On 2019-03-13, Fedor Piecka <[email protected]> wrote:
> I understood that ipsecctl and ipsec.conf are supposed to free the user
> from configuring keynotes manually.
That's not correct. ipsec.conf can take the place of isakmpd.conf in
some limited cases. It doesn't replace keynote in any way.
> Doesn't the parameter "-K" of
> isakmpd mean it won't read keynote policy at all?
That is correct. As the manual puts it,
-K When this option is given, isakmpd does not read the policy
configuration file and no keynote(4) policy check is accomplished.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Could you please clarify a bit further on how keynote policies and
> ipsec.conf automatic keying work together? I understand an option of not
> using ipsec.conf at all, but I don't understand how to use both
> ipsec.conf and isakmpd configuration for a single ESP tunnel.
keynote interacts exactly the same with ipsec.conf as it does with
isakmpd.conf.
ipsecctl -f isn't particularly clever, it's a basic config generator.
It reads ipsec.conf, generates isakmpd.conf sections based on the
config, and feeds these to isakmpd over a fifo. It is missing quite
a lot of configurability that isakmpd.conf allows (for example
allowing multiple encryption suites in the same "default peer"
config).
Run "ipsecctl -vf /etc/ipsec.conf" to see what it's sending,
the output from that can be reformatted slightly and written to
isakmpd.conf.
Yes, keynote is a pain but it's the only available method to get this done.
> Iked doesn't have the same problem. No SAs/flows will be created if the
> networks aren't configured in iked.conf. However, isakmpd->iked migration
> is painful in OpenBSD as their use at the same time isn't straightforward.
Still unsure about that: "from 0.0.0.0/0 to 0.0.0.0/0" is not that
uncommon a setup with iked when you have roaming clients needing to
access "the internet" via vpn, in which case the networks do match ..
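The "reformat slightly and write to isakmpd.conf" step above is the kind of thing that is easy to get wrong by hand, so here is an added example of doing it mechanically. This is not code from the thread, from OpenBSD, or from either poster: it is a small converter for the fifo commands that `ipsecctl -vf /etc/ipsec.conf` prints, turning `C set [Section]:Tag=Value force` / `C add [Section]:Tag=Value` lines into isakmpd.conf(5) INI sections. The sample input lines are constructed for the example (section and tag names are illustrative, not copied from a real setup), and the treatment of `C add` as "append to a comma-separated list" is an assumption made here.

```python
"""Convert `ipsecctl -vf` fifo commands into isakmpd.conf-style sections.

Added example, not OpenBSD code. The command grammar handled is
    C set [Section]:Tag=Value force
    C add [Section]:Tag=Value
Anything else is rejected so a hand-edited or truncated capture is noticed
rather than silently dropped.
"""
import re
from collections import OrderedDict

# Constructed sample input in the shape of `ipsecctl -vf` output.
# Section/tag/address values are illustrative assumptions only.
SAMPLE_FIFO_OUTPUT = """\
C set [Phase 1]:192.0.2.1=peer-192.0.2.1 force
C set [peer-192.0.2.1]:Phase=1 force
C set [peer-192.0.2.1]:Address=192.0.2.1 force
C set [peer-192.0.2.1]:Configuration=mm-192.0.2.1 force
C set [mm-192.0.2.1]:EXCHANGE_TYPE=ID_PROT force
C set [mm-192.0.2.1]:Transforms=AES-SHA force
C add [mm-192.0.2.1]:Transforms=3DES-SHA
C set [Phase 2]:Connections=IPsec-10.0.0.0/24-10.1.0.0/24 force
"""

# verb, section, tag, value; the trailing " force" is optional.
_CMD = re.compile(
    r'^C (?P<verb>set|add) \[(?P<section>[^\]]+)\]:'
    r'(?P<tag>[^=]+)=(?P<value>.*?)(?: force)?$'
)


def parse_fifo_commands(text):
    """Return OrderedDict {section: OrderedDict {tag: value}}.

    'set' overwrites a tag; 'add' appends to the tag's comma-separated
    value list (assumed semantics for isakmpd's "C add"). Lines that are
    not C set/add commands raise ValueError with the offending line.
    """
    sections = OrderedDict()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _CMD.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a 'C set/add' command: {line!r}")
        sec = sections.setdefault(m['section'], OrderedDict())
        tag, value = m['tag'], m['value']
        if m['verb'] == 'add' and sec.get(tag):
            sec[tag] = sec[tag] + ',' + value
        else:
            sec[tag] = value
    return sections


def to_isakmpd_conf(sections):
    """Render parsed sections as isakmpd.conf-style text ([Section] then Tag=Value)."""
    out = []
    for name, tags in sections.items():
        out.append(f'[{name}]')
        for tag, value in tags.items():
            out.append(f'{tag}={value}')
        out.append('')  # blank line between sections
    return '\n'.join(out)


if __name__ == '__main__':
    # Usage: ipsecctl -vf /etc/ipsec.conf | python3 this_script.py  (piping is
    # left to the reader; here the constructed sample is converted instead)
    print(to_isakmpd_conf(parse_fifo_commands(SAMPLE_FIFO_OUTPUT)))
```

Check the generated sections against isakmpd.conf(5) before relying on them; the converter only reshapes what ipsecctl already sends, so anything ipsecctl cannot express (the multiple-suite "default peer" case mentioned above) still has to be added to isakmpd.conf by hand afterwards.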