==== Original message from Stuart Henderson at 26-9-2013 23:58
On 2013-09-26, Daniel Polak <dan...@sys.nl> wrote:
I'd like to see how isakmpd interprets the settings in ipsec.conf and
isakmpd.conf and would like to compare those interpretations.

ipsecctl -nvf /etc/ipsec.conf shows the settings from ipsec.conf as they
would be used by isakmpd but I don't see how to do the same with isakmpd.conf.

How can I get the settings from isakmpd.conf and ipsec.conf in the same
format so I can compare them?

isakmpd does not interpret settings in ipsec.conf *at all*; ipsecctl converts
them into control commands which generate isakmpd.conf sections.

to compare, you'll need to adjust the format manually; ipsecctl -nvf outputs
a bunch of lines like this:

C set [sectionname]:variable1=setting1
C set [sectionname]:variable2=setting2
C set [sectionname]:variable3=setting3

which equate to isakmpd.conf entries like this:

[sectionname]
variable1=setting1
variable2=setting2
variable3=setting3

Writing "how isakmpd interprets the settings in ipsec.conf" was slightly misleading, sorry about that. I do understand that ipsecctl reads ipsec.conf, generates control commands and thereby sets up isakmpd.

I have now solved my immediate problem and things are working (I overlooked that the connection was set for passive mode in ipsec.conf and for active mode in isakmpd, and the connection only worked when my side initiated it).

What would have helped me solve this is a way to see what the current configuration of isakmpd looks like (irrespective of whether it was loaded from isakmpd.conf or from ipsec.conf). It appears there is no equivalent of a "C get all" command to the FIFO to get the configuration values of all sections in the running isakmpd configuration.

In spite of having used isakmpd for many years I still don't find troubleshooting VPN issues easy :-(


Daniel
