Re: IPsec peers allowed to inject any network to existing tunnels

2019-03-13 Thread Stuart Henderson
On 2019-03-13, Fedor Piecka wrote:
> I understood that ipsecctl and ipsec.conf are supposed to free the user
> from configuring keynotes manually.

That's not correct. ipsec.conf can take the place of isakmpd.conf in some limited cases. It doesn't replace keynote in any way.

> Doesn't the

Re: IPsec peers allowed to inject any network to existing tunnels

2019-03-13 Thread Fedor Piecka
I understood that ipsecctl and ipsec.conf are supposed to free the user from configuring keynotes manually. Doesn't the parameter "-K" of isakmpd mean it won't read keynote policy at all?

man ipsec.conf:
The keying daemon, isakmpd(8), can be enabled to run at boot time via the

Re: IPsec peers allowed to inject any network to existing tunnels

2019-03-13 Thread Stuart Henderson
On 2019-03-13, Fedor Piecka wrote:
> Does anybody see any misconfiguration or misunderstanding on our side? Or
> is this a bug (IMHO a security bug) in OpenBSD IPsec implementation?

isakmpd: it is a misconfiguration (but an incredibly common one), you should use a keynote policy to prevent this.

IPsec peers allowed to inject any network to existing tunnels

2019-03-13 Thread Fedor Piecka
Hello

We've discovered a very weird behavior in OpenBSD IPsec. We run isakmpd -K and use ipsecctl with ipsec.conf to set up our IPsec tunnels. When our peer adds a new network to an existing configuration on his router, our OpenBSD box accepts the network without our intervention, SAs and flows