why the shift from isakmpd.conf?


why the shift from isakmpd.conf?

nuffnough
Hi...

I have recently started using OpenBSD, and one of the things that I liked
most about it was the ease I got my VPN tunnels working with isakmpd.

I've learnt in the past few weeks that the use of isakmpd is being
deprecated in favour of ipsec.

What were the reasons that led to this decision..?

How long will I still be able to use isakmpd?

What are the advantages that ipsec has over isakmpd?

Will I still be able to configure custom policies when the defaults aren't
appropriate?

TIA

Nuffnough


Re: why the shift from isakmpd.conf?

Håkan Olsson
On 11 dec 2006, at 07.14, nuffnough wrote:

> Hi...
>
> I have recently started using OpenBSD, and one of the things that I  
> liked
> most about it was the ease I got my VPN tunnels working with isakmpd.
>
> I've learnt in the past few weeks that the use of isakmpd is being
> deprecated in favour of ipsec.

Rather, using ipsec.conf is recommended over isakmpd.conf.

> What were the reasons that led to this decision..?

Some people seem to find isakmpd.conf a bit complex. :)

> How long will I still be able to use isakmpd?

ipsecctl is a frontend to isakmpd, it does not replace the  
functionality. isakmpd is still doing all IKE processing.

Typically you create an ipsec.conf file, which ipsecctl parses,  
output is "isakmpd.conf" style data that is fed to isakmpd via the  
command fifo (see isakmpd(8)).

> What are the advantages that ipsec has over isakmpd?

Assuming you mean ipsecctl and not IPsec, it makes IKE configuration  
easier. I.e. one does not have to be an IPsec/IKE "expert" to set up a  
VPN.

> Will I still be able to configure custom policies when the defaults  
> aren't
> appropriate?

Yes. At least I've heard nothing about actually disabling isakmpd  
reading isakmpd.conf.

Also, combinations are possible. You can change (some of) isakmpd's  
defaults by tweaking them in isakmpd.conf, then use ipsec.conf to do  
the actual (or additional) tunnel setup. Note that ipsecctl has some  
defaults and settings of its own that may override your defaults  
(the "last thing to be specified" applies).

/H


Re: why the shift from isakmpd.conf?

Adam-29
In reply to this post by nuffnough
nuffnough <[hidden email]> wrote:

> I have recently started using OpenBSD, and one of the things that I liked
> most about it was the ease I got my VPN tunnels working with isakmpd.
>
> I've learnt in the past few weeks that the use of isakmpd is being
> deprecated in favour of ipsec.
>
> What were the reasons that led to this decision..?

It's recommended for most common uses, because it's a lot simpler and easier
for those common uses.

> How long will I still be able to use isakmpd?

You still do use it, ipsecctl just parses your ipsec.conf and tells
isakmpd what to do.  It's not a replacement for isakmpd, just for
isakmpd.conf.

> Will I still be able to configure custom policies when the defaults aren't
> appropriate?

Yes.

Adam


Re: why the shift from isakmpd.conf?

Toni Mueller-10
In reply to this post by nuffnough
Hi,

On Mon, 11.12.2006 at 17:14:50 +1100, nuffnough <[hidden email]> wrote:
> I've learnt in the past few weeks that the use of isakmpd is being
> deprecated in favour of ipsec.

Håkan has already written about that, but there's an additional bonus
in using ipsecctl (if you can), as far as I understood it yet:

> What were the reasons that led to this decision..?

Using it should allow for dynamic tunnel reconfiguration, so you should
be able to add or delete individual tunnels w/o the need to tear down
everything in case you have some modification underway. This is already
possible, but difficult, without ipsecctl.


Best,
--Toni++
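As an added illustration of the ipsec.conf front end that Håkan and Toni describe (this is not configuration posted by anyone in the thread, and it is not OpenBSD's own sample file), here is a minimal ipsec.conf for a single IKE-negotiated ESP tunnel. The networks, the peer address, the macro names and the pre-shared key are constructed placeholders; the keywords follow ipsec.conf(5).

```conf
# /etc/ipsec.conf -- added example; all addresses and the key are placeholders

# Macros are expanded by ipsecctl when it parses the file, keeping the rule readable
local_net  = "10.0.1.0/24"
remote_net = "10.0.2.0/24"
peer       = "203.0.113.2"

# One IKE-negotiated ESP tunnel between the two networks.
# ipsecctl turns this rule into the equivalent isakmpd.conf-style sections and
# hands them to isakmpd over its command fifo; isakmpd still runs the IKE exchange.
# "main" sets the phase 1 proposal, "quick" the phase 2 proposal; anything left out
# falls back to ipsecctl's own defaults, which may differ from what isakmpd.conf sets.
ike esp from $local_net to $remote_net peer $peer \
        main  auth hmac-sha1 enc aes group modp1024 \
        quick auth hmac-sha2-256 enc aes \
        psk "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```

A file like this is checked without loading it with `ipsecctl -n -f /etc/ipsec.conf`, loaded with `ipsecctl -f /etc/ipsec.conf`, and the resulting flows and SAs are listed with `ipsecctl -s all`. The per-tunnel add and remove that Toni mentions is what `ipsecctl -f` and `ipsecctl -d -f` on a file holding just the affected rule give you, without the `ipsecctl -F` flush that tears everything down. Because the explicit `main`/`quick` proposals are the last thing specified, they win over whatever defaults were tweaked in isakmpd.conf, which is the interaction Håkan warns about.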