7th August 2012
xeniades

hi!
ok, the release is 5.0.
after some investigations, I think that I found the problem and solution.
to be sure that only specific local and remote subnets are able to connect with vpn/ipsec in openbsd, you have to use the isakmpd.policy. this file contains the allowed subnets, for example:

> remote_filter_addr_upper == "010.001.000.255" &&
> remote_filter_addr_lower == "010.001.000.000" &&
> local_filter_addr_upper == "010.018.000.255" &&
> local_filter_addr_lower == "010.018.000.000" &&

this file must be parsed by openbsd with keynote. but it is additional effort to create this .policy, and you have to install keynote (?)...

by default, isakmpd.policy contains only the pre-shared key and no filters.

what is the advantage of using ipsecctl(8) and ipsec.conf(5) instead of isakmpd.conf / isakmpd.policy ?
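The four filter lines quoted in the post are KeyNote attributes that isakmpd compares as strings, which is why the octets are zero-padded: "010.001.000.255" sorts correctly against "010.001.000.003", while the unpadded "10.1.0.255" would sort before "10.1.0.3". The script below is an added illustration, not code from the post or from OpenBSD; it turns a local and a remote CIDR into the padded bounds, emits a complete isakmpd.policy assertion built around them, and checks an address against the bounds the way a string comparison would. The passphrase string, the CIDRs and the address values are constructed placeholders.

```python
import ipaddress
from typing import Tuple


def pad_addr(ip: str) -> str:
    """Render an IPv4 address as four zero-padded octets, e.g. 10.1.0.255 -> 010.001.000.255.

    isakmpd's KeyNote filter attributes are compared as strings, so the padding is what
    makes lexicographic order agree with numeric order.
    """
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(f"{int(octet):03d}" for octet in str(addr).split("."))


def cidr_bounds(cidr: str) -> Tuple[str, str]:
    """Return (lower, upper) padded bounds for a CIDR block, matching the *_addr_lower/_upper attributes."""
    net = ipaddress.ip_network(cidr, strict=False)
    return pad_addr(str(net.network_address)), pad_addr(str(net.broadcast_address))


def addr_in_range(addr: str, lower: str, upper: str, pad: bool = True) -> bool:
    """String comparison as KeyNote would do it.

    With pad=True the address is padded before comparing; pad=False shows what happens
    when someone writes the bounds unpadded (the comparison silently goes wrong).
    """
    candidate = pad_addr(addr) if pad else addr
    return lower <= candidate <= upper


def keynote_policy(local_cidr: str, remote_cidr: str, passphrase: str) -> str:
    """Build an isakmpd.policy assertion that accepts only the given local/remote subnet pair.

    The surrounding lines (KeyNote-Version, Authorizer, Licensees, app_domain, esp_* checks)
    are the standard isakmpd.policy(5) skeleton; the four filter lines are the subnet restriction.
    """
    local_lo, local_hi = cidr_bounds(local_cidr)
    remote_lo, remote_hi = cidr_bounds(remote_cidr)
    return "\n".join([
        "KeyNote-Version: 2",
        'Authorizer: "POLICY"',
        f'Licensees: "passphrase:{passphrase}"',
        'Conditions: app_domain == "IPsec policy" &&',
        '\tesp_present == "yes" &&',
        '\tesp_enc_alg != "null" &&',
        f'\tlocal_filter_addr_lower == "{local_lo}" &&',
        f'\tlocal_filter_addr_upper == "{local_hi}" &&',
        f'\tremote_filter_addr_lower == "{remote_lo}" &&',
        f'\tremote_filter_addr_upper == "{remote_hi}" -> "true";',
        "",
    ])


if __name__ == "__main__":
    # Constructed sample values: the subnets from the post and a placeholder passphrase.
    print(keynote_policy("10.18.0.0/24", "10.1.0.0/24", "EXAMPLE-PSK-PLACEHOLDER"))
    lo, hi = cidr_bounds("10.1.0.0/24")
    print("padded   10.1.0.3 in range:", addr_in_range("10.1.0.3", lo, hi))
    print("unpadded 10.1.0.3 in range:", addr_in_range("10.1.0.3", "10.1.0.0", "10.1.0.255", pad=False))
```

The unpadded comparison is the pitfall worth checking for when reviewing a hand-written isakmpd.policy: "10.1.0.3" is lexicographically greater than "10.1.0.255", so an unpadded upper bound rejects most of the subnet it was meant to allow. With ipsec.conf(5) the same subnet pair is instead written as the `from`/`to` part of an `ike` rule, and isakmpd is then normally started with `-K`, which disables KeyNote policy checking, so the restriction lives in ipsec.conf rather than in isakmpd.policy.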