On Wed, Apr 14, 2021 at 03:28:31PM +0300, Dev Op wrote:
> Hello all!
> 
> I have several partners working with different IKE versions. Is it possible
> to run iked and isakmpd on the same machine if I have two public
> IP addresses on it?
> 
> On isakmpd (IKEv1) it's simple, for example:
> /etc/isakmpd/isakmpd.conf
> [General]
> Listen-on=X.X.X.X
> Retransmits=32
> Exchange-max-time=240
> DPD-check-interval=30
> Default-phase-1-lifetime=86400,60:86400
> Default-phase-2-lifetime=86400,60:86400
> 
> But how to bind iked (IKEv2) to another address Y.Y.Y.Y?

Running both on the same system isn't possible. As far as I understand
it's not just about the UDP listening ports. It isn't possible to share
the kernel's IPsec flow table cleanly between the two daemons.

You should be able to work around this limitation by running one of the
daemons in a virtual machine, e.g. in vmm(4), provided your hardware
supports this. Check: grep ^vmm0 /var/run/dmesg.boot
It is possible to bridge the VM's host-side network interface with the
physical network interface. This way, the VM could directly use one of
the two IP addresses, eliminating the need for NAT.

> $ uname -r
> 6.7

You should upgrade to 6.8 now. The 6.9 release is just around the corner.
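To make the vmm(4) workaround above concrete, here is an added example (not part of the original thread, and not OpenBSD's own configuration) of the host-side files it implies: the physical interface keeps X.X.X.X for isakmpd, a bridge(4) joins that interface, and vm.conf attaches the guest to the bridge so the guest can own Y.Y.Y.Y directly with no NAT. The interface name em0, the VM name "ikev2gw", the disk image path, the netmask and the DEST variable are assumptions for illustration; the vmm check is the one quoted in the reply.

```shell
#!/bin/sh
# Added example, not from the original thread. Host-side setup for running
# the second IKE daemon in a vmm(4) guest that is bridged onto the physical NIC.
# Assumptions (hypothetical): physical interface em0, host address X.X.X.X,
# guest address Y.Y.Y.Y, VM name "ikev2gw", disk image /home/vm/ikev2gw.img.
# DEST is a prefix for the generated files; leave it empty for the real /etc,
# or point it at a scratch directory to preview what would be written.

DEST="${DEST:-}"

# Return 0 when vmm0 attached at boot, i.e. the CPU and firmware support vmm(4).
# The file argument defaults to the real boot dmesg, as in the reply above.
vmm_available() {
    grep -q '^vmm0' "${1:-/var/run/dmesg.boot}"
}

# Write the three host-side files. Nothing here touches the guest; inside the
# VM the virtio interface (vio0) simply gets Y.Y.Y.Y and runs iked.
write_configs() {
    mkdir -p "$DEST/etc"

    # The host keeps X.X.X.X on the physical interface; isakmpd binds here
    # (Listen-on=X.X.X.X in isakmpd.conf, as in the quoted question).
    cat > "$DEST/etc/hostname.em0" <<'EOF'
inet X.X.X.X 255.255.255.0
EOF

    # bridge0 joins the physical interface. vmd(8) adds the guest's tap(4)
    # interface to this bridge automatically through the switch declared below.
    cat > "$DEST/etc/hostname.bridge0" <<'EOF'
add em0
up
EOF

    # vm.conf(5): a switch backed by bridge0, and a guest whose single
    # interface is plugged into that switch.
    cat > "$DEST/etc/vm.conf" <<'EOF'
switch "uplink" {
    interface bridge0
}

vm "ikev2gw" {
    memory 512M
    disk "/home/vm/ikev2gw.img"
    interface {
        switch "uplink"
    }
}
EOF
}

# Only write files when explicitly asked, after confirming vmm(4) is present.
if [ "${1:-}" = "apply" ]; then
    vmm_available || { echo "vmm0 not found in dmesg.boot; no VM support" >&2; exit 1; }
    write_configs
fi
```

Run it as `DEST=/tmp/preview sh bridge-vm.sh apply` to inspect the generated files first, then without DEST on the real host, followed by `sh /etc/netstart em0 bridge0` and `rcctl enable vmd && rcctl start vmd`. Inside the guest, `/etc/hostname.vio0` carries `inet Y.Y.Y.Y 255.255.255.0` and iked runs there unchanged, so each daemon sees only its own address and its own kernel flow table.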
