Re: Isakmpd and dynamic IPs configuration?

[Juan Vera <juan@coresecurity.com>]

> /H
> 
> (*) It is possible to generate isakmpd.conf's "dynamically" (possibly
> scripted) to change IPs in the configuration files as required. I haven't
> really experimented with this myself, so I have no examples. Calling
> something from the end of dhclient-script(8) seems like a good place to
> start...
> 

hello

  im doing that at home with a simple script that echo(1)es to 
/var/run/isakmpd.fifo.

isakmpd.conf:

# generic isakmpd config
[General]
Default-phase-1-lifetime=       3600,10:86400
Default-phase-2-lifetime=       86400,10:86400

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-AES-SHA-PFS-SUITE
# eof

as you can see there's no self/peer data in it. everything
is dinamically included/modified/removed using echo.

the script (named 'ikectl' :) is based around this little
shell function:

ike_echo()
{
    echo "$1" > /var/run/isakmpd.fifo
}

for example:

ike_set()
{
    ike_echo "C set $1 1"
}

proper commands can be checked on isakmpd(8) man page.

two checks are really need to be done: is isakmpd running? and
is the fifo on disk (and a true fifo?)? otherways it
will lock.

also i wrote a minimal irc client to exchange ips
without needing DNS entries.

btw, to the purists: there's an option to dump the
generated configuration to syslog; so, you can generate
configs and save them to do checks, etc.

--

i think in the future something like ikectl will be included
on isakmpd distribution; mine works just fine.