Johan Ryberg <jo...@securit.se> wrote:

> I found this information that seems very interesting:
> http://www.openbsd.org/faq/upgrade47.html#hmac-sha2
> ike esp from 192.168.1.1 to 10.0.0.17 peer 192.168.10.1 psk mekmitasdigoat
>
> The man page of ipsec.conf says that hmac-sha1, aes, and modp1024 is
> used as mode auth algorithm enc algorithm group group if omitted

In "main mode", which is just the initial IKE negotiation part. Actual traffic is passed in "quick mode", which defaults to hmac-sha2-256 and aes.

You can also use ipsecctl -nvf /etc/ipsec.conf to look at the expanded rules, or ipsecctl -ss to look at the parameters used by the currently active security associations. No need to guess.

-- 
Christian "naddy" Weisgerber na...@mips.inka.de