29th August 2012, igy01

ipsec, x509 and more than one interface

I have one OpenBSD box with two network cards; the cards are connected to different networks:
xl0 IP=10.10.10.1/24
rl0 IP=192.168.1.1/24

Now I want to configure multiple isakmpd/IPsec connections. Some IPsec connections are to hosts in the first network, some to hosts in the second network, i.e. I need protected traffic between:
10.10.10.1 <==> 10.10.10.2
10.10.10.1 <==> 10.10.10.3
192.168.1.1 <==> 192.168.1.2
192.168.1.1 <==> 192.168.1.3

Everything is clear and simple, except how to configure the X.509 certificates. For me, there are two scenarios:

First scenario:
1. create only one local.key
2. create two crt: 10.10.10.1.crt and 192.168.1.1.crt in /etc/isakmpd/certs/
3. in /etc/ipsec.conf configure two different kinds of lines:
ike esp from ... to ... local 10.10.10.1 peer 10.10.10.2 main auth ....
ike esp from ... to ... local 192.168.1.1 peer 192.168.1.2 main auth ....

Second scenario:
1. create one local.key
2. create only one crt: 10.10.10.1.crt (or only 192.168.1.1.crt)
3. in /etc/ipsec.conf configure:
ike esp from ... to ... local 10.10.10.1 peer 10.10.10.2 main auth ....
ike esp from ... to ... local 10.10.10.1 peer 192.168.1.2 main auth ....

So, in the second scenario, IPsec is "finished" on the OpenBSD box,
but not on the interface connected to network 192.168.1.0.

Which scenario is appropriate and why? Any other ideas?
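A concrete /etc/ipsec.conf for the first scenario, added here as an illustration and not part of the original post. The cipher suite, group and CA path are my assumptions, as is the convention that each certificate in /etc/isakmpd/certs/ carries a subjectAltName matching the address given as srcid:

```conf
# Added example (not the poster's configuration): first scenario with
# one private key and one certificate per local address.
#
# Assumed file layout:
#   /etc/isakmpd/private/local.key          shared key for both certs
#   /etc/isakmpd/ca/ca.crt                  CA that signed both certs
#   /etc/isakmpd/certs/10.10.10.1.crt       subjectAltName = IP:10.10.10.1
#   /etc/isakmpd/certs/192.168.1.1.crt      subjectAltName = IP:192.168.1.1
#
# Each flow states its own "local" address and repeats it as srcid, so
# isakmpd selects the certificate whose subjectAltName matches that ID
# and the peer on 192.168.1.0/24 is never presented the 10.10.10.1 cert.

# Network 1 on xl0: present 10.10.10.1.crt
ike esp from 10.10.10.1 to 10.10.10.2 local 10.10.10.1 peer 10.10.10.2 main auth hmac-sha2-256 enc aes-256 group modp2048 quick auth hmac-sha2-256 enc aes-256 srcid 10.10.10.1 dstid 10.10.10.2
ike esp from 10.10.10.1 to 10.10.10.3 local 10.10.10.1 peer 10.10.10.3 main auth hmac-sha2-256 enc aes-256 group modp2048 quick auth hmac-sha2-256 enc aes-256 srcid 10.10.10.1 dstid 10.10.10.3

# Network 2 on rl0: present 192.168.1.1.crt
ike esp from 192.168.1.1 to 192.168.1.2 local 192.168.1.1 peer 192.168.1.2 main auth hmac-sha2-256 enc aes-256 group modp2048 quick auth hmac-sha2-256 enc aes-256 srcid 192.168.1.1 dstid 192.168.1.2
ike esp from 192.168.1.1 to 192.168.1.3 local 192.168.1.1 peer 192.168.1.3 main auth hmac-sha2-256 enc aes-256 group modp2048 quick auth hmac-sha2-256 enc aes-256 srcid 192.168.1.1 dstid 192.168.1.3
```

Check the parse with `ipsecctl -n -f /etc/ipsec.conf` before loading it, and confirm with `ipsecctl -sa` that each SA is established with the expected local address.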