Re: iked + isakmpd on the same machine

2014-04-24 Thread Mike Belopuhov
On 22 April 2014 17:40, Claer cl...@claer.hammock.fr wrote:
 On Tue, Apr 22 2014 at 28:17, Mike Belopuhov wrote:

 On 22 April 2014 17:13, Philipp
 e1c1bac6253dc54a1e89ddc046585...@posteo.net wrote:
  It happened! A remote peer *requires* IKEv2 - and I've to do that on a
  machine running isakmpd with somewhat 25+ IKEv1 peers.
 
  First hurdle: I cannot bind iked to a certain (carp) IP-address. Mad
  workaround: start isakmpd (with Listen-on) first.
  Second hurdle: iked loads its SAs and eventually does this by creating a
  new empty SADB, effectively killing all
  the SAs isakmpd loaded into the kernel before?
 
  Is there a diff sleeping out there for tackling the first hurdle?
 
  For the second one, I've to refrain from testing this in live further more.
  First to reconstruct my Frankenstein-Lab.
 
  Cheers for any thoughts beside mad, bro? :-)
 

 more like it's not supported and is not supposed to work.
 it's like running nginx and apache at the same time but
 worse since there are kernel tentacles involved as well
 (as you might have figured out already) that will likely
 prevent you from doing that on the same box but different
 ip addresses.

 cheers,
 mike

 Hello,

 I had a similar case. We handled it with another firewall for the moment
 but I wish to keep vpns at one place. May it work with rdomains?


i don't know for sure.  perhaps rdomain separation is enough but you have
a chance to try and see if it works.  don't forget to create additional
enc devices though.

 Sorry for not replying to the list because I don't want to disturb tech@.


what kind of a mailing list is that that is afraid of being disturbed?
it's right there for such discussions.  and if someone says it's not,
he's utterly wrong.

 Thanks!

 Claer




Re: iked + isakmpd on the same machine

2014-04-24 Thread Philipp

On 22.04.2014 17:28 Mike Belopuhov wrote:

more like it's not supported and is not supposed to work.

not supposed as in 'not wanted'?


it's like running nginx and apache at the same time but

Quite frankly: I'm doing that in some locations ;-)


worse since there are kernel tentacles involved as well
(as you might have figured out already) that will likely

That's somehow the main problem, the two daemons are not
trying to share the pfkey2 ioctls outcome. So, I can wait til iked 
supports ikev1, too.
Using a different machine will be quite painful at the moment. 
Rock+hard place.



prevent you from doing that on the same box but different
ip addresses.

Nevertheless I'd say that a Listen-on style directive for iked
would be a useful thing[tm], e.g. to default the srcid to that.

Cheers.



Re: iked + isakmpd on the same machine

2014-04-24 Thread Mike Belopuhov
On 24 April 2014 12:12, Philipp
e1c1bac6253dc54a1e89ddc046585...@posteo.net wrote:
 On 22.04.2014 17:28 Mike Belopuhov wrote:

 more like it's not supported and is not supposed to work.

 not supposed as in 'not wanted'?


not supposed.


 it's like running nginx and apache at the same time but

 Quite frankly: I'm doing that in some locations ;-)


not on the same port (80) though.  ikev2 and isakmp both use
same udp ports (500 and 4500).


 worse since there are kernel tentacles involved as well
 (as you might have figured out already) that will likely

 That's somehow the main problem, the two daemons are not
 trying to share the pfkey2 ioctls outcome.

i don't see it like that.

 So, I can wait til iked supports ikev1, too.

there are no current plans to implement ikev1 support that
i'm aware of.

 Using a different machine will be quite painful at the moment.
 Rock+hard place.


 prevent you from doing that on the same box but different
 ip addresses.

 Nevertheless I'd say that a Listen-on style directive for iked
 would be a useful thing[tm], e.g. to default the srcid to that.


perhaps.  currently i believe srcid will default to local if
specified.

 Cheers.




Re: iked + isakmpd on the same machine

2014-04-24 Thread Chris Cappuccio
Mike Belopuhov [m...@belopuhov.com] wrote:
 
 more like it's not supported and is not supposed to work.
 it's like running nginx and apache at the same time

hey, nginx and httpd run concurrently quite fine on
different IP addresses, same box :)



Re: iked + isakmpd on the same machine

2014-04-24 Thread Mike Belopuhov
On 24 April 2014 20:25, Chris Cappuccio ch...@nmedia.net wrote:
 Mike Belopuhov [m...@belopuhov.com] wrote:

 more like it's not supported and is not supposed to work.
 it's like running nginx and apache at the same time

 hey, nginx and httpd run concurrently quite fine on
 different IP addresses, same box :)

i meant using the same port numbers of course.



Re: iked + isakmpd on the same machine

2014-04-24 Thread Stuart Henderson
On 2014/04/24 20:30, Mike Belopuhov wrote:
 On 24 April 2014 20:25, Chris Cappuccio ch...@nmedia.net wrote:
  Mike Belopuhov [m...@belopuhov.com] wrote:
 
  more like it's not supported and is not supposed to work.
  it's like running nginx and apache at the same time
 
  hey, nginx and httpd run concurrently quite fine on
  different IP addresses, same box :)
 
 i meant using the same port numbers of course.
 

they can do that fine too! :) just have one hand off the relevant
requests to the other.



Re: iked + isakmpd on the same machine

2014-04-24 Thread Alexander Hall

On 04/24/14 21:53, Stuart Henderson wrote:

On 2014/04/24 20:30, Mike Belopuhov wrote:

On 24 April 2014 20:25, Chris Cappuccio ch...@nmedia.net wrote:

Mike Belopuhov [m...@belopuhov.com] wrote:


more like it's not supported and is not supposed to work.
it's like running nginx and apache at the same time


hey, nginx and httpd run concurrently quite fine on
different IP addresses, same box :)


i meant using the same port numbers of course.



they can do that fine too! :) just have one hand off the relevant
requests to the other.



If they bind to separate IP addresses that is obviously not a problem, 
even for the same port numbers.




Re: iked + isakmpd on the same machine

2014-04-24 Thread Mike Belopuhov
On 24 April 2014 22:25, Alexander Hall alexan...@beard.se wrote:
 On 04/24/14 21:53, Stuart Henderson wrote:

 On 2014/04/24 20:30, Mike Belopuhov wrote:

 On 24 April 2014 20:25, Chris Cappuccio ch...@nmedia.net wrote:

 Mike Belopuhov [m...@belopuhov.com] wrote:


 more like it's not supported and is not supposed to work.
 it's like running nginx and apache at the same time


 hey, nginx and httpd run concurrently quite fine on
 different IP addresses, same box :)


 i meant using the same port numbers of course.


 they can do that fine too! :) just have one hand off the relevant
 requests to the other.


 If they bind to separate IP addresses that is obviously not a problem, even
 for the same port numbers.

yes. that's precisely what i meant:  you can't bind to the same ipaddr:port
pair twice.   why do i have to chew it and spit it out for you.  it was clear
what i meant from the start.



Re: iked + isakmpd on the same machine

2014-04-24 Thread Stuart Henderson
On 2014/04/24 22:28, Mike Belopuhov wrote:
 On 24 April 2014 22:25, Alexander Hall alexan...@beard.se wrote:
  On 04/24/14 21:53, Stuart Henderson wrote:
 
  On 2014/04/24 20:30, Mike Belopuhov wrote:
 
  On 24 April 2014 20:25, Chris Cappuccio ch...@nmedia.net wrote:
 
  Mike Belopuhov [m...@belopuhov.com] wrote:
 
 
  more like it's not supported and is not supposed to work.
  it's like running nginx and apache at the same time
 
 
  hey, nginx and httpd run concurrently quite fine on
  different IP addresses, same box :)
 
 
  i meant using the same port numbers of course.
 
 
  they can do that fine too! :) just have one hand off the relevant
  requests to the other.
 
 
  If they bind to separate IP addresses that is obviously not a problem, even
  for the same port numbers.
 
 yes. that's precisely what i meant:  you can't bind to the same ipaddr:port
 pair twice.   why do i have to chew it and spit it out for you.  it was clear
 what i meant from the start.

with the httpds there is a good mechanism to listen on a single external
ipaddr:port and look at layer7 information and if a request cannot be
handled by one daemon (e.g. req handled by nginx but it needs mod_perl),
it can be passed across to the other.

if the pfkey issue was solved, it probably wouldn't be *too* messy to
do similar for passing ike to isakmpd and ikev2 to iked (either
internally in iked, or via relayd) if somebody wanted to handle both
protocols on the same external address..
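
The layer-7 decision Stuart describes, and Mike's point that both protocols share UDP 500 and 4500, come down to one field: the version byte in the fixed ISAKMP/IKE header (major version 1 for IKEv1, 2 for IKEv2). Below is an added example, not code from this thread or from iked/isakmpd/relayd, that parses that 28-byte header (RFC 2408 / RFC 7296), handles the RFC 3948 non-ESP marker that distinguishes IKE from UDP-encapsulated ESP on port 4500, and reports which daemon a datagram would belong to. The backend names in `BACKENDS`, the helper `build_ike_message` and all sample datagrams are constructed for the example; nothing here is captured traffic.

```python
"""Classify UDP/500 and UDP/4500 datagrams as IKEv1, IKEv2, ESP-in-UDP or invalid.

Added example (not part of the mailing-list thread): the kind of check a
front-end relay or a passive monitor would apply before handing traffic to
isakmpd or iked.  Header layout follows RFC 2408 / RFC 7296; the NAT-T
marker follows RFC 3948.
"""
import struct

IKE_HDR_LEN = 28                      # fixed ISAKMP/IKE header size in bytes
IKE_HDR_FMT = "!QQBBBBII"             # iSPI, rSPI, next payload, version, exchange, flags, msg id, length
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # precedes IKE on UDP/4500; ESP has a non-zero SPI there

# Exchange-type names from the IANA registry.  The numbering space is shared by
# both versions, so the version nibble, not the exchange type, drives routing.
EXCHANGE_NAMES = {
    1: {2: "identity_protection", 4: "aggressive", 5: "informational", 32: "quick_mode"},
    2: {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"},
}
# Hypothetical routing table for this example: which local daemon services each major version.
BACKENDS = {1: "isakmpd", 2: "iked"}


def parse_ike_header(buf):
    """Unpack the 28-byte fixed header into a dict; raise ValueError if too short."""
    if len(buf) < IKE_HDR_LEN:
        raise ValueError("short IKE header")
    ispi, rspi, nextp, version, exch, flags, msgid, length = struct.unpack(
        IKE_HDR_FMT, buf[:IKE_HDR_LEN])
    return {
        "ispi": ispi, "rspi": rspi, "next_payload": nextp,
        "major": version >> 4, "minor": version & 0x0F,
        "exchange": exch, "flags": flags, "msgid": msgid, "length": length,
    }


def classify(datagram, dst_port):
    """Return (kind, backend, exchange_name) for one UDP datagram seen on dst_port.

    kind is "ikev1", "ikev2", "esp" or "invalid"; backend is the daemon name
    from BACKENDS (None when nothing should receive the datagram).
    """
    body = datagram
    if dst_port == 4500:
        if not datagram.startswith(NON_ESP_MARKER):
            # UDP-encapsulated ESP: first four bytes are the (non-zero) ESP SPI
            return ("esp", None, None)
        body = datagram[len(NON_ESP_MARKER):]
    elif dst_port != 500:
        return ("invalid", None, None)
    try:
        hdr = parse_ike_header(body)
    except ValueError:
        return ("invalid", None, None)
    if hdr["length"] != len(body):
        # the length field covers the whole message; a mismatch means truncation or junk
        return ("invalid", None, None)
    backend = BACKENDS.get(hdr["major"])
    if backend is None:
        return ("invalid", None, None)
    name = EXCHANGE_NAMES[hdr["major"]].get(hdr["exchange"], "unknown")
    return ("ikev%d" % hdr["major"], backend, name)


def build_ike_message(major, exchange, ispi, rspi=0, next_payload=33, payload=b""):
    """Constructed test helper: fixed header followed by an opaque payload blob."""
    flags = 0x08 if major == 2 else 0      # IKEv2 initiator sets the I flag
    length = IKE_HDR_LEN + len(payload)
    hdr = struct.pack(IKE_HDR_FMT, ispi, rspi, next_payload, major << 4,
                      exchange, flags, 0, length)
    return hdr + payload


# Constructed sample datagrams for the example (not captured traffic)
SAMPLE_V1_MAIN_MODE = build_ike_message(1, 2, 0x1122334455667788, next_payload=1, payload=b"\x00" * 40)
SAMPLE_V2_SA_INIT = build_ike_message(2, 34, 0x0102030405060708, payload=b"\x00" * 40)
SAMPLE_NATT_V2 = NON_ESP_MARKER + SAMPLE_V2_SA_INIT
SAMPLE_UDP_ESP = b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + b"\xaa" * 32  # SPI 0x1001, seq 1

if __name__ == "__main__":
    for label, pkt, port in (("v1 main mode on 500", SAMPLE_V1_MAIN_MODE, 500),
                             ("v2 IKE_SA_INIT on 500", SAMPLE_V2_SA_INIT, 500),
                             ("v2 behind NAT-T on 4500", SAMPLE_NATT_V2, 4500),
                             ("ESP-in-UDP on 4500", SAMPLE_UDP_ESP, 4500)):
        print(label, "->", classify(pkt, port))
```

The classifier deliberately inspects only the fixed header and the NAT-T marker; a real hand-off relay would additionally have to keep the shared SADB consistent between the two daemons, which is the pfkey problem the thread leaves unsolved.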



Re: iked + isakmpd on the same machine

2014-04-22 Thread Mike Belopuhov
On 22 April 2014 17:13, Philipp
e1c1bac6253dc54a1e89ddc046585...@posteo.net wrote:
 It happened! A remote peer *requires* IKEv2 - and I've to do that on a
 machine running isakmpd with somewhat 25+ IKEv1 peers.

 First hurdle: I cannot bind iked to a certain (carp) IP-address. Mad
 workaround: start isakmpd (with Listen-on) first.
 Second hurdle: iked loads its SAs and eventually does this by creating a
 new empty SADB, effectively killing all
 the SAs isakmpd loaded into the kernel before?

 Is there a diff sleeping out there for tackling the first hurdle?

 For the second one, I've to refrain from testing this in live further more.
 First to reconstruct my Frankenstein-Lab.

 Cheers for any thoughts beside mad, bro? :-)


more like it's not supported and is not supposed to work.
it's like running nginx and apache at the same time but
worse since there are kernel tentacles involved as well
(as you might have figured out already) that will likely
prevent you from doing that on the same box but different
ip addresses.

cheers,
mike