FYI, Hakan tells me this isn't possible now, but might be someday.
Sean Knox wrote:
[I didn't get much response on the openbsd-ipsec list, so I'm reposting
here]
I'm having problems allowing roadwarrior connections from aggressive and
main mode clients to connect isakmpd at the same time. At the moment,
I can only allow one, either main mode or aggressive by specifying a
"Default" ISAKMP SA negotiation root, a la:
[Phase 1]
Default = road-aggressive
#Default = road-main-mode
If I don't specify a default phase 1 connection, isakmpd uses the
road-main-mode connection:
160001.993149 Default exchange_setup_p1: expected exchange type ID_PROT
got AGGRESSIVE
I've tried setting the Phase 1 Local-Addresses to listen on different
IPs, but isakmpd still uses the road-main-mode connection for incoming
aggressive connections. Can isakmpd be configured to accept main mode
*and* aggressive mode clients?
thanks,
sk
(connection settings from isakmpd.conf below)
--- from isakmpd.conf ---
[Phase 1]
#Default = road-aggressive-p1
#Default = road-main-mode-p1
[Phase 2]
Passive-Connections= roadwarriors-aggr,roadwarriors-main
##########################
## Phase 1 definitions
##########################
[road-aggressive-p1]
Phase = 1
Local-Address = 10.10.10.1
Configuration = aggr-mode-psk
Authentication = supersecretpw
Flags = IKECFG
[road-main-mode-p1]
Phase = 1
Local-Address = 10.10.10.2
Configuration = main-mode-rsa
Flags = IKECFG
#########################
## Phase 2 definitions
#########################
[roadwarriors-aggr]
Phase = 2
Configuration = Default-quick-mode
Local-ID = lan
Remote-ID = anybody
ISAKMP-peer = road-aggressive-p1
[roadwarriors-main]
Phase = 2
Configuration = Default-quick-mode
Local-ID = lan
Remote-ID = anybody
ISAKMP-peer = road-main-mode-p1
#########################
## IDs
#########################
[anybody]
ID-type= IPV4_ADDR
Address= 0.0.0.0
[lan]
ID-type = IPV4_ADDR_SUBNET
Network = 192.168.5.0
Netmask = 255.255.255.0
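One thing worth checking in a config like the one above before chasing isakmpd's exchange-type behaviour: every connection, peer, ID and configuration in isakmpd.conf is just a section name that some other section points at, and a value naming a section that does not exist is not caught at edit time. The checker below is an added example, not part of the original post and not part of isakmpd. It parses the INI-style layout and reports values that name an undefined section. The config it runs on is constructed for the example: it follows the posted one, stubs the three Configuration sections with only an EXCHANGE_TYPE line (a real one also needs Transforms or Suites, which are not cross-checked here because isakmpd supplies built-in defaults for them), and deliberately points the main-mode Phase 2 section at a Phase 1 section name that is not defined.

```python
"""Cross-reference check for isakmpd.conf section names.

Added example, not from the original post and not part of isakmpd.
SAMPLE_CONF is constructed for this example: it mirrors the posted
layout, with Configuration sections reduced to an EXCHANGE_TYPE stub,
and with [roadwarriors-main] pointing at a Phase 1 section that is
not defined.
"""
import re

# Keys whose values name other sections (comma-separated lists allowed).
# In [Phase 1] every line (Default= and each peer-address line) names a
# peer section, so all keys there are treated as references.
REFERENCE_KEYS = {
    "Phase 2": {"Connections", "Passive-Connections"},
    "*": {"ISAKMP-peer", "Configuration", "ID", "Local-ID", "Remote-ID"},
}

# Constructed sample; the dangling ISAKMP-peer is deliberate.
SAMPLE_CONF = """\
[Phase 1]
Default= road-aggressive-p1
[Phase 2]
Passive-Connections= roadwarriors-aggr,roadwarriors-main
[road-aggressive-p1]
Phase= 1
Local-Address= 10.10.10.1
Configuration= aggr-mode-psk
[road-main-mode-p1]
Phase= 1
Local-Address= 10.10.10.2
Configuration= main-mode-rsa
[roadwarriors-aggr]
Phase= 2
Configuration= Default-quick-mode
Local-ID= lan
Remote-ID= anybody
ISAKMP-peer= road-aggressive-p1
[roadwarriors-main]
Phase= 2
Configuration= Default-quick-mode
Local-ID= lan
Remote-ID= anybody
ISAKMP-peer= road-main-p1
[anybody]
ID-type= IPV4_ADDR
Address= 0.0.0.0
[lan]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.5.0
Netmask= 255.255.255.0
[aggr-mode-psk]
EXCHANGE_TYPE= AGGRESSIVE
[main-mode-rsa]
EXCHANGE_TYPE= ID_PROT
[Default-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
"""


def parse_isakmpd_conf(text):
    """Return {section: {key: value}}; '#' lines are comments."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
        else:
            raise ValueError("line %d: not a section header or key=value" % lineno)
    return sections


def dangling_references(sections):
    """Return sorted (section, key, missing_section) triples."""
    problems = []
    for name, entries in sections.items():
        for key, value in entries.items():
            is_ref = (name == "Phase 1"
                      or key in REFERENCE_KEYS.get(name, ())
                      or key in REFERENCE_KEYS["*"])
            if not is_ref:
                continue
            for target in (t.strip() for t in value.split(",")):
                if target and target not in sections:
                    problems.append((name, key, target))
    return sorted(problems)


if __name__ == "__main__":
    for section, key, target in dangling_references(parse_isakmpd_conf(SAMPLE_CONF)):
        print("[%s] %s= %s: no such section" % (section, key, target))
```

Run against a real file with `parse_isakmpd_conf(open("/etc/isakmpd/isakmpd.conf").read())`; an empty list from `dangling_references` means every Default, Connections, Passive-Connections, ISAKMP-peer, Configuration and ID reference resolves, so any remaining problem is in isakmpd's exchange handling rather than in a typo.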