Re: iked + isakmpd on the same machine
On 04/24/14 22:28, Mike Belopuhov wrote:
> On 24 April 2014 22:25, Alexander Hall wrote:
>> On 04/24/14 21:53, Stuart Henderson wrote:
>>> On 2014/04/24 20:30, Mike Belopuhov wrote:
>>>> On 24 April 2014 20:25, Chris Cappuccio wrote:
>>>>> Mike Belopuhov [m...@belopuhov.com] wrote:
>>>>>> more like it's not supported and is not supposed to work.
>>>>>> it's like running nginx and apache at the same time
>>>>>
>>>>> hey, nginx and httpd run concurrently quite fine on
>>>>> different IP addresses, same box :)
>>>>
>>>> i meant using the same port numbers of course.
>>>
>>> they can do that fine too! :) just have one hand-off the relevant
>>> requests to the other.
>>
>> If they bind to separate IP addresses that is obviously not a problem, even
>> for the same port numbers.
>
> yes. that's precisely what i meant: you can't bind to the same ipaddr:port
> pair twice. why do i have to chew it and spit it out for you. it was clear
> what i meant from the start.

You didn't have to. I know you obviously know this. My comment was more
directed to Stuart, since multiple IP addresses were mentioned. And, fwiw, given

>> hey, nginx and httpd run concurrently quite fine on
>> different IP addresses, same box :)
>
> i meant using the same port numbers of course.

, it was far from clear that you were talking about a single ip address.

/Alexander
Re: iked + isakmpd on the same machine
On 2014/04/24 22:28, Mike Belopuhov wrote:
> On 24 April 2014 22:25, Alexander Hall wrote:
>> On 04/24/14 21:53, Stuart Henderson wrote:
>>> On 2014/04/24 20:30, Mike Belopuhov wrote:
>>>> On 24 April 2014 20:25, Chris Cappuccio wrote:
>>>>> Mike Belopuhov [m...@belopuhov.com] wrote:
>>>>>> more like it's not supported and is not supposed to work.
>>>>>> it's like running nginx and apache at the same time
>>>>>
>>>>> hey, nginx and httpd run concurrently quite fine on
>>>>> different IP addresses, same box :)
>>>>
>>>> i meant using the same port numbers of course.
>>>
>>> they can do that fine too! :) just have one hand-off the relevant
>>> requests to the other.
>>
>> If they bind to separate IP addresses that is obviously not a problem, even
>> for the same port numbers.
>
> yes. that's precisely what i meant: you can't bind to the same ipaddr:port
> pair twice. why do i have to chew it and spit it out for you. it was clear
> what i meant from the start.

with the httpds there is a good mechanism to listen on a single external
ipaddr:port and look at layer7 information and if a request cannot be
handled by one daemon (e.g. req handled by nginx but it needs mod_perl),
it can be passed across to the other.

if the pfkey issue was solved, it probably wouldn't be *too* messy to do
similar for passing ike to isakmpd and ikev2 to iked (either internally
in iked, or via relayd) if somebody wanted to handle both protocols on
the same external address..
Re: iked + isakmpd on the same machine
On 24 April 2014 22:25, Alexander Hall wrote:
> On 04/24/14 21:53, Stuart Henderson wrote:
>> On 2014/04/24 20:30, Mike Belopuhov wrote:
>>> On 24 April 2014 20:25, Chris Cappuccio wrote:
>>>> Mike Belopuhov [m...@belopuhov.com] wrote:
>>>>> more like it's not supported and is not supposed to work.
>>>>> it's like running nginx and apache at the same time
>>>>
>>>> hey, nginx and httpd run concurrently quite fine on
>>>> different IP addresses, same box :)
>>>
>>> i meant using the same port numbers of course.
>>
>> they can do that fine too! :) just have one hand-off the relevant
>> requests to the other.
>
> If they bind to separate IP addresses that is obviously not a problem, even
> for the same port numbers.

yes. that's precisely what i meant: you can't bind to the same ipaddr:port
pair twice. why do i have to chew it and spit it out for you. it was clear
what i meant from the start.
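As an added illustration of the ipaddr:port point above (this is not code from the thread or from iked/isakmpd), a small sh check an admin could run before starting a second IKE daemon: it scans `netstat -an -f inet -p udp` style output for UDP 500 and 4500 and reports a collision when the port is already bound on the same address or on the wildcard. It assumes the BSD `address.port` listing format with `*` for wildcard, uses constructed sample lines rather than a real host, and only covers the first hurdle (the socket bind), not the SADB/pfkey one.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether ADDR can still take
# the IKE UDP ports before a second daemon is started on it.
# Input is OpenBSD-style `netstat -an -f inet -p udp` output, where the
# local socket is printed as address.port and "*" means wildcard.
# The listing below is constructed sample output, not from a real host.

SAMPLE_NETSTAT='Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp          0      0  192.0.2.1.500          *.*
udp          0      0  192.0.2.1.4500         *.*
udp          0      0  *.514                  *.*'

# ike_bind_conflict ADDR PORT [LISTING]
# Prints the occupying local socket and returns 1 if ADDR.PORT is taken,
# either directly or via a wildcard (*) bind on the same port (a wildcard
# bind is treated as a conflict for any address, which is the conservative
# reading). Returns 0 if the pair is free.
ike_bind_conflict() {
    addr=$1; port=$2; listing=${3:-$SAMPLE_NETSTAT}
    printf '%s\n' "$listing" | awk -v addr="$addr" -v port="$port" '
        $1 !~ /^udp/ { next }            # skip header and non-UDP lines
        {
            n = split($4, f, ".")        # port is the last dot-separated field
            p = f[n]
            a = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && (a == "*" || a == addr)) { print $4; found = 1 }
        }
        END { exit (found ? 1 : 0) }'
}

# ike_ports_free ADDR [LISTING]
# Returns 0 only when both UDP 500 and 4500 are free on ADDR.
ike_ports_free() {
    for p in 500 4500; do
        ike_bind_conflict "$1" "$p" "${2:-$SAMPLE_NETSTAT}" >/dev/null || return 1
    done
    return 0
}

# Usage against the constructed listing: 192.0.2.1 is already taken by the
# first daemon, 192.0.2.2 is still free for a second one.
if ike_ports_free "${1:-192.0.2.2}"; then
    echo "${1:-192.0.2.2}: UDP 500 and 4500 are free"
else
    echo "${1:-192.0.2.2}: IKE port already bound, do not start a second daemon here"
fi
```

On a live host replace the sample with `netstat -an -f inet -p udp` output passed as the third argument.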
Re: iked + isakmpd on the same machine
On 04/24/14 21:53, Stuart Henderson wrote:
> On 2014/04/24 20:30, Mike Belopuhov wrote:
>> On 24 April 2014 20:25, Chris Cappuccio wrote:
>>> Mike Belopuhov [m...@belopuhov.com] wrote:
>>>> more like it's not supported and is not supposed to work.
>>>> it's like running nginx and apache at the same time
>>>
>>> hey, nginx and httpd run concurrently quite fine on
>>> different IP addresses, same box :)
>>
>> i meant using the same port numbers of course.
>
> they can do that fine too! :) just have one hand-off the relevant
> requests to the other.

If they bind to separate IP addresses that is obviously not a problem, even
for the same port numbers.
Re: iked + isakmpd on the same machine
On 2014/04/24 20:30, Mike Belopuhov wrote:
> On 24 April 2014 20:25, Chris Cappuccio wrote:
>> Mike Belopuhov [m...@belopuhov.com] wrote:
>>> more like it's not supported and is not supposed to work.
>>> it's like running nginx and apache at the same time
>>
>> hey, nginx and httpd run concurrently quite fine on
>> different IP addresses, same box :)
>
> i meant using the same port numbers of course.

they can do that fine too! :) just have one hand-off the relevant
requests to the other.
Re: iked + isakmpd on the same machine
On 24 April 2014 20:25, Chris Cappuccio wrote:
> Mike Belopuhov [m...@belopuhov.com] wrote:
>> more like it's not supported and is not supposed to work.
>> it's like running nginx and apache at the same time
>
> hey, nginx and httpd run concurrently quite fine on
> different IP addresses, same box :)

i meant using the same port numbers of course.
Re: iked + isakmpd on the same machine
Mike Belopuhov [m...@belopuhov.com] wrote:
>
> more like it's not supported and is not supposed to work.
> it's like running nginx and apache at the same time

hey, nginx and httpd run concurrently quite fine on
different IP addresses, same box :)
Re: iked + isakmpd on the same machine
On 24 April 2014 12:12, Philipp wrote:
> On 22.04.2014 17:28, Mike Belopuhov wrote:
>> more like it's not supported and is not supposed to work.
>
> not supposed as in 'not wanted'?

not supposed.

>> it's like running nginx and apache at the same time but
>
> Quite frankly: I'm doing that in some locations ;-)

not on the same port (80) though. ikev2 and isakmp both use the same
udp ports (500 and 4500).

>> worse since there are kernel tentacles involved as well
>> (as you might have figured out already) that will likely
>
> That's somehow the main problem, the two daemons are not
> trying to "share" the pfkey2 ioctls outcome.

i don't see it like that.

> So, I can wait til iked supports ikev1, too.

there are no current plans to implement ikev1 support that i'm aware of.

> Using a different machine will be quite painful at the moment.
> Rock+hard place.
>
>> prevent you from doing that on the same box but different
>> ip addresses.
>
> Nevertheless I'd say that a Listen-on style directive for iked
> would be a useful thing[tm], e.g. to default the srcid to that.

perhaps. currently i believe srcid will default to "local" if specified.

> Cheers.
Re: iked + isakmpd on the same machine
On 22.04.2014 17:28, Mike Belopuhov wrote:
> more like it's not supported and is not supposed to work.

not supposed as in 'not wanted'?

> it's like running nginx and apache at the same time but

Quite frankly: I'm doing that in some locations ;-)

> worse since there are kernel tentacles involved as well
> (as you might have figured out already) that will likely

That's somehow the main problem, the two daemons are not
trying to "share" the pfkey2 ioctls outcome.

So, I can wait til iked supports ikev1, too.
Using a different machine will be quite painful at the moment.
Rock+hard place.

> prevent you from doing that on the same box but different
> ip addresses.

Nevertheless I'd say that a Listen-on style directive for iked
would be a useful thing[tm], e.g. to default the srcid to that.

Cheers.
Re: iked + isakmpd on the same machine
On 22 April 2014 17:40, Claer wrote:
> On Tue, Apr 22 2014 at 28:17, Mike Belopuhov wrote:
>> On 22 April 2014 17:13, Philipp wrote:
>>> It happened! A remote peer *requires* IKEv2 - and I've to do that on a
>>> machine running isakmpd with somewhat 25+ IKEv1 peers.
>>>
>>> First hurdle: I cannot bind iked to a certain (carp) IP-address. Mad
>>> workaround: start isakmpd (with Listen-on) first.
>>> Second hurdle: iked loads "its" SAs and eventually does this by creating a
>>> new empty SADB, effectively killing all
>>> the SAs isakmpd loaded into the kernel before?
>>>
>>> Is there a diff sleeping out there for tackling the first hurdle?
>>>
>>> For the second one, I've to refrain from testing this in live further more.
>>> First to reconstruct my Frankenstein-Lab.
>>>
>>> Cheers for any thoughts beside "mad, bro?" :-)
>>>
>> more like it's not supported and is not supposed to work.
>> it's like running nginx and apache at the same time but
>> worse since there are kernel tentacles involved as well
>> (as you might have figured out already) that will likely
>> prevent you from doing that on the same box but different
>> ip addresses.
>>
>> cheers,
>> mike
>>
> Hello,
>
> I had a similar case. We handled it with another firewall for the moment
> but I wish to keep vpns at one place. May it work with rdomains?

i don't know for sure. perhaps rdomain separation is enough but you have
a chance to try and see if it works. don't forget to create additional
enc devices though.

> Sorry for not replying to the list because I don't want to disturb tech@.

what kind of a mailing list is that that is afraid of being disturbed?
it's right there for such discussions. and if someone says it's not, he's
utterly wrong.

> Thanks!
>
> Claer
Re: iked + isakmpd on the same machine
On 22 April 2014 17:13, Philipp wrote:
> It happened! A remote peer *requires* IKEv2 - and I've to do that on a
> machine running isakmpd with somewhat 25+ IKEv1 peers.
>
> First hurdle: I cannot bind iked to a certain (carp) IP-address. Mad
> workaround: start isakmpd (with Listen-on) first.
> Second hurdle: iked loads "its" SAs and eventually does this by creating a
> new empty SADB, effectively killing all
> the SAs isakmpd loaded into the kernel before?
>
> Is there a diff sleeping out there for tackling the first hurdle?
>
> For the second one, I've to refrain from testing this in live further more.
> First to reconstruct my Frankenstein-Lab.
>
> Cheers for any thoughts beside "mad, bro?" :-)
>

more like it's not supported and is not supposed to work.
it's like running nginx and apache at the same time but
worse since there are kernel tentacles involved as well
(as you might have figured out already) that will likely
prevent you from doing that on the same box but different
ip addresses.

cheers,
mike
iked + isakmpd on the same machine
It happened! A remote peer *requires* IKEv2 - and I've to do that on a
machine running isakmpd with somewhat 25+ IKEv1 peers.

First hurdle: I cannot bind iked to a certain (carp) IP-address. Mad
workaround: start isakmpd (with Listen-on) first.
Second hurdle: iked loads "its" SAs and eventually does this by creating a
new empty SADB, effectively killing all the SAs isakmpd loaded into the
kernel before?

Is there a diff sleeping out there for tackling the first hurdle?

For the second one, I've to refrain from testing this in live further more.
First to reconstruct my Frankenstein-Lab.

Cheers for any thoughts beside "mad, bro?" :-)