[initiator-id] section not documented in isakmpd.conf man page

From: Richard Browne <richb(at)timestone.com.au>
Date: Tue Mar 18 2003 - 15:23:38 EST


The man page for isakmpd.conf is missing information on the optional
[initiator-id] section. This is useful in road-warrior configurations when
using preshared keys. Instead of getting the preshared key from the
Authentication= line in the [ISAKMP-peer] section, isakmpd can get it from a
section named after the initiator ID. This [initiator-id] section can be a
remote IPv4 address, IPv6 address, FQDN or UFQDN. Doing this allows you to
have different shared secrets for different users.

The man page should also mention this will only work for aggressive mode (not main mode) due to the design of the protocol.

Also note the Authentication= line in the default [ISAKMP-peer] section will take precedence if it is present.

Someone on OpenBSD-misc kindly provided an example isakmpd.conf to illustrate this using UFQDN:

[General]
Listen-on=              192.168.1.1

[Phase 1]
Default=                ISAKMP-clients

[Phase 2]
Passive-Connections=    IPsec-clients

# Default phase-1 peer. It deliberately has no Authentication= line, so the
# preshared key is looked up in the section named after the initiator's ID.
# ([PGP-aggressive-mode], the phase-1 transform set referenced below, is not
# part of this excerpt.)
[ISAKMP-clients]
Phase=                  1
Transport=              udp
Configuration=          PGP-aggressive-mode

# One section per user, named after the UFQDN the initiator sends as its ID.
[user1@mydomain.com]
Phase=                  1
Configuration=          PGP-aggressive-mode
Authentication=         mypassword

[user2@mydomain.com]
Phase=                  1
Configuration=          PGP-aggressive-mode
Authentication=         differentpassword

# Phase 2: passive connection offering the local subnet to the clients.
[IPsec-clients]
Phase=                  2
Local-ID=               default-route

[default-route]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.154.0
Netmask=                255.255.255.0
Received on Tue Mar 18 15:25:22 2003
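As an added illustration (not part of the post above and not isakmpd's own code), the following Python script models the key-selection rules the post describes: it parses the isakmpd.conf syntax used in the example and then applies the precedence (Authentication= in the peer section wins; otherwise the section named after the initiator ID is consulted, and only in aggressive mode). The body of the [PGP-aggressive-mode] section and the [10.0.0.5] peer in the embedded sample are constructed for this example; the post does not show them. The parser is a simplified model of the conf format (section headers, "Key= value" lines, "#" comment lines), not a reimplementation of isakmpd's conf.c.

```python
"""Model of isakmpd's preshared-key selection for a phase-1 peer.

Added illustration, not isakmpd's own code: it parses the isakmpd.conf
syntax used in the post and applies the precedence rules the post states.
"""

# Constructed sample modelled on the post's example.  The body of
# [PGP-aggressive-mode] and the [10.0.0.5] peer are assumptions added
# here; they are not in the original post.
SAMPLE_CONF = """\
[General]
Listen-on=              192.168.1.1

[Phase 1]
Default=                ISAKMP-clients

[Phase 2]
Passive-Connections=    IPsec-clients

[ISAKMP-clients]
Phase=                  1
Transport=              udp
Configuration=          PGP-aggressive-mode

[PGP-aggressive-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          AGGRESSIVE
Transforms=             3DES-SHA

# UFQDN initiator IDs
[user1@mydomain.com]
Phase=                  1
Configuration=          PGP-aggressive-mode
Authentication=         mypassword

[user2@mydomain.com]
Phase=                  1
Configuration=          PGP-aggressive-mode
Authentication=         differentpassword

# IPv4 initiator ID (assumed for this example)
[10.0.0.5]
Phase=                  1
Configuration=          PGP-aggressive-mode
Authentication=         host-secret
"""


def parse_conf(text):
    """Parse isakmpd.conf-style text into {section: {key: value}}.

    Section headers are [name]; settings are 'Key= value' with the '='
    glued to the key; lines starting with '#' are comments.  A repeated
    section header merges into the existing section.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed isakmpd.conf line: {raw!r}")
        key, _, value = line.partition("=")
        conf[section][key.strip()] = value.strip()
    return conf


def preshared_key(conf, initiator_id, peer_section="ISAKMP-clients"):
    """Return (psk, source_section) for a phase-1 initiator, or (None, reason).

    Rule 1: Authentication= in the peer section always takes precedence.
    Rule 2: otherwise use Authentication= from the section named after the
            initiator's ID (IPv4, IPv6, FQDN or UFQDN).  This only works in
            aggressive mode: in main mode the ID payload arrives encrypted
            under keys derived from the PSK, so the responder cannot choose
            a key by ID.
    """
    peer = conf.get(peer_section, {})
    if "Authentication" in peer:
        return peer["Authentication"], peer_section
    exchange = conf.get(peer.get("Configuration", ""), {})
    if exchange.get("EXCHANGE_TYPE") != "AGGRESSIVE":
        return None, "per-ID preshared keys require EXCHANGE_TYPE= AGGRESSIVE"
    by_id = conf.get(initiator_id, {})
    if "Authentication" in by_id:
        return by_id["Authentication"], initiator_id
    return None, f"no section [{initiator_id}] with an Authentication= line"


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for ident in ("user1@mydomain.com", "user2@mydomain.com",
                  "10.0.0.5", "stranger@mydomain.com"):
        print(ident, "->", preshared_key(conf, ident))
```

Appending an `Authentication=` line to the [ISAKMP-clients] section of the sample and re-parsing shows the precedence rule from the post: every initiator then gets that shared secret regardless of its own section. Changing EXCHANGE_TYPE to ID_PROT (main mode) makes the per-ID lookup return no key, matching the post's remark that this only works for aggressive mode.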

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:29:52 EDT

