Re: iked(8) and ikectl(8)
Hi,

On Thu, 03.06.2010 at 23:06:58 +0200, Reyk Floeter r...@openbsd.org wrote:
> IPsec. In difference to isakmpd(8), which supports the ISAKMP/Oakley a.k.a. IKEv1 protocol, iked(8) only supports the IKEv2 protocol at present. The IKEv2 protocol in RFC 4306 has been simplified and provides many benefits over ISAKMP/IKEv1.

this means...

(1) that only either iked OR isakmpd can run on one box?
(2) on one IP, but share the same box?
(3) or that iked has a dispatch mechanism to forward IKEv1 connections to a bystanding isakmpd, and cooperate with it to allow for using both types of connections on one IP?

My guess is that it's (1), but my preference would be (3), of course.

--
Kind regards,
--Toni++
Re: iked(8) and ikectl(8)
On Fri, 4 Jun 2010 12:35:36 +0200 Reyk Floeter r...@openbsd.org wrote:
> but please a little bit before using it in production networks, iked(8) is not fully ready yet ;-).

I'm following your commit flow about it and it is exciting, this is why I'm still with OpenBSD ;)

--
Massimo
Re: iked(8) and ikectl(8)
On Thu, 3 Jun 2010 23:06:58 +0200 Reyk Floeter r...@openbsd.org wrote:
> This is a very brief summary, more information will follow.
>
> reyk

That's great! ... 4.7 is just behind the door and it is already time to move on -current!

I got 48 IPsec gateways which just await to be upgraded!

Pretty nice!

--
Massimo
Re: iked(8) and ikectl(8)
On Fri, Jun 04, 2010 at 12:27:12PM +0200, Massimo Lusetti wrote:
> On Thu, 3 Jun 2010 23:06:58 +0200 Reyk Floeter r...@openbsd.org wrote:
> > This is a very brief summary, more information will follow.
> >
> > reyk
>
> That's great! ... 4.7 is just behind the door and it is already time to move on -current!
>
> I got 48 IPsec gateways which just await to be upgraded!

but please a little bit before using it in production networks, iked(8) is not fully ready yet ;-).

reyk
iked(8) and ikectl(8)
Hi!

Today I imported iked(8) that is another automatic keying daemon for IPsec. In difference to isakmpd(8), which supports the ISAKMP/Oakley a.k.a. IKEv1 protocol, iked(8) only supports the IKEv2 protocol at present. The IKEv2 protocol in RFC 4306 has been simplified and provides many benefits over ISAKMP/IKEv1.

iked(8) itself has been designed to fit the style of all the recent OpenBSD daemons and comes with a tool ikectl(8) for runtime configuration, status, working reloads, and integrated commands to maintain a simple X.509 CA for IKEv2. I also have some important design goals that I will describe later.

The current state is that iked(8) still lacks a few important features but works as a responder against different peer implementations. That means, you can set up a running VPN with Windows 7 or libstrongswan libcharon clients connecting to iked(8) running as the server or security gateway. I will add initiator (client) mode next.

This is a very brief summary, more information will follow.

reyk
Re: iked(8) and ikectl(8)
On 4 June 2010 00:06, Reyk Floeter r...@openbsd.org wrote:
> Hi!
>
> Today I imported iked(8) that is another automatic keying daemon for IPsec. In difference to isakmpd(8), which supports the ISAKMP/Oakley a.k.a. IKEv1 protocol, iked(8) only supports the IKEv2 protocol at present. The IKEv2 protocol in RFC 4306 has been simplified and provides many benefits over ISAKMP/IKEv1.
>
> iked(8) itself has been designed to fit the style of all the recent OpenBSD daemons and comes with a tool ikectl(8) for runtime configuration, status, working reloads, and integrated commands to maintain a simple X.509 CA for IKEv2. I also have some important design goals that I will describe later.
>
> The current state is that iked(8) still lacks a few important features but works as a responder against different peer implementations. That means, you can set up a running VPN with Windows 7 or libstrongswan libcharon clients connecting to iked(8) running as the server or security gateway. I will add initiator (client) mode next.
>
> This is a very brief summary, more information will follow.
>
> reyk

Good stuff Reyk! Will try it shortly. Looking forward to the details as well.

--
The best the little guy can do is what the little guy does right