ISAKMPD is a key management
system. It does the sharing of keys for IPSec in four very different ways:
- Shared passphrases: useful for provisioning tests, not recommended for production use
- Host Keys: most common use between OpenBSD instances, and recommended in most of the Internet-based How-to documentation since the advent of ipsecctl.conf.
- X.509 Certificates: useful when a peer with non-OpenBSD ISAKMPD systems
- Keynote Authentification: used in complex trust management systems only
It is the Host Key option I was referring to, as I had assumed you had been reading the "Zero to IPSec in 4 Minutes" How-to document. It uses IPv4 Host Keys and static addressing, as do most others.
Host Keys allow for four different naming conventions. And that is all they are -- naming conventions. They make setting up SAs and Flows in ipsecctl.conf easier. They are:
- ipv4 - the keys are named by static IP address in IPv4 format
- ipv6 - the keys are named by static IP address in IPv6 format
- fqdn - the keys are named by fully qualified domain name
- ufqdn - the keys are named by user@fully qualified domain name
There is no difference between these other than file naming and storage location under /etc/isakmpd.
Yes, it is much easier if you use no-ip or dyndns or some other method of referring to dynamic IP addresses by domain name, and altering the reference when they change.