On Sun, Jul 10, 2022 at 12:14:14AM +0200, Tobias Heider wrote:
> Hi,
>
> we currently generate one pair of 2048 bit RSA keys for isakmpd and iked by
> default on new installations. In 2022 this seems a little outdated and iked
> has had proper support for EC keys for quite some time now, so I propose we
> switch to P-256 ECDSA keys by default.
>
> It looks like isakmpd does not support ECDSA, so we will have to generate
> a separate pair of keys for iked. I think we should also consider updating
> the isakmpd keys to RSA 4096 but I don't have a test setup to see if this
> would cause any interop problems.
I think you should also change isakmpd to RSA 4096 keys. Unfortunately my
home setup is running iked now, so I cannot test.

> ok?

Works for me. OK bluhm@

> + if openssl ecparam -genkey -name prime256v1 -out $_iked_key
> >/dev/null 2>&1 &&

Could you wrap the long line?
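Review bot: the `openssl ecparam -genkey -name prime256v1 -out $_iked_key` line has no `-noout`, so the file it writes starts with an EC PARAMETERS block ahead of the EC PRIVATE KEY block; adding `-noout` leaves only the private key in $_iked_key. The same line also creates $_iked_key under whatever umask is in effect when the script runs, so unless the surrounding code already sets `umask 077` or chmods the file to 600, the new private key can end up readable by other users; worth checking before this goes in.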
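The key generation the thread is about, as an added example that is not part of the diff or of OpenBSD's rc script: a POSIX sh script that creates the P-256 ECDSA pair proposed for iked and the RSA pair (4096 bits by default, the size suggested for isakmpd) under a directory of your choosing, with the private keys written under umask 077 and a leading EC PARAMETERS block kept out of the key file. The directory layout, function names and the checks at the end are assumptions of this example; it only needs openssl(1) (OpenSSL or LibreSSL) in PATH.

```shell
#!/bin/sh
# Added example, not part of the OpenBSD diff or of /etc/rc.  Generates the
# default key pairs discussed in the thread into a directory you choose.
# Assumptions: openssl(1) in PATH; local.key/local.pub file names, but the
# directories are parameters rather than /etc/iked and /etc/isakmpd.
set -eu

# gen_iked_ecdsa DIR: write DIR/local.key (P-256 ECDSA, mode 0600) and
# DIR/local.pub; prints the private key path.
gen_iked_ecdsa() {
	_dir=$1
	_key=$_dir/local.key
	_pub=$_dir/local.pub
	mkdir -p "$_dir"
	# umask 077 in a subshell: the private key is never created readable
	# by others and the caller's umask is untouched.  -noout keeps the
	# EC PARAMETERS block out of the file so it holds only the key.
	(umask 077 && openssl ecparam -genkey -name prime256v1 -noout \
	    -out "$_key" >/dev/null 2>&1) || return 1
	openssl ec -in "$_key" -pubout -out "$_pub" >/dev/null 2>&1 || return 1
	echo "$_key"
}

# gen_isakmpd_rsa DIR [BITS]: same for an RSA key, default 4096 bits
# (the size proposed in the thread for isakmpd); prints the private key path.
gen_isakmpd_rsa() {
	_dir=$1
	_bits=${2:-4096}
	_key=$_dir/local.key
	_pub=$_dir/local.pub
	mkdir -p "$_dir"
	(umask 077 && openssl genrsa -out "$_key" "$_bits" >/dev/null 2>&1) \
	    || return 1
	openssl rsa -in "$_key" -pubout -out "$_pub" >/dev/null 2>&1 || return 1
	echo "$_key"
}

# ec_curve KEY: print the named curve of an EC private key, e.g. prime256v1.
ec_curve() {
	openssl ec -in "$1" -noout -text 2>/dev/null |
	    sed -n 's/.*ASN1 OID: *//p'
}

# rsa_bits KEY: print the modulus size of an RSA private key in bits.
rsa_bits() {
	openssl rsa -in "$1" -noout -text 2>/dev/null |
	    sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# file_mode PATH: permission string as shown by ls(1), e.g. -rw-------.
file_mode() {
	ls -ld "$1" | cut -c1-10
}

# Usage: sh genkeys.sh DESTDIR
#   -> DESTDIR/iked/local.key (P-256) and DESTDIR/isakmpd/local.key (RSA-4096)
if [ $# -eq 1 ]; then
	k=$(gen_iked_ecdsa "$1/iked")
	printf '%s: %s %s\n' "$k" "$(ec_curve "$k")" "$(file_mode "$k")"
	k=$(gen_isakmpd_rsa "$1/isakmpd")
	printf '%s: RSA-%s %s\n' "$k" "$(rsa_bits "$k")" "$(file_mode "$k")"
fi
```

Run it as `sh genkeys.sh /tmp/keys` and check the two printed lines: the iked key should report prime256v1 and the isakmpd key RSA-4096, both with mode -rw-------. The checks are the ones worth repeating on a real install: the curve or modulus size actually generated, and the private key not being readable by anyone but root.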
