Christoph Leser <[email protected]> wrote:

> with ipsecctl I can configure outgoing address translation in
> ipsec.conf like this:
> 
>          ike esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24 
> peer 10.10.20.1
> 
> Is there an equivalent syntax for isakmpd.conf?

All that ipsecctl does with ike rules is translate them into a piece
of isakmpd.conf-style configuration and pass it to isakmpd's FIFO
control socket.  Use "ipsecctl -n -v" to inspect that output; you can
capture it and re-use it directly.  The parenthesized address in your
rule shows up below as the NAT-ID entry of the Phase 2 connection and
its matching [nat-...] section.

C set [Phase 1]:10.10.20.1=peer-10.10.20.1 force
C set [peer-10.10.20.1]:Phase=1 force
C set [peer-10.10.20.1]:Address=10.10.20.1 force
C set [peer-10.10.20.1]:Configuration=phase1-peer-10.10.20.1 force
C set [phase1-peer-10.10.20.1]:EXCHANGE_TYPE=ID_PROT force
C add 
[phase1-peer-10.10.20.1]:Transforms=phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024
 force
C set 
[phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG
 force
C set 
[phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:HASH_ALGORITHM=SHA
 force
C set 
[phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC
 force
C set 
[phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:KEY_LENGTH=128,128:256
 force
C set 
[phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:GROUP_DESCRIPTION=MODP_1024
 force
C set 
[phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:Life=LIFE_MAIN_MODE
 force
C set [from-10.10.10.1-to-192.168.2.0/24]:Phase=2 force
C set [from-10.10.10.1-to-192.168.2.0/24]:ISAKMP-peer=peer-10.10.20.1 force
C set 
[from-10.10.10.1-to-192.168.2.0/24]:Configuration=phase2-from-10.10.10.1-to-192.168.2.0/24
 force
C set [from-10.10.10.1-to-192.168.2.0/24]:Local-ID=from-10.10.10.1 force
C set [from-10.10.10.1-to-192.168.2.0/24]:NAT-ID=nat-192.168.1.0/24 force
C set [from-10.10.10.1-to-192.168.2.0/24]:Remote-ID=to-192.168.2.0/24 force
C set [phase2-from-10.10.10.1-to-192.168.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force
C set 
[phase2-from-10.10.10.1-to-192.168.2.0/24]:Suites=phase2-suite-from-10.10.10.1-to-192.168.2.0/24
 force
C set 
[phase2-suite-from-10.10.10.1-to-192.168.2.0/24]:Protocols=phase2-protocol-from-10.10.10.1-to-192.168.2.0/24
 force
C set [phase2-protocol-from-10.10.10.1-to-192.168.2.0/24]:PROTOCOL_ID=IPSEC_ESP 
force
C set 
[phase2-protocol-from-10.10.10.1-to-192.168.2.0/24]:Transforms=phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL
 force
C set 
[phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES
 force
C set 
[phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256
 force
C set 
[phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL
 force
C set 
[phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256
 force
C set 
[phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024
 force
C set 
[phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE
 force
C set [from-10.10.10.1]:ID-type=IPV4_ADDR force
C set [from-10.10.10.1]:Address=10.10.10.1 force
C set [nat-192.168.1.0/24]:ID-type=IPV4_ADDR_SUBNET force
C set [nat-192.168.1.0/24]:Network=192.168.1.0 force
C set [nat-192.168.1.0/24]:Netmask=255.255.255.0 force
C set [to-192.168.2.0/24]:ID-type=IPV4_ADDR_SUBNET force
C set [to-192.168.2.0/24]:Network=192.168.2.0 force
C set [to-192.168.2.0/24]:Netmask=255.255.255.0 force
C add [Phase 2]:Connections=from-10.10.10.1-to-192.168.2.0/24

-- 
Christian "naddy" Weisgerber                          [email protected]
