Thanks Reyk. I'll stick with isakmp for now but would like to switch to iked when it's ready.

BTW. Any known issues with isakmp and groups larger than modp1024? I still can't get isakmpd to use anything larger than that?

-Jim

On 10/19/12 3:35 PM, Reyk Floeter wrote:
> Hi,
>
> On Fri, Oct 19, 2012 at 8:10 PM, Tyler Morgan <tyl...@tradetech.net> wrote:
>> On 10/19/2012 1:16 AM, Jim Miller wrote:
>>> Two part question:
>>>
>>> 1. Anyone had any success getting iked and carp working on OpenBSD 5.1
>>> (amd64)? We can get it working with isakmpd. The issue seems to be
>>> that iked wants to send out packets as the physical interface IP instead
>>> of the carp IP. iked documentation alludes to the fact that it should
>>> work.
> thanks for reporting, I can reproduce the problem.
>
>> In my experience under 5.1 isakmpd wants to use the IP from the real
>> physical interface instead of the virtual carp interface too, so I have to
>> use the "local x.x.x.x" command in ipsec.conf, where x.x.x.x = my carp IP --
>> this forces it onto the carp IP and all is well.
>>
>> iked.conf(5) has a similar "local" command. Does it not work?
>>
> It does not work. You can see that iked is setting the carp address
> correctly but the address on the wire is the primary one. Fail. The
> code doesn't bind() to the IP used in the "local" command and the
> kernel uses the primary address for the related route.
>
> btw. you can also specify "local carp0" instead of the IP address and
> it will pick the interface's first address.
>
>> and keep in mind the caveat:
>>
>> "iked is not yet finished and is missing some important security features.
>> It should not yet be used in production networks." -- iked(8)
>>
> Yeah, but we're working on it. I actually added this comment before
> mikeb@ added support for SA expiration, lifetimes and retransmits. So
> iked is still not ready, but the situation is much better now ;-)
>
> reyk
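As an added example (not from the thread and not OpenBSD's own sample configs), here is the "local" workaround Tyler describes, written out as an ipsec.conf rule for isakmpd and the equivalent iked.conf rule using the "local carp0" interface form reyk mentions. All addresses, subnets, the rule name and the pre-shared key are constructed placeholders. Keep in mind that, per reyk's reply above, on 5.1 the iked form set the address in its configuration but did not bind() to it, so the physical address still went on the wire.

```conf
# /etc/ipsec.conf (isakmpd): pin the IKE endpoint to the shared carp address.
# Constructed values: 192.0.2.10 is the carp IP, 198.51.100.1 the remote peer,
# 10.1.0.0/24 and 10.2.0.0/24 the protected networks on each side.
ike esp from 10.1.0.0/24 to 10.2.0.0/24 local 192.0.2.10 peer 198.51.100.1 psk "placeholder-change-me"

# /etc/iked.conf: the same policy for iked. "local carp0" is accepted instead of
# an address; iked then uses the interface's first address (per reyk's note).
# "carp-tunnel" is an arbitrary placeholder rule name.
ikev2 "carp-tunnel" esp from 10.1.0.0/24 to 10.2.0.0/24 local carp0 peer 198.51.100.1 psk "placeholder-change-me"
```

The check worth doing after loading either rule is the one reyk describes: the configured address and the address on the wire can differ. Capturing UDP ports 500 and 4500 on the physical interface (not carp0) while the tunnel negotiates shows which source address the peer actually sees; if it is the physical address rather than the carp address, the "local" setting has not taken effect and the peer will reject or misroute the exchange after a carp failover.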