Hi,

On Fri, Feb 23, 2007 at 12:09:27AM +0000, Stuart Henderson wrote:
> 
> @0 C set [Phase 1]:Default=peer-default force
> C set [peer-default]:Phase=1 force
> C set [peer-default]:Authentication=22222 force
> C set [peer-default]:Configuration=mm-default force
> C set [peer-default]:ID=me.mylan.net-ID force
> C set [peer-default]:Remote-ID=default-ID force
> C set [default-ID]:ID-type=FQDN force
> C set [default-ID]:Name=net.100 force
> 
> @1 C set [Phase 1]:Default=peer-default force
> C set [peer-default]:Phase=1 force
> C set [peer-default]:Authentication=33333 force
> C set [peer-default]:Configuration=mm-default force
> C set [peer-default]:ID=me.mylan.net-ID force
> C set [peer-default]:Remote-ID=default-ID force
> C set [default-ID]:ID-type=FQDN force
> C set [default-ID]:Name=net.101 force
> 
> Obviously, having the same names, the first is overwritten by the second.
> 
> Would I be totally going down the wrong route if I were to change
> the hardcoded -default and default- section names in ipsecctl/ike.c
> to something based on dstid?

Yes.  There is only one "catch-all" entry for peers where the IP
address is not known, the "[Phase 1]:Default=peer-default" (see
isakmpd.conf(5)).

Therefore, it is not possible to have multiple main mode IDs,
transforms, etc. when the peer is not specified.  Thus, ipsecctl
just overwrites the IDs, transforms, etc.  I agree, this is somewhat
sloppy and will be fixed (i.e. ipsecctl will fail parsing the config
file).

BTW, your example (peer not specified, multiple PSKs) does not work
in main mode at all (per design).  For such setups you'll have to
use aggressive mode, which is not recommended (please see the caveats
section of isakmpd.conf(5)).

Just use RSA keys:

ike passive esp from 10.1.10.0/24 to 10.1.44.100/24 \
        quick auth hmac-sha1 enc aes group grp2 \
        srcid me.mylan.net dstid net.100

ike passive esp from 10.1.10.0/24 to 10.1.44.101/24 \
        quick auth hmac-sha1 enc aes group grp2 \
        srcid me.mylan.net dstid net.101

HJ.

PS:  If you have to use aggressive mode, please hang on, we're
     working on some other diff that will be needed for that.
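As an added example (not code from this thread, from ipsecctl or from isakmpd), a small checker that reads rule dumps in the `C set [section]:tag=value force` form quoted above and reports every section tag that a later rule force-sets to a different value than an earlier one, which is exactly the silent overwrite of the catch-all `peer-default` section described in the reply. The `@N` rule tags and the line grammar are taken from the quoted dump; the sample input is constructed from it.

```python
import re

# Constructed input: the two ipsecctl rule dumps quoted in the thread, for two
# passive rules that both leave the peer address unspecified.
SAMPLE_DUMP = """\
@0 C set [Phase 1]:Default=peer-default force
C set [peer-default]:Phase=1 force
C set [peer-default]:Authentication=22222 force
C set [peer-default]:Configuration=mm-default force
C set [peer-default]:ID=me.mylan.net-ID force
C set [peer-default]:Remote-ID=default-ID force
C set [default-ID]:ID-type=FQDN force
C set [default-ID]:Name=net.100 force

@1 C set [Phase 1]:Default=peer-default force
C set [peer-default]:Phase=1 force
C set [peer-default]:Authentication=33333 force
C set [peer-default]:Configuration=mm-default force
C set [peer-default]:ID=me.mylan.net-ID force
C set [peer-default]:Remote-ID=default-ID force
C set [default-ID]:ID-type=FQDN force
C set [default-ID]:Name=net.101 force
"""

# One "C set [section]:tag=value force" line, optionally led by a rule tag @N.
SET_RE = re.compile(r"^(?:@(\d+)\s+)?C set \[([^\]]+)\]:([^=]+)=(.*?)(?: force)?$")

def parse_sets(dump):
    """Yield (rule, section, tag, value); rule is the last @N tag seen."""
    rule = None
    for line in dump.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue
        if m.group(1) is not None:
            rule = int(m.group(1))
        yield rule, m.group(2), m.group(3), m.group(4)

def find_overwrites(dump):
    """Return (section, tag, first_rule, first_value, later_rule, later_value)
    for each tag a later rule sets to a different value. isakmpd keeps only the
    last value, so every hit is a rule whose PSK or ID silently disappears."""
    first, conflicts = {}, []
    for rule, section, tag, value in parse_sets(dump):
        prev = first.setdefault((section, tag), (rule, value))
        if prev[1] != value:
            conflicts.append((section, tag, prev[0], prev[1], rule, value))
    return conflicts
```

Run against the sample, the checker flags the two tags that differ between the rules (the PSK in `[peer-default]` and the remote ID name in `[default-ID]`) while the tags both rules set identically are not reported.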