On Tue, 1 Dec 2015 23:49:37 +0000 (UTC) Stuart Henderson <[email protected]> wrote:
> Neither isakmpd nor iked tracks DNS changes.

This is good to know, thank you for the information.

> On the central side use "passive" not "dynamic". Remove the "peer
> $gw_branche" to set this for the 'default peer' (i.e. to avoid
> matching on IP address).
>
> Do you really need the first flow? It will simplify things if you can
> restrict yourself to $lan_branche addresses and just have the second
> flow. (Otherwise, because you want to use the 'default peer', you'll
> need to collapse these into a single rule with "to any".)

Also very helpful. All the examples I found, including the "AUTOMATIC KEYING" section of ipsec.conf, have a flow between gateways configured. I tried without them first, but I couldn't make it work. Only later I discovered it was related to the firewall rule, but I forgot to retry without the gateway-to-gateway flow once I fixed it.

> It might be easier to get the basic setup working with psk first, but
> when you have that up and running, see the PUBLIC KEY AUTHENTICATION
> section in isakmpd(8) and get that setup, it is pretty simple to use
> and much safer than psk.

That was the idea from the beginning; I didn't want to complicate things further before having the basic setup working.

Regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
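The central/branch layout the quoted advice describes ("passive" with no "peer" on the central side, a single flow restricted to $lan_branche), written out as an added ipsec.conf sketch that is not from the thread or either poster. The macro values, the FQDNs used as srcid/dstid and the PSK string are placeholders, and keeping "dynamic" on the branch side is an assumption drawn from the advice to change only the central side.

```conf
# Added example, not from the thread. Addresses, macro names, FQDNs
# and the PSK value are placeholders; replace them for a real setup.
gw_central  = "203.0.113.1"      # central gateway, static address
lan_central = "10.0.0.0/24"
lan_branche = "10.1.0.0/24"
# No $gw_branche macro: the branch address changes, so nothing
# should match on it.

### Central gateway
# "passive": only respond to the branch, never initiate.
# No "peer" keyword: this entry applies to the 'default peer', so no
# IP address match is required; the branch is identified by
# srcid/dstid and its credential (psk here, public keys later).
# One flow only, restricted to $lan_branche; no gateway-to-gateway flow.
ike passive esp from $lan_central to $lan_branche \
        local $gw_central \
        srcid central.example.org dstid branch.example.org \
        psk "replace-with-a-long-random-secret"

### Branch gateway (dynamic address; assumed to keep "dynamic")
# The branch initiates towards the static central address.
ike dynamic esp from $lan_branche to $lan_central \
        peer $gw_central \
        srcid branch.example.org dstid central.example.org \
        psk "replace-with-a-long-random-secret"
```

Each side loads its file with `ipsecctl -f /etc/ipsec.conf`; as the reply's firewall remark implies, pf must still pass IKE (UDP 500, and UDP 4500 when NAT-T is in play) and ESP between the gateways or the flows never come up.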

