On 2018/01/04 12:47, Martin Pieuchot wrote:
> I'm not writing any isakmpd.policy(5) file. I don't know anybody sane
> who does.

This means you trust your ipsec peers not to request an invalid flow.
That's reasonable if you run both ends and trust yourself not to
fat-finger it, but it's not really OK if you run tunnels to third parties.

> I'd like to enforce some policy based on what I write in
> ipsec.conf(5)...

That would be a bigger change ;)

> So I don't understand why I have to pass '-K' on
> every machine I set up. If I don't specify any policy file, then
> I'd assume isakmpd(8) would do the right thing.
>
> Diff below makes '-K' the default if isakmpd.policy doesn't exist AND
> you didn't specify a "Policy-file".

I have to say I'm not too keen on this. At the moment -K is "danger! flows
are not checked against policy".