From: Christopher Hilton (chris@vindaloo.com)
To: misc@openbsd.org
Cc: User Questions (freebsd-questions@freebsd.org)
Subject: Isakmpd setup question.
Date: Tue, 05 Jun 2007 12:27:36 -0400
Message-ID: <46658EF8.5080704@vindaloo.com>

Hi,

I would like to set up isakmpd so I can connect my roaming laptop to my NATed LAN behind an OpenBSD firewall on a cable modem. I have an ISAKMPD configuration which allows me to do this, but to build it I have set up the Phase 1 identifiers to be the IP addresses that I get. While the cable modem side of the connection is reasonably static, the laptop side is anything but. My laptop runs FreeBSD and I have built the isakmpd port. My laptop also has a constant FQDN via dyndns.org.
I would like to know how to convert my current configuration from relying on IP addresses to relying on FQDNs on both sides. I grabbed my initial configurations from the OpenBSD examples and tweaked them until they worked for me, but I need to go those few extra steps.

Here's /etc/isakmpd/isakmpd.conf from my OpenBSD firewall/router:

----------------------------------------------------------------------
# $OpenBSD: VPN-east.conf,v 1.12 2002/06/09 08:13:07 todd Exp $
# $EOM: VPN-east.conf,v 1.12 2000/10/09 22:08:30 angelos Exp $

# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
# The network topology of the example net is like this:
#
# 192.168.11.0/24 - west [.11] - 10.1.0.0/24 - [.12] east - 192.168.12.0/24
#
# "west" and "east" are the respective security gateways (aka VPN-nodes).

## We are east.

[General]
Listen-on=		192.168.132.1

[Phase 1]
# Phase 1 peers are keyed on the peer's IP address.  This is the line
# that ties the configuration to the laptop's current address.
172.17.0.1=		ISAKMP-peer-west

[Phase 2]
# We only answer Quick Mode; the laptop initiates.
Passive-Connections=	IPsec-east-west

[ISAKMP-peer-west]
Phase=			1
Transport=		udp
Address=		172.17.0.1
Configuration=		Default-aggressive-mode
Authentication=		*** not my real password ***

[IPsec-east-west]
Phase=			2
ISAKMP-peer=		ISAKMP-peer-west
Configuration=		Default-quick-mode
Local-ID=		Net-east
Remote-ID=		Net-west

# Phase 2 (Quick Mode) client IDs: the laptop itself (/32) and the LAN.
[Net-west]
ID-type=		IPV4_ADDR_SUBNET
Network=		172.17.0.1
Netmask=		255.255.255.255

[Net-east]
ID-type=		IPV4_ADDR_SUBNET
Network=		10.0.0.0
Netmask=		255.255.255.0

[Default-main-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		ID_PROT
Transforms=		3DES-SHA

[Default-aggressive-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		AGGRESSIVE
Transforms=		3DES-SHA

[Default-quick-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		QUICK_MODE
Suites=			QM-ESP-AES-SHA-PFS-SUITE

# End of file
----------------------------------------------------------------------

And here's the corresponding /etc/isakmpd/isakmpd.conf from my laptop:

---------------------------------------------------------------------
### We are "west" here

[General]
# Listen-on=		172.17.100.1

[Phase 1]
# Keyed on the firewall's address.  The section name ISAKMP-peer-west is
# reused from the east config; here it describes the east (firewall) peer.
192.168.132.1=		ISAKMP-peer-west

[Phase 2]
# The laptop initiates Quick Mode.
Connections=		IPsec-east-west

[ISAKMP-peer-west]
Phase=			1
Transport=		udp
Address=		192.168.132.1
Configuration=		Default-aggressive-mode
Authentication=		*** not my real password ***

[IPsec-east-west]
Phase=			2
ISAKMP-peer=		ISAKMP-peer-west
Configuration=		Default-quick-mode
Local-ID=		Net-west
Remote-ID=		Net-east

[Net-west]
ID-type=		IPV4_ADDR_SUBNET
Network=		172.17.0.1
Netmask=		255.255.255.255

[Net-east]
ID-type=		IPV4_ADDR_SUBNET
Network=		10.0.0.0
Netmask=		255.255.255.0

[Default-main-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		ID_PROT
Transforms=		3DES-SHA

[Default-aggressive-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		AGGRESSIVE
Transforms=		3DES-SHA

[Default-quick-mode]
DOI=			IPSEC
EXCHANGE_TYPE=		QUICK_MODE
Suites=			QM-ESP-AES-SHA-PFS-SUITE

## End of file
---------------------------------------------------------------------

I appreciate any help that someone could provide. I'm especially interested in developing a better understanding of how isakmpd works with these configurations.

Thank you

-- Chris

-- 
     __o          "All I was doing was trying to get home from work."
   _`\<,_                                 -Rosa Parks
___(*)/_(*)___________________________________________________________
Christopher Sean Hilton      pgp key: D0957A2D/f5 30 0a e1 55 76 9b 1f 47 0b 07 e9 75 0e 14
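The conversion the post asks for, as an added example that is not part of the original message or of the poster's configuration. It keeps the poster's addresses, section names and Phase 2 sections and only changes the Phase 1 identity handling, following isakmpd.conf(5): the firewall stops keying the laptop on its address and uses the [Phase 1] Default entry instead, and both ends carry ID= / Remote-ID= sections of ID-type FQDN. The host names fw.example.net and laptop.dyndns.example are placeholders, not names from the post.

```ini
# --- /etc/isakmpd/isakmpd.conf on the OpenBSD firewall ("east") ---
# Added example; the FQDNs below are placeholders.

[General]
Listen-on=              192.168.132.1

[Phase 1]
# The laptop's address changes, so there is no per-address entry.  A peer
# whose address is not listed here is handled by the Default section.
Default=                ISAKMP-peer-laptop

[Phase 2]
Passive-Connections=    IPsec-east-west

[ISAKMP-peer-laptop]
Phase=                  1
Transport=              udp
# No Address= line: we only respond, to whatever source address the
# laptop's first Aggressive Mode packet arrives from.
Configuration=          Default-aggressive-mode
# Our own Phase 1 identity (the ID payload we send) ...
ID=                     Firewall-ID
# ... and the identity the laptop must present.  The received ID payload
# is compared as a string against Name= below; nothing is resolved in DNS.
Remote-ID=              Laptop-ID
# Aggressive Mode with a pre-shared key lets an eavesdropper run an
# offline dictionary attack on the key, so make it long and random.
Authentication=         *** long random pre-shared key ***

[Firewall-ID]
ID-type=                FQDN
Name=                   fw.example.net

[Laptop-ID]
ID-type=                FQDN
Name=                   laptop.dyndns.example

# [IPsec-east-west], [Net-east], [Net-west] and the three Default-*-mode
# sections stay exactly as in the post.

# --- /etc/isakmpd/isakmpd.conf on the FreeBSD laptop ("west") ---

[Phase 1]
# The firewall's address is effectively static, so keying on it is fine.
# This key is matched against the packet address, not the ID payload.
192.168.132.1=          ISAKMP-peer-firewall

[Phase 2]
Connections=            IPsec-east-west

[ISAKMP-peer-firewall]
Phase=                  1
Transport=              udp
Address=                192.168.132.1
Configuration=          Default-aggressive-mode
ID=                     Laptop-ID
Remote-ID=              Firewall-ID
Authentication=         *** same long random pre-shared key ***

[Laptop-ID]
ID-type=                FQDN
Name=                   laptop.dyndns.example

[Firewall-ID]
ID-type=                FQDN
Name=                   fw.example.net

# [IPsec-east-west] must now point at ISAKMP-peer-firewall instead of
# ISAKMP-peer-west; the rest of the laptop's Phase 2 sections are unchanged.
```

Two things to check before relying on this. First, an FQDN identity is only a label: the firewall accepts any address that presents the right Name and the right pre-shared key, so it is the key, not the dyndns record, that authenticates the laptop; isakmpd.conf(5) on your OpenBSD release documents whether the key may also be looked up in a section named after the peer's FQDN, which matters once you have more than one roaming peer. Second, this only fixes Phase 1; the [Net-west] section still carries the laptop's address as a /32 Quick Mode client ID, so the Phase 2 side needs its own treatment. Run both daemons in the foreground with `isakmpd -d -DA=50` while testing; the debug output shows the ID payloads each side sends and which [Phase 1] entry the responder matched.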