Re: isakmpd and iked on the same box
Tommy Nevtelen wrote on 31-8-2018 16:12:
> On 2018-08-31 10:44, Daniel Polak wrote:
>> Tommy Nevtelen wrote on 30-8-2018 23:13:
>>> We use isakmpd to interconnect 30ish routers and I would like to switch
>>> to iked, but since there is no support to run both at the same time it
>>> makes it quite hard to migrate slowly. Will basically need to do it all
>>> at the same time and that is not very good for SLAs, which complicates
>>> things. Or am I missing something?
>> Would it work for you to add a separate VPN gateway with iked next to the
>> VPN gateway running isakmpd? If you do that you can then set routes to
>> direct traffic for networks that have migrated to ikev2 to the iked gateway.
> Sure, there are many solutions. But that is kind of a lot of work and
> investment in hardware compared to just running both at the same time, right?

Of course it is, but if the work on and the investment in software has not been done for you by the OpenBSD developers (or sometimes their sponsors), then that's how it is. Needs must.
Re: isakmpd and iked on the same box
Hello Philipp,

I used to (reliably) run from two to four parallel instances of isakmpd on the same boxes (for years), first using different ports, then different IPs. It seems like they've had to (peacefully) share the SADB. Did I just not have enough tunnels to trigger the problem? If this isn't the case, why can't iked be as "nice" as isakmpd? Just wondering.

Thursday, August 30, 2018, 10:39:21 AM, you wrote:

PB> Hi,
PB> On 30.08.2018 10:27 Sebastian Reitenbach wrote:
>> Hi,
>>
>> I'm wondering if it would be possible to add iked to my box already
>> running isakmpd.
>> I found this quite old thread:
>> http://openbsd-archive.7691.n7.nabble.com/iked-isakmpd-on-the-same-machine-td246610.html
PB> Why is it "always" my old threads in this area? :-)
PB> I was not following development too closely, but I think that on the
PB> kernel side things have not changed. Which means iked and isakmpd will
PB> happily "toe tap" on each other's SADB in the kernel (even if there is
PB> *some* PID handling).
PB> Would like to hear if the kernel side has "improved" lately, but the
PB> overall standpoint looks like: IKEv1 is dead (e.g. see the removal of
PB> IKEv1 stubs in iked some "months ago").
PB> [Still stuck with my ikev2 with strongswan on a different box solution]
PB> HTH... wait, no:
PB> ciao

--
Best regards,
Boris
psi...@prodigy.net
Re: isakmpd and iked on the same box
On 2018-08-31 10:44, Daniel Polak wrote:
> Tommy Nevtelen wrote on 30-8-2018 23:13:
>> We use isakmpd to interconnect 30ish routers and I would like to switch
>> to iked, but since there is no support to run both at the same time it
>> makes it quite hard to migrate slowly. Will basically need to do it all
>> at the same time and that is not very good for SLAs, which complicates
>> things. Or am I missing something?
> Would it work for you to add a separate VPN gateway with iked next to the
> VPN gateway running isakmpd? If you do that you can then set routes to
> direct traffic for networks that have migrated to ikev2 to the iked gateway.

Sure, there are many solutions. But that is kind of a lot of work and investment in hardware compared to just running both at the same time, right?

--
Tommy
Re: isakmpd and iked on the same box
On Thursday, August 30, 2018 17:39 CEST, Philipp Buehler wrote:
> Hi,
>
> On 30.08.2018 10:27 Sebastian Reitenbach wrote:
>> Hi,
>>
>> I'm wondering if it would be possible to add iked to my box already
>> running isakmpd.
>> I found this quite old thread:
>> http://openbsd-archive.7691.n7.nabble.com/iked-isakmpd-on-the-same-machine-td246610.html
>
> Why is it "always" my old threads in this area? :-)
>
> I was not following development too closely, but I think that on the
> kernel side things have not changed. Which means iked and isakmpd will
> happily "toe tap" on each other's SADB in the kernel (even if there is
> *some* PID handling).
>
> Would like to hear if the kernel side has "improved" lately, but the
> overall standpoint looks like: IKEv1 is dead (e.g. see the removal of
> IKEv1 stubs in iked some "months ago").
>
> [Still stuck with my ikev2 with strongswan on a different box solution]

isakmpd and iked on separate nodes still seems to be the way to go.

thanks everyone.
Sebastian

> HTH... wait, no:
> ciao
> --
> pb
Re: isakmpd and iked on the same box
Tommy Nevtelen wrote on 30-8-2018 23:13:
> We use isakmpd to interconnect 30ish routers and I would like to switch
> to iked, but since there is no support to run both at the same time it
> makes it quite hard to migrate slowly. Will basically need to do it all
> at the same time and that is not very good for SLAs, which complicates
> things. Or am I missing something?

Would it work for you to add a separate VPN gateway with iked next to the VPN gateway running isakmpd? If you do that you can then set routes to direct traffic for networks that have migrated to ikev2 to the iked gateway.
Re: isakmpd and iked on the same box
On 2018-08-30 22:06, Daniel Polak wrote:
> On 30/08/2018 17:39, Philipp Buehler wrote:
>> I was not following development too closely, but I think that on the
>> kernel side things have not changed. Which means iked and isakmpd will
>> happily "toe tap" on each other's SADB in the kernel (even if there is
>> *some* PID handling).
>>
>> Would like to hear if the kernel side has "improved" lately, but the
>> overall standpoint looks like: IKEv1 is dead (e.g. see the removal of
>> IKEv1 stubs in iked some "months ago").
> Why would IKEv1 be dead if the stubs were removed from iked? There is
> still isakmpd and that works pretty well.
>
> Also I see many companies that still use IKEv1 and it would be
> unpleasant if there was no way to connect to them with OpenBSD.

We use isakmpd to interconnect 30ish routers and I would like to switch to iked, but since there is no support to run both at the same time it makes it quite hard to migrate slowly. Will basically need to do it all at the same time and that is not very good for SLAs, which complicates things. Or am I missing something?

--
Tommy
Re: isakmpd and iked on the same box
On 30/08/2018 17:39, Philipp Buehler wrote:
> I was not following development too closely, but I think that on the
> kernel side things have not changed. Which means iked and isakmpd will
> happily "toe tap" on each other's SADB in the kernel (even if there is
> *some* PID handling).
>
> Would like to hear if the kernel side has "improved" lately, but the
> overall standpoint looks like: IKEv1 is dead (e.g. see the removal of
> IKEv1 stubs in iked some "months ago").

Why would IKEv1 be dead if the stubs were removed from iked? There is still isakmpd and that works pretty well.

Also I see many companies that still use IKEv1 and it would be unpleasant if there was no way to connect to them with OpenBSD.

Daniel
Re: isakmpd and iked on the same box
Hi,

On 30.08.2018 10:27 Sebastian Reitenbach wrote:
> Hi,
>
> I'm wondering if it would be possible to add iked to my box already
> running isakmpd.
> I found this quite old thread:
> http://openbsd-archive.7691.n7.nabble.com/iked-isakmpd-on-the-same-machine-td246610.html

Why is it "always" my old threads in this area? :-)

I was not following development too closely, but I think that on the kernel side things have not changed. Which means iked and isakmpd will happily "toe tap" on each other's SADB in the kernel (even if there is *some* PID handling).

Would like to hear if the kernel side has "improved" lately, but the overall standpoint looks like: IKEv1 is dead (e.g. see the removal of IKEv1 stubs in iked some "months ago").

[Still stuck with my ikev2 with strongswan on a different box solution]

HTH... wait, no:
ciao
--
pb
isakmpd and iked on the same box
Hi,

I'm wondering if it would be possible to add iked to my box already running isakmpd. I found this quite old thread:
http://openbsd-archive.7691.n7.nabble.com/iked-isakmpd-on-the-same-machine-td246610.html
just checking to see if things might have changed since then.

I've a vio0 interface with two IPs, 10.0.0.52 and 192.168.0.4, so I've isakmpd running, binding it to a specific IP like this:

    [General]
    Listen-on=                10.0.0.52
    Default-phase-1-lifetime= 28800,60:86400
    Default-phase-2-lifetime= 1200,60:86400
    DPD-check-interval=       10
    Policy-File=              /etc/isakmpd/isakmpd.policy

So with isakmpd, I'm used to using ipsecctl and have multiple /etc/ipsec.conf.tunnelXYZ files around, so that I can up/down etc. single tunnels without affecting the others.

Now adding iked with the following config:

    ikev2 "just a test" \
        esp proto tcp \
        from 192.168.66.0/24 to 192.168.77.0/24 \
        peer 172.16.0.3 local 192.166.0.4

starting up iked works. However, it binds to *:500 and *:4500, so care has to be taken to start it after isakmpd, otherwise isakmpd would refuse to start. I used the "local" keyword to see if iked would only bind to that specific address, but it doesn't.

Looking at the ikectl manpage, I only see the "load ". So I could specify alternate configuration files, but that would affect the overall iked configuration; I cannot add/remove single tunnel instances to iked? I've seen that in iked.conf I can specify names for the flows, but I guess that's only for easier identification; I cannot use these names to trigger a start/stop/restart of a given flow?

I haven't used iked before; so far isakmpd was sufficient, so I'm a bit curious, and might miss something about iked in general. Also isakmpd/iked and ipsecctl/ikectl work on the same kernel resources, do they step onto each other's toes?

Also, if it's not possible to run iked and isakmpd together on the same node, no big deal, I can easily run on separate nodes, just wanted to ensure I don't miss anything.

thanks,
Sebastian
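The start-order problem in the original post (iked binds *:500 and *:4500 and still starts after isakmpd has bound 10.0.0.52, while isakmpd refuses to start once iked holds the wildcard) can be checked before touching either daemon. The script below is an added example and is not from the thread, from OpenBSD or from either daemon: it reads `netstat -an -f inet` style UDP listener lines and reports whether a daemon asking for a given local address on UDP 500/4500 would get the socket, using only the binding behaviour the post reports. The two netstat samples are constructed to look like the two states the post describes; the function names `can_bind` and `check_daemon` and the column layout assumed for netstat are my own choices, IPv4 (`udp`) lines only. It says nothing about the shared kernel SADB that Philipp's reply is about; the sockets are the easy half of the problem.

```shell
#!/bin/sh
# Added example, not from the thread: given the UDP listener lines of an
# OpenBSD `netstat -an -f inet` run, decide whether a daemon asking for a
# given local address on UDP 500/4500 would get the socket. It encodes only
# what the original post reports about socket binding (iked on *:500/*:4500
# still starts after isakmpd bound 10.0.0.52; isakmpd refuses to start once
# iked holds the wildcard) and says nothing about the shared kernel SADB.
# All samples below are CONSTRUCTED, not captured output; IPv4 ("udp") only.

# State after isakmpd started with "Listen-on= 10.0.0.52" (constructed).
SAMPLE_ISAKMPD_FIRST='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp          0      0  10.0.0.52.500          *.*
udp          0      0  10.0.0.52.4500         *.*
udp          0      0  *.514                  *.*'

# State after iked started first and took the wildcard (constructed).
SAMPLE_IKED_FIRST='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp          0      0  *.500                  *.*
udp          0      0  *.4500                 *.*
udp          0      0  *.514                  *.*'

# can_bind ADDR PORT NETSTAT_OUTPUT
# Prints one line with the verdict; exits 0 if ADDR:PORT can still be bound,
# 1 otherwise. ADDR is a dotted quad or '*' for the wildcard.
# Rule (as reported in the post): a wildcard bind may coexist with a bind to
# a specific address, but a specific bind fails when that address or the
# wildcard is already taken, and a second wildcard bind fails as well.
can_bind() {
    printf '%s\n' "$3" | awk -v want="$1" -v port="$2" '
        BEGIN { conflict = 0 }
        $1 == "udp" && !conflict {
            n = split($4, f, ".")                          # "a.b.c.d.port" or "*.port"
            p = f[n]
            a = substr($4, 1, length($4) - length(p) - 1)  # local address without ".port"
            if (p != port) next
            if (a == want) {
                msg = "udp/" port ": " a " already bound"; conflict = 1
            } else if (a == "*") {
                msg = "udp/" port ": wildcard already bound, " want " cannot bind"; conflict = 1
            }
        }
        END {
            if (conflict) print msg; else print "udp/" port ": " want " can bind"
            exit conflict
        }'
}

# check_daemon NAME ADDR NETSTAT_OUTPUT
# Applies can_bind to both IKE ports; exits 0 only if both are available.
check_daemon() {
    rc=0
    for port in 500 4500; do
        can_bind "$2" "$port" "$3" || rc=1
    done
    if [ "$rc" -eq 0 ]; then echo "$1: ok to start"; else echo "$1: would refuse to start"; fi
    return "$rc"
}

demo() {
    echo "== isakmpd already up on 10.0.0.52, iked about to bind *"
    check_daemon iked '*' "$SAMPLE_ISAKMPD_FIRST" || :
    echo "== iked already up on *, isakmpd about to bind 10.0.0.52"
    check_daemon isakmpd 10.0.0.52 "$SAMPLE_IKED_FIRST" || :
}
demo
```

On a real box, feed it the live table instead of the constructed samples, e.g. `check_daemon iked '*' "$(netstat -an -f inet)"` before starting iked from rc.local or a tunnel script; a non-zero exit means the daemon you are about to start will fail the bind, which is exactly the isakmpd-after-iked case in the post. It does not tell you whether the two daemons will interfere in the SADB once both are up.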