Hekan Olsson wrote:
On 10 aug 2006, at 16.26, Tech Support wrote:
Question: Can I have an isakmpd.conf file, set only the config options I want, run isakmpd WITHOUT the -K and still use ipsecctl?

Yes.

Another item - Is PFS disabled or enabled by default when one uses ipsecctl? Can this be set?

pfs is enabled by default.

PFS is off on the vendor's side, does this matter? I will search how to disable on my end

Definitely. A suite proposal with PFS can never match a proposal without it.
/H
Alright! Thanks for all the help from this list - it's very appreciated.
I have gotten this working reliably for the most part. I decided to go
back and try to use the 'old' way of doing things, namely using isakmpd.conf.
I couldn't quite figure out how to override the default suite proposal
using ipsecctl.
I'm mostly asking questions now for my own curiosity, so feel free
everyone to ignore these ramblings.
- Is PFS something that's negotiated only during phase 2? Could this be
why it was passing phase one but not passing phase two?
- When I specify a quick mode suite in isakmpd.conf, does ipsecctl USE
that suite?
Can I do something like this in isakmpd.conf and then use ipsecctl to
add the flows?
[General]
Listen-on = x.x.x.x
[Phase 1]
x.x.x.x = Remote
[Phase 2]
Connections = VPN1
[Remote]
Configuration = Default-main-mode
[VPN1]
Configuration = Default-quick-mode
[Default-main-mode]
Transforms=(whatever)
[Default-quick-mode]
Suites=(whatever)
Does isakmpd -K simply use a default policy of allowing everything?
Again, thank you everyone for their help!
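
An added example, not part of the original post or of the isakmpd distribution: an isakmpd.conf in the layout sketched above, with a quick mode suite that omits PFS so it can match a peer that has PFS off. All addresses, networks and the shared secret are constructed placeholders, and the transform and suite names assume the predefined naming scheme described in isakmpd.conf(5).

```ini
# Constructed example: addresses, networks and the secret are placeholders.
[General]
Listen-on= 192.0.2.1

[Phase 1]
198.51.100.1= Remote

[Phase 2]
Connections= VPN1

[Remote]
Phase= 1
Address= 198.51.100.1
Configuration= Default-main-mode
Authentication= PLACEHOLDER_SHARED_SECRET

[VPN1]
Phase= 2
ISAKMP-peer= Remote
Configuration= Default-quick-mode
Local-ID= Net-local
Remote-ID= Net-remote

[Net-local]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.1.0
Netmask= 255.255.255.0

[Net-remote]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.2.0
Netmask= 255.255.255.0

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= AES-SHA

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
# No "-PFS" in the suite name: quick mode is proposed without the extra
# Diffie-Hellman exchange, so it can match a peer that has PFS off.
# The PFS form of the same suite would be QM-ESP-AES-SHA-PFS-SUITE.
Suites= QM-ESP-AES-SHA-SUITE
```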