$OpenBSD: README,v 1.20 2016/09/02 12:17:32 tb Exp $
$EOM: README,v 1.28 1999/10/10 22:53:24 angelos Exp $

This is isakmpd, a BSD-licensed ISAKMP/Oakley (a.k.a. IKE) implementation. It's written by Niklas Hallqvist and Niels Provos, funded by Ericsson Radio Systems AB. Isakmpd's home is in the OpenBSD main source tree under src/sbin/isakmpd. Look at https://www.openbsd.org/ for details on how to get OpenBSD source.

Isakmpd is being developed under OpenBSD, with OpenBSD as its primary target; however, it has also been ported to Linux with FreeS/WAN IPsec. The makefile support nonetheless assumes a BSD environment, as it is not too hard to get such an environment to work under other operating systems. For example, Red Hat 5.2 shipped with pmake installed. Read sysdep/README for further details about this issue. Other systems isakmpd has been ported to, but for which no code has been made available, include Solaris and Win32s. I mention this just because it shows that the code is fairly portable.

First edit the Makefile in a manner you see fit. Specifically, the OS define is important to get right, of course. Assuming you have an OpenBSD /usr/share/mk and use the OpenBSD (or similar) make(1), you build isakmpd this way:

make obj && make depend && make

Then obj/isakmpd will be the daemon. I suggest you try it by running it under gdb with args similar to:

 -d -n -p5000 -DA=99 -f/tmp/isakmpd.fifo -csamples/VPN-east.conf

That will run isakmpd in the foreground, not connected to any application (like an IPsec implementation), logging to stderr with full debugging output, listening on UDP port 5000, accepting control commands via the named pipe called /tmp/isakmpd.fifo and reading its configuration from the VPN-east.conf file (found in the isakmpd/samples directory).

If you are root you can try to run without -n -p5000, thus getting it to talk to your IPsec stack and use the standard port 500 instead.
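The -DA=99 argument in the gdb command line above turns every debugging class up to maximum verbosity. The following Python model is added here as an illustration and is not isakmpd's own code (the daemon's handling lives in the log.[ch] and ui.c files the next paragraph points you to); it assumes the option syntax "-D class=level" with "A" standing for all classes, uses the class numbers listed in the next paragraph, and shows how a sequence of -D values resolves to a per-class level table.

```python
import re

# Debugging classes as listed in this README (class number -> name).
LOG_CLASSES = {0: "Miscellaneous", 1: "Transports", 2: "Messages", 3: "Crypto",
               4: "Timers", 5: "System Dependencies",
               6: "Security Associations", 7: "Exchanges"}
MAX_LEVEL = 99  # levels run from 0 (off) to 99 (maximum verbosity)


def debug_args_from_argv(argv):
    """Collect the value of every -D option on an isakmpd command line,
    accepting the attached form (-DA=99) and the separated form (-D A=99)."""
    values = []
    tokens = iter(argv)
    for tok in tokens:
        if tok == "-D":
            values.append(next(tokens, ""))
        elif tok.startswith("-D"):
            values.append(tok[2:])
    return values


def parse_debug_args(values):
    """Apply -D values such as "3=50" or "A=99" in order and return the
    per-class level table. "A" sets every class; a later value overrides an
    earlier one. Unparseable values, unknown classes and levels above 99
    raise ValueError. (Assumed syntax; see log.[ch] for the real rules.)"""
    levels = {cls: 0 for cls in LOG_CLASSES}  # everything off by default
    for value in values:
        m = re.fullmatch(r"(A|\d+)=(\d+)", value)
        if not m:
            raise ValueError(f"-D argument unparseable: {value!r}")
        cls, level = m.group(1), int(m.group(2))
        if level > MAX_LEVEL:
            raise ValueError(f"debug level must be 0..{MAX_LEVEL}: {value!r}")
        if cls == "A":
            levels = {c: level for c in levels}
        elif int(cls) in levels:
            levels[int(cls)] = level
        else:
            raise ValueError(f"unknown debugging class: {value!r}")
    return levels


def describe(levels):
    """List the classes that will emit debug output and their levels."""
    return [f"{LOG_CLASSES[c]} ({c}): level {lvl}"
            for c, lvl in sorted(levels.items()) if lvl > 0]
```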
The logging classes are Miscellaneous = 0, Transports = 1, Messages = 2, Crypto = 3, Timers = 4, System Dependencies = 5, Security Associations = 6, and Exchanges = 7. The debug levels increase in verbosity from 0 (off) to 99 (max). Read log.[ch] and ui.c to see how to alter the debugging levels.

Now you have set up your daemon and can watch incoming negotiations. But how do you get any? Either use http://isakmp-test.ssh.fi/, an excellent service just waiting for you, or try to start another isakmpd on another port (say -p5001 or so, instead) with another fifo (let's say /tmp/other.fifo). Then edit the config file to have some peer descriptions that fit your needs and issue a command like this:

$ echo "c IPsec-east-west" >/tmp/other.fifo

and watch. You can turn on debugging on that isakmpd too, of course, for greater fun. This rudimentary user interface is briefly described in DESIGN-NOTES. If you are going to look at the config file, don't be scared: the man page isakmpd.conf(5) covers every detail, and the flexibility will be hidden under a more user-friendly layer in a later release. I did this first config-file syntax just because it should be easy to parse. The man page isakmpd.policy(5) describes the policy model used in conjunction with KeyNote.

Happy IKEing!

Niklas Hallqvist <niklas@openbsd.org>
Niels Provos <provos@openbsd.org>
Håkan Olsson <ho@openbsd.org>