On May 26, 2010, at 1:58 PM, Jacob Yocom-Piatt wrote:

> Bryan wrote:
>> On Tue, May 25, 2010 at 14:06, [email protected]
>> <[email protected]> wrote:
>>
>>> over the past several years i have encountered a variety of problems with
>>> isakmpd that range from difficult to translate error messages to tunnels
>>> dropping without explanation.
>>>
>>>
> seriously...
>
> have you ever used isakmpd?

I use it all the time between roughly 10 boxen.

> i ask this because i get the impression that you have not used it much if
> you missed the point of my message. it totally sucks - i've been using it
> since 2003 and very little has changed except the ipsecctl interface making it
> quicker to setup tunnels. a number of people in the openbsd community have
> discussed the possibility of a total rewrite with me over the past several
> years because they too believe it is old and flaky.
>
> isakmpd is brittle as hell and endpoints being snapshots that are a few
> months apart is enough to cause serious interoperation problems. someone may
> or may not have developed an improved version of isakmpd that runs on openbsd,
> i will not name names, and that is because isakmpd is not commercial grade
> software. there is a lot of neat and challenging crypto code in isakmpd but,
> imo, further improvements are tolerated turd polishing.
>
> i'm looking for an alternative so i don't have to resort to excessive
> debugging and answering a series of 10 questions to figure out wtf is going
> on. i am not saying that your list of questions is the wrong way to debug
> this, it's totally correct, only that you're a fucking idiot for not getting
> the point of my original message. it is amazing that you have the patience to
> follow the ridiculously long trail to troubleshoot and fix isakmpd but don't
> see that walking this trail is due to the code being old and brittle.
>

And you want any help after talking to this list that way?

> based on the lack of replies i speculate not many people use an ssh vpn...

Nope, we run isakmpd.
