$OpenBSD: README,v 1.15 2000/01/26 15:23:45 niklas Exp $ $EOM: README,v 1.28 1999/10/10 22:53:24 angelos Exp $ This is isakmpd, a BSD-licensed ISAKMP/Oakley (a.k.a. IKE) implementation. It's written by Niklas Hallqvist and Niels Provos, funded by Ericsson Radio Systems AB. Currently it is work in progress, although it can be used for real setups. There are releases, but this distribution is not a release and is not named with ordinary version numbers. When you got the source, hopefully the archive was named with a date which reflects when it was created. These archives are also known as snapshots and will be created at irregular intervals and put up on ftp.gsnig.net and ftp.appli.se in /pub/isakmpd. From Nov 14, 1998 isakmpd is also available in the OpenBSD main source tree under src/sbin/isakmpd, though slightly modified because I don't want to carry support files for other OSes in that distribution. Look at http://www.openbsd.org/ for details on how to get OpenBSD source. Isakmpd is being developed under OpenBSD, with OpenBSD as its primary target, however, it is ported to Linux with FreeS/WAN IPsec. The makefile support assumes a BSD environment noneheless as it is not too hard to get such an environment to work under other operating systems. For example, Red Hat 5.2 shipped with pmake installed. Read sysdep/README for further details about this issue. Other systems isakmpd has been ported to, but no code has been made available for, includes Solaris and Win32s. I mention this just because it shows that the code is fairly portable. First edit the Makefile in a manner you see fit. Specifically the OS define is important to get right of course. Assuming you have an OpenBSD /usr/share/mk and use the OpenBSD (or similar) make(1), you build isakmpd this way: make obj && make depend && make Then obj/isakmpd will be the daemon. I suggest you try it by running under gdb with args similar to: -d -n -p5000 -DA=99 -f/tmp/isakmpd.fifo -csamples/VPN-east.conf That will run isakmpd in the foreground, not connected to any application (like an IPSEC implementation) logging to stderr with full debugging ouput, listening on UDP port 5000, accepting control commands via the named pipe called /tmp/isakmpd.fifo and reading its configuration from the VPN-east.conf file (found in the isakmpd/samples directory). If you are root you can try to run without -n -p5000 thus getting it to talk to your IPSec stack and use the standard port 500 instead. The logging classes are Miscellaneous = 0, Transports = 1, Messages = 2, Crypto = 3, Timers = 4, System Dependencies = 5, Security Associations = 6, and Exchanges = 7. The debug levels increase in verbosity from 0 (off) to 99 (max). Read log.[ch] and ui.c to see how to alter the debugging levels. Now you have setup your daemon and can watch incoming negotiations. But how do you get such? Either use http://isakmp-test.ssh.fi/, there's an excellent service, just waiting for you. Or you can try to start another isakmpd on another port (say -p5001 or so, instead) and another fifo (let's say /tmp/other.fifo). Then edit the config file to have some peer descriptions that fit your need and issue a command like this: $ echo "c IPsec-east-west" >/tmp/other.fifo and watch. You can turn on debugging on that isakmpd too of course, for greater fun. This rudimentary user interface is slightly described in DESIGN-NOTES. If you are going to look at the config file, don't be scared, the man page isakmpd.conf(5) covers every detail, and the flexibility will be hidden under a userfriendlier layer in a later release. I did this first config-file syntax just because it should be easy to parse. The man page isakmpd.policy(5) describes the policy model used in conjunction with KeyNote. Happy IKEing! Niklas Hallqvist Niels Provos Håkan Olsson