On 11 aug 2006, at 22.59, Steve Glaus wrote:
...
> I'm mostly asking questions now for my own curiosity so feel free
> everyone to ignore these ramblings.
> - Is PFS something that's negotiated only during phase 2? Could
> this be why it was passing phase one but not passing phase two?
Yup. PFS means a new Diffie-Hellman key generation exchange should
take place in phase 2. Running without PFS means no such exchange
(keying material from the DH exchange in phase 1 is reused instead)
which is slightly faster, but not as strong. If you look closely at
the various suites you can select in phase 2, you'll see that only
the 'PFS' suites have a D-H "group description" attached. (No PFS ->
no group desc required)
> - when I specify a quick mode suite in isakmpd.conf does ipsecctl
> USE that suite?
I think you can override the defaults, i.e override the default
isakmpd configuration for a particular suite to do this. I haven't
looked that closely at how this can be done. You'll probably end up
with modifying all tunnels using this quick mode configuration, so it
may be a bit tricky.
Of course, if you have a particularly weird peer that only accepts
certain options, I'd write all config for this peer in isakmpd.conf
syntax (and use ipsecctl for the well-behaved peers :).
> Can I do something like this in isakmpd.conf and then use ipsecctl
> to add the flows?
Sure, but...
> [General]
> listen on = x.x.x.x
> [Phase 1]
> x.x.x.x = Remote
> [Phase 2]
> Connections = VPN1
you will want to use 'Passive-connections' instead of 'Connections'
here. Otherwise isakmpd itself will enforce the tunnel being
negotiated (and in doing so, isakmpd will setup the flows).
> [Remote]
> Configuration = Default-main-mode
> [VPN1]
> Configuration = Default-quick-mode
> [Default-main-mode]
> Transforms=(whatever)
> [Default-quick-mode]
> Suites=(whatever)
> Does isakmpd -K simply use a default policy of allowing everything?
Well, there are a bunch of sanity checks still in place, but
basically yes.
/H
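The reply's advice pulled together into one complete isakmpd.conf, as an added example that is not part of the thread above. The addresses 192.0.2.1 and 192.0.2.2, the networks 10.0.1.0/24 and 10.0.2.0/24, the section names and the pre-shared key are placeholders chosen for illustration; everything else uses the key names and default suite names from isakmpd.conf(5).

```ini
# Added example, not from the original thread. 192.0.2.x addresses,
# the 10.0.x.0/24 networks and the PSK are placeholders.

[General]
Listen-on=              192.0.2.1
Retransmits=            5
Exchange-max-time=      120

[Phase 1]
192.0.2.2=              Remote

[Phase 2]
# Passive-connections, not Connections: isakmpd answers the peer but
# does not initiate the tunnel or install flows itself; the flows are
# installed separately with ipsecctl.
Passive-connections=    VPN1

[Remote]
Phase=                  1
Transport=              udp
Local-address=          192.0.2.1
Address=                192.0.2.2
Configuration=          Default-main-mode
Authentication=         placeholder-pre-shared-key

[VPN1]
Phase=                  2
ISAKMP-peer=            Remote
Configuration=          Default-quick-mode
Local-ID=               Net-local
Remote-ID=              Net-remote

[Net-local]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.1.0
Netmask=                255.255.255.0

[Net-remote]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.2.0
Netmask=                255.255.255.0

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             AES-SHA

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
# The -PFS- suite carries a D-H group description, i.e. a second
# Diffie-Hellman exchange in phase 2. The non-PFS counterpart,
# QM-ESP-AES-SHA-SUITE, has no group description and reuses the
# phase 1 keying material, which is faster but weaker.
Suites=                 QM-ESP-AES-SHA-PFS-SUITE
```

With this in place the flows come from ipsec.conf, e.g. a line of the form `flow esp from 10.0.1.0/24 to 10.0.2.0/24 peer 192.0.2.2` loaded with `ipsecctl -f /etc/ipsec.conf`. If the peer refuses PFS, change the Suites line to QM-ESP-AES-SHA-SUITE rather than dropping the group from the PFS suite, since the group description is what makes a suite a PFS suite in the first place.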