I am attaching a diff to the isakmpd.conf man page that I hope clarifies using certificate-based authentication. I found the information in the archives, and I thought it might be better documented in the man page.
I believe the changes to be correct, but please do not take my word on it as I am new to IPSec. l8rZ, -- andrew - ICQ# 253198 - JID: [EMAIL PROTECTED] Proud member: http://www.mad-techies.org BOFH excuse of the day: boss forgot system password
--- isakmpd.conf.5.orig Mon Aug 15 11:24:10 2005
+++ isakmpd.conf.5 Mon Aug 15 12:22:53 2005
@@ -886,12 +886,13 @@
 # Incoming phase 1 negotiations are multiplexed on the source IP address
 [Phase 1]
 10.1.0.1= ISAKMP-peer-west
+10.1.0.3= ISAKMP-peer-north
 # These connections are walked over after config file parsing and told
 # to the application layer so that it will inform us when traffic wants to
 # pass over them. This means we can do on-demand keying.
 [Phase 2]
-Connections= IPsec-east-west
+Connections= IPsec-east-west,IPsec-east-north
 # Default values are commented out.
 [ISAKMP-peer-west]
@@ -905,6 +906,20 @@
 Authentication= mekmitasdigoat
 #Flags=
+# This connection uses certifiates, it assumes you have generated a valid
+# certificate from your "Private-key", that includes the "subjectAltName"
+# as used in the ID-east section and placed it in the "Cert-directory".
+[ISAKMP-peer-north]
+Phase= 1
+#Transport= udp
+Local-address= 10.1.0.2
+Address= 10.1.0.3
+#Port= isakmp
+#Port= 500
+Configuration= RSA_SIG-phase-1-configuration
+ID= ID-east
+#Flags=
+
 [IPsec-east-west]
 Phase= 2
 ISAKMP-peer= ISAKMP-peer-west
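Review bot: `Connections= IPsec-east-west,IPsec-east-north` now names a phase 2 connection that, as far as this patch shows, is never defined — none of the hunks adds an `[IPsec-east-north]` section, so isakmpd would have no connection to key for the north peer and the example cannot be followed as written. A phase 2 section pointing at the new peer is needed next to `[IPsec-east-west]`; its `Configuration=`, `Local-ID=` and `Remote-ID=` keys would mirror those of `[IPsec-east-west]`, which lie outside this hunk. The sketch below uses a labelled placeholder for the north network ID because the patch does not define one.
```ini
[IPsec-east-north]
Phase= 2
ISAKMP-peer= ISAKMP-peer-north
# Configuration=, Local-ID= and Remote-ID= as in [IPsec-east-west],
# with Remote-ID naming the north network (placeholder: <Net-north>)
```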
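Review bot: The comment above `[ISAKMP-peer-north]` misspells "certifiates" and leaves the reader to work out which subjectAltName the certificate needs: `[ID-east]` is `ID-type= IPV4_ADDR` / `Address= 10.1.0.2`, so the local certificate has to carry an iPAddress subjectAltName of 10.1.0.2, which is what isakmpd matches the ID against when it picks and verifies certificates (worth confirming against the X509-certificates part of the page). It would also help to say that the peer's certificate must verify against a CA placed in CA-directory, since with RSA_SIG that is where trust is anchored rather than in a shared secret. A tighter comment: `# This connection authenticates with certificates: the local certificate (key in Private-key, file in Cert-directory)` / `# must carry an iPAddress subjectAltName of 10.1.0.2 matching [ID-east]; the peer's certificate must verify against CA-directory.`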
@@ -929,6 +944,19 @@
 EXCHANGE_TYPE= QUICK_MODE
 Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-AES-SHA-PFS-SUITE
+# Phase 1 description (Main Mode) using AUTHENTICATION_METHOD= RSA_SIG
+# RSA_SIG is needed when using certificates for authentication
+
+[RSA_SIG-phase-1-configuration]
+EXCHANGE_TYPE= ID_PROT
+Transforms= 3DES-SHA-RSA_SIG
+
+# The values here are what would be used by default in this configuration
+# if an ID was not specified in the ISAKMP-peer-north section.
+[ID-east]
+ID-type= IPV4_ADDR
+Address= 10.1.0.2
+
 # Data for an IKE mode-config peer
 [asn1_dn//C=SE/L=SomeCity/O=SomeCompany/CN=SomePeer.company.com]
 Address= 192.168.1.123
@@ -983,6 +1011,13 @@
 GROUP_DESCRIPTION= MODP_1024
 Life= Default-phase-1-lifetime
+[DES-MD5-RSA_SIG]
+ENCRYPTION_ALGORITHM= DES_CBC
+HASH_ALGORITHM= MD5
+AUTHENTICATION_METHOD= RSA_SIG
+GROUP_DESCRIPTION= MODP_1024
+Life= Default-phase-1-lifetime
+
 [DES-SHA]
 ENCRYPTION_ALGORITHM= DES_CBC
 HASH_ALGORITHM= SHA
@@ -990,6 +1025,13 @@
 GROUP_DESCRIPTION= MODP_1024
 Life= Default-phase-1-lifetime
+[DES-SHA-RSA_SIG]
+ENCRYPTION_ALGORITHM= DES_CBC
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= RSA_SIG
+GROUP_DESCRIPTION= MODP_1024
+Life= Default-phase-1-lifetime
+
 # 3DES
 [3DES-SHA]
@@ -999,6 +1041,13 @@
 GROUP_DESCRIPTION= MODP_1024
 Life= Default-phase-1-lifetime
+[3DES-SHA-RSA_SIG]
+ENCRYPTION_ALGORITHM= 3DES_CBC
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= RSA_SIG
+GROUP_DESCRIPTION= MODP_1024
+Life= Default-phase-1-lifetime
+
 # Blowfish
 [BLF-SHA]
@@ -1006,6 +1055,14 @@
 KEY_LENGTH= 128,96:192
 HASH_ALGORITHM= SHA
 AUTHENTICATION_METHOD= PRE_SHARED
+GROUP_DESCRIPTION= MODP_1024
+Life= Default-phase-1-lifetime
+
+[BLF-SHA-RSA_SIG]
+ENCRYPTION_ALGORITHM= BLOWFISH_CBC
+KEY_LENGTH= 128,96:192
+HASH_ALGORITHM= SHA
+AUTHENTICATION_METHOD= RSA_SIG
 GROUP_DESCRIPTION= MODP_1024
 Life= Default-phase-1-lifetime
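Review bot: The two comment lines introducing `[RSA_SIG-phase-1-configuration]` are separated from the header by a blank line, unlike the rest of the sample, where a comment sits directly above the section it describes (`# Default values are commented out.` / `[ISAKMP-peer-west]`, and `[ID-east]` in this same hunk); dropping the blank keeps the comment attached to its section. The first line also reads as a heading rather than a description of the keys that follow — `# Phase 1 (Main Mode, EXCHANGE_TYPE= ID_PROT) configuration for certificate peers; RSA_SIG selects signature authentication` says the same in one line directly above the header.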
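Review bot: `[DES-MD5-RSA_SIG]`, `[DES-SHA-RSA_SIG]` and `[BLF-SHA-RSA_SIG]` (this hunk and the three that follow it) are added but nothing in the patch references them — `[RSA_SIG-phase-1-configuration]` offers only `3DES-SHA-RSA_SIG` — and the DES_CBC and MD5 variants put 56-bit single DES and a deprecated hash in front of readers who copy the example. They do mirror the existing PRE_SHARED transforms, so if they are kept for symmetry a one-line comment above `[DES-MD5-RSA_SIG]` should say so and steer readers to the stronger entries: `# Listed for symmetry with the PRE_SHARED transforms; prefer 3DES-SHA-RSA_SIG or BLF-SHA-RSA_SIG in Transforms.` Otherwise the two DES entries are better dropped.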