I have two questions, one trivial *blush*: How can I search the archives for one or a combination of keywords?
Second, I have some questions about how to set up IPsec on a router which is connected to the Internet, an internal network, and a WLAN. The router (currently on OpenBSD 4.0) has the following interfaces:

1. Ethernet I/F to a dumb DSL modem; PPPoE in kernel mode runs over this interface.
2. Ethernet I/F with address 192.168.0.1 to a switch (internal LAN); the network address is 192.168.0.0/24.
3. Ethernet I/F with address 192.168.99.1 to an external WLAN access point (D-Link DWL-2100AP); the network address is 192.168.99.0/24.

Each of the PCs on the WLAN shall access the internal LAN and the Internet individually, but *only* via an IPsec VPN. Authentication between the PCs and the router uses X.509 certs; I have generated those already.

The ipsec.conf manual describes that the authentication method has to be set up for the isakmpd(8) daemon and references the isakmpd(8) manual. However, isakmpd(8) says: "Traditionally, isakmpd was configured using the isakmpd.conf(5) format. A newer, much simpler format is now available: ipsec.conf(5)".

Question a: So, do I need to configure an isakmpd.conf file, yes or no? Or is it all in ipsec.conf "in a much simpler format", and where does ipsec.conf(5) describe this syntax?

If I need to configure an isakmpd.conf file similar to the example in the isakmpd.conf(5) manual, I am unsure how to define the peer-west side, i.e. the WLAN network with the peers. Note that the west side does not have a single VPN end point; instead each individual peer sets up a VPN to the router, where the packets are authenticated and deciphered.

Question b: The [Phase 1] section in the example shows a single address 10.1.0.1=ISAKMP-peer-west, and the [ISAKMP-peer-west] section shows Local-address=10.1.0.2 (the east endpoint I/F, I presume) and Address=10.1.0.1 (the west endpoint I/F, I presume). What do I enter when I have a number of PCs out there on the west side?

Question c: The same example defines a connection between two local networks, Net-east and Net-west. If I also want to add a connection between the WLAN and the Internet, what do I have to define then?

Question d: There is a section for the IKE in the isakmpd.conf example which begins with [asn1_dn//...]. Is this a special representation of the distinguished name, or simply the DN string?

If someone can help with a working ipsec.conf and the possibly (?) required isakmpd.conf, I'd be grateful.

Harald