When I have used ipsec.conf, I used automatic keying and automatic SAs. Here is an example, using FQDNs rather than IP addresses.
Code:
ike dynamic esp from egress to jggimi.jggimi.homeip.net \
srcid netbook.jggimi.homeip.net dstid jggimi.jggimi.homeip.net
The key pairs are stored in different branches of the /etc/isakmpd/{private,pubkeys}/ structure. For FQDNs, as in this example, the public keys are stored in /etc/isakmpd/pubkeys/fqdn/ and the private key used locally is stored in /etc/isakmpd/private/. The public key filenames should be the FQDNs of the participating systems. I have always called the private key file local.key.
Code:
# ls -lR /etc/isakmpd/{pubkeys,private}
/etc/isakmpd/private:
total 4
-rw------- 1 root wheel 1675 Dec 27 2009 local.key
/etc/isakmpd/pubkeys:
total 16
drwxr-xr-x 2 root wheel 512 Feb 1 13:51 fqdn
drwxr-xr-x 2 root wheel 512 Feb 1 13:51 ipv4
drwxr-xr-x 2 root wheel 512 Feb 1 13:51 ipv6
drwxr-xr-x 2 root wheel 512 Feb 1 13:51 ufqdn
/etc/isakmpd/pubkeys/fqdn:
total 8
-rw-r--r-- 1 root wheel 272 May 1 2010 jggimi.jggimi.homeip.net
-rw-r--r-- 1 root wheel 451 May 1 2010 netbook.jggimi.homeip.net
/etc/isakmpd/pubkeys/ipv4:
/etc/isakmpd/pubkeys/ipv6:
/etc/isakmpd/pubkeys/ufqdn:
#
Using IP addresses is similar, but the key files are stored in a different branch of the /etc/isakmpd tree. For IPv4 addresses, store the public keys in /etc/isakmpd/pubkeys/ipv4/, and their filenames should be their applicable IPv4 addresses.
EDITED TO ADD: This host key infrastructure is not the only possibility. This and other key management methods are documented in the isakmpd(8) man page, in the IKE Public Key Infrastructure section.
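As an added example (not code from the post above or from OpenBSD itself), the following script builds the same /etc/isakmpd/{private,pubkeys/fqdn} layout and then sanity-checks it against the srcid/dstid of an ike rule like the one in the post: private key present and mode 0600, one PEM public key filed under each participating FQDN, and, when openssl(1) is available, a private key that really corresponds to the public key filed under the local srcid. The tree root, the 2048-bit key size and the use of openssl genrsa / openssl rsa -pubout for key generation are assumptions; the two FQDNs are the hypothetical ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes an isakmpd-style tree
# rooted at ROOT (normally /etc/isakmpd) and openssl(1) for key generation.

# make_keypair ROOT FQDN [BITS]
# Writes private/local.key (root-only) and files the matching PEM public
# key under pubkeys/fqdn/FQDN, the name isakmpd uses to look it up.
make_keypair() {
    root=$1 fqdn=$2 bits=${3:-2048}
    mkdir -p "$root/private" "$root/pubkeys/fqdn" "$root/pubkeys/ipv4" \
             "$root/pubkeys/ipv6" "$root/pubkeys/ufqdn" || return 1
    # subshell so the restrictive umask does not leak to the caller
    ( umask 077 && openssl genrsa -out "$root/private/local.key" "$bits" 2>/dev/null ) \
        || return 1
    openssl rsa -in "$root/private/local.key" -pubout \
        -out "$root/pubkeys/fqdn/$fqdn" 2>/dev/null
}

# check_keys ROOT SRCID DSTID
# Returns 0 when the tree has what the ike rule needs, 1 otherwise, and
# prints the first problem found to stderr.
check_keys() {
    root=$1 srcid=$2 dstid=$3
    key=$root/private/local.key
    [ -f "$key" ] || { echo "missing $key" >&2; return 1; }
    # -perm 600 is an exact match: group and other must have no access at all
    [ -n "$(find "$key" -perm 600)" ] \
        || { echo "$key must be mode 0600" >&2; return 1; }
    for id in "$srcid" "$dstid"; do
        pub=$root/pubkeys/fqdn/$id
        [ -f "$pub" ] || { echo "missing public key $pub" >&2; return 1; }
        grep -q 'BEGIN PUBLIC KEY' "$pub" \
            || { echo "$pub is not a PEM public key" >&2; return 1; }
    done
    # Cross-check: the public key filed under our own id must be derived
    # from local.key, or the peer will verify our IKE signatures against
    # the wrong key. Skipped when openssl is not installed.
    if command -v openssl >/dev/null 2>&1; then
        derived=$(openssl rsa -in "$key" -pubout 2>/dev/null) \
            || { echo "cannot read $key as an RSA private key" >&2; return 1; }
        [ "$derived" = "$(cat "$root/pubkeys/fqdn/$srcid")" ] \
            || { echo "local.key does not match pubkeys/fqdn/$srcid" >&2; return 1; }
    fi
    return 0
}

# Usage (hypothetical names, same as the ike rule in the post):
#   make_keypair /etc/isakmpd netbook.jggimi.homeip.net
#   scp the peer's pubkeys/fqdn/jggimi.jggimi.homeip.net into place, then
#   check_keys /etc/isakmpd netbook.jggimi.homeip.net jggimi.jggimi.homeip.net
```

The peer's public key is not generated here; it is copied from the peer over a trusted channel and filed under the peer's FQDN, which is the step the check is most useful for, since a file under the wrong name or a stale key fails silently until the IKE exchange does.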