On 2018/01/04 12:47, Martin Pieuchot wrote:
> I'm not writing any isakmpd.policy(5) file. I don't know anybody sane
> we do.
This means you trust your ipsec peers not to request an invalid flow.
That's reasonable if you run both ends and trust yourself not to fat-finger
it, but it's not really OK if you run tunnels to third parties.
> I'd like to enforce some policy based on what I write in
That would be a bigger change ;)
> So I don't understand why I have to pass '-K' on
> every machine I set up. If I don't specify any policy file, then
> I'd assume isakmpd(8) would do the right thing.
> Diff below makes '-K' the default if isakmpd.policy doesn't exist AND
> you didn't specify a "Policy-file".
I have to say I'm not too keen on this. At the moment -K is "danger!
flows are not checked against policy".