Hi,
On Sat, 23.08.2008 at 13:30:28 +0200, Daniel Rapp <[EMAIL PROTECTED]> wrote:
> I have an OpenBSD (4.2) firewall with a tunnel config in isakmpd.conf and I
> want to add a roadwarrior tunnel to..
This should work roughly like this:
[Phase 1]
1.2.3.4= Your-Main-Connection # that you have already
Default= Mobile-User
[Phase 2]
Connections= main-connection
Passive-Connections= mobile-user
[Your-Main-Connection]
... # just keep the whole setup
[Mobile-User]
Phase= 1
ID= local-id
...
[local-id]
ID-type= your.id.type # I like "IPV4_ADDR"
Address= 1.2.3.4 # tag and value depend
# on ID-type, obviously
[mobile-user]
Phase= 2
Local-id= default-route
Remote-ID= dummy-machine
[default-route]
ID-type= IPV4_ADDR_SUBNET
Network= 0.0.0.0
Netmask= 0.0.0.0
[dummy-machine]
ID-type= IPV4_ADDR
Address= 0.0.0.0
This is about it. I also like using IKE config mode, which adds
Flags= ikecfg
to the [Mobile-User] section, plus an appropriate client entry. I like
UFQDNs for that, so I have something like
[ufqdn/[EMAIL PROTECTED]]
Address= 10.1.2.3
Netmask= 255.255.255.255
Nameserver= 10.4.5.6
The whole thing works with an isakmpd.policy file that grants access to
the [EMAIL PROTECTED] id, and certificates that carry these IDs.
Btw, don't use self-signed certificates - they don't buy you anything.
You can add connections like this in an additive manner to
isakmpd.conf, but there are some problems when networking gets more
complicated.
The recommended way to set up VPNs appears to be using ipsec.conf these
days, so you should probably read about that first, although I'm a bit
stumped as to why one wants to disable policy checking, as per
ipsec.conf(5): "Note that it will probably need to be run with at least
the -K option, to avoid keynote(4) policy checking." But then, I may
simply not have understood this paragraph myself, yet.
Kind regards,
--Toni++
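The layout sketched in the reply (a [Phase 1] map from peer address or Default to phase-1 sections, [Phase 2] listing active and passive connections, and ID sections referenced by name) is easy to get subtly wrong when adding a roadwarrior entry by hand. The checker below is an added example, not code from the mail or from OpenBSD: it parses the isakmpd.conf(5) section/tag layout and reports dangling section references, mis-phased sections and lines that are not `Tag= value`. The embedded sample is constructed from the mail's roadwarrior half (the site-to-site phase-2 connection the mail elides with `...` is left out) and deliberately keeps a `remote-id dummy-machine` line without the `=`. Comparing tag names case-insensitively is this checker's own choice, not something the page states.

```python
"""Structural checker for isakmpd.conf-style configuration (added example).

Parses the [Section] / Tag= value layout and cross-checks that the sections
named from [Phase 1], [Phase 2], ID=, Local-ID= and Remote-ID= exist and carry
the expected Phase=. Only these reference rules are modelled.
"""
import re
from typing import Dict, List, Tuple

Sections = Dict[str, Dict[str, str]]
SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")

# Constructed sample modelled on the mail's roadwarrior setup; the
# 'remote-id dummy-machine' line is kept without its '=' on purpose.
MAIL_CONFIG = """\
[Phase 1]
1.2.3.4= Your-Main-Connection
Default= Mobile-User
[Phase 2]
Passive-Connections= mobile-user
[Your-Main-Connection]
Phase= 1
[Mobile-User]
Phase= 1
ID= local-id
[local-id]
ID-type= IPV4_ADDR
Address= 1.2.3.4
[mobile-user]
Phase= 2
Local-id= default-route
remote-id dummy-machine
[default-route]
ID-type= IPV4_ADDR_SUBNET
Network= 0.0.0.0
Netmask= 0.0.0.0
[dummy-machine]
ID-type= IPV4_ADDR
Address= 0.0.0.0
"""


def parse_isakmpd_conf(text: str) -> Tuple[Sections, List[str]]:
    """Return ({section: {tag: value}}, syntax problems).

    '#' starts a comment; a non-empty line that is neither a [header] nor
    'Tag= value' is reported rather than silently dropped. Tags are lowered
    (checker's choice); section names are kept exactly as written.
    """
    sections: Sections = {}
    problems: List[str] = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, {})
        elif "=" not in line:
            problems.append(f"line {lineno}: expected 'Tag= value', got {line!r}")
        elif current is None:
            problems.append(f"line {lineno}: tag outside any section: {line!r}")
        else:
            tag, value = (s.strip() for s in line.split("=", 1))
            sections[current][tag.lower()] = value
    return sections, problems


def check_references(sections: Sections) -> List[str]:
    """Cross-check the section references the mail's layout relies on."""
    problems: List[str] = []

    def need(ref: str, where: str, phase: str = "") -> None:
        if ref not in sections:
            problems.append(f"{where}: references missing section [{ref}]")
        elif phase and sections[ref].get("phase") != phase:
            problems.append(f"{where}: [{ref}] should carry Phase= {phase}")

    # [Phase 1] maps peer addresses (or Default) to phase-1 sections.
    for tag, ref in sections.get("Phase 1", {}).items():
        need(ref, f"[Phase 1] {tag}", "1")
    # [Phase 2] lists active and passive phase-2 connections.
    for tag in ("connections", "passive-connections"):
        for ref in sections.get("Phase 2", {}).get(tag, "").split(","):
            if ref.strip():
                need(ref.strip(), f"[Phase 2] {tag}", "2")
    for name, tags in sections.items():
        if tags.get("phase") == "1" and "id" in tags:
            need(tags["id"], f"[{name}] id")
        if tags.get("phase") == "2":
            for tag in ("local-id", "remote-id"):  # a tunnel sets both
                if tag in tags:
                    need(tags[tag], f"[{name}] {tag}")
                else:
                    problems.append(f"[{name}]: phase-2 connection lacks {tag}")
    return problems


def lint(text: str) -> List[str]:
    """Syntax problems first, then dangling or mis-phased references."""
    sections, problems = parse_isakmpd_conf(text)
    return problems + check_references(sections)
```

Run `lint(open("/etc/isakmpd/isakmpd.conf").read())` on a real file to get the list of findings; on the constructed sample it flags the `remote-id` line and, because that tag was never parsed, the missing Remote-ID of [mobile-user]. Restoring the `=` clears both, and renaming [dummy-machine] shows the dangling-reference check.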