Pardon the shortness here.

One warning up front is that in.iked is closed-source, so IF there are any 
issues with IKE per se, we are not able to fix them.

> On Feb 8, 2018, at 6:08 AM, Ján Poctavek <[email protected]> wrote:
> 
> Hi Dan,
> 
> Yes we know about the IKEv2 and we'll be happy to try it.
> 
> You might also be interested in our ansible playbook that sets up IPsec and 
> overlays:
> https://github.com/erigones/esdc-ce/tree/master/ans/overlays
> And our simple IPsec debug scripts:
> https://github.com/erigones/esdc-ce/tree/master/bin/debug

Thanks for sharing.

> Any feedback on our docs or usage of IPsec is totally welcome. Don't hesitate 
> to ask anything.

Thank you.

> One more thing - as you are probably the right person to ask - currently we are 
> trying to set up a reliable Dead Peer Detection so the IPsec can overcome a 
> remote node reboot or ipseckey flush. Is there any doc that can point us how 
> to do that? I'm a bit lost in all IKE options.

DPD should Just Work on IKE, insofar as I recall.  SAs have IDLE timeouts which 
in.iked monitors. The trick is whether or not one side is behind a NAT or not.  
If both sides are NAT-free, what should happen is:

        - IDLE timeout occurs

        - SAs (and IKE SA) get deleted.

        - Next outbound traffic starts fresh with a PF_KEY ACQUIRE message, and 
          a fresh IKE exchange.

If a NAT is in the way, things get tricky, because only the node *behind* the 
NAT can initiate cleanly, UNLESS you're doing static port mapping.

Now I just looked at your debug scripts.  I've noticed some things:

1.) You do not query the highly-queriable in.iked via ikeadm(1M).  You use 
ikeadm to enable full-blown IKE logging, but there's more you can do.  Try 
"ikeadm dump p1", for example.  :)

2.) I would recommend having the option of using the -n flag for your 
invocations of IPsec utilities JUST IN CASE your name services are down.  If 
you're only using files, though, you can ignore this.

3.) You may not be aware of this, but if you utter "ipseckey flush" IKE *also* 
deletes all of its IKE SAs as well.  The ipsec_restart.sh script MAY be 
redundant, unless in.iked is seriously hosed.

Dan
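A state-collection script along the lines of the three points above, added here as an illustration; it is not the esdc-ce debug script and not Dan's code. It assumes the ikeadm(1M), ipseckey(1M) and ipsecconf(1M) commands with their -n (no name resolution) flags as documented on illumos/SmartOS; the output directory layout is the script's own choice, and on a non-illumos host it simply records which tools are missing.

```sh
#!/bin/sh
# Snapshot IKE/IPsec state on a SmartOS/illumos node before touching anything.
# Constructed example following the mail above: query in.iked via ikeadm,
# pass -n so it still works when name services are down, and never flush.

# run_or_note NAME CMD...: run CMD, saving its output to $OUTDIR/NAME.txt.
# A missing tool (e.g. when run off illumos) is recorded instead of aborting.
run_or_note() {
    name=$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        if "$@" > "$OUTDIR/$name.txt" 2>&1; then rc=0; else rc=$?; fi
        printf '%s: %s (exit %s)\n' "$name" "$*" "$rc" >> "$OUTDIR/MANIFEST"
    else
        printf '%s: %s (not available)\n' "$name" "$*" >> "$OUTDIR/MANIFEST"
    fi
}

# collect_ipsec_state [OUTDIR]: gather state into OUTDIR and print its path.
collect_ipsec_state() {
    OUTDIR=${1:-/var/tmp/ipsec-debug.$(date +%Y%m%d-%H%M%S)}
    mkdir -p "$OUTDIR"
    : > "$OUTDIR/MANIFEST"

    # Point 1: ask the daemon directly instead of only enabling its logging.
    run_or_note ike-p1    ikeadm -n dump p1       # live Phase 1 (IKE) SAs
    run_or_note ike-rules ikeadm -n dump rule     # rules in.iked loaded

    # Point 2: -n on every utility, in case DNS/LDAP is what broke.
    run_or_note sadb      ipseckey -n dump        # kernel SADB (Phase 2 SAs)
    run_or_note policy    ipsecconf -l -n         # active IPsec policy

    # Point 3: no "ipseckey flush" in a debug snapshot. Flushing the SADB
    # also makes in.iked drop all of its IKE SAs, so it is a reset, not a
    # diagnostic, and the reboot/flush recovery path is what we want to observe.
    echo "$OUTDIR"
}
```

Run it as root on both peers right after the problem shows up, then compare the ike-p1 and sadb files from each side.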



-------------------------------------------
smartos-discuss
Archives: https://www.listbox.com/member/archive/184463/=now