I understood that ipsecctl and ipsec.conf are supposed to free the user
from configuring keynotes manually. Doesn't the parameter "-K" of
isakmpd mean it won't read keynote policy at all?
man ipsec.conf:
The keying daemon, isakmpd(8), can be enabled to run at boot time via the
isakmpd_flags variable in rc.conf.local(8). Note that it will probably
need to be run with at least the -K option, to avoid keynote(4) policy
checking.
man isakmpd:
-K  When this option is given, isakmpd does not read the policy
    configuration file and no keynote(4) policy check is
    accomplished. This option can be used when policies for flows
    and SA establishment are arranged by other programs like
    ipsecctl(8) or bgpd(8).
Could you please clarify a bit further how keynote policies and
ipsec.conf automatic keying work together? I understand the option of not
using ipsec.conf at all, but I don't understand how to use both
ipsec.conf and isakmpd configuration for a single ESP tunnel.
Iked doesn't have the same problem. No SAs/flows will be created if the
networks aren't configured in iked.conf. However, isakmpd->iked migration
is painful in OpenBSD, as using both at the same time isn't straightforward.
On 13. 3. 2019 at 10:20, Stuart Henderson wrote:
isakmpd: it is a misconfiguration (but an incredibly common one), you
should use a keynote policy to prevent this.
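For reference, an added example (not part of this thread, and not a configuration from the OpenBSD project itself) of the two halves of the setup the discussion contrasts: the rc.conf.local line that disables policy checking, and a minimal /etc/isakmpd/isakmpd.policy file that instead makes isakmpd accept only ESP SAs with real encryption from a peer presenting the given pre-shared key. The passphrase value is a constructed placeholder.

```text
# /etc/rc.conf.local -- variant A: no keynote policy at all.
# With -K, any flow/SA a peer proposes is accepted as long as
# authentication succeeds; ipsec.conf/ipsecctl alone decides what
# flows exist locally, not what the peer may negotiate.
isakmpd_flags="-K"

# /etc/rc.conf.local -- variant B: keynote policy enforced.
# Without -K, isakmpd reads /etc/isakmpd/isakmpd.policy and refuses
# SAs that no policy assertion authorizes.
isakmpd_flags=""

# /etc/isakmpd/isakmpd.policy (variant B)
# Constructed example; "passphrase:" names the pre-shared key used
# for this peer, and the placeholder must match the PSK configured
# elsewhere (e.g. the psk in ipsec.conf).
KeyNote-Version: 2
Comment: Accept ESP SAs only from a peer holding our pre-shared key
Authorizer: "POLICY"
Licensees: "passphrase:PLACEHOLDER-PRESHARED-KEY"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";
```

Variant B is the direction Stuart's reply points at: the flows still come from ipsec.conf, but keynote decides whether a proposed SA is acceptable, so a peer cannot talk an unrestricted isakmpd into SAs for networks you never intended.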