Re: Hoe to specify multiple transform suites in ipsec.conf(5)
Damon McMahon wrote:
From: Heinrich Rebehn <[EMAIL PROTECTED]>
Date: 29 October 2007 9:14:16 PM
To: OpenBSD
Subject: Hoe to specify multiple transform suites in ipsec.conf(5)
Hello list,
I am trying to move my IPsec configuration from isakmpd.conf to
ipsec.conf.
However i cannot find a syntax to specify multiple transform suites
with ipsec.conf
I tried something like:
ike passive esp from any to any quick enc {aes,3des}
but it is rejected.
I want something like
Suites=QM-ESP-AES-SHA2-256-PFS-SUITE,QM-ESP-3DES-PFS-SUITE
as a result.
As a workaround i can stuff it into the running configuration using
isakmpd's fifo, but that is not a very robust solution.
Specifying
Default-phase-2-suites =
QM-ESP-3DES-MD5-PFS-SUITE,QM-ESP-AES-SHA2-256-PFS-SUITE
in isakmpd.conf
does not help, because ipsecctl overrides it. Is there a way to tell
ipsecctl to not specify a suite at all, so that the default is used?
BTW, is ipsec.conf meant to ever become a full replacement for
isakmpd.conf?
Thanks for any hints.
--
Heinrich,
I've tried to do the same - see
http://readlist.com/lists/openbsd.org/misc/12/62613.html - as of 4.1
this is not supported by ipsec.conf(5).
Best wishes,
Damon
Thanks for your reply, Damon. I missed your post when searching the
archives.
You wrote that isakmpd.conf is "deprecated". Obviously this is not (yet)
quite so.
Kind regards,
Heinrich
Re: Hoe to specify multiple transform suites in ipsec.conf(5)
From: Heinrich Rebehn <[EMAIL PROTECTED]>
Date: 29 October 2007 9:14:16 PM
To: OpenBSD
Subject: Hoe to specify multiple transform suites in ipsec.conf(5)
Hello list,
I am trying to move my IPsec configuration from isakmpd.conf to
ipsec.conf.
However i cannot find a syntax to specify multiple transform suites
with ipsec.conf
I tried something like:
ike passive esp from any to any quick enc {aes,3des}
but it is rejected.
I want something like
Suites=QM-ESP-AES-SHA2-256-PFS-SUITE,QM-ESP-3DES-PFS-SUITE
as a result.
As a workaround i can stuff it into the running configuration using
isakmpd's fifo, but that is not a very robust solution.
Specifying
Default-phase-2-suites = QM-ESP-3DES-MD5-PFS-SUITE,QM-ESP-AES-
SHA2-256-PFS-SUITE
in isakmpd.conf
does not help, because ipsecctl overrides it. Is there a way to
tell ipsecctl to not specify a suite at all, so that the default is
used?
BTW, is ipsec.conf meant to ever become a full replacement for
isakmpd.conf?
Thanks for any hints.
--
Heinrich,
I've tried to do the same - see http://readlist.com/lists/openbsd.org/
misc/12/62613.html - as of 4.1 this is not supported by ipsec.conf(5).
Best wishes,
Damon
Hoe to specify multiple transform suites in ipsec.conf(5)
Hello list,
I am trying to move my IPsec configuration from isakmpd.conf to ipsec.conf.
However i cannot find a syntax to specify multiple transform suites with
ipsec.conf
I tried something like:
ike passive esp from any to any quick enc {aes,3des}
but it is rejected.
I want something like
Suites=QM-ESP-AES-SHA2-256-PFS-SUITE,QM-ESP-3DES-PFS-SUITE
as a result.
As a workaround i can stuff it into the running configuration using
isakmpd's fifo, but that is not a very robust solution.
Specifying
Default-phase-2-suites =
QM-ESP-3DES-MD5-PFS-SUITE,QM-ESP-AES-SHA2-256-PFS-SUITE
in isakmpd.conf
does not help, because ipsecctl overrides it. Is there a way to tell
ipsecctl to not specify a suite at all, so that the default is used?
BTW, is ipsec.conf meant to ever become a full replacement for isakmpd.conf?
Thanks for any hints.
--
Heinrich Rebehn
University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax :-3341
