KeyNote-Version: 2
Comment: Accepts ESP SAs from a peer that authenticated with this pre-shared
         passphrase (the Authentication= value in isakmpd.conf) and only when
         the SA uses AES encryption with HMAC-SHA integrity, i.e. the
         QM-ESP-AES-SHA-PFS-SUITE configured for quick mode. NOTE(review): the
         secret is stored in clear here; keep this file root-owned, mode 0600.
Authorizer: "POLICY"
Licensees: "passphrase:mojehaso"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "aes" &&
            esp_auth_alg == "hmac-sha" -> "true";
-------------------------
# isakmpd.conf as deployed on the west host (10.1.0.11). The east host runs
# the same file with only Listen-on, Default and Connections changed (the
# three lines shown further down).
# NOTE(review): this file holds the pre-shared key in clear -- keep it, and
# isakmpd.policy, root-owned and mode 0600.
[General]
# Address this daemon binds to; matches the Local-address of the peer
# entries used on this host.
Listen-on=              10.1.0.11
Shared-SADB=            Defined
# KeyNote policy file consulted for every proposed SA.
Policy-File=            /etc/isakmpd/isakmpd.policy

[Phase 1]
# Remote address -> peer section used for IKE Phase 1 with that host.
10.1.0.11=              ISAKMP-peer-west
10.1.0.12=              ISAKMP-peer-east
# NOTE(review): per isakmpd.conf(5) Default names the peer section used for
# initiators not listed above, so any unlisted host is offered the
# aggressive-mode configuration and isakmpd.policy becomes the only gate for
# such peers -- confirm this exposure is intended.
Default=                ISAKMP-peer-east-aggressive

[Phase 2]
# Phase 2 connection(s) isakmpd establishes on its own (isakmpd.conf(5)).
Connections=            IPsec-west-east

# Main-mode peer entries. Authentication= is the pre-shared key; it must equal
# the "passphrase:" licensee in isakmpd.policy.
[ISAKMP-peer-east]
Phase=                  1
Local-address=          10.1.0.11
Address=                10.1.0.12
Configuration=          Default-main-mode
Authentication=         mojehaso

# Mirror entry, used when this same file is deployed on the east host.
[ISAKMP-peer-west]
Phase=                  1
Local-address=          10.1.0.12
Address=                10.1.0.11
Configuration=          Default-main-mode
Authentication=         mojehaso


# Aggressive-mode peer entries (reached through Default= above).
# NOTE(review): aggressive mode sends identities before the exchange is
# protected and, with a pre-shared key, exposes a hash that can be attacked
# offline; prefer the main-mode entries wherever both peers support them.
[ISAKMP-peer-east-aggressive]
Phase=                  1
Local-address=          10.1.0.11
Address=                10.1.0.12
Configuration=          Default-aggressive-mode
Authentication=         mojehaso

[ISAKMP-peer-west-aggressive]
Phase=                  1
Local-address=          10.1.0.12
Address=                10.1.0.11
Configuration=          Default-aggressive-mode
Authentication=         mojehaso

# Phase 2 (quick mode) connections; Local-ID/Remote-ID name the Host-*
# identity sections below. Each direction is defined once so the file is
# identical on both hosts apart from the Connections= line.
[IPsec-east-west]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-west
Configuration=          Default-quick-mode
Local-ID=               Host-east
Remote-ID=              Host-west

[IPsec-west-east]
Phase=                  2
ISAKMP-peer=            ISAKMP-peer-east
Configuration=          Default-quick-mode
Local-ID=               Host-west
Remote-ID=              Host-east

# IKE identities: plain IPv4 addresses of the two endpoints.
[Host-west]
ID-type=                IPV4_ADDR
Address=                10.1.0.11

[Host-east]
ID-type=                IPV4_ADDR
Address=                10.1.0.12

[Default-main-mode]
EXCHANGE_TYPE=          ID_PROT
# NOTE(review): 3DES is a legacy 64-bit-block cipher; Phase 2 already uses
# AES, so consider an AES-based Phase 1 transform if both peers support it.
Transforms=             3DES-SHA

[Default-aggressive-mode]
EXCHANGE_TYPE=          AGGRESSIVE
# NOTE(review): the transform name ends in RSA, which suggests signature
# (certificate) authentication rather than the Authentication= passphrase of
# the peer entries -- confirm against isakmpd.conf(5) which one applies here.
Transforms=             3DES-SHA-RSA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
# ESP with AES encryption, HMAC-SHA integrity and PFS; this is the suite the
# isakmpd.policy conditions (esp_enc_alg == aes, esp_auth_alg == hmac-sha)
# permit.
Suites=                 QM-ESP-AES-SHA-PFS-SUITE
-------------------------
# East host (10.1.0.12): same isakmpd.conf as above, with only Listen-on,
# Default and Connections changed.
Listen-on=             10.1.0.12
-------------------------
# East host: unlisted initiators are handled by the west-side aggressive-mode
# entry (see the NOTE on Default= in the full file above).
Default=               ISAKMP-peer-west-aggressive
-------------------------
# East host: establish the east -> west quick-mode connection.
Connections=           IPsec-east-west
-------------------------
# /sbin/isakmpd
-------------------------
# tcpdump -n
tcpdump: listening on pcn0, link-type EN10MB
21:19:38.920316 esp 10.1.0.11 > 10.1.0.12 spi 0xB9C862E7 seq 1 len 132
21:19:38.921420 esp 10.1.0.12 > 10.1.0.11 spi 0xBC4069F4 seq 1 len 132
21:19:39.926389 esp 10.1.0.11 > 10.1.0.12 spi 0xB9C862E7 seq 2 len 132
21:19:39.927216 esp 10.1.0.12 > 10.1.0.11 spi 0xBC4069F4 seq 2 len 132
21:19:40.940115 esp 10.1.0.11 > 10.1.0.12 spi 0xB9C862E7 seq 3 len 132
21:19:40.940711 esp 10.1.0.12 > 10.1.0.11 spi 0xBC4069F4 seq 3 len 132
-------------------------
# tcpdump -n -i enc0
tcpdump: WARNING: enc0: no IPv4 address assigned
tcpdump: listening on enc0, link-type ENC
21:21:53.281316 (authentic,confidential): SPI 0xb9c862e7: 10.1.0.11 > 10.1.0.12: icmp: echo request (encap)
21:21:53.281480 (authentic,confidential): SPI 0xbc4069f4: 10.1.0.12 > 10.1.0.11: icmp: echo reply (encap)
21:21:54.240855 (authentic,confidential): SPI 0xb9c862e7: 10.1.0.11 > 10.1.0.12: icmp: echo request (encap)
21:21:54.241059 (authentic,confidential): SPI 0xbc4069f4: 10.1.0.12 > 10.1.0.11: icmp: echo reply (encap)
-------------------------
$ certpatch -i 10.1.0.11 -k CA.key 10.1.0.11.crt 10.1.0.11.crt
Reading ssleay created certificate 10.1.0.11.crt and modify it
Enter PEM pass phrase:
Creating Signature: PKEY_TYPE = RSA: X509_sign: 128 OKAY 
Writing new certificate to 10.1.0.11.crt
-------------------------
$ certpatch -t fqdn -i puffy -k CA.key puffy.crt puffy.crt
Reading ssleay created certificate puffy.crt and modify it
Enter PEM pass phrase:
Creating Signature: PKEY_TYPE = RSA: X509_sign: 128 OKAY 
Writing new certificate to puffy.crt
-------------------------
$ openssl x509 -subject -noout -in ca/CA.crt
subject= /C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=CA Root
-------------------------
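KeyNote-Version: 2
Comment: This policy accepts ESP SAs from hosts with certs signed by our CA.
         The SA must use AES encryption with HMAC-SHA integrity, matching the
         QM-ESP-AES-SHA-PFS-SUITE configured in isakmpd.conf and the
         passphrase policy above; the earlier esp_enc_alg != null condition
         would also have accepted any weaker cipher a peer proposed.
         NOTE(review): the licensee string must match the CA subject exactly
         as isakmpd renders it (compare openssl x509 -subject output); verify
         that the space after DN: is accepted by your isakmpd version.
Authorizer: "POLICY"
Licensees: "DN: /C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=CA Root"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "aes" &&
            esp_auth_alg == "hmac-sha" -> "true";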
-------------------------
# /sbin/isakmpd
-------------------------
# /etc/rc.conf.local: start isakmpd at boot with no extra flags.
# NOTE(review): do not add -K here -- per isakmpd(8) that flag disables
# KeyNote policy checking, which would bypass /etc/isakmpd/isakmpd.policy.
isakmpd_flags=""
