Diffstat (limited to 'keyexchange/isakmpd-20041012/README')
-rw-r--r--  keyexchange/isakmpd-20041012/README  68
1 files changed, 68 insertions, 0 deletions
diff --git a/keyexchange/isakmpd-20041012/README b/keyexchange/isakmpd-20041012/README new file mode 100644 index 0000000..13df6a1 --- /dev/null +++ b/keyexchange/isakmpd-20041012/README 
@@ -0,0 +1,68 @@ +$OpenBSD: README,v 1.19 2003/02/22 06:57:07 kjell Exp $ +$EOM: README,v 1.28 1999/10/10 22:53:24 angelos Exp $ + +This is isakmpd, a BSD-licensed ISAKMP/Oakley (a.k.a. IKE) +implementation. It's written by Niklas Hallqvist and Niels Provos, +funded by Ericsson Radio Systems AB. Isakmpd's home is in the +OpenBSD main source tree under src/sbin/isakmpd. Look at +http://www.openbsd.org/ for details on how to get OpenBSD source. + +Isakmpd is being developed under OpenBSD, with OpenBSD as its primary +target, however, it is ported to Linux with FreeS/WAN IPsec. The +makefile support assumes a BSD environment nonetheless as it is not too +hard to get such an environment to work under other operating systems. +For example, Red Hat 5.2 shipped with pmake installed. Read sysdep/README +for further details about this issue. Other systems isakmpd has been +ported to, but no code has been made available for, includes Solaris +and Win32s. I mention this just because it shows that the code is +fairly portable. + +First edit the Makefile in a manner you see fit. Specifically the OS +define is important to get right of course. +Assuming you have an OpenBSD /usr/share/mk and use the OpenBSD (or +similar) make(1), you build isakmpd this way: + +make obj && make depend && make + +Then obj/isakmpd will be the daemon. I suggest you try it by running +under gdb with args similar to: + -d -n -p5000 -DA=99 -f/tmp/isakmpd.fifo -csamples/VPN-east.conf + +That will run isakmpd in the foreground, not connected to any application +(like an IPsec implementation) logging to stderr with full debugging output, +listening on UDP port 5000, accepting control commands via the named pipe +called /tmp/isakmpd.fifo and reading its configuration from the +VPN-east.conf file (found in the isakmpd/samples directory). + +If you are root you can try to run without -n -p5000 thus getting it to +talk to your IPsec stack and use the standard port 500 instead. 
+ +The logging classes are Miscellaneous = 0, Transports = 1, Messages = 2, +Crypto = 3, Timers = 4, System Dependencies = 5, Security Associations = 6, +and Exchanges = 7. The debug levels increase in verbosity from 0 (off) to +99 (max). Read log.[ch] and ui.c to see how to alter the debugging levels. + +Now you have setup your daemon and can watch incoming negotiations. +But how do you get such? Either use http://isakmp-test.ssh.fi/, +there's an excellent service, just waiting for you. Or you can try to +start another isakmpd on another port (say -p5001 or so, instead) +and another fifo (let's say /tmp/other.fifo). Then edit the config +file to have some peer descriptions that fit your need and issue a +command like this: + +$ echo "c IPsec-east-west" >/tmp/other.fifo + +and watch. You can turn on debugging on that isakmpd too of course, for +greater fun. This rudimentary user interface is slightly described in +DESIGN-NOTES. If you are going to look at the config file, don't be scared, +the man page isakmpd.conf(5) covers every detail, and the flexibility will +be hidden under a userfriendlier layer in a later release. I did this +first config-file syntax just because it should be easy to parse. The man +page isakmpd.policy(5) describes the policy model used in conjunction with +KeyNote. + +Happy IKEing! + +Niklas Hallqvist <niklas@openbsd.org> +Niels Provos <provos@openbsd.org> +Håkan Olsson <ho@openbsd.org> |
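Review bot: The imported README is the upstream OpenBSD text (RCS id README,v 1.19 2003/02/22) and refers to files and manuals that this change does not add: sysdep/README, DESIGN-NOTES, samples/VPN-east.conf, isakmpd.conf(5) and isakmpd.policy(5). If those are not present elsewhere in keyexchange/isakmpd-20041012/, the build and test instructions ("make obj && make depend && make", "-csamples/VPN-east.conf") will not work as written; either confirm the snapshot carries them or add a short note at the top of the README stating that it is the verbatim upstream text for the 20041012 snapshot and which referenced files are absent. Two caveats worth a sentence in that note: the suggested invocation runs with "-DA=99" (every logging class at maximum verbosity, including Crypto = 3), which is a debugging setting and not something to carry into a deployment, and the control channel in the example is a named pipe under /tmp ("-f/tmp/isakmpd.fifo") that accepts commands such as `c IPsec-east-west`, so the fifo's ownership and mode need to be restrictive whenever the daemon runs as root against the real IPsec stack on port 500 rather than in the "-n -p5000" test mode the text describes.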