This document explains how to configure OpenBSD's IPSec to authenticate via a Certificate Authority and x509 certificates. It is demonstrated with OpenBSD 4.1 and depends upon ipsecctl, which first appeared in OpenBSD 3.8.
First you will need to place your CA certificate in /etc/isakmpd/ca.
# ls -al /etc/isakmpd/ca
total 16
drwxr-xr-x  2 root  wheel   512 Jun  1 13:25 .
drwxr-xr-x  8 root  wheel   512 Jun  1 13:18 ..
-r--r--r--  1 root  wheel  3460 Jun  1 12:27 cacert.pem
Next you will need to place your host's certificate in /etc/isakmpd/certs.
# ls -al /etc/isakmpd/certs
total 16
drwxr-xr-x  2 root  wheel   512 Jun  1 13:59 .
drwxr-xr-x  8 root  wheel   512 Jun  1 13:18 ..
-r--r--r--  1 root  wheel  3008 Jun  1 13:59 192.168.25.25.pem
This certificate should be issued with a subjectAltName extension field, as described in the isakmpd man page.
# setenv CERTIP 192.168.25.25
# openssl x509 -req -days 365 -in 192.168.25.25.csr \
-CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \
-CAcreateserial -extfile /etc/ssl/x509v3.cnf \
-extensions x509v3_IPAddr -out 192.168.25.25.pem
When you view the resulting certificate, you should see similar results in the X509v3 extensions.
[...]
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:192.168.25.25
[...]
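The steps above, as an added example that is not part of the original post: build a throwaway CA in a scratch directory, issue a host certificate with the same IP-address subjectAltName extension the post's openssl command produces, and then run the checks worth doing before the files go into /etc/isakmpd/ca and /etc/isakmpd/certs. The config file, key sizes, the CA name and the 192.168.25.25 address are constructed for the demo; the x509v3_IPAddr section mirrors the one in OpenBSD's /etc/ssl/x509v3.cnf.

```shell
# Added example (not from the original post): throwaway CA, host cert with an
# IP subjectAltName, and the pre-flight checks a practitioner would run before
# copying the files to /etc/isakmpd. All paths and values are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export CERTIP=192.168.25.25

# Minimal config. x509v3_IPAddr takes the address from the CERTIP environment
# variable, as OpenBSD's /etc/ssl/x509v3.cnf does; v3_ca marks the CA as such.
cat > "$WORK/x509v3.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ x509v3_IPAddr ]
subjectAltName = IP:${ENV::CERTIP}
EOF

# Self-signed CA, then a host key + CSR signed with the IP SAN extension.
make_certs() {
    openssl req -x509 -config "$WORK/x509v3.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo IPSec CA" \
        -keyout "$WORK/ca.key" -out "$WORK/cacert.pem" 2>/dev/null
    openssl req -new -config "$WORK/x509v3.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$CERTIP" -keyout "$WORK/$CERTIP.key" -out "$WORK/$CERTIP.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/$CERTIP.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/x509v3.cnf" -extensions x509v3_IPAddr \
        -out "$WORK/$CERTIP.pem" 2>/dev/null
}

# Pre-flight checks that isakmpd would otherwise fail at negotiation time:
# the host cert chains to the CA, it carries the IP SAN matching the local
# address used in ipsec.conf, and the private key really belongs to it.
check_cert() {
    cert="$1"; ca="$2"; key="$3"; ip="$4"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -text | grep -q "IP Address:$ip" || return 1
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$cert" -noout -pubkey)" ] || return 1
}

make_certs
check_cert "$WORK/$CERTIP.pem" "$WORK/cacert.pem" "$WORK/$CERTIP.key" "$CERTIP" \
    && echo "OK: $CERTIP.pem chains to cacert.pem and carries IP SAN $CERTIP"
```

If check_cert fails, compare the SAN printed by `openssl x509 -text` against the local address in ipsec.conf before looking anywhere else; a mismatch there is the usual reason isakmpd rejects an otherwise valid certificate.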
Here is an example ipsec.conf used with the above configuration to connect with a peer running ipsec-tools/racoon.
ike esp from 192.168.25.25 to 192.168.25.211 main auth hmac-sha1 enc 3des quick auth hmac-sha1 enc 3des
You should ensure that isakmpd is running with the -K argument.
You can add the following to /etc/rc.conf.local
isakmpd_flags="-K"
ipsec=YES
In older versions of OpenBSD, where the rc.conf variable ipsec does not exist, the following needs to be added to /etc/rc.local instead:
ipsecctl -f /etc/ipsec.conf

I followed your steps, but certificates are not working on my machines, facing a lot of issues related to it…
Can I share logs with you?