Dynamic IPSEC Phase1/Phase2 proposal

Is it possible to define default Phase1/Phase2 proposals for dynamic policies, e.g. ipsec enabled within GRE and L2TP config?
I want to use sha1/aes256cbc for my GRE tunnels but sha1/aes128 is the default.

For Phase2 apparently only the “Default” proposal can be altered to get the desired behavior, but I couldn’t find a way for Phase1?

bump

Phase1 is ipsec peer configuration. You can add ipsec peer with specific parameters you need.
As for phase2 you can specify proposal in policy template, each time when template is matched configured proposal will be used.

Phase1 is exactly the issue here.
Namely GRE interface with ipsec secret enabled creates a dynamic ipsec peer.
That dynamic ipsec peer uses sha1-3des/aes128 for phase1 and that cannot be changed.
There should be an option inside GRE interface to define phase1/phase2 (group actually).

When you want to do that, just remove the IPsec secret from the GRE / L2TP tunnel config and set up a transport
config in the IP → IPsec configuration. Then you can configure it just like you want.
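The manual transport-mode setup the reply above describes, written out for one site as an added example; it is not from the thread or from MikroTik's documentation. It assumes RouterOS 6.x with the pre-6.43 IPsec syntax (the peer carries the pre-shared key and the phase 1 algorithms; 6.43 and later moved these into /ip ipsec profile and /ip ipsec identity), documentation-range addresses, and the placeholder names "gre-site2", "site2" and "gre-aes256". The PSK is a placeholder to replace, and the other side needs the mirror-image config with matching algorithms.

```routeros
# Added example: explicit IPsec for a GRE tunnel instead of the GRE "ipsec-secret" shortcut.
# RouterOS 6.x (before 6.43) syntax assumed; 198.51.100.5 / 203.0.113.10 are placeholder
# public addresses for this site and the remote site.
:local localIp 198.51.100.5
:local remoteIp 203.0.113.10

# GRE tunnel WITHOUT ipsec-secret, so RouterOS creates no dynamic peer or policy of its own.
/interface gre add name=gre-site2 local-address=$localIp remote-address=$remoteIp comment="site2"

# Phase 1: the hash, cipher and DH group are chosen here, which the dynamic peer does not allow.
/ip ipsec peer add address=($remoteIp . "/32") secret="replace-with-a-long-random-psk" exchange-mode=main hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp2048 comment="site2"

# Phase 2: a named proposal (sha1 / aes256cbc as asked for), leaving the "default" proposal untouched.
/ip ipsec proposal add name=gre-aes256 auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=modp2048

# Transport-mode policy that matches only GRE between the two endpoints.
# ipsec-protocols=esp could be changed to ah if authentication-only is wanted instead of ESP.
/ip ipsec policy add src-address=($localIp . "/32") dst-address=($remoteIp . "/32") protocol=gre action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=$localIp sa-dst-address=$remoteIp proposal=gre-aes256 comment="site2"
```

After both sides are configured, `/ip ipsec installed-sa print` should show SAs with the chosen algorithms; if phase 1 never completes, check that exchange-mode, hash-algorithm, enc-algorithm and dh-group are identical on both peers, since a mismatch there fails silently apart from log entries.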

That was never an issue.
Of course I could do it by hand, but since both of my locations are on dynamic IP, I have to rely heavily on scripting in order to achieve the same thing.
When one of the addresses changes I need to edit GRE interface, ipsec peer and finally ipsec policy on both locations.

It’s doable, no problem; I have relied on such a setup since ROS 5.xx, where the l2tp/gre interface didn’t have the ipsec secret option directly.
Since there is already an automated way of configuring ipsec secret through gre/l2tp interface, adding an option to adjust phase1/2 for dynamic peer/policy would make my life so much easier.

… but adding all those options to the “simple IPsec” config would make it just as complicated as the standard
IPsec config, and so the advantage would be lost.

For example, I require (and requested) a selection of AH instead of ESP, so that would be another item.

It is probably best to keep simple config simple and for your case you can write a small script to change the
IP address in all required places in one go.
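One way to write the small script suggested above, added here as an example that is neither from the thread nor from MikroTik. It assumes the objects created by the manual setup (GRE interface "gre-site2", an IPsec peer and policy tagged with comment "site2"), RouterOS 6.x pre-6.43 syntax, and that the remote site publishes its current address under a DDNS name ("site2.example.com" is a placeholder). It only handles the remote address changing; a change of the local address needs the same three updates with the local-side fields, and the remote router runs the mirror of this script.

```routeros
# Added example: re-point GRE, IPsec peer and IPsec policy when the remote site's
# public IP changes. Names, comments and the DDNS host are placeholders.
:local peerHost "site2.example.com"

# :resolve returns the current A record as an IP value; comparison with the
# GRE remote-address (also an IP value) tells us whether anything moved.
:local newIp [:resolve $peerHost]
:local oldIp [/interface gre get [find name="gre-site2"] remote-address]

:if ($newIp != $oldIp) do={
    :log info ("site2 moved from " . $oldIp . " to " . $newIp . ", updating GRE/IPsec")

    # 1. GRE endpoint
    /interface gre set [find name="gre-site2"] remote-address=$newIp

    # 2. Phase 1 peer (address is a prefix, hence the /32)
    /ip ipsec peer set [find comment="site2"] address=($newIp . "/32")

    # 3. Phase 2 policy: both the traffic selector and the SA endpoint
    /ip ipsec policy set [find comment="site2"] dst-address=($newIp . "/32") sa-dst-address=$newIp

    # Drop stale SAs so a fresh negotiation starts with the new address
    /ip ipsec installed-sa flush
} else={
    :log debug ("site2 still at " . $oldIp . ", nothing to do")
}

# Store this as a script and run it periodically, e.g.:
#   /system script add name=sync-site2 source={ ...the lines above... }
#   /system scheduler add name=sync-site2 interval=1m on-event=sync-site2
```

Because the whole update runs in one script execution, the three objects never disagree for longer than a few milliseconds, which is the point of the "change the IP in all required places in one go" suggestion. Be aware that `:resolve` throws an error when the name does not resolve, so with an unreliable DNS path the lookup should be wrapped in `:do { ... } on-error={ ... }` rather than left to abort the script.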