> Can anyone recommend a client configuration for IPsec from a roaming
> Linux machine that works with OpenBSD's ipsecctl?
> I have tried Openswan and racoon and both have their problems.
> Currently using X509 certificates but if anyone has public keys
> working that would be good too.
I've got an OpenBSD road warrior that connects to a Debian server
running racoon. So far I haven't connected a Linux road warrior to an
OpenBSD machine but the following setup might work.
If you decide to use public keys you've got to convert the keys
between the file format used by OpenBSD and the format used by Racoon
and Openswan. I've put a Perl script that converts public keys
between both formats at the end of this message. The script requires
the Perl modules Parse::RecDescent and Crypt::OpenSSL::RSA, which are
both available as packages under OpenBSD and Debian.
Run the script on your OpenBSD machine to convert your machine's
public key into the file format that is accepted by racoon. Example:
./plainrsa-convert < /etc/isakmpd/local.pub
Copy the output into the file /etc/racoon/certs/pubkeys.rsa on the
Linux machine. You can put the OpenBSD machine's IP address in front
of the key. Example:
192.168.0.1 : PUB 0sAgUAF2T29ovO...
Run the command plainrsa-gen, which comes with the racoon package, to
create a key on the Linux machine. Example:
plainrsa-gen -f /etc/racoon/certs/privatekey.rsa
Extract the public key from the key file and convert the key to the
format accepted by OpenBSD. Example:
grep ": PUB" privatekey.rsa | sed 's/^#//' | ./plainrsa-convert
Assuming that your client's host name is roadwarrior.example.org, put
the output of the above command into the file
/etc/isakmpd/pubkeys/fqdn/roadwarrior.example.org on your OpenBSD
I'm not sure what to put into /etc/ipsec.conf on the OpenBSD machine.
I think that something like this should work:
ike passive from any to 192.168.0.1 \
srcid server.example.org \
Put the following directives into the file /etc/racoon/racoon.conf on
the Linux machine. Don't forget to modify the IP address and the
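An added example, not part of the original thread and not the Perl script
referred to above (which the page does not reproduce): a stdlib-only Python
converter that does the same job in both directions. It assumes two things
the message does not state: that /etc/isakmpd/local.pub is a PEM
"BEGIN PUBLIC KEY" (SubjectPublicKeyInfo) file, and that racoon's "0s..."
plainrsa string is base64 of the RFC 3110 RSA KEY format (one-byte exponent
length, or 0 plus two bytes if longer, then exponent, then modulus) with the
FreeS/WAN "0s" prefix. The sample modulus at the bottom is constructed for
the round-trip check and is not a real RSA key.

```python
"""Convert an RSA public key between the PEM form isakmpd uses and the
'0s...' plainrsa form racoon/Openswan read.  Stdlib only.  Assumed (not
stated on the page): PEM is SubjectPublicKeyInfo, '0s' is RFC 3110 base64."""
import base64
import re
import sys

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1

# --- minimal DER encode/decode, only what an RSA public key needs ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b          # long-form length

def _der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:                            # keep the INTEGER positive
        b = b"\x00" + b
    return _der_tlv(0x02, b)

def _der_read(buf, pos):
    """Return (tag, body, position after the element) for buf[pos:]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln

def pem_to_key(pem):
    """Parse a 'BEGIN PUBLIC KEY' PEM; return (e, n)."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("no PUBLIC KEY PEM block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, spki, _ = _der_read(der, 0)
    tag2, algid, pos = _der_read(spki, 0)
    oid_tag, oid, _ = _der_read(algid, 0)
    if not (tag == tag2 == 0x30 and oid_tag == 0x06 and oid == RSA_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    tag, bitstr, _ = _der_read(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsapub, _ = _der_read(bitstr, 1)        # RSAPublicKey ::= SEQ { n, e }
    tn, nb, pos = _der_read(rsapub, 0)
    te, eb, _ = _der_read(rsapub, pos)
    if tn != 0x02 or te != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(eb, "big"), int.from_bytes(nb, "big")

def key_to_pem(e, n):
    rsapub = _der_tlv(0x30, _der_int(n) + _der_int(e))
    algid = _der_tlv(0x30, _der_tlv(0x06, RSA_OID) + b"\x05\x00")  # NULL params
    spki = _der_tlv(0x30, algid + _der_tlv(0x03, b"\x00" + rsapub))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % body

def key_to_plainrsa(e, n):
    """RFC 3110 layout (exponent length, e, n), base64, '0s' prefix."""
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    hdr = bytes([len(eb)]) if len(eb) < 256 else b"\x00" + len(eb).to_bytes(2, "big")
    return "0s" + base64.b64encode(hdr + eb + nb).decode()

def plainrsa_to_key(s):
    if not s.startswith("0s"):
        raise ValueError("expected the '0s' (base64) prefix")
    raw = base64.b64decode(s[2:])
    elen, pos = (raw[0], 1) if raw[0] else (int.from_bytes(raw[1:3], "big"), 3)
    e = int.from_bytes(raw[pos:pos + elen], "big")
    n = int.from_bytes(raw[pos + elen:], "big")
    return e, n

def convert(text):
    """Whichever form the input is in, emit the other (stdin -> stdout use)."""
    if "BEGIN PUBLIC KEY" in text:
        return key_to_plainrsa(*pem_to_key(text)) + "\n"
    m = re.search(r"0s[A-Za-z0-9+/=]+", text)  # also matches a ': PUB 0s...' line
    if not m:
        raise ValueError("input is neither PEM nor a 0s... plainrsa key")
    return key_to_pem(*plainrsa_to_key(m.group(0)))

# Constructed sample values for a round-trip check; not a real RSA modulus.
SAMPLE_E = 65537
SAMPLE_N = (1 << 2047) | 0x5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5B

if __name__ == "__main__":
    sys.stdout.write(convert(sys.stdin.read()))
```

Used the same way as the script in the message (the file name here is just
an assumption): "python3 plainrsa-convert.py < /etc/isakmpd/local.pub" prints
the "0s..." string to paste into pubkeys.rsa, and
"grep ': PUB' privatekey.rsa | sed 's/^#//' | python3 plainrsa-convert.py"
prints the PEM to put under /etc/isakmpd/pubkeys/fqdn/. A 2048-bit sample is
deliberate: it exercises the long-form DER lengths a real key needs.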
I have been using www.shrew.net ipsec (gui) client on my road warrior
Ubuntu 7.10 (linux) machines very successfully with our OpenBSD 4.2
vpn/pf gateways. I did have to use an OpenBSD-side isakmpd.conf method
vs. an ipsec.conf/ipsecctl method as I couldn't author an ipsec.conf
shrew.net has a dependency on ipsec-tools 0.6.n or 0.7.0 (on the linux
machine), but it shields you from the grottiness of it while giving the
road warrior end-user a click and go vpn session.
The shrew.net client is about to version to 2.1. While 2.0.x works for
me, if it doesn't for you, then 2.1 has many fixes and enhancements.
> Tom Menari writes:
>> Can anyone recommend a client configuration for IPsec from a roaming
>> Linux machine that works with OpenBSD's ipsecctl?
>> I have tried Openswan and racoon and both have their problems.
>> Currently using X509 certificates but if anyone has public keys
>> working that would be good too.
> I've got an OpenBSD road warrior that connects to a Debian server
> running racoon. So far I haven't connected a Linux road warrior to an
> OpenBSD machine but the following setup might work. [...]
I've just tried to use the setup that I described and it doesn't work.
You ought to add "nat_traversal on" to the remote section of the
I also forgot to mention that you have to specify policies on the
Linux side. On Debian the policies may be set statically in
/etc/ipsec-tools.conf but in a road warrior setup you probably have to
run setkey from a dhclient script.
But now isakmpd outputs the error message "ike_phase_1_recv_ID:
received remote ID other than expected foo.example.org" although
"my_identifier fqdn" is used on the Linux side. Unfortunately,
isakmpd doesn't tell me what type of remote ID it got. The debug
output on the Linux side is even more useless.
I'm giving up. If I were you I'd use OpenVPN, which can be set up in
a few minutes without getting a headache.