On Thu, Jan 04, 2018 at 12:30:39PM +0000, Stuart Henderson wrote:
> On 2018/01/04 12:47, Martin Pieuchot wrote:
> > I'm not writing any isakmpd.policy(5) file.  I don't know anybody sane
> > we do.
> 
> This means you trust your ipsec peers not to request an invalid flow.
> That's reasonable if you run both ends and trust yourself not to fat-finger
> it but it's not really OK if you run tunnels to third parties.
> 

I was running isakmpd -K for years without understanding the risk.
Probably I'm not the exception.

The isakmpd man page says:
-K      [...] This option can be used when policies for flows
        and SA establishment are arranged by other programs like
        ipsecctl(8) or bgpd(8).

> > I'd like to enforce some policy based on what I write in
> > ipsec.conf(5)...
> 
> That would be a bigger change ;)

That would be a much appreciated change ;-)

> >                 So I don't understand why I have to pass '-K' in
> > every of the machine I setup.  If I don't specify any policy file, then
> > I'd assume isakmpd(8) would do the right thing.
> > 
> > Diff below makes '-K' the default if isakmpd.policy doesn't exist AND
> > you didn't specify a "Policy-file".
> 
> I have to say I'm not too keen on this. At the moment -K is "danger!
> flows are not checked against policy".

Reply via email to