OpenBSD Security

ipsec, x509 and more than one interface
I have one OpenBSD box and two network cards, cards are connected to different networks:

xl0 IP=10.10.10.1/24
rl0 IP=192.168.1.1/24

Now I want to configure multiple isakmpd/IPsec connections. Some IPsec connections are against hosts from first network, some of them are in second network, i.e. I need protected traffic between:

10.10.10.1 <==> 10.10.10.2
10.10.10.1 <==> 10.10.10.3
192.168.1.1 <==> 192.168.1.2
192.168.1.1 <==> 192.168.1.3

Everything is clear and simple, except how to configure x509 certificates? For me, there are two scenarios:

first scenario:
1. create only one local.key
2. create two crt: 10.10.10.1.crt and 192.168.1.1.crt in /etc/isakmpd/certs/
3. in /etc/ipsec.conf configure two different kind of lines:
ike esp from ... to ... local 10.10.10.1 peer 10.10.10.2 main auth ....
ike esp from ... to ... local 192.168.1.1 peer 192.168.1.2 main auth ....

second scenario:
1. create one local.key
2. create only one crt: 10.10.10.1.crt (or only 192.168.1.1.crt)
3. in /etc/ipsec.conf configure:
ike esp from ... to ... local 10.10.10.1 peer 10.10.10.2 main auth ....
ike esp from ... to ... local 10.10.10.1 peer 192.168.1.2 main auth ....

So, in second scenario, IPsec is "finished" on OpenBSD box, but not on interface connected to network 192.168.1.0

Which scenario is appropriate and why? Some other idea?
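The poster's first scenario, spelled out as an added example (not code from the post or from OpenBSD): one local.key shared by two certificates, one per local address, and one ike rule per peer. It assumes a throwaway demo CA, an output directory $OUT standing in for /etc/isakmpd/, and that isakmpd selects the certificate whose subjectAltName matches each rule's srcid.

```sh
#!/bin/sh
# Added example for the first scenario: one key, one cert per local IP,
# one ike rule per peer. Assumed: demo CA, $OUT instead of /etc/isakmpd/,
# cert chosen by subjectAltName = srcid. Cipher choices are assumptions.
set -eu
OUT="${OUT:-./isakmpd-demo}"

# One ike rule per peer. srcid names the local address (and so the cert)
# the rule authenticates with; dstid is the identity expected of the peer.
gen_ipsec_conf() {
    for pair in 10.10.10.1:10.10.10.2 10.10.10.1:10.10.10.3 \
                192.168.1.1:192.168.1.2 192.168.1.1:192.168.1.3; do
        me=${pair%:*}; peer=${pair#*:}
        echo "ike esp from $me to $peer local $me peer $peer" \
             "main auth hmac-sha2-256 enc aes-256 group modp2048" \
             "quick auth hmac-sha2-256 enc aes-256" \
             "srcid $me dstid $peer"
    done
}

# Shared key in private/local.key; one cert per local IP in certs/, each
# carrying subjectAltName=IP:<address> so it matches the srcid above.
make_certs() {
    mkdir -p "$OUT/private" "$OUT/certs" "$OUT/ca"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
        -keyout "$OUT/ca/ca.key" -out "$OUT/ca/ca.crt" 2>/dev/null
    openssl genrsa -out "$OUT/private/local.key" 2048 2>/dev/null
    for ip in 10.10.10.1 192.168.1.1; do
        echo "subjectAltName=IP:$ip" > "$OUT/$ip.ext"
        openssl req -new -key "$OUT/private/local.key" -subj "/CN=$ip" \
            -out "$OUT/$ip.csr"
        openssl x509 -req -in "$OUT/$ip.csr" -CA "$OUT/ca/ca.crt" \
            -CAkey "$OUT/ca/ca.key" -CAcreateserial -days 365 \
            -extfile "$OUT/$ip.ext" -out "$OUT/certs/$ip.crt" 2>/dev/null
        rm -f "$OUT/$ip.csr" "$OUT/$ip.ext"
    done
}

# Which IP addresses a certificate carries in its subjectAltName.
cert_san_ips() {
    openssl x509 -in "$1" -noout -text | grep -o 'IP Address:[0-9.]*'
}

# Demo run: write the config and, if openssl is present, key and certs.
mkdir -p "$OUT"
gen_ipsec_conf > "$OUT/ipsec.conf"
if command -v openssl >/dev/null 2>&1; then make_certs; fi
```

On the OpenBSD box, `ipsecctl -n -f isakmpd-demo/ipsec.conf` parses the generated rules without loading them; private/, certs/ and ca/ then go under /etc/isakmpd/ in the directories of the same names.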