On 2018/01/04 12:47, Martin Pieuchot wrote:
> I'm not writing any isakmpd.policy(5) file.  I don't know anybody sane
> we do.

This means you trust your ipsec peers not to request an invalid flow.
That's reasonable if you run both ends and trust yourself not to fat-finger
it but it's not really OK if you run tunnels to third parties.

> I'd like to enforce some policy based on what I write in
> ipsec.conf(5)...

That would be a bigger change ;)

>                 So I don't understand why I have to pass '-K' in
> every of the machine I setup.  If I don't specify any policy file, then
> I'd assume isakmpd(8) would do the right thing.
> 
> Diff below makes '-K' the default if isakmpd.policy doesn't exist AND
> you didn't specify a "Policy-file".

I have to say I'm not too keen on this. At the moment -K is "danger!
flows are not checked against policy".

Reply via email to