Re: How to specify multiple transform suites in ipsec.conf(5)
Damon McMahon wrote:

> From: Heinrich Rebehn <[EMAIL PROTECTED]>
> Date: 29 October 2007 9:14:16 PM
> To: OpenBSD
> Subject: How to specify multiple transform suites in ipsec.conf(5)
>
> Hello list,
>
> I am trying to move my IPsec configuration from isakmpd.conf to ipsec.conf. However, I cannot find a syntax to specify multiple transform suites with ipsec.conf.
>
> I tried something like:
>
>     ike passive esp from any to any quick enc {aes,3des}
>
> but it is rejected. I want something like
>
>     Suites=QM-ESP-AES-SHA2-256-PFS-SUITE,QM-ESP-3DES-PFS-SUITE
>
> as a result.
>
> As a workaround I can stuff it into the running configuration using isakmpd's fifo, but that is not a very robust solution.
>
> Specifying
>
>     Default-phase-2-suites = QM-ESP-3DES-MD5-PFS-SUITE,QM-ESP-AES-SHA2-256-PFS-SUITE
>
> in isakmpd.conf does not help, because ipsecctl overrides it. Is there a way to tell ipsecctl to not specify a suite at all, so that the default is used?
>
> BTW, is ipsec.conf meant to ever become a full replacement for isakmpd.conf?
>
> Thanks for any hints.
>
> --
>
> Heinrich,
>
> I've tried to do the same - see http://readlist.com/lists/openbsd.org/misc/12/62613.html - as of 4.1 this is not supported by ipsec.conf(5).
>
> Best wishes,
> Damon

Thanks for your reply, Damon. I missed your post when searching the archives. You wrote that isakmpd.conf is "deprecated". Obviously this is not (yet) quite so.

Kind regards,
Heinrich
Re: How to specify multiple transform suites in ipsec.conf(5)
From: Heinrich Rebehn <[EMAIL PROTECTED]>
Date: 29 October 2007 9:14:16 PM
To: OpenBSD
Subject: How to specify multiple transform suites in ipsec.conf(5)

Hello list,

I am trying to move my IPsec configuration from isakmpd.conf to ipsec.conf. However, I cannot find a syntax to specify multiple transform suites with ipsec.conf.

I tried something like:

    ike passive esp from any to any quick enc {aes,3des}

but it is rejected. I want something like

    Suites=QM-ESP-AES-SHA2-256-PFS-SUITE,QM-ESP-3DES-PFS-SUITE

as a result.

As a workaround I can stuff it into the running configuration using isakmpd's fifo, but that is not a very robust solution.

Specifying

    Default-phase-2-suites = QM-ESP-3DES-MD5-PFS-SUITE,QM-ESP-AES-SHA2-256-PFS-SUITE

in isakmpd.conf does not help, because ipsecctl overrides it. Is there a way to tell ipsecctl to not specify a suite at all, so that the default is used?

BTW, is ipsec.conf meant to ever become a full replacement for isakmpd.conf?

Thanks for any hints.

--

Heinrich,

I've tried to do the same - see http://readlist.com/lists/openbsd.org/misc/12/62613.html - as of 4.1 this is not supported by ipsec.conf(5).

Best wishes,
Damon
How to specify multiple transform suites in ipsec.conf(5)
Hello list,

I am trying to move my IPsec configuration from isakmpd.conf to ipsec.conf. However, I cannot find a syntax to specify multiple transform suites with ipsec.conf.

I tried something like:

    ike passive esp from any to any quick enc {aes,3des}

but it is rejected. I want something like

    Suites=QM-ESP-AES-SHA2-256-PFS-SUITE,QM-ESP-3DES-PFS-SUITE

as a result.

As a workaround I can stuff it into the running configuration using isakmpd's fifo, but that is not a very robust solution.

Specifying

    Default-phase-2-suites = QM-ESP-3DES-MD5-PFS-SUITE,QM-ESP-AES-SHA2-256-PFS-SUITE

in isakmpd.conf does not help, because ipsecctl overrides it. Is there a way to tell ipsecctl to not specify a suite at all, so that the default is used?

BTW, is ipsec.conf meant to ever become a full replacement for isakmpd.conf?

Thanks for any hints.

--
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax :-3341