Greetings,

I am trying to establish ipsec between a 4.2-current box and a Cisco 3005 concentrator, without going to manual keying or setting up isakmpd.conf or .policy.

I have come across a few folks who have been successful using 4.0 and 4.1 with isakmpd.conf or isakmpd.policy, but my understanding is that under 4.2 the functions provided by the aforementioned files are now better handled by ipsec.conf.

I'm going to toss out some generalities here before I resort to posting debugs from isakmpd because I think I'm only missing one critical factor in Phase2. If this is improper, I'll gladly post logs, but I think I'm almost there and only missing one key piece of info.

Phase 1 negotiates fine; Phase 2 fails. I believe this is due to the fact that the key lifetime isn't coordinated, but I could be wrong (hell, it's likely...).

My question is - what is the default key lifetime (in seconds, preferably) for the 4.2 implementation of isakmp? I can modify the Cisco end to a degree, but I can't find any way to change this on my OpenBSD 4.2 box, nor even find the default. The ipsec man page has a paragraph on lifetimes, but the specifics escape me. I can't find anything in man isakmpd.

- Am I forced to use manual keying/flows in order to specify key lifetimes? And if so, what is the syntax?
- Is there a modifier in 4.2 ipsec.conf to use automatic keying with a specified key lifetime? I can't find it for the life of me.

Like I said, if I'm being improper by not posting logs, I can certainly do that, but I think I'm almost there.

ipsec.conf that negotiates phase 1 fine (going with Cisco 3005 default transforms for a LAN-to-LAN IPSEC tunnel):

    ike esp from a.a.a.a/24 to z.z.z.z/24 peer 1.1.1.1 \
        main auth hmac-md5 enc 3des group modp1024 \
        quick auth hmac-md5 enc 3des group none \
        psk blahblah

Peer/endpoint IDs are tricky, and I have messed around with adding "local" and/or srcid/dstid to the line, with no major change in behavior - leading me to believe that my issue is outside of this line.

Anyhow, thanks for any advice you can provide.

Cheers
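Added example, not part of the post above and not OpenBSD's own code: a small parser for the one-line `ike` rule shape shown in the message, followed by an audit that flags the proposal settings a reviewer would question today (hmac-md5, 3des, a 1024-bit DH group, and no PFS group in quick mode). The keyword handling assumes the `from`/`to`/`peer`/`main`/`quick`/`auth`/`enc`/`group`/`psk` ordering used in the post; the sample rule below is constructed from that line and the "weak" sets are my own assumption about what to flag. It says nothing about isakmpd's default lifetimes, which is the open question in the post.

```python
"""Tokenize an OpenBSD ipsec.conf(5) 'ike' rule and audit its proposals.

Example code written for this thread, not taken from the original post or
from OpenBSD. Grammar coverage is limited to the keywords seen in the post.
"""

# Constructed sample: same shape as the rule in the post, with placeholders.
SAMPLE_RULE = ("ike esp from a.a.a.a/24 to z.z.z.z/24 peer 1.1.1.1 "
               "main auth hmac-md5 enc 3des group modp1024 "
               "quick auth hmac-md5 enc 3des group none psk blahblah")

# Assumed "weak" sets for the audit (editor's choice, not from ipsec.conf(5)).
WEAK_AUTH = {"hmac-md5"}
WEAK_ENC = {"des", "3des"}
WEAK_GROUP = {"modp768", "modp1024"}


def parse_ike_rule(rule):
    """Return a dict with proto, from/to/peer, per-phase proposals, psk flag."""
    tokens = rule.split()
    if not tokens or tokens[0] != "ike":
        raise ValueError("not an ike rule")
    out = {"proto": None, "from": None, "to": None, "peer": None,
           "main": {}, "quick": {}, "psk": False}

    def value_after(i):
        # Every keyword handled here takes exactly one argument.
        if i + 1 >= len(tokens):
            raise ValueError(f"keyword {tokens[i]!r} is missing its argument")
        return tokens[i + 1]

    phase = None  # which proposal block ('main' or 'quick') we are inside
    i = 1
    if i < len(tokens) and tokens[i] in ("esp", "ah"):
        out["proto"] = tokens[i]
        i += 1
    while i < len(tokens):
        t = tokens[i]
        if t in ("from", "to", "peer"):
            out[t] = value_after(i)
            i += 2
        elif t in ("main", "quick"):
            phase = t
            i += 1
        elif t in ("auth", "enc", "group"):
            if phase is None:
                raise ValueError(f"{t!r} given outside a main/quick block")
            out[phase][t] = value_after(i)
            i += 2
        elif t == "psk":
            value_after(i)      # validate presence, but never keep the secret
            out["psk"] = True
            i += 2
        else:
            raise ValueError(f"unexpected token {t!r}")
    return out


def audit(parsed):
    """List human-readable findings about weak proposal choices."""
    findings = []
    for phase in ("main", "quick"):
        p = parsed[phase]
        if p.get("auth") in WEAK_AUTH:
            findings.append(f"{phase}: weak auth {p['auth']}")
        if p.get("enc") in WEAK_ENC:
            findings.append(f"{phase}: weak enc {p['enc']}")
        if phase == "main" and p.get("group") in WEAK_GROUP:
            findings.append(f"main: weak DH group {p['group']}")
        if phase == "quick" and p.get("group") in (None, "none"):
            findings.append("quick: no PFS group (consider group modp2048 or stronger)")
    return findings


if __name__ == "__main__":
    parsed = parse_ike_rule(SAMPLE_RULE)
    print(parsed)
    for finding in audit(parsed):
        print("-", finding)
```

Running it against the sample rule prints six findings; a rule using hmac-sha2-256, aes-256 and modp2048 in both phases produces none. The parser deliberately records only that a `psk` was present rather than its value, so the output can be pasted into a ticket or mailing-list post without leaking the secret.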
