Hi,
I'm wondering if it would be possible to add iked to my box already running
isakmpd.
I found this quite old thread:
http://openbsd-archive.7691.n7.nabble.com/iked-isakmpd-on-the-same-machine-td246610.html
just checking to see if things might have changed since then.
I've a vio0 interface with two IPs, 10.0.0.52 and 192.168.0.4,
so I've isakmpd running, binding it to a specific IP like this:
[General]
Listen-on= 10.0.0.52
Default-phase-1-lifetime= 28800,60:86400
Default-phase-2-lifetime= 1200,60:86400
DPD-check-interval= 10
Policy-File= /etc/isakmpd/isakmpd.policy
so with isakmpd, I'm used to using ipsecctl and having multiple
/etc/ipsec.conf.tunnelXYZ files around, so that I can up/down etc. single
tunnels without affecting the others.
now adding iked with following config:
ikev2 "just a test" \
esp proto tcp \
from 192.168.66.0/24 to 192.168.77.0/24 \
peer 172.16.0.3 local 192.166.0.4
starting up iked works. However, it binds to *:500 and *:4500, so care has to be
taken to start it after isakmpd; otherwise isakmpd would refuse to start. I
used the "local" keyword to see if iked would only bind to that specific
address, but it doesn't.
Looking at the ikectl manpage, I only see the "load <filename>". So I could specify
alternate configuration files, but that would affect the overall iked
configuration; I cannot add/remove single tunnel instances to iked?
I've seen that in iked.conf I can specify names for the flows, but I guess
that's only for easier identification; I cannot use
these names to trigger a start/stop/restart of a given flow?
I haven't used iked before; so far, isakmpd was sufficient, so I'm a bit
curious, and might miss something about iked in general.
Also, isakmpd/iked and ipsecctl/ikectl work on the same kernel resources; do
they step on each other's toes?
Also, if it's not possible to run iked and isakmpd together on the same node, no big
deal, I can easily run them on separate nodes; I just
wanted to ensure I don't miss anything.
thanks,
Sebastian
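Added example (editor's addition, not part of Sebastian's mail or of any reply in the thread): the iked.conf counterpart of the isakmpd "Listen-on" line above, using the "listen on" directive documented in iked.conf(5) to restrict the UDP 500/4500 sockets to the second interface address, with the "local" keyword corrected to match the address the mail gives for vio0. It assumes the OpenBSD release in use carries that directive; the mail itself only tests "local", so whether this makes the two daemons coexist cleanly is not something the thread establishes.

```conf
# /etc/iked.conf (constructed example)
# Bind IKEv2 sockets to the address isakmpd is NOT using, instead of *:500 / *:4500.
# "listen on" is the iked.conf(5) directive for this; "local" only selects the
# address used for the SA, it does not change which sockets iked opens.
listen on 192.168.0.4

# Flow name is for identification in ikectl/logs; it does not make the flow
# individually startable or stoppable.
ikev2 "just a test" \
	esp proto tcp \
	from 192.168.66.0/24 to 192.168.77.0/24 \
	peer 172.16.0.3 local 192.168.0.4
```

After loading it, checking which local addresses hold UDP 500 and 4500 (e.g. with netstat -an -f inet -p udp) shows whether iked stopped binding the wildcard address and left 10.0.0.52 to isakmpd.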