On Thu, Jan 04, 2018 at 12:30:39PM +0000, Stuart Henderson wrote:
> On 2018/01/04 12:47, Martin Pieuchot wrote:
> > I'm not writing any isakmpd.policy(5) file. I don't know anybody sane
> > who does.
>
> This means you trust your ipsec peers not to request an invalid flow.
> That's reasonable if you run both ends and trust yourself not to fat-finger
> it but it's not really OK if you run tunnels to third parties.
>

I was running isakmpd -K for years without understanding the risk.
Probably I'm not the exception. The isakmpd man page says:

    -K [...] This option can be used when policies for flows and SA
    establishment are arranged by other programs like ipsecctl(8) or
    bgpd(8).

> > I'd like to enforce some policy based on what I write in
> > ipsec.conf(5)...
>
> That would be a bigger change ;)

That would be a much appreciated change ;-)

> > So I don't understand why I have to pass '-K' in
> > every one of the machines I set up. If I don't specify any policy file, then
> > I'd assume isakmpd(8) would do the right thing.
> >
> > Diff below makes '-K' the default if isakmpd.policy doesn't exist AND
> > you didn't specify a "Policy-file".
>
> I have to say I'm not too keen on this. At the moment -K is "danger!
> flows are not checked against policy".