[SATLUG] anyone use isakmpd or IPSec?

Travis travis+ml-satlug at subspacefield.org
Wed Sep 3 20:30:10 CDT 2008


I'm struggling with the OpenBSD daemon isakmpd on Linux.  Sometimes, I
restart the service and it works just fine.  Other times it will not
work for as long as 45 seconds.

If you haven't seen OpenBSD's isakmpd, its configuration file is very
unforgiving, but it is the slickest, baddest, most NAT-penetrating
tool in existence. On OpenBSD, it will send a packet from/to port 500
to exchange keys.  If that isn't the src port when it arrives, the
recipient knows that the sender went through NAT, so they encapsulate
all the IPSec packets in UDP port 4500, and on top of that slickness,
they also send keepalives so that stateful NAT devices keep the port
open.

What I'm trying to build up is an IPSec VPN between home, an OpenBSD
coloc, and a Debian Linux server in Amsterdam.

Point to point, I can get it to work, but dealing with VPN routing
is my next pain point, and this indeterminacy on Linux is putting
the brakes on my ambition to build a walled city of sorts.

Anyone else working with this stuff?

PS: I've got several presentations and a 150-page book on security
here:  http://www.subspacefield.org/security/
-- 
Crypto ergo sum.  http://www.subspacefield.org/~travis/
Truth does not fear scrutiny or competition, only lies do.
If you are a spammer, please email john at subspacefield.org to get blacklisted.
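The NAT traversal behaviour the post describes (IKE on UDP 500, detecting a NAT between the peers, encapsulating traffic on UDP 4500, and keepalives), as an added example in Python that is neither part of the original post nor isakmpd's own code. It follows RFC 3947/3948: each peer sends NAT-D payloads carrying a hash of the IKE cookies plus the address and port it believes it is using, and a mismatch against the address and port the datagram actually arrived from means a NAT rewrote them; on port 4500 a single 0xff byte is a keepalive, four zero bytes (the non-ESP marker) introduce an IKE message, and anything else begins with an ESP SPI. SHA-1 for the NAT-D hash, the cookies, addresses and the datagrams below are all constructed assumptions, not captured traffic.

```python
"""Classify NAT-T datagrams and detect a NAT via NAT-D hashes (RFC 3947/3948).

Added example, not from the original post or from isakmpd. Assumes the UDP
payload has already been extracted from the packet (e.g. by a pcap library).
"""
import hashlib
import socket
import struct
from typing import Optional

IKE_PORT = 500
NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s2.2: prefix of IKE sent on 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 s2.3: one-byte NAT keepalive
# ISAKMP header: CKY-I, CKY-R, next payload, version, exchange, flags, msgid, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

# Constructed cookies for the samples below (assumption, not real traffic).
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body, RFC 3947 s3.2: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is an assumption here; the real hash is the one negotiated in phase 1."""
    return hashlib.sha1(
        cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    ).digest()


def peer_behind_nat(received_nat_d: bytes, cky_i: bytes, cky_r: bytes,
                    observed_ip: str, observed_port: int) -> bool:
    """True if the NAT-D the peer computed over the address it thinks it has
    does not match the source address/port its datagram actually arrived from."""
    return nat_d_hash(cky_i, cky_r, observed_ip, observed_port) != received_nat_d


def parse_isakmp(payload: bytes) -> Optional[dict]:
    """Parse a fixed ISAKMP header; reject datagrams whose declared length lies."""
    if len(payload) < ISAKMP_HDR.size:
        return None
    cky_i, cky_r, nxt, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(payload)
    if length != len(payload):
        return None
    return {"cky_i": cky_i, "cky_r": cky_r, "next": nxt, "version": ver,
            "xchg": xchg, "flags": flags, "msgid": msgid, "length": length}


def classify(src_port: int, dst_port: int, payload: bytes) -> dict:
    """Classify one UDP datagram the way a NAT-T aware IKE daemon would."""
    if IKE_PORT in (src_port, dst_port):
        hdr = parse_isakmp(payload)
        return {"kind": "ike" if hdr else "invalid", "port": IKE_PORT, "hdr": hdr}
    if NATT_PORT in (src_port, dst_port):
        if payload == NAT_KEEPALIVE:
            return {"kind": "nat-keepalive", "port": NATT_PORT}
        if payload.startswith(NON_ESP_MARKER):
            hdr = parse_isakmp(payload[len(NON_ESP_MARKER):])
            return {"kind": "ike-udp-encap" if hdr else "invalid",
                    "port": NATT_PORT, "hdr": hdr}
        if len(payload) >= 8:
            spi, seq = struct.unpack_from("!II", payload)
            if spi != 0:  # SPI 0 is reserved, so it cannot start an ESP packet
                return {"kind": "esp-udp-encap", "port": NATT_PORT, "spi": spi, "seq": seq}
        return {"kind": "invalid", "port": NATT_PORT}
    return {"kind": "other"}


def make_isakmp(cky_i: bytes, cky_r: bytes, xchg: int = 2, body: bytes = b"") -> bytes:
    """Build a minimal ISAKMP message: next payload 0, IKEv1 (0x10), flags 0, msgid 0."""
    return ISAKMP_HDR.pack(cky_i, cky_r, 0, 0x10, xchg, 0, 0,
                           ISAKMP_HDR.size + len(body)) + body


if __name__ == "__main__":
    # The peer at private 192.168.1.10:500 hashed its own address into NAT-D,
    # but its datagram reaches us from 203.0.113.5:31337 after a NAT rewrote it.
    nat_d = nat_d_hash(CKY_I, CKY_R, "192.168.1.10", IKE_PORT)
    print("peer behind NAT:", peer_behind_nat(nat_d, CKY_I, CKY_R, "203.0.113.5", 31337))
    samples = [
        (IKE_PORT, IKE_PORT, make_isakmp(CKY_I, CKY_R)),                        # main mode on 500
        (31337, NATT_PORT, NON_ESP_MARKER + make_isakmp(CKY_I, CKY_R, 32)),    # quick mode on 4500
        (31337, NATT_PORT, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16),  # ESP-in-UDP
        (31337, NATT_PORT, NAT_KEEPALIVE),                                     # keepalive
    ]
    for src, dst, data in samples:
        print(f"{src}->{dst}: {classify(src, dst, data)['kind']}")
```

Run it as a script to see the four classifications and the NAT verdict; in a real daemon the same `classify` dispatch is what decides whether a port-4500 datagram goes to the IKE state machine or to the ESP input path, and `peer_behind_nat` is why both ends switch to 4500 and start sending keepalives.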