Hi Stuart,
On Mon, 28 Nov 2016, Stuart Henderson wrote:
ipsec.conf isn't required for this (or anything that you can do with
ipsec.conf; though not all of it is documented in the isakmpd.conf
manual, i.e. NAT-ID).
With the kind help of 'mxb' with a Swedish email address, I learned that.
Mind you, it uses features of 'isakmpd.conf' that are well beyond my level
of knowledge.
I would love to use both concurrently if I can?
Has anybody got any experience with both working well together?
That will be fine.
Yes. I have it working thanks to the list. But not quite as flexibly as I
would like.
If I use a particular PSK across 'isakmpd.policy' and 'isakmpd.conf', and
then try to use a different PSK for all inbound L2TP/IPSec connections, it
fails. If they agree, it works. And I cannot remove the former (.policy)
which I assume enforces an 'isakmpd'-wide PSK and try and use different
ones in the different files, isakmpd.conf and ipsec.conf i.e. what I use
for IPSec over UDP500 and L2TP/IPSec over 1701 respectively.
For completeness of description, for the latter I use
ike passive esp transport \
proto udp from egress to any port 1701 \
main auth "hmac-sha1" enc "3des" group modp1024 \
quick auth "hmac-sha1" enc "3des" group modp1024 \
psk "MY-PRE-SHARED-SECRET"
The above is what I found works for both Windows 10 (which has '3des'
hardcoded) and Apple. Why I need the 'group modp1024' for quick-mode I do
not know. I must figure out how to obtain a more flexible Windows VPN
client. Microsoft says that only the earlier versions of its L2TP client
are so inflexible.
https://support.microsoft.com/en-us/kb/325158
But even my laptop's version for an up-to-date Windows 10 Home does not
give me any choice for encryption from what I can see. Although I am far
from an expert on Windows 10, in anything, and I have used OpenBSD for 20
years.
Though if you have an example ipsec.conf fragment, feed it into
"ipsecctl -nv" and it shows the isakmpd fifo commands that it would send
to add the config sections,
I noticed. I learned more about the complexity of ISAKMPD commands in that
split second of viewing output than I ever really needed to know. Wow. I am
in awe of those that create such networking tools.
which you could clean up and add to isakmpd.conf yourself if you wanted
to keep things in one place.
That sounds fraught with risk. Not a big fan of jumping into the unknown.
And the future is 'ipsec.conf' so I probably need to learn that. Mind you,
one thing I cannot see is how to nominate a list of CRYPTO TRANSFORMS to the
'enc' keyword inside 'ipsec'. For example how does one achieve the
equivalent in 'isakmpd.conf' to the alternatives
Transforms= AES-SHA-GRP2,3DES-SHA
or even
Suites= QM-ESP-AES-SHA-PFS-GRP2-SUITE, QM-ESP-3DES-SHA-PFS-SUITE
While I am here, I still see on the passive IPSec Port 500 traffic
got AES_CBC, expected 3DES_CBC
on the IPSec/port500udp even when the originating side (A Billion Router
running some version of embedded Linux) is configured to talk AES and only
AES. Very weird. But I notice that in the past, even old versions of
ISAKMPD (4.6 and 4.7) with both ends the same produced that message it
seems. I am clueless as to the cause of that.
Regards - Damian
Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
Views & opinions here are mine and not those of any past or present employer