Discussion:
IKEv1 support with IKEv2 on the same router
Dev Op
2021-04-14 12:28:31 UTC
Hello all!

I have several partners working with different IKE versions. Is it possible
to run iked and isakmpd on the same machine if I have two public
IP addresses on it?

On isakmpd (IKEv1) it's simple, for example:
/etc/isakmpd/isakmpd.conf
[General]
Listen-on=X.X.X.X
Retransmits=32
Exchange-max-time=240
DPD-check-interval=30
Default-phase-1-lifetime=86400,60:86400
Default-phase-2-lifetime=86400,60:86400

But how to bind iked (IKEv2) to another address Y.Y.Y.Y?

$ uname -r
6.7

--
wbr, Denis
Stefan Sperling
2021-04-14 12:54:08 UTC
Post by Dev Op
Hello all!
I have several partners working with different IKE versions. Is it possible
to run iked and isakmpd on the same machine if I have two public
IP addresses on it?
/etc/isakmpd/isakmpd.conf
[General]
Listen-on=X.X.X.X
Retransmits=32
Exchange-max-time=240
DPD-check-interval=30
Default-phase-1-lifetime=86400,60:86400
Default-phase-2-lifetime=86400,60:86400
But how to bind iked (IKEv2) to another address Y.Y.Y.Y?
Running both on the same system isn't possible. As far as I understand
it's not just about the UDP listening ports. It isn't possible to share
the kernel's IPsec flow table cleanly between the two daemons.

You should be able to work around this limitation by running one of the
daemons in a virtual machine, e.g. in vmm(4), provided your hardware
supports this. Check: grep ^vmm0 /var/run/dmesg.boot
It is possible to bridge the VM's host-side network interface with the
physical network interface. This way, the VM could directly use one of
the two IP addresses, eliminating the need for NAT.
Post by Dev Op
$ uname -r
6.7
You should upgrade to 6.8 now. The 6.9 release is just around the corner.
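The VM-plus-bridge layout described in the reply above, written out as an added configuration example (not from the original thread or from any OpenBSD documentation): the host keeps iked on Y.Y.Y.Y, and the guest takes X.X.X.X for isakmpd, so each daemon has its own kernel and its own IPsec flow table. Interface names em0/vio0, the VM name, disk path and a shared /24 netmask are assumptions; X.X.X.X and Y.Y.Y.Y are the placeholders from the original post.

```conf
# --- Host (OpenBSD, runs iked for IKEv2 on Y.Y.Y.Y) ---

# /etc/hostname.em0   (em0 is an assumed physical interface name)
inet Y.Y.Y.Y 255.255.255.0
up

# /etc/hostname.bridge0
# vmd adds the guest's tap interface to this bridge when the VM starts,
# so the guest sits on the same L2 segment as em0 and needs no NAT.
add em0
up

# /etc/vm.conf
switch "uplink" {
	interface bridge0
}

vm "ikev1gw" {
	memory 512M
	disk "/home/vm/ikev1gw.qcow2"
	interface {
		switch "uplink"
	}
}

# --- Guest VM (OpenBSD, runs isakmpd for IKEv1 on X.X.X.X) ---

# /etc/hostname.vio0   (vio0 is the guest's virtio NIC)
inet X.X.X.X 255.255.255.0
up

# /etc/isakmpd/isakmpd.conf   (same [General] section as in the original post)
[General]
Listen-on=X.X.X.X
Retransmits=32
Exchange-max-time=240
DPD-check-interval=30
Default-phase-1-lifetime=86400,60:86400
Default-phase-2-lifetime=86400,60:86400
```

After `rcctl enable vmd` on the host and `rcctl enable isakmpd` in the guest, only one IKE daemon touches each kernel's SADB, and `ipsecctl -s all` on either side shows just that daemon's flows.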
Dev Op
2021-04-14 13:24:16 UTC
Now it's clear to me. Thanks a lot!
--
Best regards,
Denis

*This message and any documents attached to it contain confidential
information. We notify you that the use, copying, or distribution of
the information contained in this message is prohibited.*