Great hint, you saved me a lot of time. Thanks a lot
Christoph

> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Christian Weisgerber
> Sent: Monday, 16 September 2013 16:42
> To: misc@openbsd.org
> Subject: Re: ipsec outgoing address translation question
>
> Christoph Leser <le...@sup-logistik.de> wrote:
>
> > with ipsecctl I can configure outgoing address translation in
> > ipsec.conf like this:
> >
> > ike esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24 peer 10.10.20.1
> >
> > Is there an equivalent syntax for isakmpd.conf?
>
> All that ipsecctl does with ike rules is to translate them into a piece of
> isakmpd.conf-style configuration and pass it to isakmpd's FIFO control
> socket. Use "ipsecctl -n -v" to inspect or capture and re-use that output.
>
> C set [Phase 1]:10.10.20.1=peer-10.10.20.1 force
> C set [peer-10.10.20.1]:Phase=1 force
> C set [peer-10.10.20.1]:Address=10.10.20.1 force
> C set [peer-10.10.20.1]:Configuration=phase1-peer-10.10.20.1 force
> C set [phase1-peer-10.10.20.1]:EXCHANGE_TYPE=ID_PROT force
> C add [phase1-peer-10.10.20.1]:Transforms=phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024 force
> C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:AUTHENTICATION_METHOD=RSA_SIG force
> C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:HASH_ALGORITHM=SHA force
> C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:ENCRYPTION_ALGORITHM=AES_CBC force
> C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:KEY_LENGTH=128,128:256 force
> C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:GROUP_DESCRIPTION=MODP_1024 force
> C set [phase1-transform-peer-10.10.20.1-RSA_SIG-SHA-AES128-MODP_1024]:Life=LIFE_MAIN_MODE force
> C set [from-10.10.10.1-to-192.168.2.0/24]:Phase=2 force
> C set [from-10.10.10.1-to-192.168.2.0/24]:ISAKMP-peer=peer-10.10.20.1 force
> C set [from-10.10.10.1-to-192.168.2.0/24]:Configuration=phase2-from-10.10.10.1-to-192.168.2.0/24 force
> C set [from-10.10.10.1-to-192.168.2.0/24]:Local-ID=from-10.10.10.1 force
> C set [from-10.10.10.1-to-192.168.2.0/24]:NAT-ID=nat-192.168.1.0/24 force
> C set [from-10.10.10.1-to-192.168.2.0/24]:Remote-ID=to-192.168.2.0/24 force
> C set [phase2-from-10.10.10.1-to-192.168.2.0/24]:EXCHANGE_TYPE=QUICK_MODE force
> C set [phase2-from-10.10.10.1-to-192.168.2.0/24]:Suites=phase2-suite-from-10.10.10.1-to-192.168.2.0/24 force
> C set [phase2-suite-from-10.10.10.1-to-192.168.2.0/24]:Protocols=phase2-protocol-from-10.10.10.1-to-192.168.2.0/24 force
> C set [phase2-protocol-from-10.10.10.1-to-192.168.2.0/24]:PROTOCOL_ID=IPSEC_ESP force
> C set [phase2-protocol-from-10.10.10.1-to-192.168.2.0/24]:Transforms=phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL force
> C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:TRANSFORM_ID=AES force
> C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:KEY_LENGTH=128,128:256 force
> C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:ENCAPSULATION_MODE=TUNNEL force
> C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:AUTHENTICATION_ALGORITHM=HMAC_SHA2_256 force
> C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:GROUP_DESCRIPTION=MODP_1024 force
> C set [phase2-transform-from-10.10.10.1-to-192.168.2.0/24-AES128-SHA2_256-MODP_1024-TUNNEL]:Life=LIFE_QUICK_MODE force
> C set [from-10.10.10.1]:ID-type=IPV4_ADDR force
> C set [from-10.10.10.1]:Address=10.10.10.1 force
> C set [nat-192.168.1.0/24]:ID-type=IPV4_ADDR_SUBNET force
> C set [nat-192.168.1.0/24]:Network=192.168.1.0 force
> C set [nat-192.168.1.0/24]:Netmask=255.255.255.0 force
> C set [to-192.168.2.0/24]:ID-type=IPV4_ADDR_SUBNET force
> C set [to-192.168.2.0/24]:Network=192.168.2.0 force
> C set [to-192.168.2.0/24]:Netmask=255.255.255.0 force
> C add [Phase 2]:Connections=from-10.10.10.1-to-192.168.2.0/24
>
> --
> Christian "naddy" Weisgerber na...@mips.inka.de
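The "C set"/"C add" lines quoted above are isakmpd's FIFO control syntax, not isakmpd.conf syntax, so they still have to be turned into [Section] / Tag=Value blocks before they can live in a config file. The POSIX sh/awk script below is an added example, not part of this thread and not an OpenBSD tool: it reads captured "ipsecctl -n -v" output and prints the equivalent isakmpd.conf text. It assumes that "C set" assigns a tag and "C add" appends to a comma-separated list (the FIFO semantics described in isakmpd(8)), and it embeds a constructed subset of the quoted output as sample input; the function names fifo_to_conf and sample_fifo_output are the example's own.

```shell
#!/bin/sh
# Added example: convert isakmpd FIFO "C set"/"C add" commands, as printed
# by "ipsecctl -n -v", into isakmpd.conf-style [Section] / Tag=Value text.
# Assumption: "C set" assigns, "C add" appends to a comma-separated list.

fifo_to_conf() {
    awk '
    /^C (set|add) \[/ {
        op = $2
        rest = $0
        sub(/^C (set|add) \[/, "", rest)   # drop the "C set [" prefix
        sub(/ force$/, "", rest)            # drop the optional "force" flag
        i = index(rest, "]:")
        if (i == 0) next                    # not a [Section]:Tag=Value line
        section = substr(rest, 1, i - 1)    # may contain spaces ("Phase 1")
        kv = substr(rest, i + 2)
        j = index(kv, "=")
        if (j == 0) next
        tag = substr(kv, 1, j - 1)
        val = substr(kv, j + 1)
        key = section SUBSEP tag
        # remember sections and tags in first-seen order for stable output
        if (!(section in seen)) { seen[section] = 1; secs[++nsec] = section }
        if (!(key in vals)) { tags[section, ++ntag[section]] = tag; vals[key] = val }
        else if (op == "add") vals[key] = vals[key] "," val
        else vals[key] = val
    }
    END {
        for (s = 1; s <= nsec; s++) {
            section = secs[s]
            if (s > 1) print ""
            print "[" section "]"
            for (t = 1; t <= ntag[section]; t++) {
                tag = tags[section, t]
                print tag "=\t" vals[section SUBSEP tag]
            }
        }
    }'
}

# Constructed sample input: a subset of the "ipsecctl -n -v" lines quoted
# in the thread, enough to exercise sections, a NAT-ID and a "C add".
sample_fifo_output() {
    cat <<'EOF'
C set [Phase 1]:10.10.20.1=peer-10.10.20.1 force
C set [peer-10.10.20.1]:Phase=1 force
C set [peer-10.10.20.1]:Address=10.10.20.1 force
C set [peer-10.10.20.1]:Configuration=phase1-peer-10.10.20.1 force
C set [from-10.10.10.1-to-192.168.2.0/24]:Phase=2 force
C set [from-10.10.10.1-to-192.168.2.0/24]:ISAKMP-peer=peer-10.10.20.1 force
C set [from-10.10.10.1-to-192.168.2.0/24]:NAT-ID=nat-192.168.1.0/24 force
C set [nat-192.168.1.0/24]:ID-type=IPV4_ADDR_SUBNET force
C set [nat-192.168.1.0/24]:Network=192.168.1.0 force
C set [nat-192.168.1.0/24]:Netmask=255.255.255.0 force
C add [Phase 2]:Connections=from-10.10.10.1-to-192.168.2.0/24
EOF
}

# Stand-alone run: print the isakmpd.conf text for the sample input.
sample_fifo_output | fifo_to_conf
```

To use it on a live system, capture the real output with "ipsecctl -n -v -f /etc/ipsec.conf | fifo_to_conf" and compare the result against the existing isakmpd.conf; the NAT-ID tag on the Phase 2 connection section is what carries the outgoing address translation asked about in the thread.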