I have an ipsec setup using certificate/ca based authentication. The
config looks like this:

#       $OpenBSD: ipsec.conf,v 1.5 2006/09/14 15:10:43 hshoexer Exp $
#

my_fqdn="dynamic-0.example.com"
my_v4_ip="192.168.1.1"
my_v4_net="10.0.0.0/23"

remote_fqdn="dynamic-1.example.com"
remote_v4_net="10.0.2.0/24"

## -- Remote router --------------------------------------------------------

ike passive esp from { $my_v4_ip, $my_v4_net } to { $remote_fqdn, $remote_v4_net } \
    local $my_v4_ip peer $remote_fqdn \
    main auth hmac-sha256 enc aes-128 group modp1024 lifetime 1800 \
    quick auth hmac-sha256 enc aes-128 group none \
    srcid $my_fqdn dstid $remote_fqdn

## -- Laptop(s) ------------------------------------------------------------

ike passive esp from { $my_v4_ip, $my_v4_net } to any \
    local $my_v4_ip peer any \
    main auth hmac-sha256 enc aes-128 group modp1024 lifetime 1800 \
    quick auth hmac-sha256 enc aes-128 group none \
    srcid $my_fqdn

I'm trying to configure for two kinds of tunnels. One to a small
soekris box that provides its own network, and one for laptop(s) that
connect ad-hoc from coffee shops or clients' work sites.

The soekris box has a fqdn certificate. The laptops have user-fqdn
certs. My question is:

   * Am I right to assume that when connecting to isakmpd the soekris
     box will match to the "Remote router" stanza because it's trying
     to build a tunnel from "srcid <-> dstid" or is isakmpd using the
     "local <-> peer" to choose the stanza?

I ask the question to get a better understanding of how isakmpd chooses
the configuration stanza in case I have to expand on this
config. Also, I find this a little tricky because both sides of the
tunnel are on dynamic IPs, although one side changes very, very rarely.

Another question I have is:

   * Would it be worth my while to move this config out of
     isakmpd/ikev1 into ike/ikev2?

With the soekris, I'm tunnelling IPv6 traffic over a gif v4/v6
tunnel. While this works, it's a tremendous kludge. And my ipv6 mtu
ends up being something like 1320 bytes after all the overhead from
UDP NAT-T and ESP overhead. I'd heard that ikev2 lowers the overhead
but if it's just in the negotiation exchange it may not be worth the
work.

Thanks
-- 
Chris

      __o          "All I was trying to do was get home from work."
    _`\<,_           -Rosa Parks
___(*)/_(*)____.___o____..___..o...________ooO..._____________________
Christopher Sean Hilton                    [chris/at/vindaloo/dot/com]
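The MTU arithmetic behind the post's "overhead from UDP NAT-T and ESP" remark, as a worked example added by the editor (not code from the original message). It assumes ESP tunnel mode over IPv4 without options, AES-128-CBC (16-byte IV and block) and HMAC-SHA-256 with the 16-byte truncated ICV, a 1500-byte link MTU, and an IPv6-in-IPv4 gif tunnel riding inside the ESP tunnel; all of those are assumptions, not facts stated in the post.

```python
"""Overhead budget for IPv6 over gif over ESP with NAT-T (constructed example)."""

# Constructed constants (assumptions, see lead-in); sizes in bytes.
IPV4_HDR = 20          # outer IPv4 header, no options
UDP_HDR = 8            # NAT-T encapsulation on UDP/4500
ESP_HDR = 8            # SPI + sequence number
ESP_TRAILER = 2        # pad length + next header
AES_BLOCK = 16         # CBC plaintext must fill whole blocks
AES_CBC_IV = 16
HMAC_SHA256_ICV = 16   # RFC 4868 truncated ICV


def esp_padding(inner_len, block=AES_BLOCK):
    """Pad bytes ESP adds so that inner packet + trailer fills whole blocks."""
    return (block - (inner_len + ESP_TRAILER) % block) % block


def esp_inner_mtu(link_mtu=1500, nat_t=True, block=AES_BLOCK,
                  iv=AES_CBC_IV, icv=HMAC_SHA256_ICV):
    """Largest packet ESP tunnel mode can carry without fragmenting the outer frame."""
    fixed = IPV4_HDR + ESP_HDR + iv + icv + (UDP_HDR if nat_t else 0)
    encrypted_max = link_mtu - fixed
    plaintext_max = encrypted_max - encrypted_max % block  # round down to blocks
    return plaintext_max - ESP_TRAILER


def gif_ipv6_mtu(link_mtu=1500, nat_t=True):
    """Inner IPv6 MTU when the gif tunnel's IPv4 packets are what ESP protects."""
    return esp_inner_mtu(link_mtu, nat_t) - IPV4_HDR


def overhead_budget(link_mtu=1500, nat_t=True):
    """Itemised byte budget for a maximum-size inner IPv6 packet."""
    ipv6 = gif_ipv6_mtu(link_mtu, nat_t)
    gif_pkt = ipv6 + IPV4_HDR
    return {
        "link_mtu": link_mtu,
        "outer_ipv4": IPV4_HDR,
        "nat_t_udp": UDP_HDR if nat_t else 0,
        "esp_header_iv": ESP_HDR + AES_CBC_IV,
        "gif_ipv4": IPV4_HDR,
        "ipv6_payload_mtu": ipv6,
        "esp_padding": esp_padding(gif_pkt),
        "esp_trailer": ESP_TRAILER,
        "esp_icv": HMAC_SHA256_ICV,
    }
```

Pass a smaller link_mtu (a PPPoE uplink, for instance) to see how the inner IPv6 MTU shrinks; the functions return values rather than printing so they can be reused in a sizing script.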
