25th October 2010
jggimi

ISAKMPD is a key management system. It does the sharing of keys for IPSec in four very different ways:
  1. Shared passphrases: useful for provisioning tests, not recommended for production use
  2. Host Keys: most common use between OpenBSD instances, and recommended in most of the Internet-based How-to documentation since the advent of ipsecctl.conf.
  3. X.509 Certificates: useful when peering with non-OpenBSD ISAKMPD systems
  4. Keynote Authentication: used in complex trust management systems only
It is the Host Key option I was referring to, as I had assumed you had been reading the "Zero to IPSec in 4 Minutes" How-to document. It uses IPv4 Host Keys and static addressing, as do most others.

Host Keys allow for four different naming conventions. And that is all they are -- naming conventions. They make setting up SAs and Flows in ipsecctl.conf easier. They are:
  1. ipv4 - the keys are named by static IP address in IPv4 format
  2. ipv6 - the keys are named by static IP address in IPv6 format
  3. fqdn - the keys are named by fully qualified domain name
  4. ufqdn - the keys are named by user@fully qualified domain name
There is no difference between these other than file naming and storage location under /etc/isakmpd.

Yes, it is much easier if you use no-ip or dyndns or some other method of referring to dynamic IP addresses by domain name, and altering the reference when they change.
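The four Host Key naming conventions above differ only in where the peer's public key is stored under /etc/isakmpd. The following is an added example, not code from jggimi's post or from OpenBSD: it maps a peer identity type and value to the key file isakmpd consults (assuming the pubkeys/<type>/<id> layout documented in isakmpd(8)) and refuses identities that are malformed for their type, so a peer-supplied string can never be turned into an arbitrary path. The ISAKMPD_DIR override is this example's own convenience, not an isakmpd setting.

```shell
#!/bin/sh
# Added example: resolve an isakmpd peer identity to its public-key file.
# Assumes the isakmpd(8) layout /etc/isakmpd/pubkeys/<type>/<id>; the
# ISAKMPD_DIR override exists only so the functions can be tested elsewhere.
ISAKMPD_DIR="${ISAKMPD_DIR:-/etc/isakmpd}"

# isakmpd_id_ok TYPE ID -> 0 if ID is well-formed for the naming convention TYPE.
# Each pattern allows only the characters that convention can contain, which
# also rules out path separators and ".." before the ID is used in a path.
isakmpd_id_ok() {
    case "$1" in
        ipv4)  printf '%s' "$2" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ;;
        ipv6)  printf '%s' "$2" | grep -Eq '^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$' ;;
        fqdn)  printf '%s' "$2" | grep -Eq '^([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$' ;;
        ufqdn) printf '%s' "$2" | grep -Eq '^[^@/[:space:]]+@([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$' ;;
        *)     return 1 ;;
    esac
}

# isakmpd_pubkey_path TYPE ID -> prints the file isakmpd will look up for this peer,
# or fails (printing nothing) when TYPE or ID is not acceptable.
isakmpd_pubkey_path() {
    isakmpd_id_ok "$1" "$2" || return 1
    printf '%s/pubkeys/%s/%s\n' "$ISAKMPD_DIR" "$1" "$2"
}

# isakmpd_pubkey_check TYPE ID -> 0 if a non-empty key file is installed for the peer.
# Useful before starting isakmpd: a missing file here means Phase 1 will fail for
# that peer and the reason will only show up in isakmpd's debug output.
isakmpd_pubkey_check() {
    p=$(isakmpd_pubkey_path "$1" "$2") || return 1
    [ -s "$p" ]
}
```

Run `isakmpd_pubkey_check fqdn gw2.example.org` for each peer named in your configuration before restarting isakmpd; a non-zero exit means the key for that identity is not where isakmpd will look.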