DaemonForums > OpenBSD > OpenBSD Security
#1, 29th August 2012
igy01 (Port Guard; Join Date: Jan 2011; Posts: 15)
ipsec, x509 and more than one interface

I have one OpenBSD box and two network cards; the cards are connected to different networks:
xl0 IP=10.10.10.1/24
rl0 IP=192.168.1.1/24

Now I want to configure multiple isakmpd/IPsec connections. Some IPsec connections are to hosts in the first network, some to hosts in the second network, i.e. I need protected traffic between:
10.10.10.1 <==> 10.10.10.2
10.10.10.1 <==> 10.10.10.3
192.168.1.1 <==> 192.168.1.2
192.168.1.1 <==> 192.168.1.3

Everything is clear and simple, except how to configure the x509 certificates. For me, there are two scenarios:

first scenario:
1. create only one local.key
2. create two crt: 10.10.10.1.crt and 192.168.1.1.crt in /etc/isakmpd/certs/
3. in /etc/ipsec.conf configure two different kind of lines:
ike esp from ... to ... local 10.10.10.1 peer 10.10.10.2 main auth ....
ike esp from ... to ... local 192.168.1.1 peer 192.168.1.2 main auth ....

second scenario:
1. create one local.key
2. create only one crt: 10.10.10.1.crt (or only 192.168.1.1.crt)
3. in /etc/ipsec.conf configure:
ike esp from ... to ... local 10.10.10.1 peer 10.10.10.2 main auth ....
ike esp from ... to ... local 10.10.10.1 peer 192.168.1.2 main auth ....

So, in the second scenario, IPsec is "finished" on the OpenBSD box,
but not on the interface connected to network 192.168.1.0.

Which scenario is appropriate and why? Some other idea?