How to specify multiple transform suites in ipsec.conf(5)

From: Heinrich Rebehn
Date: Monday, October 29, 2007 - 3:44 am

Hello list,

I am trying to move my IPsec configuration from isakmpd.conf to ipsec.conf.
However, I cannot find a syntax to specify multiple transform suites with
ipsec.conf.

I tried something like:

ike passive esp from any to any quick enc {aes,3des}

but it is rejected.

I want something like

Suites=QM-ESP-AES-SHA2-256-PFS-SUITE,QM-ESP-3DES-PFS-SUITE

as a result.
As a workaround I can stuff it into the running configuration using
isakmpd's fifo, but that is not a very robust solution.

Specifying

Default-phase-2-suites = QM-ESP-3DES-MD5-PFS-SUITE,QM-ESP-AES-SHA2-256-PFS-SUITE

in isakmpd.conf does not help, because ipsecctl overrides it. Is there a way
to tell ipsecctl to not specify a suite at all, so that the default is used?

BTW, is ipsec.conf meant to ever become a full replacement for isakmpd.conf?

Thanks for any hints.
-- 

Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :            -3341