Re: iked and isakmpd in parallel

2015-01-23 Thread Stuart Henderson
On 2015-01-20, Fedor Piecka teplav...@gmail.com wrote:
> We need to support both IKEv1 and IKEv2 peers in our environment.

At this point, you need VMs or separate hardware to do this with OpenBSD.

> My first question now is how to instruct iked to listen only on a selected
> interface.
>
> The second question is whether the 2 of them wouldn't interfere with each
> other.

There are ways around address binding, but they would still interfere.



Re: iked and isakmpd in parallel

2015-01-20 Thread Joe Crivello
We also have a need for this in our environment.

We use transport mode IPSEC to protect gif(4) tunnels between our OpenBSD
routers at our remote sites, and we would also ideally like one of these
routers to act as a Win 7 road warrior IKEv2 gateway. We would just use
iked for both scenarios, but as of 5.6, iked doesn't appear to support
transport mode yet. We have also tried running isakmpd and iked
side-by-side, but we have been unsuccessful in doing so. IIRC, when one
daemon starts after the other it wipes out the other's SAs and encap routes.

-Joe

On Tue, Jan 20, 2015 at 9:17 AM, Fedor Piecka teplav...@gmail.com wrote:

> Hello
>
> We need to support both IKEv1 and IKEv2 peers in our environment.
>
> Isakmpd.conf supports Listen-on directive.
>
> However I haven't found such a thing in iked.conf and iked manual pages.
>
> My first question now is how to instruct iked to listen only on a selected
> interface.
>
> The second question is whether the 2 of them wouldn't interfere with each
> other.
>
> Regards
> Fedor



iked and isakmpd in parallel

2015-01-20 Thread Fedor Piecka
Hello

We need to support both IKEv1 and IKEv2 peers in our environment.

Isakmpd.conf supports Listen-on directive.

However I haven't found such a thing in iked.conf and iked manual pages.


My first question now is how to instruct iked to listen only on a selected
interface.

The second question is whether the 2 of them wouldn't interfere with each
other.

Regards
Fedor