DaemonForums > OpenBSD > OpenBSD Security

IPsec and fixed keys

#1  igy01, 18th February 2014

I want to set up IPsec with manual keying (not using isakmpd at all).

So I set up something like this:

host01 /etc>cat ipsec.conf
#
# Set up a tunnel using static keying:
#

flow esp from 192.168.1.0/24 to 192.168.2.0/24 peer 10.10.10.2

esp from 10.10.10.1 to 10.10.10.2 spi 0xabd9da39:0xc9dbb83d \
authkey 0x54....something_hex...:0x.....something_hex... \
enckey 0x...some_hex....:0x...some_hex......

And it works fine.

Now I want to put the keys into separate files, and my question is: how do I create the files for authkey and enckey?

It is NOT working for me when I set up something like:

cat /etc/authkey.txt
0xaaaa........:0xbbbbbb...... (all is one line, keys separated by : )

or:

0xaaaa....... (two lines)
0xbbbb......

or:

aaaa....
bbbb...


What is the right syntax for these two files? I can't find any example :-(


Of course, ipsec.conf is now:

flow esp from 192.168.1.0/24 to 192.168.2.0/24 peer 10.10.10.2

esp from 10.10.10.1 to 10.10.10.2 spi 0xabd9da39:0xc9dbb83d \
authkey file "/etc/authkey.txt" enckey file "/etc/enckey.txt"

#2  jggimi, 19th February 2014

When I have used ipsec.conf, I used automatic keying and automatic SAs. Here is an example, using FQDNs rather than IP addresses.
Code:
ike dynamic esp from egress to jggimi.jggimi.homeip.net \
    srcid netbook.jggimi.homeip.net dstid jggimi.jggimi.homeip.net
The key pairs are stored in different branches of the /etc/isakmpd/{private,pubkeys}/ structure. For FQDNs, as in this example, the public keys are stored in /etc/isakmpd/pubkeys/fqdn/ and the private key used locally is stored in /etc/isakmpd/private/. The public key filenames should be the FQDNs of the participating systems. I have always called the private key file local.key.
Code:
# ls -lR /etc/isakmpd/{pubkeys,private}
/etc/isakmpd/private:
total 4
-rw-------  1 root  wheel  1675 Dec 27    2009 local.key

/etc/isakmpd/pubkeys:
total 16
drwxr-xr-x  2 root  wheel  512 Feb  1 13:51 fqdn
drwxr-xr-x  2 root  wheel  512 Feb  1 13:51 ipv4
drwxr-xr-x  2 root  wheel  512 Feb  1 13:51 ipv6
drwxr-xr-x  2 root  wheel  512 Feb  1 13:51 ufqdn

/etc/isakmpd/pubkeys/fqdn:
total 8
-rw-r--r--  1 root  wheel  272 May  1  2010 jggimi.jggimi.homeip.net
-rw-r--r--  1 root  wheel  451 May  1  2010 netbook.jggimi.homeip.net

/etc/isakmpd/pubkeys/ipv4:

/etc/isakmpd/pubkeys/ipv6:

/etc/isakmpd/pubkeys/ufqdn:
#
Using IP addresses is similar, but the key files are stored in a different branch of the /etc/isakmpd tree. For IPv4 addresses, store the public keys in /etc/isakmpd/pubkeys/ipv4/, and their filenames should be their applicable ipv4 addresses.

EDITED TO ADD: This host key infrastructure is not the only possibility. This and other key management methods are documented in the isakmpd(8) man page, in the IKE Public Key Infrastructure section.

#3  jggimi, 19th February 2014

I did find a couple of examples of authkey file syntax for manual keying:

https://groups.google.com/forum/#!to...sc/dldoO1bCX0M
http://openbsd.7691.n7.nabble.com/ip...ng-td2673.html

Perhaps these will help you get your desired manual keying working.
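To close the loop on the original question, here is an added example (my own script, not code from any post in this thread) that creates key files in the form ipsecctl(8) accepts for "authkey file" / "enckey file" and prints the SA line that references them. It rests on how I read ipsecctl's key-file parser rather than on anything stated above, so check it against ipsec.conf(5) on your release: each file holds a single key as bare hex digits, with no 0x prefix, no colon and no second line (which is why all three layouts tried in post #1 fail: "0x", ":" and a newline are not hex digits), the key length is taken from the file size, two keys go in two files written as file "/path/out:/path/in", and the files must be private to root. The directory /etc/ipsec-keys, the file names authkey.out/.in and enckey.out/.in, and the explicit auth hmac-sha2-256 / enc aes-128 choice are my assumptions.

```shell
#!/bin/sh
# Added example; not code from this thread. Creates the key files that
# ipsecctl(8) reads for "authkey file" / "enckey file" and prints the
# matching SA line for /etc/ipsec.conf.
#
# Assumptions (how I read ipsecctl's key-file parser; not stated in the
# posts above, so check ipsec.conf(5) on your release): a key file holds
# ONE key as bare hex digits, no "0x" prefix, no colon, no second line;
# the key length is derived from the file size (two digits per byte); and
# the file must be owned by root and not group/world accessible. The
# directory and file names below are hypothetical.
set -eu

KEYDIR=${KEYDIR:-/etc/ipsec-keys}   # hypothetical location of the four key files

# gen_key FILE NBYTES: write NBYTES of random key as 2*NBYTES lowercase hex
# digits, no "0x", no trailing newline, created with mode 0600.
gen_key() {
    file=$1; nbytes=$2
    hex=$(od -An -tx1 -N "$nbytes" /dev/urandom | tr -d ' \t\n')
    ( umask 077; printf '%s' "$hex" > "$file" )
}

# key_ok FILE NBYTES: succeed only if FILE is exactly 2*NBYTES hex digits,
# i.e. what the parser turns into an NBYTES-byte key. This rejects every
# variant tried in post #1: "0x", ":" and a second line are not hex digits.
key_ok() {
    file=$1; nbytes=$2
    size=$(wc -c < "$file" | tr -d ' ')
    hexonly=$(tr -cd '0-9a-fA-F' < "$file" | wc -c | tr -d ' ')
    [ "$size" -eq $((nbytes * 2)) ] && [ "$hexonly" -eq "$size" ]
}

# key_len FILE: the key length in bytes the parser derives (file size / 2).
key_len() {
    echo $(( $(wc -c < "$1" | tr -d ' ') / 2 ))
}

# sa_line LOCAL PEER SPI_OUT SPI_IN: the SA line that loads the four files.
# The file before the colon feeds the outgoing SA (LOCAL -> PEER), the file
# after it the incoming SA, the same way the spi X:Y pair is read. The
# peer's ipsec.conf uses the same key material with the two files and the
# two SPIs swapped.
sa_line() {
    printf 'esp from %s to %s spi %s:%s \\\n' "$1" "$2" "$3" "$4"
    printf '    auth hmac-sha2-256 enc aes-128 \\\n'
    printf '    authkey file "%s/authkey.out:%s/authkey.in" \\\n' "$KEYDIR" "$KEYDIR"
    printf '    enckey file "%s/enckey.out:%s/enckey.in"\n' "$KEYDIR" "$KEYDIR"
}

# main DIR: generate all four keys in DIR (hmac-sha2-256 takes a 32-byte
# key, aes-128 a 16-byte key), verify them, and print host01's SA line
# with the addresses and SPIs from post #1.
main() {
    KEYDIR=$1
    mkdir -p "$KEYDIR"
    chmod 700 "$KEYDIR"
    for k in authkey.out authkey.in; do gen_key "$KEYDIR/$k" 32; key_ok "$KEYDIR/$k" 32; done
    for k in enckey.out enckey.in;   do gen_key "$KEYDIR/$k" 16; key_ok "$KEYDIR/$k" 16; done
    sa_line 10.10.10.1 10.10.10.2 0xabd9da39 0xc9dbb83d
}

# Only writes when a directory is given explicitly: sh mkkeys.sh /etc/ipsec-keys
if [ $# -ge 1 ]; then main "$1"; fi
```

Paste the printed SA line under the flow rule, then ipsecctl -n -f /etc/ipsec.conf parses it without loading anything (a bad key file shows up here), ipsecctl -f /etc/ipsec.conf loads it, and ipsecctl -s sa lists the resulting SAs. Copy the four files to host02 over a channel you already trust (ssh, not the tunnel you are building); on host02 install host01's *.in files as its *.out files and vice versa, and call sa_line 10.10.10.2 10.10.10.1 0xc9dbb83d 0xabd9da39 so the SPIs are swapped too.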