Disclaimer: I don't want to sound too negative, I really appreciate all the hard work that went into OpenIKED... but I've just made the reverse trip: OpenIKED (IKEv2) to isakmpd (IKEv1). We just couldn't get our connections stable with OpenIKED. We backported multiple patches from master into our 6.0 source tree, which improved things, but in the end, after what seemed like about a month without trouble, OpenIKED suddenly started to run into trouble with rekeying, so I finally called it quits and deployed isakmpd.

For example, we bumped into an issue described on the mailing list [1] with rekeying. This is one of the patches we applied which improved things for us, but as far as I can tell this hasn't ended up in the main source tree.

Also, there are some pitfalls: things that work with isakmpd but not with iked. For example, sasyncd has some shortcomings with iked [2]. We bumped into like 5 other things like this before throwing in the towel.

So my advice is: ask yourself if you really need IKEv2 with iked, because it won't be as smooth sailing as with isakmpd.

[1] https://marc.info/?l=openbsd-tech&m=147869752432059&w=2
[2] https://marc.info/?l=openbsd-misc&m=147574084806723&w=2

Kind regards,

Jasper

> On 7 February 2017 at 18:43, Christopher Sean Hilton
> <[email protected]> wrote:
>
> How hard is it to transition from an isakmpd managed IPsec VPN to iked
> management? I have a certificate based isakmpd solution that works. It
> is mainly just a matter of rsyncing the directories and using a little
> editor magic on the ipsec.conf file to create iked.conf?
>
> Thanks in advance,
>
> -- Chris

