A bit about IPsec and isakmpd in OpenBSD

25.06.2003 13:45

An example of setting up an IPsec tunnel in OpenBSD.

 1. Set up the IP address and the policy (aka SPD, flow):

    # cat hostname.fxp1
    inet 10.0.0.10
    !ipsecadm flush
    !ipsecadm flow -addr 10.0.0.10/32 192.168.20.1/32 -src 10.0.0.10 -dst 192.168.20.1 -proto esp -out -require
    !ipsecadm flow -addr 192.168.20.1/32 10.0.0.10/32 -src 10.0.0.10 -dst 192.168.20.1 -proto esp -in -require

 2. Enable isakmpd (-L writes IKE traffic for debugging to /var/run/isakmpd.pcap):

    # grep isakmpd_flags rc.conf
    isakmpd_flags="-L"

 3. Set up an allow-all policy file:

    # cat isakmpd/isakmpd.policy
    Authorizer: "POLICY"
    # chmod 600 isakmpd/isakmpd.policy

 4. Generate the key for IKE authentication:

    # openssl genrsa -out isakmpd/private/local.key 1024
    # chmod 600 isakmpd/private/local.key

 5. Extract the public key and hand it to the peer:

    # openssl rsa -out /var/tmp/my.pub -in isakmpd/private/local.key -pubout
    # scp /var/tmp/my.pub peer:...

 6. Install the peers' public keys (isakmpd looks them up by the peer's address):

    # cp /var/tmp/peer.pub isakmpd/pubkeys/ipv4/192.168.20.1
    # cat isakmpd/pubkeys/ipv4/192.168.20.1
    -----BEGIN PUBLIC KEY-----
    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC73evmkPzOKn4+ZwPvSUbjGorx
    [...]
    W7Uaf6tD6rKxpa06kQIDAQAB
    -----END PUBLIC KEY-----

    No isakmpd.conf file is needed.

 7. Ping the peer:

    # ping 192.168.20.1
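The two flows in step 1 are mirror images of each other, and the policy file and private key in steps 3 and 4 must be readable by root alone; getting either wrong is easy to miss by eye. The script below is an added example, not part of the original post: it generates the hostname.if fragment for a host pair from the local and peer addresses (following the flag layout the post uses), checks the mode-600 requirement on the policy file and private key, and checks that a peer's public key sits under pubkeys/ipv4/<address> as a PEM public key. It assumes a POSIX sh with ls(1), head(1) and tail(1); the addresses 10.0.0.10 and 192.168.20.1 are the ones from the post, and the directory layout is isakmpd's as shown there. Note that ipsecadm was later replaced in OpenBSD by ipsecctl(8) and ipsec.conf(5), so the generated lines apply to releases of the post's era.

```shell
#!/bin/sh
# Added example for the post above, not the post's own script.
# Assumptions: POSIX sh, ls(1), head(1), tail(1); the isakmpd directory
# layout (isakmpd.policy, private/local.key, pubkeys/ipv4/<addr>) is the
# one used in the post.

# gen_flows LOCAL PEER: print the hostname.if lines for one host, in the
# same flag layout the post uses (-src/-dst are the same in both flows,
# -addr is swapped for the inbound direction).
gen_flows() {
    loc=$1
    peer=$2
    printf 'inet %s\n' "$loc"
    printf '!ipsecadm flush\n'
    # outbound: packets from LOCAL to PEER must leave ESP-protected
    printf '!ipsecadm flow -addr %s/32 %s/32 -src %s -dst %s -proto esp -out -require\n' \
        "$loc" "$peer" "$loc" "$peer"
    # inbound: packets from PEER to LOCAL must arrive ESP-protected
    printf '!ipsecadm flow -addr %s/32 %s/32 -src %s -dst %s -proto esp -in -require\n' \
        "$peer" "$loc" "$loc" "$peer"
}

# require_mode_600 FILE: succeed only if FILE is a regular file whose mode
# is exactly rw------- (what the post's chmod 600 produces).
require_mode_600() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# check_isakmpd_dir DIR: the policy file and the private key must both be
# mode 600; report the first one that is not.
check_isakmpd_dir() {
    require_mode_600 "$1/isakmpd.policy" || {
        echo "$1/isakmpd.policy: must be mode 600"; return 1; }
    require_mode_600 "$1/private/local.key" || {
        echo "$1/private/local.key: must be mode 600"; return 1; }
    return 0
}

# check_pubkey_file DIR PEER: isakmpd finds the peer's key by address, so
# it must be at DIR/pubkeys/ipv4/PEER and be a PEM "PUBLIC KEY" block.
check_pubkey_file() {
    f="$1/pubkeys/ipv4/$2"
    [ -f "$f" ] || return 1
    head -n 1 "$f" | grep -q '^-----BEGIN PUBLIC KEY-----$' || return 1
    tail -n 1 "$f" | grep -q '^-----END PUBLIC KEY-----$'
}

# Usage: print the fragment for the host in the post, then audit /etc/isakmpd.
#   gen_flows 10.0.0.10 192.168.20.1 > /etc/hostname.fxp1
#   check_isakmpd_dir /etc/isakmpd && check_pubkey_file /etc/isakmpd 192.168.20.1
```

Run gen_flows once per host with the arguments swapped to get the matching configuration for the other end; the checks are meant to run on each host before starting isakmpd.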