Hi, I'm running an IPSEC setup using isakmpd.conf + isakmpd.policy, and would like to move to using ipsec.conf instead.

First off, I noticed that, if isakmpd is running w/o the '-K' switch, running 'ipsecctl -f somefile' results in a problem accessing /var/run/isakmpd.fifo, with a "file does not exist" error.

I have cobbled together a very simple configuration, derived from the classic East-West style config files that I already use (and which work great). In /etc/isakmpd/certs I have the public part of an X.509 certificate for all affected parties, esp. the IPSEC peers, named like this: "1.2.3.4.crt" for a peer with id type IPV4_ADDR and an IP number of 1.2.3.4. For mobile users, I have certificates in the same directory named "u...@example.com.crt" for a UFQDN id of "u...@example.com". In /etc/isakmpd/private I have the machine's own private key file, corresponding to its id (e.g. "1.2.3.4.key" for a VPN gateway). The tunnels are all set up mostly the same way, using main mode, X.509 certificates for authentication, PFS, tunnel mode, and IKE configuration in the case of mobile users.

To test my new ipsec.conf file, I temporarily moved the isakmpd.{conf,policy} files out of the way, restarted isakmpd with -K, and ran 'ipsecctl -f my-ipsec.conf', which reads like this, following the example closely:

    ike esp from 172.17.16.0/24 to 172.17.0/20 peer 1.2.3.4 \
        srcid 1.2.3.5 dstid 1.2.3.4
    ike esp from 1.2.3.5 to 1.2.3.4 \
        srcid 1.2.3.5 dstid 1.2.3.4

The tunnel doesn't come up, and the log files (-DA=90) show:

    Default ike_phase_1_recv_ID: received remote ID other than expected 1.2.3.4

Collecting some packets I can see:

    17:33:56.358776 1.2.3.4.500 > 1.2.3.5.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: 10e2114ec84c8a9d->2cd65760e925dc55 msgid: 00000000 len: 1292 payload: ID len: 12 type: IPV4_ADDR = 1.2.3.4 payload: CERT len: 992 payload: SIG len: 260 [ttl 0] (id 1, len 1320)

The ID is both in the CN and the subjectAltName attribute of the certificate involved.
I've also tried without the 'srcid' and 'dstid' specifiers, as the man page says that, in this case, the IP number(s) are taken as IDs, but still no luck. What gives?

Kind regards,
--Toni++
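As an added diagnostic, not part of the original post and not an OpenBSD tool: a small Python script that parses the 'ike ... peer/srcid/dstid' subset of ipsec.conf and the ID payload from a tcpdump line like the one above, then reports whether the type and value the peer sent match the configured dstid. The inputs are constructed to mirror the post, and the id_type() classification (ASN1_DN for a leading "/", UFQDN for "user@host", FQDN otherwise, IP addresses by syntax) is my assumption about how ipsec.conf ids are typed. On the post's data the value and type both read IPV4_ADDR 1.2.3.4, so whatever isakmpd objects to is not visible in the printed ID alone.

```python
import re
from ipaddress import ip_address

# Constructed inputs modelled on the post (addresses as in the post; the
# second destination network is written out as 172.17.0.0/20 here).
IPSEC_CONF = """\
ike esp from 172.17.16.0/24 to 172.17.0.0/20 peer 1.2.3.4 \\
    srcid 1.2.3.5 dstid 1.2.3.4
ike esp from 1.2.3.5 to 1.2.3.4 \\
    srcid 1.2.3.5 dstid 1.2.3.4
"""
CAPTURE = ("17:33:56.358776 1.2.3.4.500 > 1.2.3.5.500: [udp sum ok] isakmp v1.0 "
           "exchange ID_PROT payload: ID len: 12 type: IPV4_ADDR = 1.2.3.4 "
           "payload: CERT len: 992 payload: SIG len: 260")

def id_type(ident):
    """Assumed ipsec.conf id typing: DN, user@fqdn, IP literal, else FQDN."""
    if ident.startswith("/"):
        return "ASN1_DN"
    if "@" in ident:
        return "UFQDN"
    try:
        return "IPV4_ADDR" if ip_address(ident).version == 4 else "IPV6_ADDR"
    except ValueError:
        return "FQDN"

def parse_rules(text):
    """Parse 'ike ... from A to B [peer P] [srcid S] [dstid D]' rules."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        tok = line.split()
        if not tok or tok[0] != "ike":
            continue
        rule = {"from": tok[tok.index("from") + 1], "to": tok[tok.index("to") + 1]}
        for key in ("peer", "srcid", "dstid"):
            if key in tok:
                rule[key] = tok[tok.index(key) + 1]
        # Per the post's reading of the man page, a missing dstid means the
        # peer address is used as the ID.
        rule.setdefault("dstid", rule.get("peer", rule["to"]))
        rules.append(rule)
    return rules

def parse_id_payload(line):
    """Extract the sending address and the ID payload from a tcpdump line."""
    src = re.search(r"(\d+(?:\.\d+){3})\.500 > ", line).group(1)
    m = re.search(r"payload: ID len: \d+ type: (\w+) = (\S+)", line)
    return {"peer": src, "type": m.group(1), "value": m.group(2)}

def check_peer_id(conf, capture_line):
    """Compare the ID a peer sent against the dstid configured for it."""
    got = parse_id_payload(capture_line)
    rule = next(r for r in parse_rules(conf) if r.get("peer", r["to"]) == got["peer"])
    want = rule["dstid"]
    return {"peer": got["peer"], "expected": want, "expected_type": id_type(want),
            "received": got["value"], "received_type": got["type"],
            "match": (id_type(want), want) == (got["type"], got["value"])}
```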