Re: isakmpd and unknown peers
> Hi, I am trying to set up an OpenBSD 2.8 IPSec server.
> My problem is that there will be a few peers, most of
> which will not have a known address. From what I
> understand this is quite possible to do but the
> problem that I am running into is lack of
> documentation: what value should I put for Address?
The roadwarrior setup should be documented in a FAQ or
something. I don't have experience setting up this kind
of configuration so I can't comment more on it.
Beyond that, isakmp has some support for
dynamic keying of unknown hosts which is undocumented.
The best way to see what is going on here is to leave
isakmpd unconfigured (or minimally configured), turn
debugging on, and try to establish a connection to it
from your peer. Reading through the debug log will
show which configuration items are being queried.
Since they're not in your config file, default values
will be selected. Add those items to your config as
you see fit and restart and try again.
Some items are statically wired in and can't be changed,
so full support isn't quite there yet.
I've played with some of these a while ago and can't
remember all the details, but looking over an old
config file, I used some of the following:
[Default-phase-1-configuration]
doi, exchange type, transforms, etc.
[Default-main-mode]
doi, exchange type, transforms, etc.
[Peer-<ipaddr>]
phase = 1, transport, local addr, configuration, etc.
You can also observe some of these items in pf_key_v2_acquire()
in pf_key_v2.c (search for the sprintf calls). Some entries
here include:
Connection-<num>
Connection-Phase2-<num>
Peer-<dst>
Peer-<dst>/<src>
Peer-<dst>/<src>-<srcid>
Peer-<dst>/<src>-<srcid>/<dstid>
[.. some more variations...]
ISAKMP-Configuration-<peer>
happy hacking :)
Tim N.
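The "turn debugging on and read which items get queried" step above can be done mechanically. The script below is an added example, not code from Tim's reply or from isakmpd: it assumes the debug log carries conf_get_str() messages of the form `conf_get_str: [section]:tag->value` and `conf_get_str: configuration value not found [section]:tag` (wording modelled on isakmpd's conf.c and may differ by version), and the sample log lines and the peer address 10.0.0.5 are constructed.

```python
"""Summarise which isakmpd.conf items a debug log shows being looked up
but not found, i.e. the items that silently fell back to built-in defaults."""
import re
from collections import defaultdict

# Assumed shape of isakmpd's conf_get_str() debug messages; the exact
# wording is version dependent, so adjust these patterns to your log.
FOUND_RE = re.compile(
    r"conf_get_str: \[(?P<section>[^\]]+)\]:(?P<tag>\S+)->(?P<value>.*)$")
MISSING_RE = re.compile(
    r"conf_get_str: configuration value not found \[(?P<section>[^\]]+)\]:(?P<tag>\S+)")

def parse_conf_lookups(lines):
    """Return (found, missing): found maps (section, tag) -> value the daemon
    read; missing maps section -> sorted tags that were not in the config."""
    found = {}
    missing = defaultdict(set)
    for line in lines:
        m = FOUND_RE.search(line)
        if m:
            found[(m["section"], m["tag"])] = m["value"].strip()
            continue
        m = MISSING_RE.search(line)
        if m:
            missing[m["section"]].add(m["tag"])
    return found, {s: sorted(t) for s, t in missing.items()}

def skeleton_config(missing):
    """Render the missing items as commented isakmpd.conf stubs to fill in."""
    out = []
    for section in sorted(missing):
        out.append(f"[{section}]")
        for tag in missing[section]:
            out.append(f"# {tag}=\t# taken from the built-in default; set explicitly")
        out.append("")
    return "\n".join(out).rstrip("\n")

# Constructed sample: a peer at 10.0.0.5 connecting to a minimally configured daemon.
SAMPLE_LOG = """\
124412.123456 Misc 95 conf_get_str: [General]:Retransmits->3
124412.123457 Misc 95 conf_get_str: configuration value not found [Peer-10.0.0.5]:Phase
124412.123458 Misc 95 conf_get_str: configuration value not found [Peer-10.0.0.5]:Configuration
124412.123459 Misc 95 conf_get_str: [Default-main-mode]:EXCHANGE_TYPE->ID_PROT
124412.123460 Misc 95 conf_get_str: configuration value not found [Default-main-mode]:Transforms
124412.123461 Misc 95 conf_get_str: configuration value not found [Peer-10.0.0.5]:Authentication
""".splitlines()

if __name__ == "__main__":
    _found, _missing = parse_conf_lookups(SAMPLE_LOG)
    print(skeleton_config(_missing))
```

Feed it the real log (for example `isakmpd -d -D A=99 2>&1 | tee isakmpd.log`) and the emitted stubs are the sections and tags to add to isakmpd.conf before restarting and retrying.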