On Thu, Jan 04, 2018 at 12:30:39PM +0000, Stuart Henderson wrote:
> On 2018/01/04 12:47, Martin Pieuchot wrote:
> > I'm not writing any isakmpd.policy(5) file. I don't know anybody sane
> > who does.
> This means you trust your ipsec peers not to request an invalid flow.
> That's reasonable if you run both ends and trust yourself not to fat-finger
> it but it's not really OK if you run tunnels to third parties.
I was running isakmpd -K for years without understanding the risk.
Probably I'm not the exception.
The isakmpd man page says:
    -K [...] This option can be used when policies for flows
    and SA establishment are arranged by other programs like
    ipsecctl(8) or bgpd(8).
> > I'd like to enforce some policy based on what I write in
> > ipsec.conf(5)...
> That would be a bigger change ;)
That would be a much appreciated change ;-)
> > So I don't understand why I have to pass '-K' on
> > each of the machines I set up. If I don't specify any policy file, then
> > I'd assume isakmpd(8) would do the right thing.
> > Diff below makes '-K' the default if isakmpd.policy doesn't exist AND
> > you didn't specify a "Policy-file".
> I have to say I'm not too keen on this. At the moment -K is "danger!
> flows are not checked against policy".