:
---------------------------------------------------------------------
### We are "west" here
[General]
# Listen-on is left unset: without it isakmpd listens on every local
# address, which suits a laptop whose address keeps changing.
# Listen-on= 172.17.100.1
[Phase 1]
# Phase 1 negotiations with the firewall's address use the peer section below.
192.168.132.1= ISAKMP-peer-west
[Phase 2]
# The laptop initiates Phase 2 for this connection.
Connections= IPsec-east-west
[ISAKMP-peer-west]
Phase= 1
Transport= udp
Address= 192.168.132.1
Configuration= Default-aggressive-mode
Authentication= *** not my real password ***
[IPsec-east-west]
Phase= 2
ISAKMP-peer= ISAKMP-peer-west
Configuration= Default-quick-mode
Local-ID= Net-west
Remote-ID= Net-east
[Net-west]
ID-type= IPV4_ADDR_SUBNET
Network= 172.17.0.1
Netmask= 255.255.255.255
[Net-east]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 255.255.255.0
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA
[Default-aggressive-mode]
DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= 3DES-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-SUITE
## End of file
I appreciate any help that someone could provide. I'm especially
interested in developing a better understanding of how isakmpd works
with these configurations.
Thank you
-- Chris
--
__o "All I was doing was trying to get home from work."
_`\<,_ -Rosa Parks
___(*)/_(*)___________________________________________________________
Christopher Sean Hilton <chris | at | vindaloo.com>
pgp key: D0957A2D/f5 30 0a e1 55 76 9b 1f 47 0b 07 e9 75 0e 14
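Added example, not part of the original post and not taken from OpenBSD's sample files: a sketch of how the two isakmpd.conf files above could identify the peers by FQDN in Phase 1, based on my reading of isakmpd.conf(5) (the ID= and Remote-ID= tags of an ISAKMP peer section, FQDN-typed ID sections, and the Default entry in [Phase 1] for a peer whose address is not known in advance). The hostnames east.example.com and west.example.com, the address 192.168.132.1 and the section names are placeholders. Two caveats a practitioner should keep in mind: with a pre-shared key, main mode cannot work here because the identities are only sent after the key has been used, so the key must be looked up by IP address; aggressive mode, which the posted configurations already use, sends the identities in the clear and therefore allows a FQDN-keyed shared secret, but its authentication hash is exposed to an offline dictionary attack, so the secret must be long and random. The Phase 2 selectors (Net-west as 172.17.0.1/32) are not changed by FQDN identities and are left exactly as in the original; a changing laptop address still needs separate handling there.

```ini
### /etc/isakmpd/isakmpd.conf on the OpenBSD firewall ("east", responder)
### Hostnames and addresses below are placeholders (added example, not the
### original poster's configuration).

[General]
Listen-on=              192.168.132.1

[Phase 1]
# The laptop's address is not known in advance: an incoming Phase 1
# exchange from an address with no explicit entry uses this peer section.
Default=                ISAKMP-peer-west

[Phase 2]
Passive-Connections=    IPsec-east-west

[ISAKMP-peer-west]
Phase=                  1
Transport=              udp
# No Address= line: the roaming peer initiates from wherever it is.
Configuration=          Default-aggressive-mode
# Identities presented and expected in Phase 1 instead of IP addresses.
ID=                     ID-east
Remote-ID=              ID-west
# Pre-shared key; use a long random secret and keep this file mode 0600.
Authentication=         *** long random shared secret ***

[ID-east]
ID-type=                FQDN
Name=                   east.example.com

[ID-west]
ID-type=                FQDN
Name=                   west.example.com

# [IPsec-east-west], [Net-east], [Net-west] and the *-mode sections stay
# as in the original east configuration.


### /etc/isakmpd/isakmpd.conf on the FreeBSD laptop ("west", initiator)

[Phase 1]
# The firewall side is reasonably static, so keying its peer section by
# address still works on the initiator.
192.168.132.1=          ISAKMP-peer-east

[Phase 2]
Connections=            IPsec-east-west

[ISAKMP-peer-east]
Phase=                  1
Transport=              udp
Address=                192.168.132.1
Configuration=          Default-aggressive-mode
# Our own FQDN goes out as the Phase 1 identity; the firewall's is expected back.
ID=                     ID-west
Remote-ID=              ID-east
Authentication=         *** same long random shared secret ***

[ID-west]
ID-type=                FQDN
Name=                   west.example.com

[ID-east]
ID-type=                FQDN
Name=                   east.example.com

# Phase 2 sections (IPsec-east-west, Net-west, Net-east, *-mode) as in the
# original laptop configuration, except ISAKMP-peer= ISAKMP-peer-east to
# match the peer section name used here.
```

The shared secret is the same string on both ends; what changes is that the responder no longer needs a per-address [Phase 1] entry and selects the secret by the FQDN the initiator presents. Because the identity is sent unencrypted in aggressive mode, the FQDNs are visible to anyone on the path, which is acceptable for a public dyndns.org name but worth knowing.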