On 2011-06-14, Paul Suh <[email protected]> wrote:
> On Jun 7, 2011, at 11:29 AM, Rodolfo Gouveia wrote:
>> I thought you could change those in isakmpd.conf:
>>     # Certificates stored in PEM format
>>     [X509-certificates]
>>     CA-directory=           /etc/isakmpd/ca/
>>     Cert-directory=         /etc/isakmpd/certs/
>>     CRL-directory=          /etc/isakmpd/crls/
>>     Private-key=            /etc/isakmpd/private/local.key
>> I took the above from the isakmpd.conf(5).
>
> Rodolfo,
>
> Thanks for the input, but the lockout to /etc/isakmpd actually happens in the
> code -- see my reply to Stuart Henderson's post. Changing the values in
> isakmpd.conf won't do anything.

ah, m_priv_local_sanitize_path() does a realpath() lookup and
enforces that the path is inside /etc/isakmpd (RO) or /var/run (RW).

> Also, I'm not using isakmpd.conf -- I'm using ipsec.conf and running "isakmpd
> -K" so that I can use ipsecctl. This is a lot simpler than isakmpd.conf and is
> (I believe) the preferred way to do IPSec these days.

there's no problem mixing ipsec.conf and isakmpd.conf; for example,
isakmpd.conf is the only way to set certain things (e.g. lifetimes for
the default peer).

also note that ipsec.conf does not require -K; you can (and in some
cases should) use ipsec.conf with keynote policies.
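The check described above (canonicalise with realpath(3), then require the result to sit below /etc/isakmpd for reads or /var/run for writes) is easy to get subtly wrong, so here is an added illustration of that pattern. This is example code written for this thread, not isakmpd's m_priv_local_sanitize_path() itself; the function names path_under_dir(), sanitize_path() and request_ok(), and the decision to resolve only the directory part so that a file which does not exist yet can still be created, are this example's own assumptions.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* The two roots named in the reply: read-only under /etc/isakmpd,
 * read-write under /var/run. (Assumed layout for this example.) */
struct allowed_root { const char *dir; int writable; };
static const struct allowed_root roots[] = {
    { "/etc/isakmpd", 0 },
    { "/var/run",     1 },
};

/* Prefix test on an already-canonical path: 1 if path is dir itself or
 * lies below it. Checking the component boundary is what stops
 * "/etc/isakmpd-evil/x" from passing as if it were under /etc/isakmpd. */
int path_under_dir(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    if (strncmp(path, dir, n) != 0)
        return 0;
    return path[n] == '\0' || path[n] == '/';
}

/* Returns 1 and fills out[PATH_MAX] with the canonical path if the request
 * is acceptable, 0 otherwise. Only the directory part goes through
 * realpath(3), because the file itself may not exist yet (for a write);
 * the final component is kept literal and may not be "", "." or "..". */
int sanitize_path(const char *requested, int want_write, char *out)
{
    char dirbuf[PATH_MAX], resolved[PATH_MAX];
    const char *slash, *base;
    size_t dirlen, i;

    if (requested == NULL || requested[0] != '/')   /* absolute paths only */
        return 0;
    slash = strrchr(requested, '/');
    base = slash + 1;
    if (base[0] == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return 0;
    dirlen = (size_t)(slash - requested);
    if (dirlen >= sizeof dirbuf)
        return 0;
    /* "%.*s" with length 1 yields "/" for a file directly under the root */
    snprintf(dirbuf, sizeof dirbuf, "%.*s",
             dirlen == 0 ? 1 : (int)dirlen, requested);

    /* Symlinks and ".." in the directory part are resolved here, so the
     * prefix comparison below is against where the path really leads. */
    if (realpath(dirbuf, resolved) == NULL)
        return 0;   /* missing or unreadable directory, or too long */

    for (i = 0; i < sizeof roots / sizeof roots[0]; i++) {
        if (!path_under_dir(resolved, roots[i].dir))
            continue;
        if (want_write && !roots[i].writable)
            return 0;   /* writes below /etc/isakmpd are refused */
        if (snprintf(out, PATH_MAX, "%s/%s", resolved, base) >= PATH_MAX)
            return 0;
        return 1;
    }
    return 0;   /* outside both roots */
}

/* Convenience wrapper: just the verdict, no buffer handling. */
int request_ok(const char *requested, int want_write)
{
    char out[PATH_MAX];
    return sanitize_path(requested, want_write, out);
}

int main(void)
{
    const char *tests[] = {
        "/etc/isakmpd/certs/peer.pem", "/etc/isakmpd/../passwd",
        "/var/run/isakmpd.fifo", "/tmp/x", "relative/path",
    };
    size_t i;
    for (i = 0; i < sizeof tests / sizeof tests[0]; i++)
        printf("%-32s read:%d write:%d\n", tests[i],
               request_ok(tests[i], 0), request_ok(tests[i], 1));
    return 0;
}
```

Two things worth noticing when you run it: the comparison is made against the resolved path, so on a system where /var/run is a symlink to /run a request for /var/run/foo is rejected (the allowed root would have to be spelled the way realpath returns it), and a request whose directory does not exist is rejected outright because realpath fails, which is the safe default.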
