I want to set up IPsec & manual keying (not use isakmpd at all)
So, I set up something as:
Code:
host01 /etc>cat ipsec.conf
#
# Set up a tunnel using static keying:
#
flow esp from 192.168.1.0/24 to 192.168.2.0/24 peer 10.10.10.2
esp from 10.10.10.1 to 10.10.10.2 spi 0xabd9da39:0xc9dbb83d \
    authkey 0x54....something_hex...:0x.....something_hex... \
    enckey 0x...some_hex....:0x...some_hex......
And it works fine. Now I want to put keys into separate files, and my question is, how to create files for authkey and enckey? It is NOT working for me, when I set up something as:
Code:
cat /etc/authkey.txt
0xaaaa........:0xbbbbbb......
(all is one line, keys separated by : ) or:
Code:
0xaaaa.......
0xbbbb......
(two lines) or:
Code:
aaaa....
bbbb...
What is the right syntax for these two files? I can't find any example :-( Of course, ipsec.conf is now:
Code:
flow esp from 192.168.1.0/24 to 192.168.2.0/24 peer 10.10.10.2
esp from 10.10.10.1 to 10.10.10.2 spi 0xabd9da39:0xc9dbb83d \
    authkey file "/etc/authkey.txt" enckey file "/etc/enckey.txt"
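As an added example (not from the thread and not part of OpenBSD's own tooling), the following Python checks a key pair written in the inline 0xHEX:0xHEX form that the first ipsec.conf above uses for authkey and enckey: it parses both halves (one key per direction), flags length mismatches, trivially weak keys and reuse of one key for both directions, and can produce a fresh pair from the OS random generator. The expected_len parameter and the SAMPLE_SPEC value are assumptions for illustration; the block says nothing about the syntax of the separate key files, which is the open question in the thread.

```python
import re
import secrets

# Constructed sample in the 0xHEX:0xHEX form used on the esp line above
# (the spi pair from the post); the values are placeholders, not real keys.
SAMPLE_SPEC = "0xabd9da39:0xc9dbb83d"

# One hex key token: optional 0x prefix followed by hex digits only.
_HEX_KEY = re.compile(r"^(?:0x)?([0-9a-fA-F]+)$")


def parse_key(token):
    """Convert one 0x... token to bytes; raise ValueError if it is not clean hex."""
    m = _HEX_KEY.match(token.strip())
    if m is None:
        raise ValueError(f"not a hex key: {token!r}")
    digits = m.group(1)
    if len(digits) % 2:
        raise ValueError(f"odd number of hex digits in {token!r}")
    return bytes.fromhex(digits)


def parse_keypair(spec):
    """Split a 'key:key' pair (one key per direction) into two byte strings."""
    parts = spec.strip().split(":")
    if len(parts) != 2:
        raise ValueError("expected exactly two keys separated by ':'")
    return parse_key(parts[0]), parse_key(parts[1])


def is_valid_keypair(spec):
    """True if spec parses as two hex keys, False otherwise."""
    try:
        parse_keypair(spec)
    except ValueError:
        return False
    return True


def check_keypair(spec, expected_len=None):
    """Return a list of findings for a key pair; an empty list means nothing flagged.

    expected_len is the key length in bytes required by the chosen auth or
    encryption algorithm (hypothetical parameter; look the length up for the
    algorithm actually configured).
    """
    first, second = parse_keypair(spec)
    findings = []
    if len(first) != len(second):
        findings.append(f"key lengths differ: {len(first)} vs {len(second)} bytes")
    for name, key in (("first", first), ("second", second)):
        if expected_len is not None and len(key) != expected_len:
            findings.append(f"{name} key is {len(key)} bytes, expected {expected_len}")
        if len(set(key)) == 1:
            # all-zero and other single-repeated-byte keys are trivially guessable
            findings.append(f"{name} key is a single repeated byte 0x{key[0]:02x}")
    if first == second:
        findings.append("same key used for both directions")
    return findings


def generate_keypair(nbytes):
    """Produce a fresh random 0xHEX:0xHEX pair, nbytes per key, from the OS CSPRNG."""
    return f"0x{secrets.token_hex(nbytes)}:0x{secrets.token_hex(nbytes)}"


if __name__ == "__main__":
    print(SAMPLE_SPEC, "->", check_keypair(SAMPLE_SPEC) or "no findings")
    print(generate_keypair(32))
```

Run it directly to check a pair and print a freshly generated one; pass expected_len once you know the key size of the algorithm you configured, so an inline key of the wrong length is caught before the rule is loaded.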
When I have used ipsec.conf, I used automatic keying and automatic SAs. Here is an example, using FQDNs rather than IP addresses.
Code:
ike dynamic esp from egress to jggimi.jggimi.homeip.net \
    srcid netbook.jggimi.homeip.net dstid jggimi.jggimi.homeip.net
Code:
# ls -lR /etc/isakmpd/{pubkeys,private}
/etc/isakmpd/private:
total 4
-rw-------  1 root  wheel  1675 Dec 27  2009 local.key

/etc/isakmpd/pubkeys:
total 16
drwxr-xr-x  2 root  wheel  512 Feb  1 13:51 fqdn
drwxr-xr-x  2 root  wheel  512 Feb  1 13:51 ipv4
drwxr-xr-x  2 root  wheel  512 Feb  1 13:51 ipv6
drwxr-xr-x  2 root  wheel  512 Feb  1 13:51 ufqdn

/etc/isakmpd/pubkeys/fqdn:
total 8
-rw-r--r--  1 root  wheel  272 May  1  2010 jggimi.jggimi.homeip.net
-rw-r--r--  1 root  wheel  451 May  1  2010 netbook.jggimi.homeip.net

/etc/isakmpd/pubkeys/ipv4:

/etc/isakmpd/pubkeys/ipv6:

/etc/isakmpd/pubkeys/ufqdn:
#
EDITED TO ADD: This host key infrastructure is not the only possibility. This and other key management methods are documented in the isakmpd(8) man page, in the IKE Public Key Infrastructure section.
Last edited by jggimi; 19th February 2014 at 03:54 AM. Reason: documentation link added
I did find a couple of examples of authkey file syntax for manual keying:
https://groups.google.com/forum/#!to...sc/dldoO1bCX0M
http://openbsd.7691.n7.nabble.com/ip...ng-td2673.html
Perhaps these will help you get your desired manual keying working.