Thursday, August 30, 2018

isakmpd and iked on the same box

Hi,

I'm wondering if it would be possible to add iked to my box already running isakmpd.
I found this quite old thread: http://openbsd-archive.7691.n7.nabble.com/iked-isakmpd-on-the-same-machine-td246610.html

Just checking to see if things might have changed since then.

I've a vio0 interface with two IPs: 10.0.0.52 and 192.168.0.4:

So I've got isakmpd running, binding it to a specific IP like this:
[General]
Listen-on= 10.0.0.52
Default-phase-1-lifetime= 28800,60:86400
Default-phase-2-lifetime= 1200,60:86400
DPD-check-interval= 10
Policy-File= /etc/isakmpd/isakmpd.policy

So with isakmpd, I'm used to using ipsecctl and having multiple /etc/ipsec.conf.tunnelXYZ files around, so that I can up/down etc. single tunnels without affecting the others.

Now adding iked with the following config:
ikev2 "just a test" \
esp proto tcp \
from 192.168.66.0/24 to 192.168.77.0/24 \
peer 172.16.0.3 local 192.166.0.4

Starting up iked works. However, it binds to *:500 and *:4500, so care has to be taken to start it after isakmpd, otherwise isakmpd would refuse to start. I used the "local" keyword to see if iked would only bind to that specific address, but it doesn't.
Looking at the ikectl manpage, I only see "load <filename>". So I could specify alternate configuration files, but that would affect the overall iked configuration; I cannot add/remove single tunnel instances to iked?
I've seen that in iked.conf I can specify names for the flows, but I guess that's only for easier identification; I cannot use these names to trigger a start/stop/restart of a given flow?
I haven't used iked before; so far, isakmpd was sufficient, so I'm a bit curious, and might be missing something about iked in general.

Also, isakmpd/iked and ipsecctl/ikectl work on the same kernel resources; do they step on each other's toes?

Also, if it's not possible to run iked and isakmpd together on the same node, no big deal, I can easily run them on separate nodes; I just wanted to ensure I don't miss anything.

thanks,
Sebastian
