On 11 dec 2006, at 07.14, nuffnough wrote:

> Hi...
>
> I have recently started using OpenBSD, and one of the things that I liked
> most about it was the ease with which I got my VPN tunnels working with isakmpd.
>
> I've learnt in the past few weeks that the use of isakmpd is being
> deprecated in favour of ipsec.
>
> Rather, using ipsec.conf is recommended over isakmpd.conf.
>
> What were the reasons that led to this decision..?

Some people seem to find isakmpd.conf a bit complex. :)

> How long will I still be able to use isakmpd?

ipsecctl is a frontend to isakmpd; it does not replace the functionality. isakmpd is still doing all IKE processing.

Typically you create an ipsec.conf file, which ipsecctl parses; the output is "isakmpd.conf" style data that is fed to isakmpd via the command fifo (see isakmpd(8)).

> What are the advantages that ipsec has over isakmpd?

Assuming you mean ipsecctl and not IPsec, it makes IKE configuration easier. I.e. one does not have to be an IPsec/IKE "expert" to set up a VPN.

> Will I still be able to configure custom policies when the defaults aren't
> appropriate?

Yes. At least I've heard nothing about actually disabling isakmpd reading isakmpd.conf.

Also, combinations are possible. You can change (some of) isakmpd's defaults by tweaking them in isakmpd.conf, then use ipsec.conf to do the actual (or additional) tunnel setup. Note that ipsecctl has some defaults and settings of its own that may override your defaults (the "last thing to be specified" applies).

/H
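
To illustrate the difference in complexity discussed in the reply above, here is the same site-to-site tunnel written once for ipsec.conf and once for isakmpd.conf. This is an added example, not part of the original post: the addresses, section names and pre-shared key are constructed placeholders, and the negotiated proposals are left to each tool's defaults, so the two are comparable rather than byte-for-byte equivalent.

```conf
# ---- /etc/ipsec.conf (parsed by ipsecctl, then fed to isakmpd) ----
# One rule: protect traffic between the two LANs, negotiate with the
# peer gateway 192.0.2.2, authenticate with a pre-shared key.
# All addresses and the key are constructed sample values.
ike esp from 10.0.1.0/24 to 10.0.2.0/24 peer 192.0.2.2 \
	psk "CONSTRUCTED-PLACEHOLDER-SECRET"

# ---- /etc/isakmpd/isakmpd.conf (read directly by isakmpd) ----
# The same tunnel needs the phase 1 peer, the phase 2 connection and
# both traffic selectors spelled out as separate sections.
# Section names (peer-b, net-a-net-b, net-a, net-b) are hypothetical.
[Phase 1]
192.0.2.2=		peer-b

[Phase 2]
Connections=		net-a-net-b

[peer-b]
Phase=			1
Address=		192.0.2.2
Configuration=		Default-main-mode
Authentication=		CONSTRUCTED-PLACEHOLDER-SECRET

[net-a-net-b]
Phase=			2
ISAKMP-peer=		peer-b
Configuration=		Default-quick-mode
Local-ID=		net-a
Remote-ID=		net-b

[net-a]
ID-type=		IPV4_ADDR_SUBNET
Network=		10.0.1.0
Netmask=		255.255.255.0

[net-b]
ID-type=		IPV4_ADDR_SUBNET
Network=		10.0.2.0
Netmask=		255.255.255.0
```

Both files hold the shared secret in clear text, so keep them owned by root and not readable by group or others. `ipsecctl -n -v -f /etc/ipsec.conf` parses the rule set and reports errors without loading anything.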
