ipsec ipcomp howto - OpenBSD 5.7


ipsec ipcomp howto - OpenBSD 5.7

mottycruz
Configuring ipsec.conf with ipcomp seems to be more difficult than I thought.
I enabled ipcomp:
# sysctl -a | grep ipcomp
net.inet.ipcomp.enable=1

ipcomp is enabled on both gateways. Here is ipsec.conf:

flow ipcomp from 10.10.10.0/24 to 10.10.2.0/24 \
        peer 192.168.1.57

ike esp from 10.10.10.0/24 to 10.10.2.0/24 \
         peer 192.168.1.57 \
         main auth hmac-sha2-256 enc 3des group modp1024 lifetime 86400 \
         quick auth hmac-sha2-256 enc 3des lifetime 86400 \
         psk f15490b4ebc2bfc41a9a009509c91ceb443547f6

my local LAN 10.10.10.0/24
remote LAN 10.10.2.0/24

# ipsecctl -s all
FLOWS:
flow esp in from 10.10.2.0/24 to 10.10.10.0/24 peer 192.168.1.57 type require
flow esp out from 10.10.10.0/24 to 10.10.2.0/24 peer 192.168.1.57 type require

SAD:
esp tunnel from 192.168.1.57 to 192.168.125.157 spi 0xc259f59d auth hmac-sha2-256 enc 3des-cbc
esp tunnel from 192.168.125.157 to 192.168.1.57 spi 0xe9b1976d auth hmac-sha2-256 enc 3des-cbc
#


Any ideas? The documentation (man ipsec.conf) has poor information about
ipcomp, from my point of view.


Re: ipsec ipcomp howto - OpenBSD 5.7

Matt Schwartz
ipcomp has not been implemented in ipsec/isakmpd. I've gotten it to work
quite well with iked. iked is the key management daemon for IKEv2.

On Thu, Mar 17, 2016 at 6:00 PM, Motty Cruz wrote:
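For readers who want to follow the iked route, here is an added example of an /etc/iked.conf for the 10.10.10.0/24 gateway (192.168.125.157 in the original output) that negotiates IPComp for the same subnets. It is not from either poster; the rule name, the choice of aes-256 and modp2048 in place of the original 3des/modp1024, and the PSK placeholder are assumptions. The `ipcomp` keyword is the iked.conf(5) flag that makes iked negotiate an IPComp child SA next to the ESP one.

```conf
# /etc/iked.conf on the local gateway (192.168.125.157), constructed example.
# "ipcomp" only has an effect if net.inet.ipcomp.enable=1 is set in the
# kernel on BOTH gateways; without it iked negotiates plain ESP.
# Rule name, algorithms and the PSK value below are assumptions.
ikev2 "lan-to-lan" active ipcomp esp \
        from 10.10.10.0/24 to 10.10.2.0/24 \
        peer 192.168.1.57 \
        ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
        childsa enc aes-256 auth hmac-sha2-256 \
        lifetime 86400 \
        psk "replace-with-a-long-random-secret"
```

The remote gateway needs the mirror rule (from 10.10.2.0/24 to 10.10.10.0/24, peer 192.168.125.157, same PSK), and both hosts need `net.inet.ipcomp.enable=1` in /etc/sysctl.conf so it survives a reboot. Check the syntax with `iked -nf /etc/iked.conf` before starting iked, then confirm the result with `ipsecctl -s all`: in addition to the esp entries shown in the original post you should see ipcomp flows and an ipcomp SA for each direction. If only esp entries appear, the sysctl is almost always the missing piece. One caveat worth keeping in mind: compressing before encrypting means ciphertext length now depends on how compressible the plaintext is, so traffic whose content an attacker can partly influence leaks a little more through packet sizes than it would over uncompressed ESP.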